Friday, October 4, 2019

Using BGP as an Alternate Path to a failed Circuit's Subnet

Hi All,

I am the Network Engineer for an international hub-and-spoke VPN-based network consisting of 164 branches and a data center with two ISP circuits in the US. Presently I have no automated redundancy (not my choice). The two ISP circuits live on different firewalls, but connect to the same 6509 core switch. The way I have it set up presently is that all of North, Central and South America VPN into ISP #1 connected to firewall #1, and all of EMEA/APAC VPN into ISP #2 connected to firewall #2. The 6509 core switch then has static routes to the subnets of the branches, pointing to whichever firewall the VPN is built on for a given branch. The firewalls then have the mandatory default route out to each respective public gateway. The downside to this, of course, is that if one of the ISPs goes down, half of my sites go with it, because there is no automatic redundancy to fail the sites over, since all of this is static.

My VP came to me this morning. He wants to use BGP to fix this, but the way he understands it working is not a way that I've ever understood BGP to work. All of the coursework I have studied about BGP suggests it can be used in the following ways: iBGP backbone routing, eBGP ISP peering, or eBGP CPE peering to ISP (with prepending for failover if you have two ISPs) for WAN connectivity. However, his understanding is that you can have one firewall, with both ISP lines connected into it, and set up a trust between ISP 1 and ISP 2 and eBGP peer to both of them from your ASN to their ASN. Then, when ISP 1 fails, ISP 2 will take over in such a way that is NOT traditional active/standby circuit failover, but rather that ISP 2 will provide the transport routing via an alternate transport path to the outside interface IP of my firewall's port connected to ISP 1 (the failed ISP).

The end result would be that although ISP #1 is unreachable over its own transport infrastructure for whatever outage-related reason, BGP would change paths to provide connectivity to ISP 1's subnet IP that is assigned to my firewall's outside interface port, but over ISP 2's transport infrastructure, and that would mean that all of the branch firewalls' static IPsec VPN configs (peer IP address) would never need to change to ISP 2's address when ISP 1 is technically down.

Has anyone ever heard of this? I would think if this is possible, there would be no need for SD-WAN, as this seems like the ultimate redundancy solution.


