Multihoming design and questions

Jun 10th, 2008

Guys, please take a look at the Visio I've attached. My organization is in the planning stages to multihome by the end of the summer. We have 4 Checkpoint firewalls at our edge that all service different traffic which we push to them via policy-based routing from the router labeled 'R'.

Checkpoint firewall software has the ability to load-balance TCP flows between 2 different ISP links which we plan to utilize to load-share our traffic over both ISP links. A script is built into the software to monitor the ISP links and be able to dynamically remove traffic from load-balance mode to point only at one ISP link in case of failure.

Given that the firewalls will do as advertised, I'd like some input to the initial config I'm pasting below based on the following requirements and questions:

****
*R1*
****
ip prefix-list TWT-OH seq 10 permit 216.x.x.x/24
ip prefix-list TWT-OH seq 20 permit 165.x.x.x/24
!
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 216.x.x.x mask 255.255.255.0
 network 165.x.x.x mask 255.255.255.0
 !
 neighbor x.x.x.x remote-as 456
 neighbor x.x.x.x description ISP1
 neighbor x.x.x.x password 7 xxxxxxxxxxxxx
 neighbor x.x.x.x prefix-list default in
 neighbor x.x.x.x prefix-list TWT-OH out
 !
 neighbor R2 remote-as 123
 neighbor R2 description IBGP neighbor

****
*R2*
****
ip prefix-list TWT-OH seq 10 permit 216.x.x.x/24
ip prefix-list TWT-OH seq 20 permit 165.x.x.x/24
!
router bgp 123
 no synchronization
 bgp log-neighbor-changes
 bgp dampening
 network 216.x.x.x mask 255.255.255.0
 network 165.x.x.x mask 255.255.255.0
 !
 neighbor x.x.x.x remote-as 789
 neighbor x.x.x.x description ISP2
 neighbor x.x.x.x password 7 xxxxxxxxxxxxx
 neighbor x.x.x.x prefix-list default in
 neighbor x.x.x.x prefix-list TWT-OH out
 !
 neighbor R1 remote-as 123
 neighbor R1 description IBGP neighbor

1. What configuration needs to exist between iBGP neighbors other than what I've posted?

2. What is the best method to stop transit traffic? Filtering ingress or egress traffic?

3. Based on the fact that the firewalls will be handling load-sharing, will this limit the flexibility we have to shape traffic through use of local-pref and as-path prepending?

4. What is the best way to redistribute my IGP (EIGRP) into BGP?

5. Any other things to consider?

We currently are single-homed to ISP1 via a static route, so we're in the process of obtaining everything we need to multihome.

Any opinions or config examples would be much appreciated. I want to make sure I'm covering all my bases.

/rls

smahbub Mon, 06/16/2008 - 13:10

By default, iBGP redistribution into IGP (such as EIGRP, OSPF) is disabled. Issue the "bgp redistribute-internal" command in order to enable redistribution of iBGP routes into IGP. Precautions need to be taken to redistribute specific routes using route maps into IGP.

A sample configuration for redistributing BGP routes into OSPF is given here:

router bgp 65345
 bgp redistribute-internal
!
router ospf 100
 redistribute bgp 65345 subnets

Refer to the "Redistributing Routing Protocols" guide at the URL below for more info on redistribution:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a008009487e.shtml#intro

Also refer to the EIGRP configuration guide at the URL below:

http://www.cisco.com/en/US/docs/ios/iproute/configuration/guide/irp_cfg_eigrp_ps6922_TSD_Products_Configuration_Guide_Chapter.html
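
One way to apply the route-map precaution mentioned in the reply above, as an added example that is not part of the original post: only prefixes named in a prefix-list are redistributed from BGP into OSPF, and every other BGP route is rejected before it reaches the IGP. The names BGP-TO-OSPF and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are constructed placeholders; the AS and OSPF process numbers are the ones from the reply's sample.

```cisco
! Added example: constructed placeholder prefixes (documentation ranges).
! List exactly the BGP-learned prefixes the IGP is allowed to carry.
ip prefix-list BGP-TO-OSPF seq 10 permit 192.0.2.0/24
ip prefix-list BGP-TO-OSPF seq 20 permit 198.51.100.0/24
!
! Sequence 10 accepts only routes matching the prefix-list and tags them
! so they can be recognised (and filtered) if they are ever redistributed
! back toward BGP.
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list BGP-TO-OSPF
 set tag 65345
!
! Explicit deny for everything else. A route-map ends with an implicit
! deny, so this line only makes the intent visible in the config.
route-map BGP-TO-OSPF deny 20
!
router bgp 65345
 ! Needed only if iBGP-learned routes must be redistributed.
 bgp redistribute-internal
!
router ospf 100
 ! Without the route-map, every BGP route would be injected into OSPF.
 redistribute bgp 65345 subnets route-map BGP-TO-OSPF
```

After applying it, `show ip ospf database external` should list only the permitted prefixes as external LSAs originated by this router.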
