Multihoming question: controlling traffic with BGP vs HSRP

Unanswered Question
Jun 5th, 2009

Hi,

This may well be a stupid question, but imagine this:

I have Router1-ISP1 and Router2-ISP2.

My goal is that all egress traffic should flow through Router1-ISP1. In case of failure, Router2-ISP2 should be used.

I could influence routes with BGP attributes such as localpreference or weight.

Instead, why not just use HSRP and set Router1-ISP1 as active and Router2-ISP2 standby?

Then the ingress traffic:

If I understand correctly, influencing ingress traffic is not a straightforward process since it depends on agreement with the ISP.

So my question is, why use BGP attributes for control of egress traffic if HSRP could be used in this case? What is wrong with my rationale?

Giuseppe Larosa Fri, 06/05/2009 - 10:37

Hello Marlon,

Using HSRP combined with BGP in a scenario like yours can be an acceptable solution.

Actually, on the CCO web site there are configuration examples that describe this.

Pro:

Simplicity of the solution; ideal if the intranet is made of a set of client VLANs or has to go through a firewall.

Disadvantages:

Local scope: if the intranet has other network devices inside, you may need to decide to publish a default route in an IGP.

The first level of devices in the internal LAN can have a default route using the HSRP VIP as the IP next hop.

So if the size of the intranet and the number of internet exit points are bigger (for example, there is another pair of internet routers in another site/town), the complexity of injecting a default route in an IGP can be justified, and if there are no firewall constraints it may be done directly on the internet edge routers.

About BGP tuning: it is wise to have an iBGP session between the two internet edge routers, so that in case a specific route is missing on the R1 eBGP session, traffic can be sent to R2.

Hope to help

Giuseppe

Joseph W. Doherty Fri, 06/05/2009 - 17:15

Sure, you can do that. Although, if it's acceptable, even if not desired, for return traffic to come via the other router, why attempt to force traffic out just one ISP?

BTW, recall there might be a new(er) BGP feature that will conditionally advertise your network(s) to ISPs. It should allow you to force all ingress traffic across one ISP with failover to the other.

By default HSRP flips to the second gateway only when the primary HSRP fails. This can be addressed by HSRP monitoring the WAN interface up/down (usually simple to do).

The WAN interface might stay up but lose its logical connection to the WAN. This can be addressed by HSRP using object tracking (somewhat more complex to do, and requires a later IOS).

As Giuseppe notes, there's the possible (hopefully rare) issue of some network(s) being unreachable on one ISP but reachable via the other. There is no easy solution using just HSRP. It can be solved, as Giuseppe also notes, if you have full Internet BGP route tables, and doing so you would no longer need the other HSRP WAN tracking options. (You can also use OER/PfR.)
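The pieces both replies describe (HSRP on the inside interface, tracking of the ISP uplink so the VIP moves when the WAN is logically down, an iBGP session between the two edge routers, and local preference to keep egress on ISP1) fit together in one Router1 configuration. The following is an added illustration, not a CCO example and not configuration from either poster; the AS numbers, interface names, RFC 5737 documentation prefixes (192.0.2.0/24, 203.0.113.0/24) and the 10.0.0.0/24 inside LAN are all constructed placeholders, and the `ip sla` / `track` syntax assumes a 12.4(20)T-or-later IOS, as Joseph's remark about object tracking needing a later IOS implies.

```ios
! ---- Router1 (active HSRP gateway, preferred egress via ISP1) ----
! Object tracking: probe a reachable address on the ISP1 side so the
! VIP fails over even when the WAN interface itself stays up/up.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
 description Uplink to ISP1 (placeholder addressing)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside LAN; hosts use the HSRP VIP 10.0.0.1 as default gateway
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop below Router2's default priority of 100 when the probe fails.
 standby 1 track 1 decrement 20
 ! Simpler alternative (interface up/down only, per Joseph's first option):
 ! standby 1 track GigabitEthernet0/0 20
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 ! eBGP to ISP1; raise local-preference so both routers prefer this exit.
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 route-map ISP1-IN in
 ! iBGP to Router2 (Giuseppe's point): prefixes missing from ISP1 are
 ! still reachable through Router2's ISP2 session, and vice versa.
 neighbor 10.0.0.3 remote-as 65000
 neighbor 10.0.0.3 next-hop-self
!
route-map ISP1-IN permit 10
 set local-preference 200
!
! Anchor the advertised aggregate so the network statement is always valid.
ip route 203.0.113.0 255.255.255.0 Null0
```

Router2 mirrors this with HSRP priority left at 100, no preempt needed, its own eBGP session to ISP2 at the default local preference of 100, and the iBGP peering back to 10.0.0.2. Because Router2 learns ISP1 paths from Router1 with local preference 200, it forwards Internet-bound traffic across the LAN to Router1 while ISP1 is healthy; when the ISP1 session drops, those iBGP paths disappear and Router2 falls back to its own ISP2 routes, independently of whether the HSRP VIP has moved. The tracked probe handles the case the HSRP-only design misses: the uplink stays up/up but nothing beyond it answers.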
