Multihoming with ASA5500 Scenario

Hi,

The company where I work is in the process of becoming an Autonomous System. We'll request an AS number and an IP block from the RIR.
I've attached a picture which shows what we are thinking of doing.
Today we already have these two ASAs running as active/failover, connected to only one ISP through a Cisco router which has only a default route.
Basically I'm adding a second router connected to a second ISP.
Here are our requirements:
- We don't want full internet routes.
- We should load-balance upstream and downstream traffic; however, failover is the most important.

These are our thoughts:
1) Obviously we need BGP.
2) Suppose we have a /22 block. We want to propagate a /23 to each ISP, and if the router or link to one ISP fails, it should propagate the /22 to the other ISP. Is that possible? Could you point me to any paper to read or some example of that?
3) There's an option to propagate the /22 to one ISP and have the second ISP just as a backup. Is this better than the previous option?
4) Since the ASA5500 doesn't have BGP, we are thinking of running OSPF/EIGRP between the border routers and the ASA and distributing a default route to the ASA. And this is the most confusing part to me: if we are dividing the /22 into two /23s, how will it decide where to send traffic? In fact I'm still not "seeing" how this scenario could work. I would like to hear your opinion on whether this is the best thing to do and, if not, what is recommended.

I appreciate any thoughts

Thanks

Marcelo

johnnylingo Fri, 02/05/2010 - 13:50

4) Since the ASA5500 doesn't have BGP, we are thinking of running OSPF/EIGRP between the border routers and the ASA and distributing a default route to the ASA. And this is the most confusing part to me: if we are dividing the /22 into two /23s, how will it decide where to send traffic? In fact I'm still not "seeing" how this scenario could work. I would like to hear your opinion on whether this is the best thing to do and, if not, what is recommended.

Yes, this is the problem. If you're just going with a default route to the Internet and both routers are originating it, you have no control over which ISP it takes unless you implement Policy-Based Routing (PBR) at each border router.

Another problem is that you're not looking at the destination address to make intelligent routing decisions. For example, let's say you use ISP A's DNS server as a forwarder. You may end up using ISP B to then access ISP A. That doesn't make much sense.

This would be my suggestion:

1) Configure both border routers and the ASA for either OSPF or EIGRP. Have both border routers originate a default route.

2) Configure both border routers to get customer-only routes from each ISP. The ISP will generally be able to do this for you, but if not, you can configure it on the router yourself using as-path access lists. The number of routes you receive will depend on the size of the ISP, but it should be between 100 and 5,000. That only takes up a couple of MB of memory.

3) Redistribute these BGP routes into OSPF or EIGRP. This will ensure the ASA always takes ISP A to get to ISP A and ISP B to get to ISP B (unless one of them is down).

4) Keep your outbound BGP announcement simple, and just announce the /22 to both ISPs. This will allow outside networks to always have the best path to you.
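The four steps above, written out as one Cisco IOS / ASA configuration. This is an added illustration, not configuration from the thread or from the poster's network: the AS numbers (65010 for the customer, 65001 for ISP A, 65002 for ISP B), the 198.18.0.0/22 block, the peering addresses and the 10.0.0.0/24 segment shared by the two border routers and the ASA are all placeholders, and OSPF is used as the IGP.

```cisco
! ---- BORDER-A (IOS) ---------------------------------------------------------
! Placeholders (not from the thread): AS 65010 = our AS, AS 65001 = ISP A,
! 198.18.0.0/22 = our RIR block, 192.0.2.1 = ISP A's peer address,
! 10.0.0.0/24 = the segment shared by both border routers and the ASA.
hostname BORDER-A
!
interface GigabitEthernet0/0
 description ISP-A
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Shared segment towards the ASA and BORDER-B
 ip address 10.0.0.2 255.255.255.0
!
! Pull-up route: keeps the whole /22 in the RIB so the BGP "network"
! statement always fires, even if only part of the block is in use inside.
ip route 198.18.0.0 255.255.252.0 Null0 250
!
! Step 2, done locally: "customer-only" = what ISP A originates itself plus
! what its directly attached customers originate (one AS hop). Everything
! else, i.e. the rest of the Internet behind ISP A, is dropped.
ip as-path access-list 10 permit ^65001$
ip as-path access-list 10 permit ^65001_[0-9]+$
!
! Step 4: announce only our own aggregate, never anything learned from an ISP.
ip prefix-list ONLY-OUR-22 seq 5 permit 198.18.0.0/22
!
router bgp 65010
 bgp log-neighbor-changes
 network 198.18.0.0 mask 255.255.252.0
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 description ISP-A
 neighbor 192.0.2.1 filter-list 10 in
 neighbor 192.0.2.1 prefix-list ONLY-OUR-22 out
!
! Step 1: default towards ISP A, tied to the ISP-facing interface so it is
! removed from the RIB (and OSPF stops originating it) when the link drops.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.0.2.1
!
router ospf 1
 router-id 10.0.0.2
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.255 area 0
 ! Step 3: the eBGP routes from ISP A go into OSPF, tagged with the ISP's AS.
 redistribute bgp 65010 subnets route-map BGP-TO-OSPF
 ! No "always": the default is only advertised while one exists in the RIB.
 default-information originate metric 10
!
route-map BGP-TO-OSPF permit 10
 set tag 65001
 set metric-type type-1
!
! ---- BORDER-B -------------------------------------------------------------
! Mirror image of the above with AS 65002, ISP B's peer address, as-path
! list ^65002$ / ^65002_[0-9]+$, and "default-information originate metric 20"
! so that BORDER-A is the preferred exit and BORDER-B the failover exit.
!
! ---- ASA (active unit; replicated to the standby by failover) --------------
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.10 255.255.255.0 standby 10.0.0.11
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 log-adj-changes
```

Two checks worth running once this is up: `show ip bgp` on BORDER-A should list only paths of the form `65001` or `65001 N` (plus the default if the ISP sends one), and `show route` on the ASA should show ISP A's customer prefixes as `O E1` routes via 10.0.0.2, ISP B's via 10.0.0.3, and a single `O*E2` default via the router with the lower metric. Two caveats: the one-hop as-path filter is a rough approximation of an ISP's customer cone (customers behind a second transit AS are missed), so the community-based customer feed the ISP can give you is preferable; and a static default tied to the interface only protects against the link going down, not against ISP A's upstream dying while the link stays up, which is why the BGP session (with BFD or short timers) is the better trigger for failover.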

johnnylingo Fri, 02/05/2010 - 13:57

Also, if you don't like the idea of having Internet routes on the ASA, just take these steps:

1) Configure HSRP, VRRP, or GLBP on the border routers. Use the shared IP as the ASA's default gateway (or configure the ASA as an OSPF stub).

2) Configure iBGP between the border routers.

3) The border routers will use BGP attributes (weight, local preference, AS path) to select the best path.
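The three steps of this alternative as an IOS / ASA configuration. Again this is an added example rather than anything from the thread: the AS numbers (65010 ours, 65001 ISP A, 65002 ISP B), the 198.18.0.0/22 block, the 10.0.0.0/24 shared segment with 10.0.0.1 as the HSRP virtual address and 10.0.0.2 / 10.0.0.3 for BORDER-A / BORDER-B are placeholders, and it assumes each ISP sends 0.0.0.0/0 over the BGP session.

```cisco
! ---- BORDER-A (IOS): HSRP towards the ASA + iBGP to BORDER-B ---------------
! Placeholders (not from the thread): AS 65010 = our AS, 65001 = ISP A,
! 198.18.0.0/22 = our block, 192.0.2.1 = ISP A's peer, 10.0.0.1 = HSRP VIP,
! 10.0.0.2 = BORDER-A, 10.0.0.3 = BORDER-B.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description ISP-A
 ip address 192.0.2.2 255.255.255.252
!
! Step 1: HSRP. BORDER-A is active (110 > BORDER-B's 100) while its ISP link
! is up; losing the link decrements it to 90 and BORDER-B takes over the VIP.
interface GigabitEthernet0/1
 description Shared segment towards the ASA and BORDER-B
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
!
ip route 198.18.0.0 255.255.252.0 Null0 250
ip prefix-list ONLY-OUR-22 seq 5 permit 198.18.0.0/22
ip as-path access-list 10 permit ^65001$
ip as-path access-list 10 permit ^65001_[0-9]+$
!
router bgp 65010
 bgp log-neighbor-changes
 network 198.18.0.0 mask 255.255.252.0
 ! eBGP to ISP A: customer routes plus the default ISP A sends us.
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 filter-list 10 in
 neighbor 192.0.2.1 route-map ISP-A-IN in
 neighbor 192.0.2.1 prefix-list ONLY-OUR-22 out
 ! Step 2: iBGP. Each router hands the other what it learned from its ISP;
 ! next-hop-self so the peer does not need a route to the ISP link subnet.
 neighbor 10.0.0.3 remote-as 65010
 neighbor 10.0.0.3 next-hop-self
!
! Step 3: local preference decides. ISP A's routes (and its default) win at
! 200; BORDER-B tags ISP B's routes with 100, so they are used only for
! prefixes ISP A does not know, or when the ISP A session is gone.
route-map ISP-A-IN permit 10
 set local-preference 200
!
! ---- BORDER-B: mirror image; the lines that differ ------------------------
! ip address 10.0.0.3, standby 1 priority 100, standby 1 preempt,
! neighbor <ISP B peer> remote-as 65002 with filter-list ^65002$ /
! ^65002_[0-9]+$ and route-map ISP-B-IN (set local-preference 100),
! neighbor 10.0.0.2 remote-as 65010 with next-hop-self.
!
! ---- ASA: no routing protocol, no Internet routes, just the HSRP VIP --------
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
```

With this layout the ASA never sees more than one route, and the intelligence sits entirely on the border routers: `show ip bgp 0.0.0.0` on BORDER-A should show the ISP A default as best (local preference 200) with the ISP B default learned over iBGP as the alternative. Note the two failure modes behave differently: if ISP A's link goes down, HSRP moves the VIP to BORDER-B; if the link stays up but the ISP A BGP session drops, BORDER-A remains HSRP active and simply forwards everything across the shared segment to BORDER-B via the iBGP-learned routes, which works but doubles the traffic on that segment. If the ISPs will not send a default over BGP, add a static default on each router tied to its ISP-facing interface instead.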
