BGP routing design question

Answered Question
Aug 2nd, 2010

Hi Everyone,


I was wondering if I could get some help with a BGP config.


In one of our offices, they have a single Internet connection (10Mb), DMZ, and LAN.


They're in the process of setting up some new web servers in the DMZ and a new/2nd Internet connection (4Mb).


This office wants to have the new DMZ web servers go out the new/2nd Internet connection. Everything else (existing DMZ server traffic, user web browsing, site-to-site VPN traffic, etc) should go out the existing 10Mb Internet connection.


Network diagrams are attached here.


I'm much more of a BGP noob than I'd like to be, but am thinking that it may be needed to meet their requirements.


Would I be able to advertise the new DMZ web servers as /32 networks via BGP and have it be preferred to go in and out the 4Mb link and then advertise the rest of their network as a /24 (or whatever the ISP provides) and have that go in and out the 10Mb link?


Would this work? If so, could someone provide some guidelines as to what needs to be configured in BGP to get this working as needed?


Thanks for the help!


Pete

Nagaraja Thanthry Mon, 08/02/2010 - 19:32
User Badges:
  • Cisco Employee,

Hello,


I guess you need to use PBR for sending traffic from the DMZ server to the second ISP.


access-list 101 permit ip host <new-DMZ-server-IP> any
route-map DMZ permit 10
 match ip address 101
 set ip next-hop <second-ISP-next-hop-IP>
interface <interface-facing-the-ASA>
 ip policy route-map DMZ


This will make sure that all the DMZ server traffic will exit through the second ISP. In order for you to get the traffic through the second ISP, you can advertise the IPs via BGP as you had mentioned in your post.


Hope this helps.


Regards,


NT

priedman1 Tue, 08/03/2010 - 06:27

Hi Nagaraja,


All DMZ servers (the current ones and the new web servers being discussed) will all be on the same subnet in the DMZ and will point to the ASA as their default gateway.


I'm thinking the route manipulation should just have to be done on the routers that connect to the Internet.


Anyone else?


Thanks for the help.


Pete

Nagaraja Thanthry Tue, 08/03/2010 - 06:39
User Badges:
  • Cisco Employee,

Hello,


You are correct. You do need to make the configuration on the routers as the ASAs do not support PBR. Are these servers in the DMZ using public IPs, or are they getting NATed to a public IP on the ASA? In either case, you need to configure one of the routers for PBR. Alternatively, if you have an L3 switch that connects the routers and the ASA, you can make that the default gateway for the ASA and then configure PBR over there.


Hope this helps.


Regards,


NT

Correct Answer
Mohamed Sobair Tue, 08/03/2010 - 07:05
User Badges:
  • Gold, 750 points or more

Pete,


The below steps should achieve what you are looking for as well as redundancy:


1- Create 2 MHSRP groups: the primary virtual group of the new Internet link router, where the ASA should point, and the virtual secondary, where the VPN router should point (rest of the traffic). In case of a failure on the LAN, the ASA will point to the secondary; this is also applicable for the VPN router.


2- Create multiple static routes for the DMZ subnet pointing to the ASA on the primary router, all with /32 and one with /24, and advertise them both into BGP.


3- Create 1 static route for the DMZ subnet pointing to the ASA on the secondary router and advertise it into BGP.


4- Modify the local preference on the primary router for the /32 subnets and set the local preference to 500, for example.


5- Modify the local preference on the secondary router for the whole /24 subnet and set it to 500, for example.



With the above, you will ensure all DMZ traffic traverses the primary router's new Internet link and have the backup router as redundancy; you will also ensure traffic from outside into your network prefers the primary Internet link for /32 subnets, leaving the rest of the traffic traversing the secondary router.



HTH

Mohamed
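As an added illustration (not code from this thread or from Cisco), the following Python models the split Pete asks for, combining Nagaraja's PBR for the outbound direction with the /32-plus-/24 advertisements from the steps above for the inbound direction. It assumes constructed addresses from 203.0.113.0/24 and that an upstream drops prefixes longer than a configurable maximum (commonly /24), so the case where the /32 is never carried can be checked.

```python
from ipaddress import ip_address, ip_network

ISP_10MB = "10Mb link"   # existing connection, carries the whole /24
ISP_4MB = "4Mb link"     # new connection, meant for the new DMZ web servers

# Constructed addresses from the documentation range 203.0.113.0/24 (assumption).
OFFICE_NET = ip_network("203.0.113.0/24")
NEW_WEB_SERVERS = {ip_address("203.0.113.50"), ip_address("203.0.113.51")}

# Steps 2/3 of the answer: each new server as a /32 on the 4Mb router,
# the whole /24 on the 10Mb router. Entries are (link, prefix).
ADVERTISED = [(ISP_4MB, ip_network(f"{h}/32")) for h in NEW_WEB_SERVERS]
ADVERTISED.append((ISP_10MB, OFFICE_NET))

def carried_routes(max_prefixlen=24):
    """What the upstreams actually accept: anything longer than the maximum
    is dropped (assumption: many providers filter beyond /24)."""
    return [(link, net) for link, net in ADVERTISED if net.prefixlen <= max_prefixlen]

def inbound_link(dst, max_prefixlen=24):
    """Internet side: longest-prefix match decides which link traffic arrives on."""
    dst = ip_address(dst)
    matches = [(net.prefixlen, link) for link, net in carried_routes(max_prefixlen)
               if dst in net]
    return max(matches)[1] if matches else None

def outbound_link(src):
    """Router side, Nagaraja's PBR: new web server sources are policy-routed to
    the 4Mb link; everything else follows the default route to the 10Mb link."""
    return ISP_4MB if ip_address(src) in NEW_WEB_SERVERS else ISP_10MB

def symmetric(host, max_prefixlen=24):
    """True when a host's inbound and outbound links agree. A stateful ASA in
    the path is why an asymmetric pair is the failure mode to watch for."""
    return inbound_link(host, max_prefixlen) == outbound_link(host)

if __name__ == "__main__":
    for host in ("203.0.113.50", "203.0.113.20"):
        for maxlen in (32, 24):
            print(host, f"upstream max /{maxlen}:",
                  "in", inbound_link(host, maxlen), "out", outbound_link(host),
                  "symmetric" if symmetric(host, maxlen) else "ASYMMETRIC")
```

When the upstream will not carry the /32, inbound traffic for the new server still arrives on the 10Mb link while PBR sends its replies out the 4Mb link; symmetric() flags that combination, which matters when a stateful ASA sits in the path.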

priedman1 Thu, 08/05/2010 - 21:17

Hi Mohamed,


Thank you for the information.


I spoke with the ISP tonight and they said that in order to do this, we'd have to purchase our own AS # which the business is not interested in doing at this time so no BGP for us for now.


Your suggestion with MHSRP & the BGP config looked like it was just what we needed though.


Regards,


Pete

Mohamed Sobair Fri, 08/06/2010 - 04:39
User Badges:
  • Gold, 750 points or more

Hi Pete,


You don't need a registered AS number; your ISPs can both agree on a private AS number of yours. You would only need your provider-independent subnet.


It's very rare to have both of your ISPs accept different prefixes, but it's possible in certain situations.



HTH

Mohamed
