Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

BGP multi-homing with two different providers – iBGP and traversal question.

I have two internet connections.  Both connections are with different providers and on two separate routers.  I have two ASA’s that sit behind the routers and I proxy arp all hosted services off of the ASA’s outside interface.

I am obtaining a provider independent AS number from ARIN and would like to setup eBGP peering with each provider, accepting a default route only and advertise my leased block (let’s say 50.100.150.0/24).  I’d like to prepend my AS  on the ISP-B connection to ensure that it is only used as backup.

Here is the real question.  I know I will need to allow TCP-179 through the ASA’s to establish the iBGP connection but because the hosts that I have at site A are proxy-arp’d off of the firewall outside interface, I need some way for traffic to come in from ISP-B, to router B and then traverse over to router A so that it can be sent to ASA-Firewall A.  (please see attached diagram).  What is the best way to accomplish this?  GRE tunnel between the routers & through the firewalls?  I have ample bandwidth and low latency between site A and B.

Thanks

Everyone's tags (5)
3 REPLIES

BGP multi-homing with two different providers – iBGP and trave

I run iBGP between the routers in the 50.100.150.0/24 network. There's no technical need to have iBGP running on your internal network.

Silver

BGP multi-homing with two different providers – iBGP and trave

Is that orange line a direct connection between CPE routers? If yes, a direct iBGP connection is possible. If not, I suggest that you obtain one as it is almost impossible to make the ASAs stay in sync with BGP routing. (-: If you can't, then GRE could be a workaround.

Is ASA redundancy a requirement too? (I mean in case ASA-A fails, are the site-A servers supposed to be accessible via ASA-B?) If yes, you must ensure that the outgoing traffic (default route in internal network) is in sync with active ISP and asymmetric routing is prevented. You can solve that with object tracking and you need the same static NATs in both ASAs.

I would consider creating shared VLANs on ASA interfaces and form a failover pair too but it's a different setup.

BGP multi-homing with two different providers – iBGP and trave

be careful with your setup is you may end up blackwhole your traffic because you have FWs in the path

are these fairewalls statful or not ? are they clustered or standalone ?

1415
Views
0
Helpful
3
Replies