I have such a network topology:
Whenever the Out2----ISP2 link is down, the Int2 router will go out through Out1, and vice versa. How am I going to accomplish that?
Int1 default route to FW1, FW1 default route to Out1
Int2 default route to FW2, FW2 default route to Out2
Int1 and Int2 are running OSPF
Out1 and Out2 are running BGP with ISP1 and ISP2
interface FastEthernet0/0
 description connect to FW1
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/1
 description connect to ISP1
 ip address 22.214.171.124 255.255.255.240
!
router bgp 65000
 ! Internal networks
 network x.66.0.0 mask 255.255.224.0
 network x.66.192.0 mask 255.255.224.0
 neighbor 126.96.36.199 remote-as 721
 neighbor 126.96.36.199 description ISP1
!
! Default toward ISP1
ip route 0.0.0.0 0.0.0.0 188.8.131.52
! Internal networks via FW1
ip route 184.108.40.206 255.255.224.0 10.10.10.2
ip route 220.127.116.11 255.255.224.0 10.10.10.2
I don't want to run any routing protocol on the FW. Is running IBGP between Out1 and Out2 enough?
I don't see any problem with your design. You have all the routing protocols you need. However, I don't think you should be configuring default static routes in your OUTn. That's what has to change in case a problem occurs. Normally they should be pointing towards the respective ISPs. If ISP1 fails, the default for OUT1 should be OUT2.
Hope this helps.
Thanks for your input. Static routes are the only way now to create the IP routing table outside the FW, and it has worked out fine for 2 years now.
The problem is that whenever an ISP link goes down, I have to advertise my internal network through the other ISP link, point the internal router's default gateway to the other internal router instead of its FW, and exit from the working ISP link.
Here is my goal: I want the internal router (Int) to detect that the link to the ISP is down, and Int will turn to its closest (or best cost) internal router and exit from there. How do I do that?
This means that the default inside your AS has to be dynamic. I can only think of IBGP on the INT routers or redistribution from BGP to OSPF. That default will change only by injecting a default from the OUT routers.
I was thinking about that too. If I go for IBGP on the INT routers, I have to do an extensive change since I have tons of Int routers. If I go for the redistribution route, I have to set up OSPF on the outside routers and FW in area 0. That defeats the purpose of a secure network. (The Out router is totally out of any IGP.)
Is there a way to set up an IGP neighbor relationship (either OSPF or EIGRP) between the Out router and the Int router even though they are on different networks? This way it will dynamically change the default route when it detects BGP changes?
The next hop can be provided using static routes and redistributing them into OSPF. Alternatively, you can make the interface passive. BTW, GRE can be useful even with BGP.
BGP configuration rules require all BGP speakers in an AS (your two outside routers at this point) to be IBGP peers. You can run BGP through firewalls, even with NAT if you are careful (see chapter 9 of my book High Availability Networking with Cisco, for some extreme examples).
The "standard" approach to a setup like yours is to also set up IBGP peering to a few routers inside the firewalls which would then inject an appropriate default route into your routing protocol to direct traffic to the appropriate firewall/outside router. There are multiple examples in Halabi's Internet Routing Architectures book, another must-have book for anyone doing a non-trivial BGP configuration (and yours definitely qualifies as non-trivial).
Unfortunately, there is no "cookbook" solution because you will need to make some hard tradeoffs between availability, load sharing, and cost/complexity and you only get to optimize two of the three.
Good luck and have fun!
Vincent C Jones
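The design described in the replies above (the earlier note that Out1's default should fall back to Out2 when ISP1 fails, the point that a default inside the AS must be dynamic, and Vincent's IBGP peering between Out1 and Out2 plus IBGP to routers inside the firewalls that inject a default into the IGP), written out as an added IOS configuration sketch. This is not configuration from the original thread or from either book. Assumed values, none of which appear in the thread: an Out1-Out2 link 10.10.20.0/30, Int1's FW1-facing interface 10.30.30.2 with FW1's inside address 10.30.30.1, and 198.51.100.0/24 standing in for a prefix ISP1 actually advertises. The ISP1 neighbor and next-hop addresses are the ones from the original post, and 10.10.10.2 is FW1's outside address implied by its static routes.

```cisco
! ===== Out1 (Out2 is the mirror image, facing ISP2 and Int2) =====
! A prefix ISP1 advertises and withdraws together with its link;
! 198.51.100.0/24 is a constructed placeholder, use a real ISP1 prefix.
ip prefix-list ISP1-PFX seq 5 permit 198.51.100.0/24
!
route-map ISP1-UP permit 10
 match ip address prefix-list ISP1-PFX
!
! Int1 should only ever see 0.0.0.0/0 from Out1, never the ISP table
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
router bgp 65000
 neighbor 126.96.36.199 remote-as 721
 neighbor 126.96.36.199 description ISP1
 ! IBGP with Out2 over an assumed direct link, 10.10.20.0/30 (placeholder)
 neighbor 10.10.20.2 remote-as 65000
 neighbor 10.10.20.2 next-hop-self
 ! IBGP with Int1 through FW1 (FW1 must permit TCP/179 between these two
 ! addresses); 10.30.30.2 is a placeholder for Int1's FW1-facing interface.
 ! The default is sent only while a route matching ISP1-UP is in the RIB,
 ! so it is withdrawn when ISP1's prefixes disappear from BGP.
 neighbor 10.30.30.2 remote-as 65000
 neighbor 10.30.30.2 default-originate route-map ISP1-UP
 neighbor 10.30.30.2 prefix-list DEFAULT-ONLY out
!
! Reach Int1 through FW1 (10.10.10.2 is FW1's outside address in the post)
ip route 10.30.30.0 255.255.255.252 10.10.10.2
! Primary default toward ISP1; the floating static (AD 250) toward Out2
! only takes over when the ISP1 next hop stops being resolvable (link down).
! An upstream failure with the link still up leaves the primary in place,
! which is why the inside default is tied to the BGP-learned prefix above
! and not to this static.
ip route 0.0.0.0 0.0.0.0 188.8.131.52
ip route 0.0.0.0 0.0.0.0 10.10.20.2 250

! ===== Int1 (Int2 is the mirror image, peering with Out2) =====
! Remove the static default toward FW1: an AD-1 static would always beat
! the AD-200 IBGP default and make the OSPF origination below unconditional.
! Keep a static for Out1's subnet so the BGP next hop (10.10.10.1) stays
! reachable; 10.30.30.1 is a placeholder for FW1's inside address.
ip route 10.10.10.0 255.255.255.0 10.30.30.1
!
router bgp 65000
 neighbor 10.10.10.1 remote-as 65000
 neighbor 10.10.10.1 description Out1 via FW1
!
router ospf 1
 ! Without "always", OSPF originates 0/0 only while some default route is
 ! present in the RIB, i.e. while Out1 is still sending one. A type-1
 ! external metric accumulates path cost, so each OSPF router prefers
 ! whichever of Int1/Int2 is still originating and is nearest, which is
 ! the "closest (or best cost) internal router" behaviour asked for above.
 default-information originate metric 10 metric-type 1
```

To check it in a lab, confirm on Int1 that show ip route 0.0.0.0 shows the default as a BGP route via 10.10.10.1 while ISP1 is up, then shut Out1's FastEthernet0/1: Out1 withdraws the default, Int1 stops originating it into OSPF, and the same command on Int1 should now show an OSPF external default pointing toward Int2. Only Out1, Out2, Int1 and Int2 speak BGP, and the firewalls carry nothing but one TCP/179 session each, so no IGP ever touches the outside routers or the firewalls.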
Thanks for your input, Vincent. Security is definitely my primary concern. That's why I am not running any routing protocol on the outside routers, to keep them separate from the inside routers.
I will definitely check out Halabi's book and your book and see what other options I have without traumatizing my network.