08-02-2010 07:17 PM - edited 03-04-2019 09:17 AM
Hi Everyone,
I was wondering if I could get some help with a BGP config.
In one of our offices, they have a single Internet connection (10Mb), DMZ, and LAN.
They're in the process of setting up some new web servers in the DMZ and a new /2nd Internet connection (4Mb)
This office wants to have the new DMZ web servers go out the new/2nd Internet connection. Everything else (existing DMZ server traffic, user web browsing, site-to-site VPN traffic, etc) should go out the existing 10Mb Internet connection.
Network diagrams are attached here.
I'm much more of a BGP noob than I'd like to be but am thinking that it may be needed to meet their requirements.
Would I be able to advertise the new DMZ web servers as /32 networks via BGP and have it be preferred to go in and out the 4Mb link and then advertise the rest of their network as a /24 (or whatever the ISP provides) and have that go in and out the 10Mb link?
Would this work? If so, could someone provide some guidelines as to what needs to be configured in BGP to get this working as needed?
Thanks for the help!
Pete
08-03-2010 07:05 AM
Pete,
The below steps should achieve what you are looking for as well as redundancy:
1- Create 2 MHSRP groups: the primary virtual group on the new Internet link router, where the ASA should point, and the secondary virtual group, where the VPN router should point (rest of the traffic). In case of a failure on the LAN, the ASA will point to the secondary; this is also applicable for the VPN router.
2- Create multiple static routes for the DMZ subnet pointing to the ASA on the primary router, all with /32 and one with /24; advertise them both into BGP.
3- Create 1 static route for the DMZ subnet pointing to the ASA on the secondary router and advertise it into BGP.
4- Modify the local preference on the primary router for the /32 subnets and set the local preference to 500, for example.
5- Modify the local preference on the secondary router for the whole /24 subnet and set it to 500, for example.
With the above, you will ensure all DMZ traffic traverses the primary router's new Internet link and have the backup router as redundancy. You will also ensure traffic from outside into your network prefers the primary Internet link for the /32 subnets, leaving the rest of the traffic traversing the secondary router.
HTH
Mohamed
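The steps above written out as IOS configuration for the two Internet routers, as an added example that is not part of the thread: it assumes 203.0.113.0/24 is the office's provider-independent block, 203.0.113.10 and .11 are the new DMZ web servers, the ASA outside address is 192.0.2.2 on a segment shared with both routers, the office uses private AS 65001 (as Mohamed suggests in his later reply), and the ISP neighbor addresses and AS numbers are constructed placeholders.

```cisco
! Primary router (terminates the new 4Mb link; ASA's default gateway lives here)
interface GigabitEthernet0/0
 description Shared segment: ASA outside, VPN router, both Internet routers
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 2 ip 192.0.2.254
 standby 2 priority 90
 standby 2 preempt
!
! Step 2: one /32 per new web server plus the whole /24, all via the ASA outside address
ip route 203.0.113.10 255.255.255.255 192.0.2.2
ip route 203.0.113.11 255.255.255.255 192.0.2.2
ip route 203.0.113.0 255.255.255.0 192.0.2.2
!
! Step 4: local preference 500 only for the /32s; the /24 keeps the default of 100
ip prefix-list DMZ-HOSTS seq 5 permit 203.0.113.0/24 ge 32
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list DMZ-HOSTS
 set local-preference 500
route-map STATIC-TO-BGP permit 20
!
router bgp 65001
 redistribute static route-map STATIC-TO-BGP
 neighbor 198.51.100.1 remote-as 64501
 neighbor 192.0.2.4 remote-as 65001
!
! Secondary router (existing 10Mb link; VPN router's default gateway lives here)
interface GigabitEthernet0/0
 ip address 192.0.2.4 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 90
 standby 1 preempt
 standby 2 ip 192.0.2.254
 standby 2 priority 110
 standby 2 preempt
!
! Steps 3 and 5: only the /24 here, with local preference 500 on this router
ip route 203.0.113.0 255.255.255.0 192.0.2.2
ip prefix-list DMZ-NET seq 5 permit 203.0.113.0/24
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list DMZ-NET
 set local-preference 500
!
router bgp 65001
 redistribute static route-map STATIC-TO-BGP
 neighbor 198.51.100.5 remote-as 64502
 neighbor 192.0.2.3 remote-as 65001
```

The /32s are only originated by the primary router, so inbound traffic for the new web servers follows the 4Mb link as long as the ISP accepts those announcements; the ISP side is a separate agreement, as Mohamed's later reply notes.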
08-02-2010 07:32 PM
Hello,
I guess you need to use PBR for sending traffic from the DMZ server to the second ISP.
access-list 101 permit ip host
ip policy route-map DMZ
exit
This will make sure that all the DMZ server traffic will exit through the second ISP. In order for you to get the traffic through the second ISP, you can advertise the IPs via BGP as you had mentioned in your post.
Hope this helps.
Regards,
NT
08-03-2010 06:27 AM
Hi Nagaraja,
All DMZ servers (the current ones and the new web servers being discussed) will all be on the same subnet in the DMZ and will point to the ASA as their default gateway.
I'm thinking the route manipulation should just have to be done on the routers that connect to the Internet.
Anyone else?
Thanks for the help.
Pete
08-03-2010 06:39 AM
Hello,
You are correct. You do need to make the configuration on the routers as the ASAs do not support PBR. Are these servers in the DMZ using public IPs, or are they getting NAT'ed to public IPs on the ASA? In either case, you need to configure one of the routers for PBR. Alternatively, if you have an L3 switch that connects the routers and the ASA, you can make that the default gateway for the ASA and then configure PBR over there.
Hope this helps.
Regards,
NT
08-05-2010 09:17 PM
Hi Mohamed,
Thank you for the information.
I spoke with the ISP tonight and they said that in order to do this, we'd have to purchase our own AS # which the business is not interested in doing at this time so no BGP for us for now.
Your suggestion with MHSRP & the BGP config looked like it was just what we needed though.
Regards,
Pete
08-06-2010 04:39 AM
Hi Pete,
You don't need a registered AS number; your ISPs can both agree on a private AS number of yours. You would only need your provider-independent subnet.
It's very rare to have your ISPs both accept different prefixes, but it's possible in certain situations.
HTH
Mohamed