Cisco Support Community

WAN config BGP EIGRP config validation

Hello

I am preparing to implement a new WAN solution and want to make sure the config looks correct.

The Topology is ISP - ASR - DMZ 3750x stack (L2) - ASA - Data Center

At your earliest convenience please review the BGP, EIGRP and HSRP configurations and provide any expertise you can to assure the success of this new WAN install.

Please see attached PDF.

sMc
8 REPLIES

Hello.

The text inside PDF has really poor quality. Could you please provide configuration in text?

Why do you need 2 track objects on ASRs? If group 1 is primary on ASR1, then there is no reason to decrement HSRP for this group on ASR2 (and vice versa).

How do Nexus devices find the path to Internet?

PS: if you convert trunk to OTV, then you need L3 link between Nexuses; I would prepare it in advance.

Vasilii

 

Thank you for the response.

Sorry for the poor quality!

 

Now that you mention it, I am not sure we need to track (2) objects. Essentially we want to know when the WAN at site_1 drops so traffic from site_1 will use the WAN link at Site_2 and vice versa.

The Nexus, at each site, would learn its default from the ASA, which could/should advertise this to the Nexus via EIGRP. Does that sound right?

sMc
Vasilii

 

Does my response make sense to you? Does this design look valid?

 

sMc

Good morning, sMc.

New diagram has much better quality; thanks.

Regarding HSRP track: as I understood, you use 1.2.254.9 on the left part as a default gateway and .10 on the right. Both addresses are HSRP and you make left ASR active for .9 and right one active for .10:

First, you must have consistent IP/HSRP group mapping on both ASRs:

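ASR1/left:
 ! group 1 is active here and tracks the local WAN object
 standby 1 ip 1.2.254.9
 standby 1 priority 105
 standby 1 track 1 decrement 10
 standby 1 preempt
 ! group 2 is standby here; 100 is the default priority
 standby 2 ip 1.2.254.10
 standby 2 priority 100
 standby 2 preempt

ASR2/right:
 ! group 1 is standby here; 100 is the default priority
 standby 1 ip 1.2.254.9
 standby 1 priority 100
 standby 1 preempt
 ! group 2 is active here and tracks the local WAN object
 standby 2 ip 1.2.254.10
 standby 2 priority 105
 standby 2 preempt
 standby 2 track 1 decrement 10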
 

There is no need to decrement priorities (.9 IP) for both groups, as if you decrement priority on left router, right one will take over... if right one lost connectivity, there is no reason to failover back to left, as neither of them has reachability.

I see you track reachability of directly attached subnet (for primary group)... so it would go down only if interface goes down or loses IP-address. I would suggest to track reachability of some ISP's device (routed via local link) or track 0.0.0.0/0 (if you don't run iBGP).

BGP:

  • why do you use "default-originated" toward ISP?
  • you do not advertise anything to provider (no network nor redistribute statements);
  • what is inbound filtering prefix list?
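
The HSRP failover reasoning in the reply above, worked through as an added example (not part of the original post or any poster's code): a small Python model of steady-state HSRP election using the priorities and decrement from the thread. The DOUBLE_TRACK variant and the name-based tie-break are assumptions made for illustration.

```python
# Added illustration (not from the thread): steady-state HSRP election
# with preempt enabled on every group, as in the configuration above.
from itertools import product

# Per-router HSRP settings: group -> (base priority, decrement applied
# when that router's tracked WAN object is down; 0 = group not tracked).
SINGLE_TRACK = {
    "ASR1": {1: (105, 10), 2: (100, 0)},
    "ASR2": {1: (100, 0), 2: (105, 10)},
}
# Assumed variant: every group on both routers tracks the local WAN.
DOUBLE_TRACK = {
    "ASR1": {1: (105, 10), 2: (100, 10)},
    "ASR2": {1: (100, 10), 2: (105, 10)},
}

def active_router(config, group, wan_up):
    """Return the router that ends up active for `group`.

    With preempt everywhere, the highest effective priority wins.
    Real HSRP breaks ties on the higher interface IP; here the
    router name stands in for that (assumption), and no tie occurs
    with the priorities used in the thread.
    """
    def effective(router):
        base, decrement = config[router][group]
        return base if wan_up[router] else base - decrement
    return max(sorted(config), key=lambda r: (effective(r), r))

def failover_matrix(config):
    """Map (ASR1 WAN up, ASR2 WAN up) -> {group: active router}."""
    matrix = {}
    for asr1_up, asr2_up in product([True, False], repeat=2):
        wan_up = {"ASR1": asr1_up, "ASR2": asr2_up}
        matrix[(asr1_up, asr2_up)] = {
            g: active_router(config, g, wan_up) for g in (1, 2)
        }
    return matrix

if __name__ == "__main__":
    for name, cfg in (("single", SINGLE_TRACK), ("double", DOUBLE_TRACK)):
        for state, owners in failover_matrix(cfg).items():
            print(name, state, owners)
```

The two variants agree whenever at least one WAN link is up; they differ only when both links are down, where neither router has reachability anyway.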
Vasilii

Thank you for the great guidance.

 

A little background.

We currently have a single pipe for Internet and VPN.

We are moving to the design on the PDF.

The New Internet link is not operational and I am keeping the config and test completely separate from Production network.

The object(s) I am tracking are the PER IP addresses. Do I need to track both objects on each ASR?

"you do not advertise anything to provider (no network nor redistribute statements);" There is nothing currently connected to the design on the PDF. I will advertise the 1.2.x.x addresses. I will also redistribute between BGP and EIGRP.

"why do you use "default-originated" toward ISP?" I only want to receive the default gateway from the ISP(s) so I use the prefix list to accomplish this.

What would be the best way to route back from ASA to Nexus? EIGRP between ASA and Nexus?

We will use Active/Standby mode.

"What NAT configuration do you have on your ASA pairs?" Working on that!

sMc

Hello.

As I've already written, I suggest to track only one HSRP group (that is supposed to be Active) per ASR; I would configure track 0.0.0.0/0; but with dynamic routing (between ASA and ASRs), this might not be needed!

I would run static between ASA/ASRs (with track objects); and EIGRP between Nexus/ASA. But there is some other option - use OSPF/BGP for ASR to ASA routing and have EIGRP for ASA to Nexus (only default gateway should be redistributed into EIGRP). But, really it depends on your NAT/DMZ design.

Also, there is no need to run 1.2.254.0/28 on physical interfaces! You may fully use public /28 for NAT and, for transit network, use some private IP-addresses.

It's also interesting how you route back from ASA to Nexus.
Could you give a hint?

What NAT configuration do you have on your ASA pairs?

Do you plan to use Sites in Active/Active or Active/Standby mode?

Hello

 

This implementation is coming up soon. Please review this config and advise if it looks stable/correct.

 

 

sMc