  1. Senior Member
    Join Date
    Nov 2012
    Posts
    242
    #1

    HSRP used on WAN side (With BGP)

    Is it good/bad design to use HSRP for redundancy on the WAN? I've seen HSRP being used on 2 internet routers for IPsec VPNs, but never for setting up BGP (1 BGP session to the VIP of HSRP).



    Can anyone tell me if this is advisable or not and why? Is it a valid design, or is it better to use 2 BGP sessions, 1 with better metrics, etc.?

  3. Senior Member pevangel's Avatar
    Join Date
    Feb 2014
    Location
    'Murica!
    Posts
    333

    Certifications
    CCNP, JNCIP-SEC, JNCSP-SEC, CCNA Security, JNCIS-SP/ENT, ITIL
    #2
    To do this for the purpose of eliminating SPOFs, the ISP would have to deploy two PE routers or last mile switches. The cost of deploying, operating, and maintaining them would be reflected on your bill. Then, you'll have to get a couple of switches, stack them, and place between your perimeter routers and the PEs. You might already have the switches for your LAN so that saves you some money. But in the end it's still going to cost you a lot of money to have redundant connectivity in one location to the same ISP.

    For redundancy at one site, it's better to have your second perimeter router connect to a different ISP. If a second ISP is not an option, then it's still better to directly connect your perimeter routers to the PE routers and set up 2 BGP sessions. Doing FHRP with the ISP would require putting a switch in between you and the ISP, which adds another point of failure.

    There's also the issue of the ISP doing FHRP for you. If it's not a standard configuration for them, then they most likely would not do it. ISPs have a bunch of customers and one-off solutions are typically avoided.

  4. Senior Member
    Join Date
    Oct 2014
    Location
    San Francisco
    Posts
    143

    Certifications
    CCIE#14023 (R/S, Sec), JNCIE-SP #2332
    #3
    Hmmm, I don't think this would work. To establish a BGP session using a VIP, the session would have to be sourced from the VIP itself. However, when you pick the update source for BGP, the only choice is an interface. So if you point the other end to the VIP the session won't come up. The following is from a switch:

    jemclaug-hh15-c3850-(config-router)#neighbor 1.1.1.1 update-source ?
    ANI Autonomic-Networking virtual interface
    Auto-Template Auto-Template interface
    CEM-PG Circuit Emulation interface with Protection group
    Capwap Capwap tunnel interface
    GMPLS MPLS interface
    GigabitEthernet GigabitEthernet IEEE 802.3z
    InternalInterface Internal Interface
    LISP Locator/ID Separation Protocol Virtual Interface
    Loopback Loopback interface
    Null Null interface
    PROTECTION_GROUP Protection-group controller
    Port-channel Ethernet Channel of interfaces
    TenGigabitEthernet Ten Gigabit Ethernet
    Tunnel Tunnel interface
    Tunnel-tp MPLS Transport Profile interface
    Vlan Catalyst Vlans

  5. Senior Member keenon's Avatar
    Join Date
    Jun 2004
    Location
    TN
    Posts
    1,913

    Certifications
    CCIE R/S
    #4
    I have never seen or used HSRP on the WAN side. As stated, I would do 2 different ISP connections with BGP, with HSRP running on the back end (LAN side of the router). If possible, get the LOA signed by both to allow you to advertise the blocks on both sides, of course as primary/backup paths.
    Become the stainless steel sharp knife in a drawer full of rusty spoons

  6. Senior Member pevangel's Avatar
    Join Date
    Feb 2014
    Location
    'Murica!
    Posts
    333

    Certifications
    CCNP, JNCIP-SEC, JNCSP-SEC, CCNA Security, JNCIS-SP/ENT, ITIL
    #5
    You can make it work, but you won't peer using the VIPs. Create loopbacks on each set of routers. Create a static route to the loopbacks of the other routers using the VIP as the next hop, then do eBGP multihop. We've had this setup for some cloud application, but we were in control of all sides.
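The loopback, static route and eBGP multihop arrangement described in post #5, sketched as an added IOS-style example (not configuration posted by anyone in the thread). All addresses, AS numbers, interface names and HSRP group numbers are constructed from documentation ranges; only one router from each HSRP pair is shown, since the thread does not say how the standby routers' loopbacks are addressed or reached.

```cisco
! ===== Router A1: HSRP active on side A, AS 64496 (constructed values) =====
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Shared segment towards side B
 ip address 192.0.2.2 255.255.255.248
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
!
! Host route to side B's loopback; next hop is side B's HSRP VIP
ip route 198.51.100.2 255.255.255.255 192.0.2.4
!
router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
 ! The session is sourced from the loopback, not from the VIP
 neighbor 198.51.100.2 update-source Loopback0
 ! Loopback-to-loopback eBGP needs more than the default TTL of 1;
 ! a value of 2 keeps the permitted hop count as small as possible
 neighbor 198.51.100.2 ebgp-multihop 2
!
! ===== Router B1: HSRP active on side B, AS 64497 (constructed values) =====
interface Loopback0
 ip address 198.51.100.2 255.255.255.255
!
interface GigabitEthernet0/0
 description Shared segment towards side A
 ip address 192.0.2.5 255.255.255.248
 standby 2 ip 192.0.2.4
 standby 2 priority 110
 standby 2 preempt
!
! Host route to side A's loopback; next hop is side A's HSRP VIP
ip route 198.51.100.1 255.255.255.255 192.0.2.1
!
router bgp 64497
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 update-source Loopback0
 neighbor 198.51.100.1 ebgp-multihop 2
```

`show ip bgp summary` and `show standby brief` on either router confirm the session state and which router currently holds the VIP.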
