
2003594 multihoming with ASA5500 scenario


Postings may contain unverified user-created content and change frequently. The content is provided as-is and is not warrantied by Cisco.

marcelo.zilio@constel.com.br (44 posts since Jul 12, 2002)
Multihoming with ASA5500 Scenario

Hi,

The company where I work is in the process of becoming an Autonomous System. We'll request an AS number and an IP block from the RIR. I've attached a picture which shows what we are thinking to do.

Today we already have these two ASA running as active/failover, connected to only one ISP through a Cisco router which has only a default route. Basically I'm adding a second router connected to a second ISP.

Here are our requirements:

- We don't want full internet routes
- We should load balance upstream and downstream traffic; however, failover is the most important

These are our thoughts:

1) Obviously we need BGP.
2) Suppose we have a /22 block; we want to propagate /23 in each ISP, and if the router or link to that ISP fails it should propagate /22 to another ISP. Is that possible? Could you point me to any paper to read or some example about that?
3) There's an option to propagate /22 in one ISP and the second ISP is just a backup. Is this better than the previous option?
4) Since ASA5500 doesn't have BGP, we think to run OSPF/EIGRP between border routers and ASA and distribute the default route to ASA. And this is the most confusing to me: if we are dividing /22 into two /23, how will it decide where to send traffic? In fact I'm still not "seeing" how this scenario could work.

I would like to hear your opinion if this is the best to do and, if not, what is recommended. I appreciate any thoughts.

Thanks
Marcelo

Attachments: as-with-asa.gif (19.0 K)
Tags: ip_routing, ospf, bgp, eigrp, asa, asa5500, multihoming, multihome

Reza Sharifi (1,298 posts since Jul 2, 2008)
Re: Multihoming with ASA5500 Scenario
Feb 5, 2010 1:15 PM

Hello Marcelo,

You can load share traffic and divide your /22 and advertise /23 to each provider using BGP attributes and policies. Have a look at this document for more info and a configuration example:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf5

HTH
Reza

johnnylingo (458 posts since May 18, 2006)
Re: Multihoming with ASA5500 Scenario
Feb 5, 2010 2:50 PM

> 4) Since ASA5500 doesn't have BGP, we think to run OSPF/EIGRP between border routers and ASA and distribute the default route to ASA. And this is the most confusing to me: if we are dividing /22 into two /23, how will it decide where to send traffic? In fact I'm still not "seeing" how this scenario could work.
>
> I would like to hear your opinion if this is the best to do and, if not, what is recommended. I appreciate any thoughts.
>
> Thanks
> Marcelo

Yes - this is the problem. If you're just going with a default route to the Internet and both routers are originating it, you have no control over which ISP it takes unless you implement Policy Based Routing (PBR) at each border router.

Another problem is you're not looking at the destination address to make intelligent routing decisions. For example, let's say you use ISP A's DNS server as a forwarder. You may end up using ISP B to then access ISP A. That doesn't make much sense.

This would be my suggestion:

1) Configure both border routers and the ASA for either OSPF or EIGRP. Have both border routers originate a default route.
2) Configure both border routers to get customer-only routes from each ISP. The ISP will generally be able to do this for you, but if not, you can configure it on the router yourself using as-path access lists. The number of routes you receive will depend on the size of the ISP, but it should be between 100 - 5,000. That only takes up a couple MB of memory.
3) Redistribute these BGP routes into OSPF or EIGRP. This will ensure the ASA always takes ISP A to get to ISP A and ISP B to get to ISP B (unless one of them is down).
4) Keep your outbound BGP announcement simple, and just announce the /22 to both ISPs. This will allow outside networks to always have the best path to you.

johnnylingo (458 posts since May 18, 2006)
Re: Multihoming with ASA5500 Scenario
Feb 5, 2010 3:04 PM

Also, if you don't like the idea of having Internet routes on the ASA, just take these steps:

1) Configure HSRP, VRRP, or GLBP on the border routers. Use the shared IP as the ASA's default gateway (or configure the ASA as an OSPF stub).
2) Configure iBGP between the border routers.
3) The border routers will use BGP attributes (weight, local pref, as-path) to select the best path.

marcelo.zilio@constel.com.br (44 posts since Jul 12, 2002)
Re: Multihoming with ASA5500 Scenario
Feb 8, 2010 4:05 AM

Thanks for the input. Very helpful. I'll set up a lab to test your recommendation. But it makes sense to me.

Thanks
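The inbound side of question 2 in the thread, as an added example that is not part of any post: a small Python model of how remote networks pick a path by longest-prefix match, comparing three announcement policies with both ISPs up and with one down. The block 198.51.100.0/22, the ISP names and the policy names are constructed placeholders, and the "split_plus_aggregate" policy goes beyond what the posts spell out.

```python
import ipaddress

# Constructed placeholder block; substitute the /22 assigned by the RIR.
BLOCK = ipaddress.ip_network("198.51.100.0/22")
LOW, HIGH = BLOCK.subnets(prefixlen_diff=1)  # the two /23 halves

# Hypothetical announcement policies: ISP name -> prefixes announced to it.
POLICIES = {
    "split_only":           {"ISP-A": [LOW],        "ISP-B": [HIGH]},
    "split_plus_aggregate": {"ISP-A": [LOW, BLOCK], "ISP-B": [HIGH, BLOCK]},
    "aggregate_to_both":    {"ISP-A": [BLOCK],      "ISP-B": [BLOCK]},
}


def inbound_isps(dst, policy, down=()):
    """Return the ISPs through which the Internet can deliver traffic to dst.

    Remote routers forward on the longest matching prefix they hold. When
    the same prefix is heard via both ISPs, the remote network's own BGP
    policy breaks the tie, so both ISPs are returned.
    """
    addr = ipaddress.ip_address(dst)
    best_len, via = -1, set()
    for isp, prefixes in POLICIES[policy].items():
        if isp in down:  # link or session lost: its routes are withdrawn
            continue
        for net in prefixes:
            if addr not in net:
                continue
            if net.prefixlen > best_len:
                best_len, via = net.prefixlen, {isp}
            elif net.prefixlen == best_len:
                via.add(isp)
    return via


def report():
    """One row per (policy, failed ISPs, destination half, usable ISPs)."""
    hosts = {"low /23": str(LOW[10]), "high /23": str(HIGH[10])}
    return [
        (policy, down, label, sorted(inbound_isps(host, policy, down)))
        for policy in POLICIES
        for down in ((), ("ISP-A",))
        for label, host in hosts.items()
    ]


if __name__ == "__main__":
    for row in report():
        print(row)
```

With the /22 announced alongside each /23, the surviving ISP already carries a covering route, so inbound failover needs no change to the announcements; with the /23s alone, the half behind the failed ISP becomes unreachable.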

Date posted: 27/10/2019, 23:54
