This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Replacing Cisco HSRP Pair with Palo in Active Standby - 2x ISP Transit BGP

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Replacing Cisco HSRP Pair with Palo in Active Standby - 2x ISP Transit BGP

DunkleyG
L0 Member

‎06-20-2023 09:10 PM

Hi,

 

Currently we have a pair of Cisco routers each connected to a different ISP with static addresses. We have a public address range 203.x.x.x/24. The inside interfaces of these pair of routers are .2 and .3 of this public address range and the HRSP .1 between them.

 

Currently each router takes the full BGP tables from its connected ISP and we publish our AS number back to them identical to each ISP. The links are weighted at the moment towards one ISP as far as I can tell but that isnt a requirement.

 

Here is the BGP config from our current routers

Router 1 BGP:

 

router bgp 45xxx
bgp log-neighbor-changes
network 203.x.x.0
neighbor 203.x.x.3 remote-as 45xx
neighbor 203.x.x.3 description Internet Router
neighbor 203.x.x.3 next-hop-self
neighbor 203.x.x.3 soft-reconfiguration inbound
neighbor 210.x.x.53 remote-as 27x
neighbor 210.x.x.53 description ISP1
neighbor 210.x.x.53 password 7 bgppasswordhere
neighbor 210.x.x.53 send-community
neighbor 210.x.x.53 soft-reconfiguration inbound
neighbor 210.x.x.53 prefix-list rfc1918-filter in
neighbor 210.x.x.53 prefix-list OURRANGE out
neighbor 210.x.x.53 route-map ITPTransitOutbound out
distance bgp 210 200 200

 

Router 2 BGP:

router bgp 45xxx
no bgp enforce-first-as
bgp log-neighbor-changes
network 203.x.x.0
neighbor 144.x.x.237 remote-as 12xx
neighbor 144.x.x.237 soft-reconfiguration inbound
neighbor 144.x.x.237 prefix-list rfc1918-filter in
neighbor 144.x.x.237 prefix-list OURRANGE out
neighbor 203.x.x.2 remote-as 45xxx
neighbor 203.x.x.2 description Internet Router
neighbor 203.x.x.2 next-hop-self
neighbor 203.x.x.2 soft-reconfiguration inbound
distance bgp 130 200 200

 

I would like to move this to a pair of PA-850's that we are currently running in HA active/passive pair. I can present the outside ISP interfaces to the PA-850 pair each on their own vlan interface. My plan was to create a new VR for this as the PA-850s are already doing some other DMZ traffic and I don't want to break that. The current VR's default route points to the .1 HSRP of this Cisco pair I want to get rid of. I am a bit unsure of the BGP config to publish our AS45xxx (203.x.x.x/24) range out and just take the default routes from the ISP's instead of the full BGP tables as I am not sure the 850's would like that.

 

Outcomes:

 - ISP Redundancy

 - ISP Load balancing (outbound traffic evenly across the to ISP links)

 

Can someone point me in the right direction. I have attached a couple of pics on how i think it logically looks but a little unsure.

 

BeforeBeforeAfterAfter

 

Thanks,

 

Garrick

0 Likes Likes
1 REPLY 1

Pepen
L1 Bithead

‎06-21-2023 01:14 AM

I think the bes practice is to establish a BGP peer between 850's and ISP routers with only one VR with two peers, one by every Cisco Router.

850's redistribute DMZs addressings to the two peers (cisco Routers) and these DMZ's are not redistributed to the ISPs , only redistribute the actual supernet 203 containig all the DMZs addressing.

Cisco Routers must have a Default generate route to the 850s tracking the reception of almost three nets from ISPs one belongs to the proper ISP with the Cisco Router have pering.One for a route behind the isp in the internet (8.8.8.0/24 - google's best known) and the other can be a route belkongs to the other isp. This on all two Cisco routers.

At the 850's yo must configure in Import BGP Routers from peers Cisco Routers diferent local-preference fon the two default routers received by them. One will be prioritary for the other, but if in the prioritary Cisco Routers fails isp peering, 850s will use the other.

Balance traffic betwen the two Cisco Routers to the Internet is doing now by the proper bgp peerring btween them. If you have any asimetric traffic -Out by one ISP and In by the other with any AS you can take the additive comand to the BGP ISP peer to penalize the redistribution of your routes to this AS by your OUT ISPs 

0 Likes Likes
  • 832 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks