From the bottom up: a switch with the LAN hosts connected to a firewall. The firewall is connected to two routers, each with its own WAN access through a different ISP.
For routing there is eBGP from each router to its ISP, and iBGP between the firewall and each of the routers (there is no peering between the routers themselves).
I will post the configuration from a simulation I did to illustrate this, using Cisco routers:
FW:
interface FastEthernet0/0
 description To Router-1
 ip address 192.168.12.1 255.255.255.0
!
! The second interface is FastEthernet0/1 (see the connected route for 192.168.13.0/24
! in the routing table further down); its address is not shown in the original
! configuration and 192.168.13.1 is assumed here.
interface FastEthernet0/1
 description To Router-2
 ip address 192.168.13.1 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.12.2 remote-as 1
 neighbor 192.168.13.3 remote-as 1
 no auto-summary
Router-1:
interface FastEthernet0/0
 description To FW
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet0/1
 description To ISP-1
 ip address 172.24.24.2 255.255.255.0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 172.24.24.4 remote-as 2
 neighbor 192.168.12.1 remote-as 1
 no auto-summary
Router-2 is basically the same.
The issue occurred after a hardware failure: one of the routers went down, and as a result the firewall lost its WAN access.
From the FW:
Gateway of last resort is 192.167.24.4 to network 0.0.0.0
C 192.168.13.0/24 is directly connected, FastEthernet0/1
C 192.168.12.0/24 is directly connected, FastEthernet0/0
B 192.167.24.0/24 [200/0] via 192.167.24.4, 00:00:48
B* 0.0.0.0/0 [200/0] via 192.167.24.4, 00:00:48
While debugging the issue I found there was no default route in the firewall's routing table, although there was one in its BGP table. The route learned by BGP pointed to the IP of ISP2 (the one still up), and I later discovered there was no route to that destination either.
The reason was very basic. iBGP does not rewrite the next hop of a route learned from an eBGP peer, so the surviving router passed the default route to the firewall with the ISP's address as next hop. The same iBGP peer also taught us the P2P network that this address belongs to, again with the ISP's address as next hop. The only route the firewall had to the next hop was therefore a BGP route whose own next hop was that same address, so the recursive lookup could never resolve to a connected interface and neither route was usable.
There are a few ways to solve this. The first is to add "next-hop-self" to the neighbor settings of the firewall's peer on each router, so the router advertises its own address as next hop and the firewall resolves it over the connected link. On Router-1 that is:
router bgp 1
 neighbor 192.168.12.1 next-hop-self
(and the matching statement for the firewall's address on Router-2).
The second is to advertise the P2P network from the local router, with "redistribute connected" or just "network 172.24.24.0 mask 255.255.255.0" under "router bgp 1". A locally originated route carries the router's own address as next hop, so the firewall gets a route to the ISP address that resolves through the router.
There is also a workaround: on the FW create a static route for the P2P network pointing at the router, "ip route 172.24.24.0 255.255.255.0 FastEthernet0/0 192.168.12.2" (and the equivalent for Router-2's P2P network). The static route has a lower administrative distance than the BGP-learned one for the same prefix, so the BGP next hop now resolves through the static route to the connected interface.
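To make the recursion concrete, here is an added example (not code from the original post) that models the firewall's routing table and resolves a destination through it the way a router does: longest prefix match, lowest administrative distance on a tie, then recursion on the next hop until a route with an outgoing interface is reached. The addresses follow the routing-table output above and the neighbor statements in the configuration; the static route for the Router-2 side is assumed, mirroring the one the post gives for Router-1.

```python
"""Recursive next-hop resolution over a firewall RIB, modelling the BGP
next-hop problem described in the post. Added example, not the post's code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str] = None     # None for a connected route
    interface: Optional[str] = None    # None for a BGP route (next hop only)
    distance: int = 0                  # admin distance: connected 0, static 1, iBGP 200


def route(prefix, next_hop=None, interface=None, distance=0) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, interface, distance)


def best_match(rib: List[Route], dest: str) -> Optional[Route]:
    """Longest prefix match; on equal length the lowest administrative distance wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in rib if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def resolve(rib: List[Route], dest: str, max_depth: int = 8) -> Optional[str]:
    """Return the outgoing interface for dest, or None when the BGP next hop can
    never be resolved to an interface (no covering route, or a next hop that is
    only reachable through the very route that names it)."""
    seen = set()
    hop = dest
    for _ in range(max_depth):
        r = best_match(rib, hop)
        if r is None:
            return None                      # nothing covers the next hop
        if r.interface is not None:
            return r.interface               # connected route or interface static route
        if r.next_hop in seen:
            return None                      # self-referential recursion, as in the post
        seen.add(r.next_hop)
        hop = r.next_hop                     # recurse on the BGP next hop
    return None


# Connected links of the firewall, from the routing table in the post.
CONNECTED = [
    route("192.168.12.0/24", interface="FastEthernet0/0"),
    route("192.168.13.0/24", interface="FastEthernet0/1"),
]


def rib_after_failure() -> List[Route]:
    """Router-1 is down; Router-2 relays ISP-2's routes with the ISP's address
    (192.167.24.4) as next hop, as the firewall's table showed."""
    return CONNECTED + [
        route("192.167.24.0/24", next_hop="192.167.24.4", distance=200),
        route("0.0.0.0/0", next_hop="192.167.24.4", distance=200),
    ]


def rib_with_next_hop_self() -> List[Route]:
    """Fix 1: Router-2 (192.168.13.3, its neighbor address on the firewall) is
    configured with next-hop-self, so both routes arrive with Router-2 as next hop."""
    return CONNECTED + [
        route("192.167.24.0/24", next_hop="192.168.13.3", distance=200),
        route("0.0.0.0/0", next_hop="192.168.13.3", distance=200),
    ]


def rib_with_originated_p2p() -> List[Route]:
    """Fix 2: Router-2 originates its P2P network itself (network statement or
    redistribute connected); only that route carries Router-2 as next hop, the
    default still points at the ISP but now resolves through it."""
    return CONNECTED + [
        route("192.167.24.0/24", next_hop="192.168.13.3", distance=200),
        route("0.0.0.0/0", next_hop="192.167.24.4", distance=200),
    ]


def rib_with_static_route() -> List[Route]:
    """Workaround: a static route on the firewall for ISP-2's P2P network, assumed
    here as 'ip route 192.167.24.0 255.255.255.0 FastEthernet0/1 192.168.13.3'
    (the Router-2 counterpart of the post's route). Distance 1 beats iBGP's 200."""
    return rib_after_failure() + [
        route("192.167.24.0/24", next_hop="192.168.13.3",
              interface="FastEthernet0/1", distance=1),
    ]


if __name__ == "__main__":
    for name, rib in [("after failure", rib_after_failure()),
                      ("next-hop-self", rib_with_next_hop_self()),
                      ("originated p2p", rib_with_originated_p2p()),
                      ("static route", rib_with_static_route())]:
        print(f"{name:15s} 0.0.0.0/0 resolves to {resolve(rib, '8.8.8.8')}")
```

Running it shows the broken table resolving the default route to nothing, and each of the three fixes resolving it to FastEthernet0/1; the loop guard in resolve() is what turns the post's endless recursion into a clear "unresolvable" answer instead of a hang.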
I hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR