advertise default route based on HSRP state

Cooky

Golden Member
Apr 2, 2002
I've got two Nexus 7010's running HSRP north bound to a pair of ASA's, and BGP south bound to four 6509's.

Is it possible to advertise default route to BGP neighbor (or prefer it via MED), only if the node is HSRP-active?
Essentially the goal is to create symmetry for inbound/outbound traffic.

Only way I can think of so far is via an EEM script, so that when I see HSRP go active via syslog, I'd kick off an action to remove ASN prepend, or reduce MED, and the opposite if HSRP goes standby.

Was wondering if anyone has done something similar w/ a better way.

thx

sactwnguy

Member
Apr 17, 2007
If you are using BGP, why do you need to use HSRP? Just use one of BGP's many methods to modify which route has preference. I generally only use HSRP when the downstream device does not have a routing protocol or I am doing WAN interface tracking/IP SLA.

sactwnguy

Member
Apr 17, 2007
HSRP IP SLA tracking does not work very well with ASAs due to how they fail over their IP addresses: there is no real IP on each device to track when a failover occurs. So your best choices would be EIGRP on the ASA or BGP multihop to your edge routers, if that is possible.

Cooky

Golden Member
Apr 2, 2002
Just to be clear:
My goal is not simply to receive the default route, but to be able to ensure traffic symmetry for inbound and outbound traffic through the Nexus 7010's, between the ASA's and the core 6509's, in an automatic fashion.
So running BGP multihop to Internet edge routers doesn't really help achieve my goal.

I can do it manually by peering w/ the ASA via EIGRP or OSPF and just manipulating the metrics, which is another option besides doing HSRP & EEM.

m1ldslide1

Platinum Member
Feb 20, 2006
Is it possible to advertise default route to BGP neighbor (or prefer it via MED), only if the node is HSRP-active?
Essentially the goal is to create symmetry for inbound/outbound traffic.

thx

Here's a thought:

Configure both BGP speakers to advertise a default route, with the 7010 that is the "HSRP Active" advertising a better default route than the backup. Then use a tracking object on the physical interface such that the default route is removed if the interface goes down. In normal operations all traffic will traverse the primary HSRP router, but when the interface is offline the default route is yanked and the backup default route (previously thought to be inferior) is the only one advertised downstream. Then traffic will traverse the backup HSRP router (now active). Make sure to turn on HSRP preemption and when the primary comes back online the better default route will resume.

I don't know the details of your BGP config wrt the default route, but there are several ways to do this. One might be a static default route to null0 (that uses a tracking object tied to physical interface) and then advertised via BGP, or just advertise a default-route with an attached route-map that verifies the presence of the route in the ip routing table before advertising.
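
One way to lay out the tracked-default idea above on the two 7010s, written here as an added NX-OS example rather than config from any poster in this thread: the normally-active 7010 advertises 0/0 with a low MED, the standby with a high MED, and each withdraws its default when the ASA-facing link drops, which also answers the OP's "prefer it via MED" question. Interface names, the ASA inside address, the HSRP VIP, the neighbor address and both ASNs are placeholders, and the `track` keyword on the static route is assumed to be supported by the running NX-OS release.

```text
! ---- 7010-A: normally HSRP active, advertises the preferred default ----
feature bgp
feature hsrp

! Track object 10 follows line protocol on the ASA-facing link
! (Ethernet1/1 is a placeholder for the real uplink).
track 10 interface Ethernet1/1 line-protocol

! Static default toward the ASA inside address (192.0.2.1 is a placeholder).
! When object 10 goes down the route leaves the RIB, and a BGP "network"
! statement only advertises a prefix that is actually in the RIB, so the
! default is withdrawn from the 6509s automatically.
ip route 0.0.0.0/0 192.0.2.1 track 10

! Primary sets a low MED so the 6509s prefer this 7010 for inbound traffic.
route-map DEFAULT-TO-CORE permit 10
  set metric 10

router bgp 65001
  address-family ipv4 unicast
    network 0.0.0.0/0 route-map DEFAULT-TO-CORE
  neighbor 10.1.1.2 remote-as 65002
    address-family ipv4 unicast

! HSRP on the ASA-facing SVI: higher priority plus preempt so this box
! takes the active role back (and the preferred default resumes) after
! its link returns, matching the inbound preference set by the MED.
interface Vlan10
  hsrp 10
    preempt
    priority 110
    ip 192.0.2.254

! ---- 7010-B: HSRP standby, identical except for the two lines below ----
! Worse MED: this default is used only once 7010-A withdraws its own.
route-map DEFAULT-TO-CORE permit 10
  set metric 100

interface Vlan10
  hsrp 10
    preempt
    priority 100
    ip 192.0.2.254
```

Tracking the physical link does not see an ASA failover (the point sactwnguy raised), and the MED only steers the inbound direction: symmetry holds only while the HSRP priority and the MED agree on the same 7010.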

drebo

Diamond Member
Feb 24, 2006
Just set maximum paths to 2 and let CEF loadbalance the two equal cost routes for you.

The ASAs should be transparent to the entire thing.

If you need NAT, you should use some devices that speak HSRP or BGP (standard IOS routers, for instance) and use SNAT.

Being that the ASAs don't support any sort of real routing at all, they're a hindrance if used in any mode other than transparent. They can still operate as a failover pair in active/active, but NAT should be done by something that speaks properly with everything else and using SNAT to maintain state between them.

m1ldslide1

Platinum Member
Feb 20, 2006
Just set maximum paths to 2 and let CEF loadbalance the two equal cost routes for you.

The ASAs should be transparent to the entire thing.

If you need NAT, you should use some devices that speak HSRP or BGP (standard IOS routers, for instance) and use SNAT.

Being that the ASAs don't support any sort of real routing at all, they're a hindrance if used in any mode other than transparent. They can still operate as a failover pair in active/active, but NAT should be done by something that speaks properly with everything else and using SNAT to maintain state between them.

Maximum path defaults to 4 - setting to 2 wouldn't accomplish anything here.

OP said he wants traffic symmetry in/out from HSRP primary, not equal-cost.

"ASA's don't support any sort of real routing"? Hyperbole - they support OSPF, EIGRP but no BGP. What do you consider "real" routing? IS-IS? How do you figure this is a "real hindrance"?

I have no idea what you are saying about NAT, or about using SNAT to maintain state between the two ASA's? If they're in a failover pair, then state is automatically maintained, so I'm not sure what you're getting at?

drebo

Diamond Member
Feb 24, 2006
"ASA's don't support any sort of real routing"? Hyperbole - they support OSPF, EIGRP but no BGP. What do you consider "real" routing? IS-IS? How do you figure this is a "real hindrance"?

ASAs can't reliably act as a gateway between two networks. They don't route well enough. They work fine at injecting a type 7 LSA into a network or as part of a stub configuration, but they're awful for edge routing and any other more advanced routing. This is supported by their data sheet and by Cisco's product placement with them.

Using them for NAT or edge routing services just isn't advisable if you require anything other than static default routing.

I have no idea what you are saying about NAT, or about using SNAT to maintain state between the two ASA's? If they're in a failover pair, then state is automatically maintained, so I'm not sure what you're getting at?

Maybe because you didn't read?

I said to use IOS routers and SNAT if NAT was necessary. The OP didn't state what the purpose of the ASAs was, but I imagine he's probably not using the Nexus 7010s for NAT, so it's likely he's using the ASAs for NAT. If he isn't, the ASAs should be completely transparent in this environment so the discussion is moot.

I'm simply providing a recommendation for one of the possible topologies the OP could potentially have based on the information that was provided.

m1ldslide1

Platinum Member
Feb 20, 2006
ASAs can't reliably act as a gateway between two networks. They don't route well enough. They work fine at injecting a type 7 LSA into a network or as part of a stub configuration, but they're awful for edge routing and any other more advanced routing. This is supported by their data sheet and by Cisco's product placement with them.

Using them for NAT or edge routing services just isn't advisable if you require anything other than static default routing.

Sorry, but "they don't route well enough" without any supporting details sounds like you have a prejudice rather than specifics. To be honest I wouldn't use an ASA for routing unless I needed to, but that's mostly because of lack of PIM support. I know the ASA data sheet pretty well, and I don't remember seeing that "they're awful for edge routing" or that it isn't advisable for NAT. Can you provide a link to back up your claim?

Maybe because you didn't read?

I said to use IOS routers and SNAT if NAT was necessary. The OP didn't state what the purpose of the ASAs was, but I imagine he's probably not using the Nexus 7010s for NAT, so it's likely he's using the ASAs for NAT. If he isn't, the ASAs should be completely transparent in this environment so the discussion is moot.

I'm simply providing a recommendation for one of the possible topologies the OP could potentially have based on the information that was provided.

I wouldn't assume that this environment includes NAT at all. Most enterprise data centers don't NAT at their core-facing uplinks... in fact that would be insane unless there were some kind of bizarre overriding factor. Most enterprises NAT at the Internet border, not the data center.

As an aside, keep in mind that the ASA can NAT in either routed or transparent mode. (Your second-to-last sentence implies that if NAT isn't necessary then neither is routed mode.)

drebo

Diamond Member
Feb 24, 2006
Oh for the love of god. Anyone who isn't a die-hard, card-carrying Cisco fanboy recognizes that ASAs are fucking terrible for anything requiring any sort of advanced routing.

Lack of BGP, lack of GRE, lack of ICMP redirect, insanely small RIB, no VRF support, etc, etc, etc.

But, go ahead and keep fucking over your employer/customers by recommending clearly inferior products. There is no good reason to use the ASA as a router or routed/NAT firewall over an IOS router. IOS routers tend to be cheaper up and down the line and are much more feature-rich.

ASAs are great as transparent firewalls and VPN concentrators (and even that's debatable in comparison to Checkpoint). Recommending them in any other situation is doing a disservice to whoever is paying the bills.

I must say, though, that Cisco's done a fantastic job brainwashing people.

sactwnguy

Member
Apr 17, 2007
In my experience Cisco does not win on features with the ASA; it is all about the price. It has been a while, but the last time I looked Checkpoint was significantly more expensive. As for the original poster's problem, how about just setting up two HSRP groups on the 6500's with different priorities for each ASA to point at? Can ASAs in active/active have different static routing tables? It has been a few years.

m1ldslide1

Platinum Member
Feb 20, 2006
Oh for the love of god. Anyone who isn't a die-hard, card-carrying Cisco fanboy recognizes that ASAs are fucking terrible for anything requiring any sort of advanced routing.

Lack of BGP, lack of GRE, lack of ICMP redirect, insanely small RIB, no VRF support, etc, etc, etc.

But, go ahead and keep fucking over your employer/customers by recommending clearly inferior products. There is no good reason to use the ASA as a router or routed/NAT firewall over an IOS router. IOS routers tend to be cheaper up and down the line and are much more feature-rich.

ASAs are great as transparent firewalls and VPN concentrators (and even that's debatable in comparison to Checkpoint). Recommending them in any other situation is doing a disservice to whoever is paying the bills.

I must say, though, that Cisco's done a fantastic job brainwashing people.

LOLOLOL

I hope you're not actually employed in a decision-making IT role. I asked you for a link, or details supporting your claims, and you get swearing mad and accuse me of being the fanboy? Is this one of those "Well if you don't know already, then I'm not going to tell you!" kind of scenarios???

Haha, so now GRE and BGP are required to constitute "real" routing? Multi-VRF routing is accomplished via multiple contexts, dumbass.

I like how you proposed a completely asinine and non-intelligible solution re: NAT and then when called on it proceeded to put up a straw man about how shitty the ASA is for routing. What's funny is that I usually propose IOS devices to my customers for security (IOS firewall, DMVPN, now AVC, etc) but you just ASSume that since I'm pressing you for details I must be a brainwashed ASA hack.

Dude, P&N is over in Social. Please don't spew half-informed zealotry in here. Unfortunately it will probably get you a raise at work...

m1ldslide1

Platinum Member
Feb 20, 2006
In my experience Cisco does not win on features with the ASA; it is all about the price. It has been a while, but the last time I looked Checkpoint was significantly more expensive. As for the original poster's problem, how about just setting up two HSRP groups on the 6500's with different priorities for each ASA to point at? Can ASAs in active/active have different static routing tables? It has been a few years.

Excellent point. The ASA isn't traditionally the big Swiss Army knife of networking appliances, but rather does firewall stuff very cost-effectively. The new X-series (even the 5512) will do multiple gigs of firewalled traffic at almost the same price points as the last generation, and to get an IOS router that will do equivalent throughput will be many times more expensive.