
At my company we have a single Cisco 3925sec/k9 router running BGP with 2 ISPs. Now we want to purchase a redundant router of the same model to eliminate a single point of failure.

I can set up BGP between the routers and the ISPs with no problems. We plan to send out all traffic through ISP A and receive all traffic through ISP B (the ISPs send us only default gateways, and we can play around with AS-path prepends and local_pref attributes for that).

So my question is, what is the best solution to make sure I keep the state of static NAT and stateful firewall rules (not ZBF) on both routers at the same time? Again, I want traffic to leave through ISP A and return through ISP B.

Is it possible at all or do you think it would be better to purchase a pair of ASA 5500 series with Active/Active support and do NAT and inspection on them?

Alec T

1 Answer

I am curious as to why you would want to purposefully force asymmetric routing like this? Most of the solutions for this are going to be based on using HSRP tracking to decide which router is actively processing NAT/firewall rules, with the assumption that the same router is seeing both the egress and ingress traffic. Let me lab up the routing you're suggesting and see if the standby router will actually service requests that the active router initiated.

In the meantime, the features you're wanting are definitely available in IOS. An ASA pair is going to be more designed to do what you're wanting, but depending on how much control you need over the rules IOS may fit the bill fine.

Something like this should work to track your NAT states. It's from a CCIE study vendor, but is explained pretty well.

Also see Cisco's documentation for IOS Firewall Stateful Failover. The magic command is...

(config-if) ip inspect <cbac-name> {in | out} redundancy stateful <hsrp-name>

Edit: I've labbed this up in GNS3, and the results are a mixed bag. The short answer is that NAT will work fine. CBAC, however, will not.

You can use Redundant NAT to share states between both your routers, allowing states created on the "egress" router to create equal states on the "ingress" router. These states are active, and will work fine.

ip nat stateful id <unique-router-num>
 redundancy <hsrp-name>
  mapping-id <mapping-id>

ip nat inside source list <acl> pool <pool> mapping-id <mapping-id> overload

However, CBAC is going to prove more of an issue. You can set up IPC between your two routers and get them to share states.

redundancy inter-device
 scheme standby <hsrp-name>
! a reload is required after the inter-device scheme is configured

ipc zone default
 association 1
 ! only association 1 is supported
  no shutdown
  protocol sctp
   local-port <port-num>
    local-ip <my-ip>
   remote-port <port-num>
    remote-ip <peer-ip>
 ! remote-ip is the other router's real interface address, not your own

interface <WAN interface>
ip access-group <acl> in
ip inspect <inspect-name> out redundancy stateful <hsrp-name>

Some major issues with this approach though...

  • the states are shared between the devices, but are only active on the HSRP active device
  • when a failover occurs, the old active device FORCES A RELOAD

So yes, CBAC does support some redundancy, but it's pretty useless for your situation. Are you sure you can't do ZBF? Zone-Based Policy Firewall High Availability @ Cisco.com

I'm still curious to hear why you need this forced-asymmetric routing, as that is what prevents you from using CBAC.

Keller G
  • Thanks a lot for the efforts Keller, I really appreciate it. The reason I use asymmetric routing is because we have a slow ISP A, so I don't want to use it for the inbound traffic, because it can create bottlenecks. And I guess on the other hand we could use ISP B for traffic in both directions and let ISP A sit idle, but the boss is happier when both ISPs are at work, so it's more of a human factor, but it's not carved in stone of course. – Alec T Mar 28 '13 at 16:04
  • Regarding ZBF, I would love to use it, but for some reason I thought it's not possible. I will check your link. – Alec T Mar 28 '13 at 16:08
  • Ah, a Layer 8 consideration. =) How much traffic are you pushing into/out of this office? I know that ISPs will sometimes let you take a partial BGP table of just their direct customers. That would allow you to use a specific ISP when the customer is directly connected, but the faster ISP for all other traffic. Also keep in mind that you can influence but not guarantee which link traffic will return via. The only traffic you can control is your outbound. So 100% consistent async routing probably isn't going to happen. I would recommend using the ISPs as active/standby for a SOHO. – Keller G Mar 28 '13 at 18:11
  • Well that's true, but if I prepend my AS to an existing AS path when I announce my network, from my experience I would say it works pretty well. Lol on Layer 8. I've read your link on ZBF redundancy - they don't recommend it for highly asymmetric traffic. I guess the best decision would be to purchase an ASA in our case [because we can] :) Again I want to thank you Keller for putting in so much time into it! – Alec T Mar 29 '13 at 12:00
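As an added, constructed example of how the pieces in the answer fit together (this is not the poster's configuration and not taken from Cisco's documentation): Router A is HSRP active on the LAN and peers with ISP A; Router B is HSRP standby and peers with ISP B. NAT translations are replicated with Stateful NAT (SNAT) over the HSRP group, the default route from ISP A gets a higher local preference so outbound traffic leaves via A, and the prefix is prepended toward ISP A so inbound traffic prefers B. Every address, AS number, interface name, the HSRP group name SNAT-HA and the iBGP session between the two routers (so each learns the other's ISP default) are assumptions for the example.

```cisco
! ===== Router A: HSRP active, peers with ISP A =====
! Constructed example; every address, AS number, interface and name is assumed.
track 10 interface GigabitEthernet0/1 line-protocol
!
interface GigabitEthernet0/0
 description LAN - the HSRP group name is what SNAT keys off
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name SNAT-HA
 standby 1 track 10 decrement 20
!
interface GigabitEthernet0/1
 description ISP A link 198.51.100.0/30
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
! Stateful NAT: translations built here are replicated to Router B as active
! entries, so return packets that arrive via ISP B can be un-translated there.
ip nat stateful id 1
 redundancy SNAT-HA
  mapping-id 10
!
ip nat pool PUBLIC 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE pool PUBLIC mapping-id 10 overload
! Static translations carry no state; configure them identically on both routers.
ip nat inside source static tcp 10.0.0.50 443 203.0.113.50 443
!
! Anchor the advertised prefix so the BGP network statement installs.
ip route 203.0.113.0 255.255.255.0 Null0
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 route-map FROM-ISP-A in
 neighbor 198.51.100.1 route-map TO-ISP-A out
 neighbor 10.0.0.3 remote-as 64500
 neighbor 10.0.0.3 next-hop-self
!
! Outbound policy: ISP A's default wins on local-preference (200 beats B's 100).
route-map FROM-ISP-A permit 10
 set local-preference 200
! Inbound policy: our prefix looks three hops longer via A, so ISP B is preferred.
route-map TO-ISP-A permit 10
 set as-path prepend 64500 64500 64500
!
! ===== Router B: HSRP standby, peers with ISP B (only the lines that differ) =====
! Repeat the NAT pool, ACL, dynamic/static NAT and Null0 route exactly as on Router A.
interface GigabitEthernet0/0
 ip address 10.0.0.3 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 name SNAT-HA
!
interface GigabitEthernet0/1
 description ISP B link 192.0.2.0/30
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
! id must be unique per router; redundancy name and mapping-id must match Router A.
ip nat stateful id 2
 redundancy SNAT-HA
  mapping-id 10
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 route-map FROM-ISP-B in
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 next-hop-self
!
route-map FROM-ISP-B permit 10
 set local-preference 100
```

To check that the replication is doing its job, open an outbound connection from the LAN and run show ip nat translations on Router B (the standby): the entry created by Router A should appear there, and show ip snat distributed verbose (the SNAT-specific command in Cisco's documentation) should report the peer as up. Two caveats already raised in the thread apply: the prepend only influences the return path, it does not guarantee it, and this example covers NAT state only; with CBAC the replicated inspect state is active only on the HSRP active router, so the inbound SYN-ACK arriving at Router B would still be dropped.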