LAB - Recursive Routing

I would like to share an interesting case I encountered. The network looked something like this:

From the bottom up: a switch with the LAN hosts, connected to a firewall. The firewall is connected to two routers, each with its own WAN uplink to a different ISP.

For routing, each router runs eBGP with its ISP, and the firewall runs iBGP with each router (there is no peering between the routers themselves).

Below is the configuration from a simulation I built with Cisco routers to illustrate this:


Firewall:

interface FastEthernet0/0
 description To Router-1
 ip address
!
interface FastEthernet0/1
 description To Router-2
 ip address
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor remote-as 1
 neighbor remote-as 1
 no auto-summary


Router-1:

interface FastEthernet0/0
 description To FW
 ip address
!
interface FastEthernet0/1
 description To ISP-1
 ip address
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor remote-as 2
 neighbor remote-as 1
 no auto-summary

Router-2 is configured the same way, peering with ISP-2 instead.

From the firewall's routing table, before the failure:

Gateway of last resort is to network

C is directly connected, FastEthernet0/1
C is directly connected, FastEthernet0/0
B [200/0] via, 00:00:48
B* [200/0] via, 00:00:48
The issue showed up after a hardware failure took one of the routers down: the firewall lost all WAN access, even though the second router and its ISP link were still up.

While debugging I found there was no default route in the firewall's routing table, although there was one in its BGP table. The default learned over BGP had the address of ISP-2 (the ISP still up) as its next hop, and it turned out the firewall had no route to that next hop either, so BGP could not resolve it and never installed the default.

The reason was basic. iBGP preserves the next hop, so the default route reached the firewall with the ISP's address as its next hop, an address on the router-to-ISP P2P link to which the firewall is not connected. To install the default, the firewall has to recursively resolve that next hop against another route in its table. The only route it had for the network in which that next hop resides had itself been learned over BGP, from a peer that also supplied a default; when that peer went down, the path to the next-hop network went with it, and the remaining default could no longer be resolved.

There are a few ways to solve this. The cleanest is to add "next-hop-self" to the firewall's neighbor statement on each router, so the routers advertise the default with their own iBGP address as the next hop, which the firewall reaches over a directly connected link.

Another is to have each router advertise its ISP-facing P2P network itself, with "redistribute connected" or a "network ... mask ..." statement under "router bgp 1", so the firewall learns the path to the next hop from the router that actually owns that link.

There is also a workaround: on the firewall, create a static route for the P2P network, e.g. "ip route ... FastEthernet0/0", pointing it out the interface that faces the corresponding router.
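Here is how the three fixes look as IOS configuration, as an added example and not the configuration from the original lab. The post shows no addresses, so the addressing below is hypothetical: the FW-Router-2 link is 10.0.2.0/30 (FW .1, Router-2 .2), the FW-Router-1 link is 10.0.1.0/30 (FW .1, Router-1 .2), Router-2 to ISP-2 is 203.0.113.0/30 (Router-2 .2, ISP-2 .1, assumed AS 3) and Router-1 to ISP-1 is 198.51.100.0/30 (Router-1 .2, ISP-1 .1, AS 2 as in the post). Only Router-2 is shown; Router-1 gets the mirror-image change.

```cisco
! Hypothetical addressing (the original post strips all addresses):
!   FW-Router-2  10.0.2.0/30      FW 10.0.2.1, Router-2 10.0.2.2
!   FW-Router-1  10.0.1.0/30      FW 10.0.1.1, Router-1 10.0.1.2
!   Router-2-ISP-2  203.0.113.0/30  Router-2 .2, ISP-2 .1 (AS 3 assumed)
!   Router-1-ISP-1  198.51.100.0/30 Router-1 .2, ISP-1 .1 (AS 2)
!
! --- Router-2, BEFORE: the default learned from ISP-2 is passed to the FW
!     unchanged, with next hop 203.0.113.1, which the FW has no route to. ---
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 203.0.113.1 remote-as 3
 neighbor 10.0.2.1 remote-as 1
 no auto-summary
!
! --- Router-2, fix 1: rewrite the next hop of routes sent to the FW to the
!     router's own iBGP address, which the FW resolves via its connected
!     route for 10.0.2.0/30. ---
router bgp 1
 neighbor 10.0.2.1 next-hop-self
!
! --- Router-2, fix 2 (alternative): advertise the ISP-facing P2P network
!     into iBGP so the FW can resolve the original ISP next hop. Either a
!     network statement for that one prefix ... ---
router bgp 1
 network 203.0.113.0 mask 255.255.255.252
!
! --- ... or redistribute connected, limited by a route-map so only the
!     ISP link (and not every connected interface) leaks into BGP. ---
ip prefix-list ISP-LINK seq 5 permit 203.0.113.0/30
!
route-map CONNECTED-TO-BGP permit 10
 match ip address prefix-list ISP-LINK
!
router bgp 1
 redistribute connected route-map CONNECTED-TO-BGP
!
! --- FW, workaround: static routes to both ISP P2P networks. The next-hop
!     form is used rather than the interface-only form from the post. ---
ip route 203.0.113.0 255.255.255.252 10.0.2.2
ip route 198.51.100.0 255.255.255.252 10.0.1.2
!
! --- FW, verification (commands only; output depends on the lab) ---
!   show ip bgp 0.0.0.0
!     before the fix the path is flagged "inaccessible"; with fix 1 the
!     next hop reads 10.0.2.2, with fix 2 or the static route 203.0.113.1
!   show ip route 203.0.113.1
!     must return a route, otherwise the default cannot recurse onto it
```

Two caveats. The interface-only static route the post mentions ("ip route ... FastEthernet0/0") works on an Ethernet link only because the router on the far side answers proxy ARP for the destination, which is on by default in IOS but is a dependency you do not want; point the route at the neighbor's address instead. And whichever fix you pick, prove it: shut the iBGP session or the router on one side and check that the default via the surviving router is still installed, since this outage existed precisely because the redundancy had never been exercised.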

I hope this post was helpful. If it was, please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N

LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR
