HSRP used on WAN side (With BGP)
FrankGuthrie
Is it good/bad design using HSRP for redundancy on the WAN? I've seen HSRP being used on 2 internet routers for IPSEC VPNs, but never for setting up BGP (1 BGP session to the VIP of HSRP).
Can anyone tell me if this is advisable or not and why? Is it a valid design or is it better to use 2 BGP sessions, 1 with better metrics, etc.?
Comments
pevangel
To do this for the purpose of eliminating SPOFs, the ISP would have to deploy two PE routers or last mile switches. The cost of deploying, operating, and maintaining them would be reflected on your bill. Then, you'll have to get a couple of switches, stack them, and place them between your perimeter routers and the PEs. You might already have the switches for your LAN so that saves you some money. But in the end it's still going to cost you a lot of money to have redundant connectivity in one location to the same ISP.
For redundancy at one site, it's better to have your second perimeter router connect to a different ISP. If a second ISP is not an option, then it's still better to directly connect your perimeter routers to the PE routers and set up 2 BGP sessions. Doing FHRP with the ISP would require putting a switch in between you and the ISP which adds another point-of-failure.
There's also the issue of the ISP doing FHRP for you. If it's not a standard configuration for them, then they most likely would not do it. ISPs have a bunch of customers and one-off solutions are typically avoided.
ccie14023
Hmmm, I don't think this would work. To establish a BGP session using a VIP, the session would have to be sourced from the VIP itself. However, when you pick the update source for BGP, the only choice is an interface. So if you point the other end to the VIP the session won't come up. The following is from a switch:
jemclaug-hh15-c3850-(config-router)#neighbor 1.1.1.1 update-source ?
ANI Autonomic-Networking virtual interface
Auto-Template Auto-Template interface
CEM-PG Circuit Emulation interface with Protection group
Capwap Capwap tunnel interface
GMPLS MPLS interface
GigabitEthernet GigabitEthernet IEEE 802.3z
InternalInterface Internal Interface
LISP Locator/ID Separation Protocol Virtual Interface
Loopback Loopback interface
Null Null interface
PROTECTION_GROUP Protection-group controller
Port-channel Ethernet Channel of interfaces
TenGigabitEthernet Ten Gigabit Ethernet
Tunnel Tunnel interface
Tunnel-tp MPLS Transport Profile interface
Vlan Catalyst Vlans
keenon
I have never seen or used HSRP on the WAN side. As stated, I would do 2 different ISP connections with BGP, with HSRP running on the back end (LAN side of the router). If possible, get the LOA signed by both to allow you to advertise the blocks on both sides, of course as primary/backup paths.
pevangel
You can make it work but you won't peer using the VIPs. Create loopbacks on each set of routers. Create a static route to the loopbacks of the other routers using the VIP as the next hop, then do eBGP multihop. We've had this setup for some cloud application but we were in control of all sides.
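The setup described in the last reply, written out as Cisco IOS configuration for one customer-side router (an added example, not configuration posted in the thread). All addresses, AS numbers, interface names and the HSRP group number are constructed placeholders, and the note about reachability inside the remote pair is an assumption about that side's routing.

```cisco
! CE1, customer side (constructed values; CE2 mirrors this with its own
! addresses and a lower HSRP priority).
! Shared WAN segment 192.0.2.0/29 sits on the switch between the two pairs:
!   customer HSRP VIP 192.0.2.1, CE1 .2, CE2 .3
!   provider HSRP VIP 192.0.2.6, PE1 .4, PE2 .5
!
interface Loopback0
 description BGP peering address (never the HSRP VIP)
 ip address 198.51.100.1 255.255.255.255
!
interface GigabitEthernet0/0
 description WAN segment toward the provider routers
 ip address 192.0.2.2 255.255.255.248
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
!
! Static routes to the provider loopbacks, next hop = provider-side VIP.
! Whichever provider router is HSRP active receives the traffic.
! Assumption: the provider pair can route to each other's loopbacks,
! otherwise the session to the standby router's loopback will not establish.
ip route 203.0.113.1 255.255.255.255 192.0.2.6
ip route 203.0.113.2 255.255.255.255 192.0.2.6
!
router bgp 64512
 ! Sessions are sourced from the loopback because update-source accepts
 ! only an interface, as the CLI help output earlier in the thread shows.
 neighbor 203.0.113.1 remote-as 64513
 neighbor 203.0.113.1 update-source Loopback0
 neighbor 203.0.113.1 ebgp-multihop 2
 neighbor 203.0.113.2 remote-as 64513
 neighbor 203.0.113.2 update-source Loopback0
 neighbor 203.0.113.2 ebgp-multihop 2
!
! The provider routers need the mirror image: static routes to
! 198.51.100.1 and 198.51.100.2 via 192.0.2.1, and neighbor statements
! pointing at those loopbacks with update-source and ebgp-multihop.
```

After applying it, `show standby brief` and `show ip bgp summary` confirm the HSRP state and whether the loopback-to-loopback sessions reached Established.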