HSRP used on WAN side (With BGP)

FrankGuthrie Member Posts: 245
Is it good/bad design using HSRP for redundancy on the WAN? I've seen HSRP being used on 2 internet routers for IPsec VPNs, but never for setting up BGP (1 BGP session to the VIP of HSRP).

Can anyone tell me if this is advisable or not and why? Is it a valid design, or is it better to use 2 BGP sessions, 1 with better metrics, etc.?


  • pevangel Member Posts: 342
    To do this for the purpose of eliminating SPOFs, the ISP would have to deploy two PE routers or last mile switches. The cost of deploying, operating, and maintaining them would be reflected on your bill. Then, you'll have to get a couple of switches, stack them, and place them between your perimeter routers and the PEs. You might already have the switches for your LAN so that saves you some money. But in the end it's still going to cost you a lot of money to have redundant connectivity in one location to the same ISP.

    For redundancy at one site, it's better to have your second perimeter router connect to a different ISP. If a second ISP is not an option, then it's still better to directly connect your perimeter routers to the PE routers and set up 2 BGP sessions. Doing FHRP with the ISP would require putting a switch in between you and the ISP, which adds another point of failure.

    There's also the issue of the ISP doing FHRP for you. If it's not a standard configuration for them, then they most likely would not do it. ISPs have a bunch of customers and one-off solutions are typically avoided.
  • ccie14023 Member Posts: 183
    Hmmm, I don't think this would work. To establish a BGP session using a VIP, the session would have to be sourced from the VIP itself. However, when you pick the update source for BGP, the only choice is an interface. So if you point the other end to the VIP the session won't come up. The following is from a switch:

    jemclaug-hh15-c3850-(config-router)#neighbor update-source ?
    ANI Autonomic-Networking virtual interface
    Auto-Template Auto-Template interface
    CEM-PG Circuit Emulation interface with Protection group
    Capwap Capwap tunnel interface
    GMPLS MPLS interface
    GigabitEthernet GigabitEthernet IEEE 802.3z
    InternalInterface Internal Interface
    LISP Locator/ID Separation Protocol Virtual Interface
    Loopback Loopback interface
    Null Null interface
    PROTECTION_GROUP Protection-group controller
    Port-channel Ethernet Channel of interfaces
    TenGigabitEthernet Ten Gigabit Ethernet
    Tunnel Tunnel interface
    Tunnel-tp MPLS Transport Profile interface
    Vlan Catalyst Vlans
  • keenon Member Posts: 1,922
    I have never seen or used HSRP on the WAN side. As stated, I would do 2 different ISP connections with BGP, with HSRP running on the back end (LAN side of the router). If possible, get the LOA signed by both to allow you to advertise the blocks on both sides, of course as primary/backup paths.
    Become the stainless steel sharp knife in a drawer full of rusty spoons
  • pevangel Member Posts: 342
    You can make it work but you won't peer using the VIPs. Create loopbacks on each set of routers. Create a static route to the loopbacks of the other routers using the VIP as the next hop, then do eBGP multihop. We've had this setup for some cloud application but we were in control of all sides.
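
The loopback-peering arrangement described in the last reply, sketched as Cisco IOS configuration for one of the local routers. This is an added example, not configuration posted in the thread; every address, AS number, the HSRP group and priority, and the interface name are constructed (documentation ranges), and peering with both far-side loopbacks is an assumption.

```cisco
! Local router 1 of 2 (constructed values throughout)
!   local AS 64500, far-side AS 64510
!   shared segment 198.51.100.0/24
!   local HSRP VIP 198.51.100.1, far-side HSRP VIP 198.51.100.254
!
interface Loopback0
 description BGP session source (an interface, as update-source requires)
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Shared segment toward the far-side router pair
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
!
! Far-side loopbacks are reached through the far side's VIP,
! so whichever far-side router is HSRP active forwards the traffic.
ip route 203.0.113.1 255.255.255.255 198.51.100.254
ip route 203.0.113.2 255.255.255.255 198.51.100.254
!
router bgp 64500
 ! Sessions run loopback to loopback, never to or from a VIP.
 neighbor 203.0.113.1 remote-as 64510
 neighbor 203.0.113.1 update-source Loopback0
 ! Loopback peers are not directly connected, so multihop is needed;
 ! raise the hop count if more routed hops sit in the path.
 neighbor 203.0.113.1 ebgp-multihop 2
 neighbor 203.0.113.2 remote-as 64510
 neighbor 203.0.113.2 update-source Loopback0
 neighbor 203.0.113.2 ebgp-multihop 2
```

The far-side routers need the mirror image: static routes to the local loopbacks via 198.51.100.1 and matching neighbor statements. The static routes stay installed for as long as the interface is up, so a dead peer is noticed through the BGP hold timer unless a faster mechanism such as BFD is configured.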