We are going to configure VRRP between two pairs of routers and document the expected behaviour. The setup is as follows:
Setup:
1. Routers PE1, PE2, FW1 and FW2 are connected to the same Layer 2 switch and belong to the same VLAN.
2. L2-Switch functions purely as a Layer 2 switch (subnet 192.168.2.240/29).
3. VRRP is configured between PE1 & PE2.
4. VRRP is configured between FW1 & FW2.
Fig.1
IP & VRRP Configuration:
L2-SWITCH
L2-SWITCH#conf t
a. Setup access VLAN
vlan 100
name VLAN100
b. Associate the interfaces
interface Ethernet0/0
switchport access vlan 100
switchport mode access
duplex auto
!
interface Ethernet0/1
switchport access vlan 100
switchport mode access
duplex auto
!
interface Ethernet0/2
switchport access vlan 100
switchport mode access
duplex auto
!
interface Ethernet0/3
switchport access vlan 100
switchport mode access
duplex auto
c. Verify
L2-SWITCH#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active
100 vlan LAYER2 active Et0/0, Et0/1, Et0/2, Et0/3
PE1
a. Configure the IP and VRRP (make PE1 as the active)
PE1#conf t
interface FastEthernet0/0
description Connect to L2-SWITCH e0/0
ip address 192.168.2.242 255.255.255.248
duplex auto
speed auto
vrrp 88 description PE1-PE2 VRRP
vrrp 88 ip 192.168.2.241
vrrp 88 priority 110
b. Verify VRRP
PE1#show vrrp
FastEthernet0/0 - Group 88
PE1-PE2 VRRP
State is Master
Virtual IP address is 192.168.2.241
Virtual MAC address is 0000.5e00.0158
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Master Router is 192.168.2.242 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec
PE2
a. Configure the IP and VRRP
PE2#conf t
interface FastEthernet0/0
description Connect to L2-SWITCH e0/1
ip address 192.168.2.243 255.255.255.248
duplex auto
speed auto
vrrp 88 description PE1-PE2 VRRP
vrrp 88 ip 192.168.2.241
b. Verify VRRP
PE2#show vrrp
FastEthernet0/0 - Group 88
PE1-PE2 VRRP
State is Backup
Virtual IP address is 192.168.2.241
Virtual MAC address is 0000.5e00.0158
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 192.168.2.242, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 2.757 sec)
FW1
a. Configure the IP and VRRP (make FW1 as the active)
FW1#conf t
interface FastEthernet0/0
description Connect to L2-SWITCH e0/2
ip address 192.168.2.245 255.255.255.248
duplex auto
speed auto
vrrp 99 description FW1-FW2 VRRP
vrrp 99 ip 192.168.2.244
vrrp 99 priority 110
b. Verify VRRP
FW1#show vrrp
FastEthernet0/0 - Group 99
FW1-FW2 VRRP
State is Master
Virtual IP address is 192.168.2.244
Virtual MAC address is 0000.5e00.0163
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 110
Master Router is 192.168.2.245 (local), priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.570 sec
FW2
a. Configure the IP and VRRP
FW2#conf t
interface FastEthernet0/0
description Connect to L2-SWITCH e0/3
ip address 192.168.2.246 255.255.255.248
duplex auto
speed auto
vrrp 99 description FW1-FW2 VRRP
vrrp 99 ip 192.168.2.244
b. Verify VRRP
FW2#show vrrp
FastEthernet0/0 - Group 99
FW1-FW2 VRRP
State is Backup
Virtual IP address is 192.168.2.244
Virtual MAC address is 0000.5e00.0163
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 192.168.2.245, priority is 110
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.589 sec)
BGP Configuration:
PE1:
router bgp 65000
bgp log-neighbor-changes
neighbor 192.168.2.245 remote-as 65535
!
address-family ipv4
neighbor 192.168.2.245 activate
no auto-summary
no synchronization
exit-address-family
PE2:
router bgp 65000
bgp log-neighbor-changes
neighbor 192.168.2.246 remote-as 65535
!
address-family ipv4
neighbor 192.168.2.246 activate
no auto-summary
no synchronization
exit-address-family
FW1:
router bgp 65535
bgp log-neighbor-changes
neighbor 192.168.2.241 remote-as 65000
!
address-family ipv4
neighbor 192.168.2.241 activate
no auto-summary
no synchronization
exit-address-family
FW2:
router bgp 65535
bgp log-neighbor-changes
neighbor 192.168.2.241 remote-as 65000
!
address-family ipv4
neighbor 192.168.2.241 activate
no auto-summary
no synchronization
exit-address-family
Verification:
PE1#show bgp summ
BGP router identifier 192.168.2.242, local AS number 65000
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.2.245 4 65535 43 43 1 0 0 00:30:36 0
PE2#show bgp summ
BGP router identifier 192.168.2.243, local AS number 65000
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.2.246 4 65535 2 6 0 0 0 00:28:57 Active
FW1#show bgp summ
BGP router identifier 192.168.2.245, local AS number 65535
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.2.241 4 65000 44 45 1 0 0 00:31:03 0
FW2#show bgp summ
BGP router identifier 192.168.2.246, local AS number 65535
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
192.168.2.241 4 65000 3 3 0 0 0 00:31:53 Active
Observations:
1. Peering between the PEs' VRRP IP and the FWs' VRRP IP will not work. In the debug messages you will see something like this: "open failed: Connection refused by remote host, open active delayed".
2. For the BGP peering to establish, PE1 and PE2 must configure their BGP neighbors as the physical IP addresses of FW1 and FW2 respectively. FW1 & FW2 can then configure their BGP peering with the PE1/PE2 VRRP IP.
3. Only the active (master) VRRP router (PE1) will have the BGP neighbor established. The BGP session on the standby router (PE2) stays in the Active state.
4. Regardless of whether FW1 or FW2 is the active VRRP router, the BGP peering is established on the firewall that peers with the active VRRP router (PE1). E.g. PE1 peers with the physical IP of FW1, while PE2 peers with the physical IP of FW2. Since PE1 is the master VRRP router, BGP is established on FW1.
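As an added example that is not part of the original post, the Python script below parses the show vrrp and show bgp summary outputs from this lab (embedded here as constructed sample text, trimmed to the lines the checks use) and verifies the behaviour described in the observations: each pair has exactly one Master and one Backup that agree on the virtual IP and on who the master is, the virtual MAC is 0000.5e00.01 followed by the group number in hex as RFC 3768 specifies (which is why group 88 shows ...0158 and group 99 shows ...0163), the PE-side BGP session sits on the VRRP master while the backup stays non-Established, and exactly one firewall holds the session. Function and variable names are my own; nothing here is a Cisco API.

```python
import re
from typing import Dict, List

# Constructed sample inputs: the lab's show outputs, trimmed to the lines the checks use.
SHOW_VRRP = {
    "PE1": ("FastEthernet0/0 - Group 88\nState is Master\nVirtual IP address is 192.168.2.241\n"
            "Virtual MAC address is 0000.5e00.0158\nPriority is 110\nMaster Router is 192.168.2.242 (local), priority is 110\n"),
    "PE2": ("FastEthernet0/0 - Group 88\nState is Backup\nVirtual IP address is 192.168.2.241\n"
            "Virtual MAC address is 0000.5e00.0158\nPriority is 100\nMaster Router is 192.168.2.242, priority is 110\n"),
    "FW1": ("FastEthernet0/0 - Group 99\nState is Master\nVirtual IP address is 192.168.2.244\n"
            "Virtual MAC address is 0000.5e00.0163\nPriority is 110\nMaster Router is 192.168.2.245 (local), priority is 110\n"),
    "FW2": ("FastEthernet0/0 - Group 99\nState is Backup\nVirtual IP address is 192.168.2.244\n"
            "Virtual MAC address is 0000.5e00.0163\nPriority is 100\nMaster Router is 192.168.2.245, priority is 110\n"),
}
BGP_HDR = "Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd\n"
SHOW_BGP = {
    "PE1": BGP_HDR + "192.168.2.245 4 65535 43 43 1 0 0 00:30:36 0\n",
    "PE2": BGP_HDR + "192.168.2.246 4 65535 2 6 0 0 0 00:28:57 Active\n",
    "FW1": BGP_HDR + "192.168.2.241 4 65000 44 45 1 0 0 00:31:03 0\n",
    "FW2": BGP_HDR + "192.168.2.241 4 65000 3 3 0 0 0 00:31:53 Active\n",
}

VRRP_FIELDS = {
    "group": re.compile(r"Group (\d+)"),
    "state": re.compile(r"State is (\w+)"),
    "vip": re.compile(r"Virtual IP address is ([\d.]+)"),
    "vmac": re.compile(r"Virtual MAC address is ([0-9a-fA-F.]+)"),
    "priority": re.compile(r"Priority is (\d+)"),       # capital P: the router's own priority line
    "master": re.compile(r"Master Router is ([\d.]+)"),  # stops before " (local)" or ","
}


def parse_show_vrrp(text: str) -> dict:
    """Extract the fields of a single-group 'show vrrp' block into a dict."""
    out = {}
    for key, rx in VRRP_FIELDS.items():
        if not (m := rx.search(text)):
            raise ValueError(f"'{key}' not found in show vrrp output")
        out[key] = m.group(1)
    out["group"], out["priority"] = int(out["group"]), int(out["priority"])
    return out


def expected_vrrp_mac(group: int) -> str:
    """RFC 3768 virtual MAC 00-00-5E-00-01-{VRID}, written in IOS dotted notation."""
    return f"0000.5e00.01{group:02x}"


def parse_bgp_summary(text: str) -> List[dict]:
    """One entry per neighbor row; a numeric last column means the session is Established."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", parts[0]):
            continue  # header, blank or wrapped line
        last = parts[-1]
        rows.append({"neighbor": parts[0], "remote_as": int(parts[2]), "uptime": parts[8],
                     "state": "Established" if last.isdigit() else last,
                     "prefixes": int(last) if last.isdigit() else None})
    return rows


def audit_vrrp_pair(a: dict, b: dict) -> List[str]:
    """Findings for two routers that should form one VRRP group (empty list = healthy)."""
    findings = []
    if a["group"] != b["group"]:
        return [f"group mismatch: {a['group']} vs {b['group']}"]
    if a["vip"] != b["vip"]:
        findings.append(f"virtual IP mismatch: {a['vip']} vs {b['vip']}")
    if sorted([a["state"], b["state"]]) != ["Backup", "Master"]:
        findings.append(f"expected one Master and one Backup, got {a['state']}/{b['state']}")
    if a["master"] != b["master"]:
        findings.append(f"routers disagree on the master: {a['master']} vs {b['master']}")
    want = expected_vrrp_mac(a["group"])
    for r in (a, b):
        if r["vmac"].lower() != want:  # wrong MAC means hosts ARP-cache a MAC no router answers for
            findings.append(f"virtual MAC {r['vmac']} does not match group {a['group']} ({want})")
    return findings


def established_members(bgp: Dict[str, List[dict]], names) -> List[str]:
    return [n for n in names if any(r["state"] == "Established" for r in bgp[n])]


def run_lab_audit() -> Dict[str, List[str]]:
    """Apply the lab's expected behaviour (observations 3 and 4) to the sample outputs."""
    vrrp = {n: parse_show_vrrp(t) for n, t in SHOW_VRRP.items()}
    bgp = {n: parse_bgp_summary(t) for n, t in SHOW_BGP.items()}
    report = {"PE1/PE2 VRRP": audit_vrrp_pair(vrrp["PE1"], vrrp["PE2"]),
              "FW1/FW2 VRRP": audit_vrrp_pair(vrrp["FW1"], vrrp["FW2"])}
    # PE side: the session must sit on the VRRP master; the backup stays non-Established.
    pe_master = [n for n in ("PE1", "PE2") if vrrp[n]["state"] == "Master"]
    pe_est = established_members(bgp, ("PE1", "PE2"))
    report["PE BGP"] = [] if pe_est == pe_master else [f"Established on {pe_est}, master is {pe_master}"]
    # FW side: exactly one firewall holds the session (the one the PE master peers with).
    fw_est = established_members(bgp, ("FW1", "FW2"))
    report["FW BGP"] = [] if len(fw_est) == 1 else [f"expected one Established FW, got {fw_est}"]
    return report


if __name__ == "__main__":
    for item, findings in run_lab_audit().items():
        print(f"{item}: {'OK' if not findings else '; '.join(findings)}")
```

Run against the lab outputs every check reports OK. Feed it the same two commands captured after a failover and the report shows, in one place, whether the VRRP role change and the BGP session moved together or whether the session is stuck on a router that is no longer master.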
My environment is in the same ASN, so can you establish an iBGP peering with the firewalls instead of an eBGP peering?