
BGP routers using HSRP connecting to dual HSRP PIX 515

Status
Not open for further replies.

442304

IS-IT--Management
Nov 7, 2002
2
US
Here is a challenge to all. I've been searching all through the internet and on Cisco's website but found no solid or detailed explanation.

Currently we are going to build a data center in our building and host our e-commerce web site, and as for redundancy we will be connecting to two separate ISPs and run BGP from the ISPs' routers to our 3660 routers (two routers total for redundancy, implementing HSRP between them).

Proposed solution:

(2) Cisco 3660 routers
(2) Pix 515E Firewall

Question: How will the routers connect, either to one another via a secondary Ethernet interface on each using a crossover cable, or a special redundant module (Fast serial), for HSRP to work?

Once that's done, each router E0 interface will connect to the outside interface on the PIX. The PIX with a failover card will be connecting to each other via a fast serial cable so it can run HSRP. One will be active, the other will be passive, using a VIP.

- If that's the case, ISP-A connecting to Router A, which is then connected to PIX A: will this path be active or will it be passive, because HSRP can not both be active at the same time? If Router A and PIX A will be in standby mode, will ISP-B -> Router B -> PIX B be the active point line due to the fact that HSRP can not be run on both devices at the same time?

(how to connect router to router so to implement HSRP, and will one router be active and the other be passive?)
 
HSRP is only going to give the PIXes a default gateway when sending traffic out to the world. You need a switch, or better yet, two switches trunked together, that the internal router interface and the external PIX interface connect to. This needs to be in a common VLAN for both sides of the mesh so that HSRP will work. Your HSRP-active router will have a BGP session to its ISP and to the HSRP-standby router. This will allow the router to redirect traffic to the HSRP-standby router if it has a better BGP route. There is no magic here, so do yourself a favor and draw a network diagram. Let me know if you are still having trouble. I just implemented a network very similar to what you are describing and it works great.
 
Please correct me if I'm wrong. Can I consolidate using one switch? For example, plug the e0 internal router interface on both routers into ports 1 & 2 and assign the ports to VLAN 100, then plug the outside interface of both PIXes into ports 3 & 4, also making them belong to VLAN 100. Or would it be better to get two 2912XLs and trunk ports 21, 22, 23, 24 (create Fast EtherChannel) from Switch1 to Switch2, and on the first switch make the connected ports part of VLAN 100, and the second switch part of VLAN 200?

    (AS-100) ISP-A                          ISP-B (AS-200)
            (RTR-A)                         (RTR-B)
               |                               |
               |s0                             |s0
    AS-300 Customer (RTR-1)                 (RTR-2)
               |e0                             |e0
               |             HSRP              |
    (VLAN 100) PORT1 ------ SW1 2912XL ------ PORT2 (VLAN 100)
                                |
                 Ports 21,22,23,24 (FEC TRUNK TO SWITCH2)
                                |
    (VLAN 200) PORT1 ------ SW2 2912XL ------ PORT2 (VLAN 200)
               |                               |
               |                               |
               |(outside int)                  |(outside int)
             PIX515                          PIX515
               |(inside int)                   |(inside int)
               |                               |
             PORT1                           PORT2
       Catalyst 3550-12T ------ HSRP ------ 3550-12T
               |                               |
               |                               |
               ------------ Internal LAN -------
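
The design described in the reply above (router inside interfaces and PIX outside interfaces in one common VLAN, HSRP giving the PIX its default gateway, eBGP to each ISP plus an iBGP session between the two routers), sketched as an added configuration example that is not from any poster in this thread. The AS numbers and the s0/e0 interface labels come from the diagram; all IP addresses are constructed from documentation ranges, and real 3660 interfaces use slot/port names. The `standby track` line is an assumption that goes beyond what the reply describes.

```cisco
! ---- RTR-1 (intended HSRP active), customer AS 300 ----
interface Serial0
 description Link to ISP-A (AS 100), constructed addressing
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0
 description Common VLAN shared with RTR-2 and both PIX outside interfaces
 ip address 192.0.2.2 255.255.255.0
 ! Virtual IP that the PIX uses as its default gateway
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! Assumption, not in the reply: drop priority to 90 if the ISP link fails
 standby 1 track Serial0 20
!
router bgp 300
 ! eBGP to ISP-A
 neighbor 198.51.100.1 remote-as 100
 ! iBGP to RTR-2 across the common VLAN, so traffic can be handed to
 ! RTR-2 when it holds the better BGP route
 neighbor 192.0.2.3 remote-as 300
 neighbor 192.0.2.3 next-hop-self
 ! (advertisement of the customer prefix omitted)
!
! ---- RTR-2 (HSRP standby, default priority 100) ----
interface Serial0
 description Link to ISP-B (AS 200), constructed addressing
 ip address 203.0.113.2 255.255.255.252
!
interface Ethernet0
 description Common VLAN shared with RTR-1 and both PIX outside interfaces
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 preempt
!
router bgp 300
 ! eBGP to ISP-B
 neighbor 203.0.113.1 remote-as 200
 ! iBGP back to RTR-1
 neighbor 192.0.2.2 remote-as 300
 neighbor 192.0.2.2 next-hop-self
!
! ---- PIX (active unit): default route points at the HSRP virtual IP ----
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
```

On either router, `show standby` reports which unit currently owns the virtual IP, and `show ip bgp summary` confirms that both the ISP session and the router-to-router session are established.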















 