Failover

Unanswered Question
Jun 1st, 2008

From a core Layer 3 switch I have got two routes to the Internet via two different service providers who provide their own routers (which I have no access to).

I have two routes as, if I were to have a single line, I would pretty much saturate the firewall CPU between the router and core switch.

The scenario as it stands is, every time router02 fails (used exclusively for web traffic), I have to quickly telnet to the core switch and reroute the default route to firewall01, which is for router01.

I have to do this remotely and have to wait for my IT contact at the office to reboot router02 before I can reroute traffic back to firewall02.

Now the question is, how can I automate this procedure? What protocols are there to automate this?

Basically I want to automate the change of the default route's next-hop address when the current next hop is down (routing to the PIX firewall).

I know this may seem easy enough, but because I'm working with PIX firewall devices as my next hop I'm not too familiar with possible methods.

Please have a look at the attached picture to give a better understanding of the problem.

Kind Regards :)

spremkumar Sun, 06/01/2008 - 22:43

Hi

With the information provided by you, I would suggest having a routing protocol between the Internet router and the firewall, and receiving and advertising the default route to the core switch.

In case either the router or the WAN link goes down, the router should stop announcing the default route to the firewall, and the firewall will in turn stop advertising the same to the core switch.

In your core switch you need to define a static default route with a higher admin distance than that of the routing protocol designed between the firewall and core switch, so that your IGP's route takes precedence in normal conditions, and when the default route advertised by the IGP goes away the static route will come into effect.

You now need to check the compatibility of the firewall installed out there with the routing protocols you can run to achieve this.

You also need to make sure that you get a default route from the internet router which can be advertised to your firewall.

Also, have you thought about the redundancy of the traffic flow for the services through the other firewall/router?

regds

Mohan1983 Mon, 06/02/2008 - 13:37

I was thinking I would have to run another routing protocol to advertise. The only problem is I'm not really supposed to access the Internet router, so I need to find a way to do this without touching the Internet routers.

Mohan1983 Tue, 06/03/2008 - 03:12

Also, just to clarify, the Internet routers are provided by the ISP and are not Cisco devices.

bineshpsm Fri, 06/06/2008 - 03:11

You can never run a routing protocol unless there is equal contribution from the other end (ISP) router. What I suggest is the same as Premkumar suggested. Put the below two routes in the Layer 3 switch:

ip route 0.0.0.0 0.0.0.0

ip route 0.0.0.0 0.0.0.0 100

This is the simplest and most reliable method, with no dynamic protocol burden.
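As an added example (not configuration posted by anyone in this thread), here is the floating static route pair filled in for the topology described in the question, together with the extra piece a practitioner usually needs in this exact situation: a static route is only removed from the routing table when its outgoing interface or directly connected next hop goes down, and in this design the next hop is the PIX, whose link to the core switch stays up when router02 behind it fails. Attaching an IP SLA probe and an object tracker to the primary default route makes the switch withdraw it when a target beyond router02 stops answering, so the floating route to firewall01 takes over without anyone telnetting in, and it returns automatically once the probe succeeds again. All addresses (192.0.2.1 for firewall02, 192.0.2.2 for firewall01, 198.51.100.1 as a probe target beyond router02, Vlan10 as the source interface) are placeholders chosen for illustration, and the exact command syntax depends on the IOS release on the core switch.

```cisco
! Probe something on the far side of router02 (placeholder 198.51.100.1),
! sourced from the switch's interface towards the firewalls.
! Older IOS releases use "ip sla monitor 1" / "type echo protocol ipIcmpEcho"
! and "track 1 rtr 1 reachability" instead of the forms below.
ip sla 1
 icmp-echo 198.51.100.1 source-interface Vlan10
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Tracker follows probe reachability; the delays dampen flapping so a
! single lost echo does not flip the default route back and forth.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe target via firewall02 so the probe always tests the
! router02 path, even while the default route has failed over to firewall01.
ip route 198.51.100.1 255.255.255.255 192.0.2.1
!
! Primary default via firewall02 (web path), installed only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
!
! Floating default via firewall01 with a higher administrative distance (100),
! which takes over the moment the tracked primary route is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.0.2.2 100
```

Two things to check when deploying this: the PIX in the primary path must permit the ICMP echo from the switch's source address to the probe target and the replies back, otherwise the tracker sits permanently down and all traffic uses firewall01; and the probe target should be an address that only fails when the router02 path is genuinely unusable, not the PIX inside interface itself, since that would still answer while router02 is dead. Verify the state with `show track 1` and `show ip route 0.0.0.0` before and after pulling the router02 link in a maintenance window.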
