How do I Dual Home my network?

Unanswered Question

I have 2 sites:

North Plant

South Plant

These locations are only 1.5 miles apart and are connected via a point to point T1 as well as a 802.11G wireless bridge for redundancy. The bridge and point to point T1 are routed connections via my 2811 routers that are located in each building. Currently only the south plant has an internet connection via T1 which is protected by an ASA 55xx.

My boss wants me to install a second internet connection and to have it in the north building. He wants each internet connection used and if one would fail the other would take 100% of the load until the other would come back up.

I need the redundancy to be for both inbound and outbound connections. I have several VPN tunnels that I need to be able to fail over automatically. Some of these VPN tunnels are setup via from internal connections, external clients, as well as some site to site links.

I know this is a lot to ask for so I'm actually wanting to present 2 options for him. One that would fullfill everything he wants, and another that will only use the second connection should the primary fail.

Anyone that can provide some guidance on either of these objectives I would greatly appreciate since this is way over my head.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
julio.fojon Wed, 10/01/2008 - 08:06
User Badges:


I have done so with two offices one in Miami, the other one in Texas. Since you have ASA, I will use the routing protocol (EIGRP)to take care of this automatically.

What I did was to configure the backup route feature in the ASA and redistribute it with the routing protocol in each office. Therefore, the two offices had two different ways out to the internet. When one of them failed, it was removed from the routing table and all the traffic was redirected to my alternate location.

Let me know if it helps. Thanks

julio.fojon Wed, 10/01/2008 - 09:57
User Badges:


I am sorry I missed that part. I am going to assume that your outbound connections are made using VPN. If so, you would have to configure your ASAs with identical profiles for the outside users. Then, you will configure your VPN client with both ASA, one as a primary and the second one as a backup.

The VPN client is smart enough to switch over the backup connection if something happens to your primary connection. You might also be able to load balance your VPN traffic changing the primary and secondary VPN IP addresses.

If you are using some sort of web access you will have to update that information with your ISP so they can provide you with automatic traffic redirection if your device doesn't answer. In such a case you will probably have to create a NAT statement in each ASA to access the server using either connection.

Let me know if it helps. Thanks.

Willem de Groot Wed, 10/01/2008 - 21:45
User Badges:


Will you have twice the same ISP or are you thinking to have 2 different ISPs?

1. Case Talk with your ISP.

2. Case, you probebly need a BGP router at each site. In this case you'll need ISP Independent IP-Addresses and a own AS-Number.


Scott Cannon Wed, 10/01/2008 - 22:18
User Badges:

Willem is correct.

I suggest going with the same provider and requesting diversified paths (each connection terminates at an alternate exchange and aggregation router).

Most ISPs will then allow you to load balance using BGP or another IGP.

Since your links will be working in an Active-Active state and you want any 1 link to be able to handle 100% of the load it stands to reason that, optimally, each link should only carry 50% of the combined load, max. I would suggest you therefore ensure you have CIR for 50% of the maximum burstable bandwidth on each link to reduce costs.

Yes my second ISP will be different then my first. My first ISP is a Tier 1, the second is a Tier 2 provider.

I was thinking about getting a couple 2851's and running BGP and buy ARIN addresses. This is probably the best way to do it. Only problem is I have absolutely no idea how to run BGP. Do I need the full tables, can I get by running half or partial tables? How do I configure BGP? Any special config I need to put in my ASA's or do I just mirror the configs since each will have the same IP's?

If you can direct me to any documentation on any of the above I would appreciate it. Also if you have experience setting anything like this up, please share.


This Discussion