Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
463
Views
0
Helpful
7
Replies

How do I Dual Home my network?

jstull
Level 1
Level 1

‎10-01-2008 07:23 AM - edited ‎03-03-2019 11:45 PM

I have 2 sites:

North Plant

South Plant

These locations are only 1.5 miles apart and are connected via a point to point T1 as well as a 802.11G wireless bridge for redundancy. The bridge and point to point T1 are routed connections via my 2811 routers that are located in each building. Currently only the south plant has an internet connection via T1 which is protected by an ASA 55xx.

My boss wants me to install a second internet connection and to have it in the north building. He wants each internet connection used and if one would fail the other would take 100% of the load until the other would come back up.

I need the redundancy to be for both inbound and outbound connections. I have several VPN tunnels that I need to be able to fail over automatically. Some of these VPN tunnels are setup via from internal connections, external clients, as well as some site to site links.

I know this is a lot to ask for so I'm actually wanting to present 2 options for him. One that would fullfill everything he wants, and another that will only use the second connection should the primary fail.

Anyone that can provide some guidance on either of these objectives I would greatly appreciate since this is way over my head.

Labels:
0 Helpful
7 Replies 7

julio.fojon
Level 1
Level 1

‎10-01-2008 08:06 AM

Hi,

I have done so with two offices one in Miami, the other one in Texas. Since you have ASA, I will use the routing protocol (EIGRP)to take care of this automatically.

What I did was to configure the backup route feature in the ASA and redistribute it with the routing protocol in each office. Therefore, the two offices had two different ways out to the internet. When one of them failed, it was removed from the routing table and all the traffic was redirected to my alternate location.

Let me know if it helps. Thanks

0 Helpful

jstull
Level 1
Level 1
In response to julio.fojon

‎10-01-2008 09:09 AM

Thanks for the info but this only solves half of my problem. How did you handle inbound connections like your email, vpn clients, etc?

EIGRP would only handle communication for your internal network, not communication from an external source in.

0 Helpful

julio.fojon
Level 1
Level 1
In response to jstull

‎10-01-2008 09:57 AM

Hi,

I am sorry I missed that part. I am going to assume that your outbound connections are made using VPN. If so, you would have to configure your ASAs with identical profiles for the outside users. Then, you will configure your VPN client with both ASA, one as a primary and the second one as a backup.

The VPN client is smart enough to switch over the backup connection if something happens to your primary connection. You might also be able to load balance your VPN traffic changing the primary and secondary VPN IP addresses.

If you are using some sort of web access you will have to update that information with your ISP so they can provide you with automatic traffic redirection if your device doesn't answer. In such a case you will probably have to create a NAT statement in each ASA to access the server using either connection.

Let me know if it helps. Thanks.

0 Helpful

jstull
Level 1
Level 1
In response to julio.fojon

‎10-01-2008 11:35 AM

What about for in coming email and any other in bound traffic?

I thought about doing a round robin DNS for this, but I'm not sure if it would work if one link went down. I don't want to do it and end up only receiving half of my emails. :-)

0 Helpful

Willem de Groot
Level 1
Level 1

‎10-01-2008 09:45 PM

Hi,

Will you have twice the same ISP or are you thinking to have 2 different ISPs?

1. Case Talk with your ISP.

2. Case, you probebly need a BGP router at each site. In this case you'll need ISP Independent IP-Addresses and a own AS-Number.

Willem

0 Helpful

Scott Cannon
Level 1
Level 1

‎10-01-2008 10:18 PM

Willem is correct.

I suggest going with the same provider and requesting diversified paths (each connection terminates at an alternate exchange and aggregation router).

Most ISPs will then allow you to load balance using BGP or another IGP.

Since your links will be working in an Active-Active state and you want any 1 link to be able to handle 100% of the load it stands to reason that, optimally, each link should only carry 50% of the combined load, max. I would suggest you therefore ensure you have CIR for 50% of the maximum burstable bandwidth on each link to reduce costs.

0 Helpful

jstull
Level 1
Level 1
In response to Scott Cannon

‎10-02-2008 04:23 AM

Yes my second ISP will be different then my first. My first ISP is a Tier 1, the second is a Tier 2 provider.

I was thinking about getting a couple 2851's and running BGP and buy ARIN addresses. This is probably the best way to do it. Only problem is I have absolutely no idea how to run BGP. Do I need the full tables, can I get by running half or partial tables? How do I configure BGP? Any special config I need to put in my ASA's or do I just mirror the configs since each will have the same IP's?

If you can direct me to any documentation on any of the above I would appreciate it. Also if you have experience setting anything like this up, please share.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card