multihoming issue

Unanswered Question
Sep 16th, 2009

Hi guys, I have a client who is applying for 2 internet leased line circuits from 2 different ISPs.

I have 2 Cisco 2800 routers for the internet connectivity.

I have an L3 switch in the internal zones of the routers.

Both the ISPs have given a /30 public network for the WAN. I don't have any doubt on that.

But both the ISPs are giving different /28 networks for the internal usage (for e.g. to host some servers).

I have 2 ASA 5510s behind the routers which are going to use the public IP addresses given by the ISPs.

The customer wants to use only 1 ISP at a time, and if that ISP goes down I should be using the other ISP.

But my doubt is that both the public IP addresses given by the ISPs are of different network subnets, and it won't be possible to manually change the IP addresses on the ASA 5510.


Please help me with some solution.


Thanks & Regards,

Jvalin

jvalin__s Wed, 09/16/2009 - 03:03

Well, thanks for the message, but this is not what I meant.

I have static IP addresses on both the routers, and the public IP address range is different from both the ISPs.

paolo bevilacqua Wed, 09/16/2009 - 03:08

That is exactly what the document takes into consideration.



Jon Marshall Wed, 09/16/2009 - 03:05

Jvalin


In addition to Paolo's post, it depends on whether or not you need to present internal servers to the Internet so that internet clients can access them, e.g. a web server/mail server.

If this is the case then you have a problem with your setup, because what DNS entry would you use for your web server? I.e. you choose one of the ISP's public addresses to represent the web server. If that ISP link goes down, it's not just the static NAT on the ASA that needs updating, it is also the public DNS with the new public address.

If you do need to present internal servers then you are going to need a provider independent public address space that both ISPs will advertise out.


Jon

paolo bevilacqua Wed, 09/16/2009 - 03:10

If you do need to present internal servers then you are going to need a provider independent public address space that both ISPs will advertise out.

Or get a regular hosting solution, easier to set up and manage. Really, BGP is not for everybody.

jvalin__s Wed, 09/16/2009 - 03:31

Guys,

What will be my default gateway on the ASA?

How will I do the HSRP on the routers?

paolo bevilacqua Wed, 09/16/2009 - 04:18

I suggest you do this with one router only. That is pretty much the only way to balance outgoing connections and keep things reasonably simple.

If you want to use two, then yes you can use HSRP, but all the traffic will use a single ISP.


Or you can forget about the routers and just use the ASA:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml




jvalin__s Wed, 09/16/2009 - 04:24

So according to you and Marshall, this is not possible, right, from the viewpoint of the ISP?

If they are giving provider independent address space then only it is possible, I guess. But do we get this type of address space from the provider? That's the biggest question here.



paolo bevilacqua Wed, 09/16/2009 - 04:39

What exactly did you understand to be "not possible"? Clearly, reaching an internal server with a single IP address resistant to failure is impossible.

You need AS numbers and PI space for BGP; these things are obtained through ISPs but are expensive. Most customers renounce immediately.


jvalin__s Wed, 09/16/2009 - 04:52

Yes Paolo, I clearly understood the servers hosting thing; that is impossible.

But let's assume that I don't have any internal web servers.

Simple users want to have internet access through the firewall; if one ISP fails the other will be utilized.

Let's forget the provider independent address space also here.

You said I can do HSRP. But how? Both the ISPs are giving different IP addresses, and I have to use them on the routers' internal interfaces and the ASAs' outside interfaces also.

How am I going to configure HSRP with this scenario?

Do I have to manually change the IPs of all the interfaces if one ISP goes down? Please correct me if I'm wrong.



paolo bevilacqua Wed, 09/16/2009 - 04:55

With no servers there isn't much of a problem.


As mentioned above, either configure the ASA for NAT for backup links, or with HSRP you track an object off the primary ISP/router; when it fails the other router will take over.


When configured correctly no manual intervention is necessary.
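The router-side variant Paolo describes (HSRP on the routers' inside interfaces, with the primary router tracking its ISP), written out as an added example. This is not configuration from the thread or from Cisco; it assumes the design where the two 2800s do the NAT to their own ISP's range, so the segment between the routers and the ASA's outside interface is a single private subnet (192.168.100.0/24, constructed) and the ASA's default gateway is the HSRP virtual address. All addresses are documentation placeholders: 203.0.113.0/30 and 198.51.100.0/30 stand in for the two ISP /30s, and 192.0.2.1 for a host that is reachable only through ISP A and is used as the probe target.

```cisco
! ---- R1: primary router, connected to ISP A (all addresses constructed) ----
! Probe a host beyond the local WAN link, so a dead upstream (not only a dead port) triggers failover
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
interface FastEthernet0/0
 description WAN /30 towards ISP A
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description shared inside segment; the ASA outside interface uses 192.168.100.1 as its gateway
 ip address 192.168.100.2 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.100.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
! Default route is withdrawn when the probe fails; the host route pins the probe to ISP A
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 192.0.2.1 255.255.255.255 203.0.113.1
!
! PAT the inside segment behind ISP A's address
ip access-list standard NAT-INSIDE
 permit 192.168.100.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload

! ---- R2: backup router, connected to ISP B; same inside segment, lower HSRP priority ----
interface FastEthernet0/0
 description WAN /30 towards ISP B
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.100.3 255.255.255.0
 ip nat inside
 standby 1 ip 192.168.100.1
 standby 1 priority 100
 standby 1 preempt
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
ip access-list standard NAT-INSIDE
 permit 192.168.100.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
```

When the probe on R1 fails, track 1 goes down, R1's priority drops from 110 to 90, and R2 (priority 100) preempts and takes the virtual address; the ASA keeps the same gateway and nothing on it changes. If R1 itself dies, R2 takes over simply because the HSRP hellos stop. Two things to verify after configuring: `show track 1` and `show standby brief` on both routers should show the state you expect, and the probe target must really be unreachable via ISP B, otherwise the host route on R1 is what keeps the probe honest. Existing NAT translations are not shared between the routers, so established sessions drop and reconnect through the backup ISP on failover.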

jvalin__s Wed, 09/16/2009 - 05:02

Paolo, I understood the whole idea of yours, but why are you suggesting me to use HSRP?

If ISP 1 gives 200.200.200.0/28

and ISP 2 gives me 100.100.100.0/28

then I can utilize only one network out of these two for the HSRP? Am I right?



paolo bevilacqua Wed, 09/16/2009 - 12:58

Yes, as mentioned before, with HSRP and NAT on the router it is difficult to balance, so you will have just a primary and a backup.


For some sort of balancing use one router only and the first link referenced.

jvalin__s Wed, 09/16/2009 - 21:53

Hi Paolo,

You have cleared all my doubts; one last doubt I am still having, though.

If I mention the 2 default routes on the ASAs, one with the default metric and one with a higher metric,

and if I configure SLA on the firewall and track the first ISP/router, will it work?

paolo bevilacqua Thu, 09/17/2009 - 00:58

To have the ASA decide on primary/backup links, simply follow the indications in the ASA document linked above.
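The ASA-only arrangement Jvalin asks about (two default routes with different metrics, the primary one tracked by an SLA probe), written out as an added example in 8.2-era ASA syntax. This is not configuration from the thread or from the linked Cisco document; it assumes each ISP's /28 sits on its own ASA interface with that ISP's router at .1 and the ASA at .2. All addresses are constructed placeholders: 203.0.113.0/28 for ISP A, 198.51.100.0/28 for ISP B, 192.168.10.0/24 for the inside network, and 192.0.2.1 for a host that is reachable only through ISP A.

```cisco
! ---- ASA 5510, two ISP-facing interfaces (all addresses constructed) ----
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
!
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.240
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! ICMP probe of a host beyond ISP A's router; three misses in a row take the track down
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! Host route keeps the probe on ISP A even after the primary default route has been withdrawn
route outside 192.0.2.1 255.255.255.255 203.0.113.1 1
! Primary default route (metric 1) disappears when track 1 fails; the backup (metric 254) then wins
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! PAT behind whichever ISP interface currently carries the default route; both need a global entry
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 192.168.10.0 255.255.255.0
!
! Same inbound policy on both ISP-facing interfaces, so a failover never loosens what is exposed
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
access-list BACKUP-IN extended deny ip any any log
access-group BACKUP-IN in interface backup
```

While the probe succeeds, `show route` lists only the outside default route; when it fails, the backup default route is installed and outbound traffic is translated to the backup interface's address instead. `show track 1` and `show sla monitor operational-state` show the probe result and the reachability state. Translations are tied to the interface, so connections that were open through ISP A are dropped on failover and re-established through ISP B, and (as Jon and Paolo noted above) inbound static NAT for hosted servers does not survive the switch because the public address changes.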
