Confused Design!

Hello

Please examine the attached diagram,

1) Let's say I have this address space from ISP-1 [209.165.200.0/29], while I have [63.218.200.0/29] from ISP-2; so how can I allocate these address spaces according to the diagram, taking into account the GLBP configuration and this scenario, to obtain high redundancy?

2) Regarding the ASAs, which address of these Internet routers should the static route point to (what virtual address should I point to in my route statement on each ASA?), or should I have 2 route statements, one towards each ISP?

3) On the outside switch, do I have to configure SVIs for the related VLANs?

Thanks for your precious time

Giuseppe Larosa Mon, 11/30/2009 - 11:13
Hello Alsayed,

If the ASA pair is the only client on the outside switch connected to the border routers, you have no benefit from using GLBP in comparison to HSRP.

You may want to use two HSRP groups, one active on border router1 and one active on border router2.

On the ASA you can have two default static routes using the two HSRP VIP addresses as next-hops.


I suppose border router1 is connected to ISP1 and border router2 is connected to ISP2.

Also, I suppose you don't have your own public address space, and that the two routers have to perform NAT, each using the public address pool provided by its directly connected ISP.

In this scenario you can have fault tolerance, but load balancing is more difficult to achieve, especially for servers that should be visible on the Internet.


There is a white paper about multihoming with NAT and BGP that should apply to your scenario.


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091c8a.shtml


Edit:

The outside switches act only as L2 switches; they just need a management IP address, which can be a private IP address.



Hope to help

Giuseppe

Jon Marshall Wed, 12/30/2009 - 05:06
Giuseppe


Apologies for resurrecting an old thread, but I was hoping you could clarify something for me.


In the white paper about multihoming they give a number of examples. I can see quite clearly how these would work with traffic initiated from the Enterprise. However, where it is unclear to me is the case where there is traffic to your Enterprise, for example to servers in your DMZ that are using public addressing.


Using the "auto route injection" example, let's say you have 2 blocks of addressing, BLK1 from ISP1 and BLK2 from ISP2. You want to present a web server to the Internet using an address from BLK1. This obviously needs to be added to the DNS records. Now, in the example used, if the link to ISP1 fails then you begin to advertise out BLK1 via ISP2. But this is where it is unclear to me. BLK1 will only be a subset of ISP1's IP address allocation, and it is unlikely that ISP2 will accept that advertisement from the enterprise.


So how does it work? Does this whitepaper assume that there is an agreement in place with both ISPs to allow advertisement of subsets of each other's IP block for this enterprise?


The alternative would be to manage your own DNS and update the records for the web server to NAT to an IP address from BLK2, but you would still have caching issues with the DNS records on Internet DNS servers. I know that you can look to use GSS to dynamically change DNS records, but there is no mention of that in this paper.


The real solution to this is obviously to have your own provider independent public addressing, but again this is not what the whitepaper is referring to.


Any insights would be much appreciated.


Jon

Giuseppe Larosa Thu, 12/31/2009 - 14:43
Hello Jon,


>> Does this whitepaper assume that there is an agreement in place with both ISPs to allow advertisement of subsets of each other's IP block for this enterprise?


I agree on this; this level of cooperation between the multihomed enterprise and the ISPs is needed, or this auto-route injection would be defeated.


I cannot follow you on the DNS for my lack of knowledge on the features you mention.


There is a Cisco GSS configuration guide.


http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/configuration/guide/Intro.html


I will read up on it, as I should reread the whitepaper, especially for the DNS aspects.


I can say that standard public DNS propagation is quite slow, and at work we are sometimes challenged with a DNS change; we can only try to "push" the update to the direct DNS peers, with limited influence on the overall convergence time, which is still on the scale of several to many hours.


>> The real solution to this is obviously to have your own provider independent public addressing, but again this is not what the whitepaper is referring to.


Yes, but the most missing resource was the public AS number before the introduction of 4-byte AS numbers. This kind of document tries to illustrate what can be done without a public AS number.

We can guess that as 4-byte AS numbers become more common, getting a public AS number from RIPE and the other RIRs will become easier.


Hope to help

Giuseppe

Jon Marshall Mon, 11/30/2009 - 11:24

Ali


Are the ASAs running in active/standby or active/active mode?

Where are you proposing to do the NAT?

The connections from the border routers to the switches and then to the ASAs: are these going to be out of the public address space allocated from each ISP, or private addressing?


There are a number of issues you are going to face. As Giuseppe has noted, presenting servers to the outside world is problematic because you need to use one or the other's IP addresses. But there are other problems as well.


The ASAs only have one outside interface so your switches will need to route between the ASAs and the border routers if you want each border router to have redundant connections to each switch.


How are you proposing to use both Internet links? Is one meant to be a backup, or are they both to be used? If both, then how will you distribute traffic between the 2 border routers?


You can run HSRP between the 2 border routers, but if you are routing between the switches and the border routers you will have to use static routes pointing to the VIP of the HSRP group.


The key thing to sort out, though, is where you are going to do the NATting and which ISP's address space you are proposing to use.


Edit - ideally, with this sort of design you would have provider independent addressing, so you could advertise the same address space to both ISPs. This would simplify your setup quite a lot.


Jon

Giuseppe Larosa Tue, 12/01/2009 - 08:15
Hello Alsayed,

As Jon has explained, the most important design choice is where to perform NAT.

Once this choice is made, all the rest of the design follows.

In the link I've provided, NAT should be performed on the border routers.



Hope to help

Giuseppe

Giuseppe Larosa Sat, 12/12/2009 - 09:16
Hello Alsayed,

The NAT configuration is reported here:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091c8a.shtml#wp30159


You just need to implement one NAT pool on router1 and one NAT pool on router2.

This should be a good starting point.


On the internal LAN you can implement HSRP so that router1 is used when available (primary router).



Hope to help

Giuseppe
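
A constructed configuration, added here and not taken from the thread or the white paper, that puts the two pieces of advice above together: two HSRP groups on the border routers (each router active for one group and tracking its own ISP uplink), each router NATting into the ISP pool from the original question, and two default routes on the ASA pointing at the two VIPs. The private transit VLAN 10.0.0.0/24, the internal range 192.168.0.0/16, the interface names and the ISP-side router addresses are assumptions.

```cisco
! --- Border router 1 (connected to ISP-1, NAT pool 209.165.200.0/29) ---
interface GigabitEthernet0/0
 description Uplink to ISP-1 (ISP-1 router assumed at 209.165.200.1)
 ip address 209.165.200.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Outside VLAN shared with the ASA pair (assumed transit 10.0.0.0/24)
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.0.254
 standby 1 priority 110
 standby 1 preempt
 standby 1 track GigabitEthernet0/0 20
 standby 2 ip 10.0.0.253
 standby 2 preempt
!
ip access-list standard INSIDE-NETS
 permit 192.168.0.0 0.0.255.255
ip nat pool ISP1-POOL 209.165.200.3 209.165.200.6 netmask 255.255.255.248
ip nat inside source list INSIDE-NETS pool ISP1-POOL overload
ip route 0.0.0.0 0.0.0.0 209.165.200.1
ip route 192.168.0.0 255.255.0.0 10.0.0.1
!
! --- Border router 2 (connected to ISP-2, NAT pool 63.218.200.0/29): mirror image ---
interface GigabitEthernet0/0
 ip address 63.218.200.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.0.0.3 255.255.255.0
 ip nat inside
 standby 1 ip 10.0.0.254
 standby 1 preempt
 standby 2 ip 10.0.0.253
 standby 2 priority 110
 standby 2 preempt
 standby 2 track GigabitEthernet0/0 20
!
ip access-list standard INSIDE-NETS
 permit 192.168.0.0 0.0.255.255
ip nat pool ISP2-POOL 63.218.200.3 63.218.200.6 netmask 255.255.255.248
ip nat inside source list INSIDE-NETS pool ISP2-POOL overload
ip route 0.0.0.0 0.0.0.0 63.218.200.1
ip route 192.168.0.0 255.255.0.0 10.0.0.1
!
! --- ASA (outside interface assumed at 10.0.0.1): one default route per HSRP VIP ---
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
route outside 0.0.0.0 0.0.0.0 10.0.0.253 1
```

Because the VIPs stay up when an uplink fails, the ASA never sees a next-hop go away; failover relies entirely on the HSRP tracking moving the group to the other router, whose NAT pool then carries new sessions while existing translations are lost.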

Rick Morris Mon, 12/14/2009 - 13:19
Forgive me for coming in late, but this is a multi-homed design, if I am reading this correctly. The issue may be with running BGP and having a smaller block than the required /24: this block will not be propagated as such and will be summarized to the peers, then aggregated in the ISP.


Would it make sense in this scenario to get an AS and IP space, then run BGP, which will simplify the design routing-wise and allow for traffic shaping and sharing?

Marwan ALshawi Thu, 12/31/2009 - 17:26
Dear Alsayed


I think you have discussed this with me and Jon in another discussion about NATting and the use of HSRP, with NATting config examples as well:

https://supportforums.cisco.com/message/2011552#2011552


And here Giuseppe and Jon are confirming to you that HSRP will be better for your topology.

The only thing you may need to discuss with your ISPs is the public IP addresses, to avoid the issues mentioned above by Giuseppe and Jon.

Thank you
