Confused Design!

alsayed
Level 1

Hello

Please examine the attached diagram.

1) Let's say I have this address space from ISP-1 [209.165.200.0/29] while I have [63.218.200.0/29] from ISP-2; so how can I allocate these address spaces according to the diagram, taking into account the GLBP configuration and this scenario, to obtain high redundancy?

2) Regarding the ASAs, which address of these internet routers should the static route point to (what virtual address should I point to in my route statement on each ASA?), or should I have 2 route statements towards each ISP?

3) On the outside switch, do I have to configure SVIs for the related VLANs?

Thanks for your precious time

14 Replies

Giuseppe Larosa
Hall of Fame

Hello Alsayed,

If the ASA pair is the only client on the outside switch connected to the border routers, you have no benefit from using GLBP in comparison to HSRP.

You may want to use two HSRP groups, one active on border router1 and one active on border router2.

On the ASA you can have two default static routes using the two HSRP VIP addresses as next hops.

I suppose border router1 is connected to ISP1 and border router2 is connected to ISP2.

Also I suppose you don't have your own public address space and that the two routers have to perform NAT, each using the public address pool provided by the directly connected ISP.

In this scenario you can have fault tolerance, but load balancing is more difficult to achieve, especially for servers that should be visible on the internet.

There is a white paper about multihoming with NAT and BGP that should apply to your scenario.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091c8a.shtml

Edit:

The outside switches act only as L2 switches; they just need a management IP address, which can be a private IP address.

Hope to help

Giuseppe

Giuseppe

Apologies for resurrecting an old thread, but I was hoping you could clarify something for me.

In the white paper about multihoming they give a number of examples. I can see quite clearly how these would work with traffic initiated from the Enterprise. However, where it is unclear to me is the case where there is traffic to your Enterprise, to servers in your DMZ for example, that are using public addressing.

Using the "auto route injection" example, let's say you have 2 blocks of addressing, BLK1 from ISP1 and BLK2 from ISP2. You want to present a web server to the Internet using an address from BLK1. This obviously needs to be added to the DNS records. Now in the example used, if the link to ISP1 fails then you begin to advertise out BLK1 via ISP2. But this is where it is unclear to me. BLK1 will only be a subset of ISP1's IP address allocation, and it is unlikely that ISP2 will accept that advertisement from the enterprise.

So how does it work? Does this whitepaper assume that there is an agreement in place with both ISPs to allow advertisement of subsets of each other's IP block for this enterprise?

The alternative would be to manage your own DNS and update the records for the web server to NAT to an IP address from BLK2, but you would still have caching issues with the DNS records on internet DNS servers. I know that you can look to use GSS to dynamically change DNS records, but there is no mention of that in this paper.

The real solution to this is obviously to have your own provider independent public addressing, but again this is not what the whitepaper is referring to.

Any insights would be much appreciated.

Jon

Hello Jon,

>> Does this whitepaper assume that there is an agreement in place with both ISPs to allow advertisement of subsets of each other's IP block for this enterprise?

I do agree on this: this level of cooperation between the multihomed enterprise and the ISPs is needed, or this auto-route injection would be defeated.

I cannot follow you on the DNS for my lack of knowledge of the features you mention.

There is a Cisco GSS configuration guide.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/gss4400series/v1.2/configuration/guide/Intro.html

I will read on it, as I should reread the whitepaper, especially for the DNS aspects.

I can say that standard public DNS propagation is quite slow, and at work we are sometimes challenged by a DNS change, but we can only try to "push" the update to the direct DNS peers, with limited influence on the overall convergence time, which is still on the scale of several to many hours.

>> The real solution to this is obviously to have your own provider independent public addressing, but again this is not what the whitepaper is referring to.

Yes, but the most missing resource was the public AS number before the introduction of 4-byte AS numbers. This kind of document tries to illustrate what can be done without a public AS number.

We can guess that as 4-byte AS numbers become more common, getting a public AS number will become easier from RIPE and the other RIRs.

Hope to help

Giuseppe

Jon Marshall
Hall of Fame

alsayed@litani.gov.lb

>> Hello
>>
>> Please examine the attached diagram.
>>
>> 1) Let's say I have this address space from ISP-1 [209.165.200.0/29] while I have [63.218.200.0/29] from ISP-2; so how can I allocate these address spaces according to the diagram, taking into account the GLBP configuration and this scenario, to obtain high redundancy?
>>
>> 2) Regarding the ASAs, which address of these internet routers should the static route point to (what virtual address should I point to in my route statement on each ASA?), or should I have 2 route statements towards each ISP?
>>
>> 3) On the outside switch, do I have to configure SVIs for the related VLANs?
>>
>> Thanks for your precious time

Ali

Are the ASAs running in active/standby or active/active mode?

Where are you proposing to do the NAT?

The connections from the border routers to the switches and then to the ASAs: are these going to be out of the public address space allocated from each ISP, or private addressing?

There are a number of issues you are going to face. As Giuseppe has noted, presenting servers to the outside world is problematic because you need to use one or the other IP addresses. But there are other problems as well.

The ASAs only have one outside interface, so your switches will need to route between the ASAs and the border routers if you want each border router to have redundant connections to each switch.

How are you proposing to use both Internet links? Is one meant to be a backup, or are they both to be used? If both, then how will you distribute traffic between the 2 border routers?

You can run HSRP between the 2 border routers, but if you are routing between the switches and the border routers you will have to use static routes pointing to the VIP of the HSRP group.

The key thing to sort out, though, is where are you going to do the NATting and which ISP's address space are you proposing to use?

Edit - ideally with this sort of design you would have provider independent addressing so you could advertise the same address space to both ISPs. This would simplify your setup quite a lot.

Jon

Guys

Thanks for all your replies!

How would you apply the design, from your point of view?

Thanks

Hello Alsayed,

As Jon has explained, the most important design choice is where to perform NAT.

Once this choice is made, all the rest of the design follows.

In the link I've provided, NAT should be performed on the border routers.

Hope to help

Giuseppe

Hello guys!

Okay, we perform NAT on the border routers, so how would the config be?

Please list a simple one also for 1 border router with a redundant link to each outside switch.

Thanks

Guys

Please follow up here for more technical advice.

Thanks

Hello Alsayed,

The NAT configuration is reported here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091c8a.shtml#wp30159

You just need to implement one NAT pool on router1 and one NAT pool on router2.

This should be a good starting point.

On the internal LAN you can implement HSRP so that router1 is used when available (primary router).

Hope to help

Giuseppe
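As an added configuration example (not from the thread, its participants, or the linked white paper), here is how the two suggestions Giuseppe makes above could be expressed in Cisco IOS and ASA syntax: two HSRP groups on the border-router VLAN, each active on a different router and tracking its own ISP uplink; one NAT pool per router built from the block its directly connected ISP assigned; and two default static routes on the ASA whose next hops are the two HSRP VIPs. The two /29 blocks are the ones from the original question. Everything else is assumed for illustration: the interface names, the ISP gateway at .1 and the router at .2 in each /29, the .3-.6 addresses as the NAT pool, the 192.0.2.0/24 transit VLAN between routers and ASA, the ASA outside address 192.0.2.10, and 10.0.0.0/8 as the inside range.

```text
! ===== Border Router 1 (ISP-1 side; ISP gateway assumed to be 209.165.200.1) =====
! Object 10 follows the ISP-1 uplink. When it goes down, the priority of the HSRP
! group this router normally owns is decremented and Router 2 preempts the VIP.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Uplink to ISP-1 (209.165.200.0/29 from the question; .2 is assumed)
 ip address 209.165.200.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Transit VLAN toward outside switch / ASA (192.0.2.0/24 is assumed)
 ip address 192.0.2.2 255.255.255.0
 ip nat inside
 standby version 2
 ! Group 1: Router 1 preferred (110 > 90); loses 30 if the ISP-1 uplink fails
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 30
 ! Group 2: Router 2 preferred; Router 1 only stands by
 standby 2 ip 192.0.2.254
 standby 2 priority 90
 standby 2 preempt
!
! One PAT pool per router from the block its own ISP assigned (.3-.6 assumed).
! The ACL matches whatever source the router sees from the ASA side: 10.0.0.0/8
! if the ASA passes inside addresses through, 192.0.2.0/24 if it translates to
! its own outside address first.
ip nat pool ISP1-POOL 209.165.200.3 209.165.200.6 netmask 255.255.255.248
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.255.255.255
 permit 192.0.2.0 0.0.0.255
ip nat inside source list NAT-INSIDE pool ISP1-POOL overload
!
! Default toward ISP-1; return route for the inside networks via the ASA outside IP
ip route 0.0.0.0 0.0.0.0 209.165.200.1
ip route 10.0.0.0 255.0.0.0 192.0.2.10

! ===== Border Router 2 (ISP-2 side; ISP gateway assumed to be 63.218.200.1) =====
! Mirror image: priorities swapped, tracking applied to group 2, its own pool.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description Uplink to ISP-2 (63.218.200.0/29 from the question; .2 is assumed)
 ip address 63.218.200.2 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 description Transit VLAN toward outside switch / ASA
 ip address 192.0.2.3 255.255.255.0
 ip nat inside
 standby version 2
 standby 1 ip 192.0.2.1
 standby 1 priority 90
 standby 1 preempt
 standby 2 ip 192.0.2.254
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 10 decrement 30
!
ip nat pool ISP2-POOL 63.218.200.3 63.218.200.6 netmask 255.255.255.248
ip access-list standard NAT-INSIDE
 permit 10.0.0.0 0.255.255.255
 permit 192.0.2.0 0.0.0.255
ip nat inside source list NAT-INSIDE pool ISP2-POOL overload
!
ip route 0.0.0.0 0.0.0.0 63.218.200.1
ip route 10.0.0.0 255.0.0.0 192.0.2.10

! ===== ASA (outside interface in the transit VLAN, assumed address 192.0.2.10) =====
! Two equal-cost default routes, one per HSRP VIP. A VIP is always answered by
! whichever border router currently holds it, so neither route ever points at
! a dead next hop; failover is handled entirely by HSRP, not by the ASA.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route outside 0.0.0.0 0.0.0.0 192.0.2.254 1
```

Two things to keep in mind when checking this design. First, a flow that left through Router 1 was translated to an ISP-1 address and its return traffic arrives at Router 1 via ISP-1, so the per-flow split the ASA performs is safe; but when HSRP moves a VIP after a failure, the translations held on the failed router are lost and the public address changes, so existing sessions through that router are reset rather than preserved. That is the fault tolerance without seamless load balancing Giuseppe describes. Second, verify the tracking with `show track` and `show standby brief` after shutting the uplink in a maintenance window: the failing router's group should drop from 110 to 80 and the peer should show as Active for that group.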

Hello friend

Please take into account that I have 2 ASAs in my network and a web server behind the ASA... so the NAT is on the router, not on the ASA? Moreover, please revise my diagram: must the ASAs be active/active for better load balancing, or active/standby?

Thanks

Hi

So here there is no load balancing for the ISP links; I mean we just have a best path, i.e. a primary route?

Thanks

Forgive me for coming in late, but this is a multi-homed design, if I am reading this correctly. The issue may be with running BGP and having a smaller block than the required /24: this block will not be propagated as such and will be summarized to the peers, then aggregated in the ISP.

Would it make sense in this scenario to get an AS and IP space, then run BGP, which will simplify the design routing-wise and allow for traffic shaping and sharing?

Dear Alsayed

I think you have discussed this with me and Jon in another discussion about NATting and the use of HSRP, with NATting config examples as well:

https://supportforums.cisco.com/message/2011552#2011552

And here Giuseppe and Jon are confirming to you that HSRP will be better for your topology.

The only thing you may need to discuss with your ISPs is the public IP addresses, to avoid the issues mentioned above by Giuseppe and Jon.

Thank you

Hello Marwan!

Here is another scenario, because I peer to the ISP using BGP.

Thanks
