address space allocations


Hello

Is it possible to add a redundant link on each router along with HSRP to achieve load sharing? If so, how would the IP address allocation be for the interfaces mentioned on the diagrams? Also bear in mind that a default route points from each ASA to the ISP border router.

N.B. Marwan and Jon have been suggesting the NAT on the router because of the different address blocks from different ISPs.

Thanks

Marwan ALshawi Tue, 01/05/2010 - 01:35

From the routers' perspective this is possible by using a different HSRP group on each inside interface with a VIP address

but I think the problem is that the ASA will not do load balancing by using two equal cost routes !!!

not sure but almost this is the case

let's see if someone can confirm it

good luck

sachinraja Tue, 01/05/2010 - 14:43

Hello Sayed

Is there any reason to have dual links from the firewall to the routers? I haven't seen this kind of setup much... The issue is, as Marwan pointed out, having dual layer 3 links from the firewall, and having default routes accordingly.. that's a big challenge.. If they are in the same network we can add 3 default routes, but what will the physical connectivity look like? We should then introduce some layer 2 switch in between the firewall and router, which can complicate things... Do you want to use the WAN link on router A, even when firewall 1 fails? We should be using more functions of the router to do this, as firewalls have very limited functionality on layer 3 as compared to a router..

if you are looking for load balancing, we need to have a different solution..

Let us know... Hope this helps.. all the best

Raj

Jon Marshall Tue, 01/05/2010 - 15:04

Ali

Raj is spot on with this. You don't normally have dual outside connections from the ASA to separate routers. In fact it won't use multiple default-routes if they point out of different interfaces.

If you want to use both links at the same time then you could conceivably run a dynamic routing protocol between the ASAs and the routers so that each ASA sees 2 routes to each destination. Trouble with this is that the standby ASA does not get the routing updates until the primary fails so there is a delay in failover.

With 2 active links you also need to take care of asymmetric routing ie. traffic out one interface and in another which will be dropped by the ASA.

As Raj says the load-balancing functionality should be done by the routers but this is still problematic because once one of the routers has received the traffic from the ASA it will see the best route as out to the internet unless you start manipulating the metrics. And to start manipulating traffic flows like this often requires BGP which you are not running with your ISP.

You could look at running active/active contexts on the ASA firewalls so in effect you have a context per ISP but this could get quite complex and the ISP links are not equal speed so if you wanted to take that into account it gets even more complex.

What exactly do you want to do in terms of both ISPs ?

Jon

Hello Jon and Ran

1) No, I mean a redundant link from each router inside interface to the outside switch, while for the ASA sure, just 1 link from each to the outside switch

2) Can we have it as a scenario so that we have the same speed from both ISPs and a default route to both ISPs, so how could it be now?

3) How could the deployment scenario be at the ASA for a context per ISP? Do you have a deployment scenario similar to my question?

4) Does GLBP now come into play? Or just HSRP as you advise me?

Any advice now?

Thanks, really appreciated

N.B. I build my experience using Netpro (thanks Netpro)

Marwan ALshawi Wed, 01/06/2010 - 02:08

I think multiple contexts will complicate the topology as you do not have any separation, just one flat network

GLBP will make problems for the VPN traffic you have, because it will make asymmetrical routing

As I remember you now have HSRP in the outside network configured on the inside interfaces of the routers

If you are looking to add an additional interface in each router in the inside network, that means you will need to add an additional HSRP group

This will be useful only in the case where the router one (active) inside interface fails; in this way you will be able to use the other inside interface, which resides in the other HSRP group

In the ASA you will have two static default routes, each one pointing to one of the HSRP groups' VIPs

not sure if this is what you were looking for !!

good luck

if helpful Rate

Marwan ALshawi Wed, 01/06/2010 - 17:20

Let's say each router has two inside interfaces

router 1 active for group 1 and standby for group 2

10.1.1.1

20.1.1.1

router 2 active for group 2

10.1.1.2

20.1.1.2

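router 1:

! inside interface 1: active router for HSRP group 1 (priority 110 beats the default 100)
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 no shutdown
 duplex auto
 speed auto
 standby 1 ip 10.1.1.100
 standby 1 priority 110
 standby 1 preempt
 ! tracked object 20 (its definition is not shown here)
 standby 1 track 20
!
! inside interface 2: standby router for HSRP group 2 (default priority)
interface FastEthernet1/1
 ip address 20.1.1.1 255.255.255.0
 no shutdown
 duplex auto
 speed auto
 standby 2 ip 20.1.1.100
 standby 2 preempt

router 2:

! inside interface 1: standby router for HSRP group 1 (default priority)
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 no shutdown
 duplex auto
 speed auto
 standby 1 ip 10.1.1.100
 standby 1 preempt
!
! inside interface 2: active router for HSRP group 2
interface FastEthernet1/1
 ip address 20.1.1.2 255.255.255.0
 no shutdown
 duplex auto
 speed auto
 standby 2 ip 20.1.1.100
 standby 2 priority 110
 standby 2 preempt
 ! tracked object 20 (its definition is not shown here)
 standby 2 track 20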

In the ASA you will need to have two default routes to outside, one pointing to 10.1.1.100 and the other pointing to 20.1.1.100 (IPs here are for the example only)

good luck
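
A consistency check for a two-group HSRP pair of the kind described in the post above, as an added example that is not part of the thread: it parses both routers' configurations and reports duplicate interface addresses, VIPs outside the interface subnet, VIP mismatches between routers, and groups that would all go active on one router. The function names and the sample configuration are constructed for illustration; the sample deliberately reuses 20.1.1.1 on both routers.

```python
import ipaddress, re
from collections import defaultdict

def parse(cfg):
    """IOS text -> {ifname: {"ip": IPv4Interface, "groups": {gid: {"ip"/"priority": str}}}}."""
    out, cur = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = out.setdefault(m[1], {"ip": None, "groups": {}})
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif cur and (m := re.match(r"standby (\d+) (ip|priority) (\S+)", line)):
            cur["groups"].setdefault(int(m[1]), {})[m[2]] = m[3]
    return {k: v for k, v in out.items() if v["ip"] is not None}

def audit(routers):
    """routers: {name: config}. Returns (findings, {group: router with highest priority})."""
    findings, owners, members = [], {}, defaultdict(list)
    for name, cfg in routers.items():
        for ifname, d in parse(cfg).items():
            here, addr = f"{name} {ifname}", d["ip"].ip
            if addr in owners:
                findings.append(f"duplicate address {addr}: {owners[addr]} and {here}")
            owners.setdefault(addr, here)
            for gid, g in d["groups"].items():
                vip = ipaddress.ip_address(g["ip"]) if "ip" in g else None
                if vip is not None and vip not in d["ip"].network:
                    findings.append(f"{here} group {gid}: VIP {vip} outside {d['ip'].network}")
                # 100 is the HSRP default priority when none is configured
                members[gid].append((int(g.get("priority", 100)), name, vip))
    for gid, m in members.items():
        if len({vip for _, _, vip in m}) > 1:
            findings.append(f"group {gid}: routers disagree on the VIP")
    # Priority ties (broken by interface address on real routers) are not modelled.
    active = {gid: max(m, key=lambda t: t[0])[1] for gid, m in members.items()}
    if len(active) > 1 and len(set(active.values())) == 1:
        findings.append("every group is active on one router: no load sharing")
    return findings, active

# Constructed sample using the thread's example addressing (not a capture from a device).
TEMPLATE = """interface FastEthernet1/0
 ip address 10.1.1.{a} 255.255.255.0
 standby 1 ip 10.1.1.100
 standby 1 priority {p1}
interface FastEthernet1/1
 ip address 20.1.1.{b} 255.255.255.0
 standby 2 ip 20.1.1.100
 standby 2 priority {p2}"""
SAMPLE = {"R1": TEMPLATE.format(a=1, b=1, p1=110, p2=100),
          "R2": TEMPLATE.format(a=2, b=1, p1=100, p2=110)}  # b=1 twice: the duplicate
```

Calling `audit(SAMPLE)` returns the findings list together with the router expected to be active for each group, so the same call confirms that group 1 and group 2 land on different routers.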
