address space allocations

Unanswered Question

Hello

Is it possible to add a redundant link on each router along with HSRP to achieve load sharing? If so, how would the IP address allocation be added to the interfaces mentioned on the diagrams? Also bear in mind that a default route points from each ASA to the ISP border router.


N.B.: Marwan and Jon have been suggesting NAT on the router because of the different address blocks from the different ISPs.


Thanks

Marwan ALshawi Tue, 01/05/2010 - 01:35

From the routers' perspective this is possible by using a different HSRP group on each inside interface with a VIP address,

but I think the problem is that the ASA will not do load balancing by using two equal-cost routes !!!


Not sure, but almost certainly this is the case.


Let's see if someone can confirm it.


good luck

Marwan ALshawi Tue, 01/05/2010 - 02:16

have a look at the following discussion:


https://supportforums.cisco.com/message/1014567#1014567



That means if you use one interface on the ASA and two inside interfaces on each router, you may be able to do what you are looking for.

I haven't tried it with an ASA practically!

thank you

sachinraja Tue, 01/05/2010 - 14:43

Hello Sayed


Is there any reason to have dual links from the firewall to the routers? I haven't seen this kind of setup much... The issue is, as Marwan pointed out, having dual layer 3 links from the firewall and having default routes accordingly... that's a big challenge. If they are in the same network we can add 3 default routes, but what will the physical connectivity look like? We should then introduce some layer 2 switch in between the firewall and router, which can complicate things... Do you want to use the WAN link on router A even when firewall 1 fails? We should be using more functions of the router to do this, as firewalls have very limited functionality at layer 3 compared to a router.


If you are looking for load balancing, we need to have a different solution.


Let us know... Hope this helps.. all the best


Raj

Jon Marshall Tue, 01/05/2010 - 15:04

Ali


Raj is spot on with this. You don't normally have dual outside connections from the ASA to separate routers. In fact it won't use multiple default-routes if they point out of different interfaces.


If you want to use both links at the same time then you could conceivably run a dynamic routing protocol between the ASAs and the routers so that each ASA sees 2 routes to each destination. Trouble with this is that the standby ASA does not get the routing updates until the primary fails so there is a delay in failover.


With 2 active links you also need to take care of asymmetric routing, i.e. traffic out one interface and in another, which will be dropped by the ASA.


As Raj says the load-balancing functionality should be done by the routers but this is still problematic because once one of the routers has received the traffic from the ASA it will see the best route as out to the internet unless you start manipulating the metrics. And to start manipulating traffic flows like this often requires BGP which you are not running with your ISP.


You could look at running active/active contexts on the ASA firewalls so in effect you have a context per ISP but this could get quite complex and the ISP links are not equal speed so if you wanted to take that into account it gets even more complex.


What exactly do you want to do in terms of both ISPs ?


Jon

Hello Jon and Ran


1) No, I mean a redundant link from each router inside interface to the outside switch, while for the ASA, sure, just 1 link from each to the outside switch.

2) Can we have it as a scenario where we have the same speed from both ISPs and a default route to both ISPs? How could it be now?

3) How could the deployment scenario be at the ASA for a context per ISP? Do you have a deployment scenario similar to my question?

4) Does GLBP now come into play, or just HSRP as you advised me?

Any advice now?


Thanks, and I really appreciate it.


N.B.: I built my experience using NetPro (thanks, NetPro).

Marwan ALshawi Wed, 01/06/2010 - 02:08

I think multiple contexts will complicate the topology, as you do not have any separation, just one flat network.


GLBP will cause problems for the VPN traffic you have, because it will create asymmetrical routing.


As I remember, you now have HSRP in the outside network configured on the inside interfaces of the routers.


If you are looking to add an additional interface on each router in the inside network, that means you will need to add an additional HSRP group.


This will be useful only in the case where the router one (active) inside interface fails; in this way you will be able to use the other inside interface, which resides in the other HSRP group.


On the ASA you will have two static default routes, each one pointing to one of the HSRP group VIPs.


Not sure if this is what you were looking for !!


good luck

if helpful Rate

Marwan ALshawi Wed, 01/06/2010 - 17:20

Let's say each router has two inside interfaces.


router 1 active for group 1 and standby for group 2

10.1.1.1

20.1.1.1


router 2 active for group 2

10.1.1.2

20.1.1.2


router 1:

interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
shutdown
duplex auto
speed auto
standby 1 ip 10.1.1.100
standby 1 priority 110
standby 1 preempt
standby 1 track 20
!
interface FastEthernet1/1
ip address 20.1.1.1 255.255.255.0
shutdown
duplex auto
speed auto
standby 2 ip 20.1.1.100
standby 2 preempt


router 2:

interface FastEthernet1/0
ip address 10.1.1.2 255.255.255.0
shutdown
duplex auto
speed auto
standby 1 ip 10.1.1.100
standby 1 preempt
!
interface FastEthernet1/1
ip address 20.1.1.2 255.255.255.0
shutdown
duplex auto
speed auto
standby 2 ip 20.1.1.100
standby 2 priority 110
standby 2 preempt
standby 2 track 20


On the ASA you will need to have two default routes to the outside, one pointing to 10.1.1.100 and the other pointing to 20.1.1.100 (IPs here are for the example only).


good luck
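
A consistency check for the two-group HSRP layout described in the post above, as an added example that is not part of the original thread. The function names (`parse`, `check`, `sample`) and the sample configs are constructed for illustration; the check assumes `preempt` is set and ignores `standby track`.

```python
import ipaddress
import re
from collections import defaultdict

def parse(config):
    """Map interface name -> {"ip": IPv4Interface, "groups": {id: {"vip", "prio"}}}."""
    ifaces, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"ip": None, "groups": {}})
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cur["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif cur and (m := re.match(r"standby (\d+) (ip|priority) (\S+)", line)):
            grp = cur["groups"].setdefault(int(m.group(1)), {"vip": None, "prio": 100})
            if m.group(2) == "ip":
                grp["vip"] = ipaddress.ip_address(m.group(3))
            else:
                grp["prio"] = int(m.group(3))
    return ifaces

def check(routers):
    """Return (findings, {group: expected active router}) for {name: config text}."""
    findings, owners, groups = [], defaultdict(list), defaultdict(list)
    for name, cfg in routers.items():
        for ifname, i in parse(cfg).items():
            if i["ip"] is None:
                continue
            owners[i["ip"].ip].append(f"{name} {ifname}")
            for gid, g in i["groups"].items():
                groups[gid].append((g["prio"], i["ip"].ip, name, g["vip"]))
                if g["vip"] is None or g["vip"] not in i["ip"].network:
                    findings.append(f"{name} {ifname}: VIP {g['vip']} not in {i['ip'].network}")
    for ip, who in owners.items():
        if len(who) > 1:
            findings.append(f"duplicate address {ip}: {', '.join(who)}")
    active = {}
    for gid, members in groups.items():
        if len({m[3] for m in members}) > 1:
            findings.append(f"group {gid}: routers disagree on the VIP")
        active[gid] = max(members, key=lambda m: m[:2])[2]  # priority, then highest IP
    return findings, active

def sample(ip1, p1, ip2, p2):  # constructed config, addressing borrowed from the post
    return (f"interface FastEthernet1/0\n ip address {ip1} 255.255.255.0\n"
            f" standby 1 ip 10.1.1.100\n standby 1 priority {p1}\n standby 1 preempt\n"
            f"!\ninterface FastEthernet1/1\n ip address {ip2} 255.255.255.0\n"
            f" standby 2 ip 20.1.1.100\n standby 2 priority {p2}\n standby 2 preempt\n")
GOOD = {"router1": sample("10.1.1.1", 110, "20.1.1.1", 100),
        "router2": sample("10.1.1.2", 100, "20.1.1.2", 110)}
CLASH = {**GOOD, "router2": sample("10.1.1.2", 100, "20.1.1.1", 110)}  # 20.1.1.1 reused
```

`check(GOOD)` reports no findings and shows each router active for one group; `check(CLASH)` flags the address that appears on both routers.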
