
address space allocations

alsayed
Level 1

Hello

Is it possible to add a redundant link on each router along with HSRP to achieve load sharing? If so, how would the IP address allocation be for the interfaces mentioned on the diagrams? Also bear in mind that a default route points from each ASA to the ISP border router.

N.B. Marwan and Jon have been suggesting NAT on the router because of the different address blocks from different ISPs.

Thanks

11 Replies

Marwan ALshawi
VIP Alumni

From the routers' perspective this is possible by using a different HSRP group on each inside interface, with a VIP address.

But I think the problem is that the ASA will not do load balancing by using two equal-cost routes!

Not sure, but almost this is the case.

Let's see if someone can confirm it.

good luck

hello marwan

Thanks, and if you find anything, please get back.

Thanks

have a look at the following discussion:

https://supportforums.cisco.com/message/1014567#1014567

That means if you use one interface in the ASA and two inside interfaces in each router, you may be able to do what you are looking for.

I haven't tried it with the ASA practically!

thank you

Hello marwan

Could you please configure it for me as you did before in that thread, according to the attached diagrams, in order to apply it to my scenario?

thanks and appreciate

Hello Sayed

Is there any reason to have dual links from the firewall to the routers? I haven't seen this kind of setup much. The issue is, as Marwan pointed out, having dual layer 3 links from the firewall, and having default routes accordingly. That's a big challenge. If they are in the same network we can add 3 default routes, but what will the physical connectivity look like? We would then have to introduce a layer 2 switch in between the firewall and router, which can complicate things. Do you want to use the WAN link on router A even when firewall 1 fails? We should be using more functions of the router to do this, as firewalls have very limited functionality at layer 3 compared to a router.

If you are looking for load balancing, we need to have a different solution.

Let us know... Hope this helps.. all the best

Raj

Ali

Raj is spot on with this. You don't normally have dual outside connections from the ASA to separate routers. In fact it won't use multiple default-routes if they point out of different interfaces.

If you want to use both links at the same time then you could conceivably run a dynamic routing protocol between the ASAs and the routers so that each ASA sees 2 routes to each destination. Trouble with this is that the standby ASA does not get the routing updates until the primary fails so there is a delay in failover.

With 2 active links you also need to take care of asymmetric routing ie. traffic out one interface and in another which will be dropped by the ASA.

As Raj says the load-balancing functionality should be done by the routers but this is still problematic because once one of the routers has received the traffic from the ASA it will see the best route as out to the internet unless you start manipulating the metrics. And to start manipulating traffic flows like this often requires BGP which you are not running with your ISP.

You could look at running active/active contexts on the ASA firewalls so in effect you have a context per ISP but this could get quite complex and the ISP links are not equal speed so if you wanted to take that into account it gets even more complex.

What exactly do you want to do in terms of both ISPs ?

Jon

Hello Jon and Raj

1) No, I mean a redundant link from each router inside interface to the outside switch, while for the ASA just 1 link from each to the outside switch.

2) Can we have it as a scenario so that we have the same speed from both ISPs and a default route to both ISPs? How could it be now?

3) How could the deployment scenario be on the ASA for a context per ISP? Do you have a deployment scenario similar to my question?

4) Does GLBP now come into play, or just HSRP as you advised me?

Any advice now?

Thanks, and I really appreciate it

N.B. I built my experience using Netpro (thanks, Netpro)

I think multiple contexts will complicate the topology, as you do not have any separation, just one flat network.

GLBP will cause problems for the VPN traffic you have, because it will create asymmetrical routing.

As I remember, you now have HSRP in the outside network configured on the inside interfaces of the routers.

If you are looking to add an additional interface in each router in the inside network, that means you will need to add an additional HSRP group.

This will be useful only in the case that router one's (active) inside interface fails; in this way you will be able to use the other inside interface, which resides in the other HSRP group.

In the ASA you will have two static default routes, each one pointing to one of the HSRP groups' VIPs.

Not sure if this is what you were looking for!

good luck

if helpful Rate

Hello marwan

Yes, this is what I am looking for. Please post a config according to the diagram.

thanks

Let's say each router has two inside interfaces.

Router 1, active for group 1 and standby for group 2:

10.1.1.1

20.1.1.1

Router 2, active for group 2:

10.1.1.2

20.1.1.2

router 1:

! interfaces are shut down as posted; "no shutdown" brings them up
! track object 20 is referenced below but not defined in this post
interface FastEthernet1/0
 ip address 10.1.1.1 255.255.255.0
 shutdown
 duplex auto
 speed auto
 standby 1 ip 10.1.1.100
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 20
!
interface FastEthernet1/1
 ip address 20.1.1.1 255.255.255.0
 shutdown
 duplex auto
 speed auto
 standby 2 ip 20.1.1.100
 standby 2 preempt

router 2:

! interfaces are shut down as posted; "no shutdown" brings them up
! track object 20 is referenced below but not defined in this post
interface FastEthernet1/0
 ip address 10.1.1.2 255.255.255.0
 shutdown
 duplex auto
 speed auto
 standby 1 ip 10.1.1.100
 standby 1 preempt
!
interface FastEthernet1/1
 ip address 20.1.1.2 255.255.255.0
 shutdown
 duplex auto
 speed auto
 standby 2 ip 20.1.1.100
 standby 2 priority 110
 standby 2 preempt
 standby 2 track 20

In the ASA you will need to have two default routes to the outside, one pointing to 10.1.1.100 and the other pointing to 20.1.1.100 (IPs here are for the example only).

good luck
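A small audit for the two-group HSRP layout described in the post above, added here as an example; it is not code from the thread or from Cisco. It runs over constructed sample configs modelled on the post, one of which reuses an interface address, and reports duplicate addresses, VIPs outside the interface subnet, and which router each group prefers; the `audit` function and the sample text are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample configs modelled on the post; R2 reuses 20.1.1.1 on purpose.
R1 = """interface FastEthernet1/0
ip address 10.1.1.1 255.255.255.0
standby 1 ip 10.1.1.100
standby 1 priority 110
interface FastEthernet1/1
ip address 20.1.1.1 255.255.255.0
standby 2 ip 20.1.1.100"""
R2 = """interface FastEthernet1/0
ip address 10.1.1.2 255.255.255.0
standby 1 ip 10.1.1.100
interface FastEthernet1/1
ip address 20.1.1.1 255.255.255.0
standby 2 ip 20.1.1.100
standby 2 priority 110"""

def audit(configs):
    """Audit {router_name: config_text}; return (findings, preferred active per group)."""
    findings, seen = [], {}
    groups = defaultdict(dict)                      # HSRP group -> {router: priority}
    for router, text in configs.items():
        addr = None
        for w in (line.split() for line in text.splitlines()):
            if w[:1] == ["interface"]:
                addr = None
            elif w[:2] == ["ip", "address"] and len(w) >= 4:
                addr = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
                if addr.ip in seen:
                    findings.append(f"duplicate address {addr.ip}: {seen[addr.ip]} and {router}")
                seen.setdefault(addr.ip, router)
            elif w[:1] == ["standby"] and len(w) >= 4:
                groups[w[1]].setdefault(router, 100)   # 100 is the HSRP default priority
                if w[2] == "ip" and addr is not None and ipaddress.ip_address(w[3]) not in addr.network:
                    findings.append(f"{router} group {w[1]}: VIP {w[3]} outside {addr.network}")
                elif w[2] == "priority":
                    groups[w[1]][router] = int(w[3])
    active = {}
    for group, prio in sorted(groups.items()):
        winners = [r for r, p in prio.items() if p == max(prio.values())]
        # On a tie HSRP elects by interface address; flag it instead of guessing.
        active[group] = winners[0] if len(winners) == 1 else None
        if len(winners) > 1:
            findings.append(f"group {group}: priority tie between {', '.join(winners)}")
    if len(set(active.values())) < 2:
        findings.append("every group prefers the same router: no load sharing")
    return findings, active
```

Calling `audit({"router1": R1, "router2": R2})` returns the findings list and a map of group number to preferred active router.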

Thanks a lot Marwan, I do appreciate your support
