Want to add some redundancy, need help

Unanswered Question
Apr 11th, 2010

Hi,

Our current scenario is that we have a Router-A (Cisco 2821) connected to two ISPs in a multihoming configuration through BGP, so that if one ISP goes down the other takes over. We are receiving just a default route from our ISPs, and the PIX 515E has a default static route for the Internet pointing to Router-A. Below is a picture of our current scenario.

Current Scenario.png

Currently we are planning to add some redundancy to our network, and in the first stage we want to have another router, Router-B, parallel to Router-A as shown below.

Required Scenario.png

My questions are:

1. If I configure two static routes in the PIX 515E so that Router-A is my preferred route to the Internet, but ISP-1 goes down, how will the PIX come to know that it should forward the traffic to Router-B?

2. Should I configure a dynamic routing protocol like OSPF between the PIX, Router-A and Router-B in such a way that Router-A is my preferred router to the Internet? In this case, if ISP-1 goes down, how will OSPF come to know that ISP-1 is down and that it should now change its default route from Router-A to Router-B?

Regards,

Faisal Shahid

Jon Marshall Sun, 04/11/2010 - 19:26

Faisal

Configure OSPF between your pix and the routers.

Then use the "default-information originate" command on the routers so that OSPF advertises the default-routes it learnt from BGP. When you use the "default-information originate" command you can also specify the metric and metric type. The default metric type when using the command is E2 but you can set the preferred ISP route to be E1. OSPF will prefer E1 over E2 routes so the pix will use the E1 route.

If the BGP default-route is lost, i.e. the link to the preferred ISP goes down, then OSPF will stop advertising that default-route and the other default-route from the other router will be used until the original link comes back up.

Note, do not use the "always" keyword when configuring the "default-information originate" command or the above scenario will not work.


Jon
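The configuration Jon describes, as an added example (not from Jon's post or the original poster): Router-A originates the default as E1 and Router-B as E2, neither with "always", so each default disappears from OSPF as soon as the BGP-learned 0.0.0.0/0 leaves that router's routing table. The addressing (10.0.0.0/24 inside LAN, PIX 10.0.0.1, Router-A 10.0.0.2, Router-B 10.0.0.3), process ID, interface names and the MD5 key are assumed placeholders.

```text
! ---- Router-A (preferred exit, ISP-1) ---- assumed addressing, see lead-in
router ospf 1
 ! only speak OSPF on the inside LAN, never towards the ISP
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.255 area 0
 area 0 authentication message-digest
 ! E1 default; without "always" it is advertised only while a
 ! 0.0.0.0/0 (learned from ISP-1 via eBGP) is present in the RIB
 default-information originate metric 10 metric-type 1
!
interface GigabitEthernet0/1
 description Inside LAN towards PIX
 ip address 10.0.0.2 255.255.255.0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
! ---- Router-B (backup exit, ISP-2) ----
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.0.0.255 area 0
 area 0 authentication message-digest
 ! E2 default (the default metric type); OSPF prefers E1 over E2,
 ! so the PIX uses Router-B only while Router-A's E1 default is gone
 default-information originate metric 10 metric-type 2
!
interface GigabitEthernet0/1
 description Inside LAN towards PIX
 ip address 10.0.0.3 255.255.255.0
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
!
! ---- PIX 515E (7.x) ---- learns both defaults, installs the E1 one
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 area 0 authentication message-digest
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 EXAMPLE-KEY
```

On the PIX, "show route" should list a single 0.0.0.0/0 via 10.0.0.2 while ISP-1 is up and via 10.0.0.3 after Router-A withdraws its default.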

Faisal Shahid Sun, 04/11/2010 - 23:05

Thanks to both of you, Jon & Victor.

I am thinking of one more scenario and would like guidance on it as well. If we change our scenario as shown in the picture below:

1. In this case, if we configure Router-B in some passive state, so that if Router-A goes down Router-B takes over all the traffic, is there any active/active or active/standby setup we can configure?

2. Is there any risk involved in placing the Ethernet from the ISPs on an L2 switch rather than a router?

3. Of course, in this case we will not need OSPF, as Router-A & B will learn their primary/secondary default routes through BGP?

lamav Mon, 04/12/2010 - 06:05

Hi, Faisal:

"1. In this case, if we configure Router-B in some passive state, so that if Router-A goes down Router-B takes over all the traffic, is there any active/active or active/standby setup we can configure?"

The HSRP solution is Active/standby in the outbound direction. One router forwards traffic while the other is in standby mode. It is active/active in the inbound direction for traffic returning from the Internet.

The OSPF solution can be either active/standby or active/active in the outbound direction, depending on what the PIX sees as the lowest cost OSPF route to the Internet edge. It will also be act/act in the inbound direction for traffic returning from the Internet.

"2. Is there any risk involved in placing the Ethernet from the ISPs on an L2 switch rather than a router?"

I'm not sure what function this L2 switch on the Internet edge is supposed to serve. Routers A and B already have L2 adjacency to support HSRP from the southbound switch. If you want to create a L3 path between routers so that if, say, router A's ISP connection fails it can use router B's -- and vice versa -- the original L2 switch is sufficient. EDIT-- Or you can just run a direct connection between both routers, of course.--EDIT You can create an iBGP connection between the two routers, so now each router will receive a default route from the eBGP ISP connection as well as the other router's ISP connection by using iBGP.

"3. Of course, in this case we will not need OSPF, as Router-A & B will learn their primary/secondary default routes through BGP?"

Jon's suggestion to use OSPF was not for the benefit of the routers, but for the PIX. It will receive OSPF default route advertisements from both Internet edge routers and make a routing decision accordingly.

By the way, you forgot to rate our posts to you before.

HTH

Victor

Faisal Shahid Mon, 04/12/2010 - 08:28

Victor,

I think I couldn't convey my point 1 correctly; let me explain it to you further.

We are connected to ISP-1 physically through an optical fiber link and to ISP-2 through DSL.

Both ISPs have assigned a /30 address for our router interface.

The purpose of using an L2 switch on the outer side of our routers is to split the single optical fiber and single DSL (Ethernet) link into two physical links (please see the last diagram), so that each split branch can be connected to a separate router, i.e. one to Router-A and the other to Router-B.

The question that I want to ask is: is there any way that I can assign the same IP address on the Router-A interface connected to branch-1 of the optical fiber and the Router-B interface connected to branch-2 of the optical fiber, keeping Router-B in standby state, so that if Router-A goes down Router-B takes over with the same IP and our ISPs do not need to change the address space and neighbor entries in their BGP configuration? Or can we configure HSRP on our routers' outside interfaces? Will BGP work with a virtual router (HSRP)? Is it possible that the virtual IP address space can be different from the physical IP address space?

Or is the only way for both of my ISPs to assign us a /29 address and to configure two neighbors in the BGP configuration?

English is not our native language; I hope that I got my point conveyed to you people.

BR,

Faisal Shahid

lamav Sun, 04/11/2010 - 19:28

Jon, I don't like your solution! OK!?

In fact, I'm not too crazy about you either, damn it.

Jon Marshall Sun, 04/11/2010 - 19:50

lamav wrote:

Jon, I don't like your solution! OK!?

In fact, I'm not too crazy about you either, **** it.

Victor

Fair enough

The only issue with your solution is if the connections to the ISP are Ethernet. If they are and the ISP end goes down, the router won't know because its interface will stay up, so the HSRP track will not work. That's why I suggested using OSPF, because it will only advertise a default-route internally if it sees a default-route in the routing table, and if the BGP neighborship fails because of a link loss OSPF will stop advertising the route.

You could use HSRP and IP SLA as another possible alternative if you wanted.

Edit - actually, if memory serves me right, you can track a route on the pix itself with v7.2(1) software or later, so if you didn't want to use a dynamic routing protocol between your pix and the routers you could do this instead.

There is always more than one way to get a solution.

Jon
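The PIX-side alternative from Jon's edit, as an added example (not from Jon's post): the primary static default via Router-A is tied to a track object fed by an SLA echo probe, and a higher-metric floating default via Router-B takes over while the probe fails. PIX software 7.2(1) or later is assumed; the addresses (Router-A 10.0.0.2, Router-B 10.0.0.3, ISP-1 peer 203.0.113.1) are constructed placeholders.

```text
! PIX 515E, 7.2(1)+ (assumed). Probe the ISP-1 peer address through Router-A.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 is "up" while the echo probe gets replies
track 1 rtr 1 reachability
!
! Pin the probe target to Router-A so the probe is not silently
! re-routed via Router-B once the primary default is withdrawn
route outside 203.0.113.1 255.255.255.255 10.0.0.2 1
!
! Primary default via Router-A: removed from the table while track 1 is down
route outside 0.0.0.0 0.0.0.0 10.0.0.2 1 track 1
!
! Floating backup default via Router-B: installed only when the primary is gone
route outside 0.0.0.0 0.0.0.0 10.0.0.3 254
```

"show track 1" and "show route" on the PIX show the probe state and which default is currently installed.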

lamav Sun, 04/11/2010 - 20:01

Yup...You are quite correct. I was actually thinking SLA but typed tracking. Something got lost between my brain and my hands...could be the brain itself. lol

Jon Marshall Sun, 04/11/2010 - 20:06

lamav wrote:

Yup...You are quite correct. I was actually thinking SLA but typed tracking. Something got lost between my brain and my hands...could be the brain itself. lol

Kind of guessed that was what you meant, just thought I'd be a bit difficult.

Like you say there is always more than one way to do it and some people don't like running a dynamic routing protocol on the outside of their firewalls even with md5 authentication.

Either of them would work; I just thought of the OSPF one because the OP was talking about it.

Jon

lamav Sun, 04/11/2010 - 20:10

I totally agree that there is usually more than one viable solution. That is precisely why I said in my first post that what I was offering was "one possible solution." I thought of the dynamic routing solution -- in fact, I just finished implementing the exact same scenario described here at my last client. I used OSPF and the default-information originate command to generate a default route...yadda...yadda...yadda...etc etc. It's just that the static route solution is what came to mind first.

I will say that I sometimes like a static solution if there is nothing gained from using a dynamic one. I like the inherently deterministic nature of static routes...

By the way, rated your post...

Victor

Jon Marshall Sun, 04/11/2010 - 20:14

I like the inherently deterministic nature of static routes...

Will you please stop using words I have to look up in a dictionary....

Just so I don't feel left out, I rated yours as well.

lamav Sun, 04/11/2010 - 19:26

Hi, I'm assuming that the switch is a layer 2 switch and that the outside interface of the PIX is on the same subnet as the LAN interface of the routers.

If so, one possible solution is to run HSRP between both routers' LAN interfaces and point the PIX's default route to the HSRP VIP.

Then you can set the priority on router A to make it the primary HSRP router and, by leveraging the tracking feature, you can have it decrement to a quantity lower than router B's HSRP priority in the event that router A's WAN interface to the ISP fails. Decrementing router A's priority will make router B the HSRP primary and it will forward traffic to the Internet.

Make sure you enable preemption on both routers.

HTH

Victor
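Victor's HSRP design, as an added example (not from Victor's or Jon's posts): the PIX points its default at the HSRP VIP, Router-A carries the higher priority, and, following Jon's point that an Ethernet handoff stays "up" when the ISP side fails, the priority is decremented by an IP SLA echo probe towards the ISP-1 peer rather than by interface line-protocol tracking. The LAN 10.0.0.0/24, VIP 10.0.0.254, interface names, ISP-1 peer 203.0.113.1 and the MD5 key are assumed placeholders.

```text
! ---- Router-A (HSRP primary) ---- assumed addressing, see lead-in
! Echo probe to the ISP-1 peer, sourced from the WAN interface, so an
! upstream failure is detected even while the Ethernet link stays up
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object follows the probe (older IOS spells this "track 1 rtr 1 reachability")
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/1
 description Inside LAN towards PIX
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.254
 ! 110 - 20 = 90 < Router-B's 100, so Router-B becomes active when the probe fails
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string EXAMPLE-KEY
 standby 1 track 1 decrement 20
!
! ---- Router-B (HSRP standby) ----
interface GigabitEthernet0/1
 description Inside LAN towards PIX
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.254
 standby 1 priority 100
 ! preempt on both routers: Router-A takes the VIP back once its probe recovers
 standby 1 preempt
 standby 1 authentication md5 key-string EXAMPLE-KEY
!
! ---- PIX 515E ---- one static default, towards the VIP
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
```

"show standby brief" on either router shows which one currently holds the VIP and the live priority after any decrement.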
