Two ISP on Same Router

Answered Question
Aug 31st, 2010

Hi2All,


To have more flexibility and availability we planned to get another Internet Link from a different ISP.

My question is: can I terminate two ISPs on the same Internet router and make it act as failover for all services on the primary link?


On the primary Internet link we run the following services:

  • End-user Internet Browsing
  • SMTP Gateway Relay ( Email Relay Server )
  • OWA hosting ( MS Exchange Web Mail )
  • Corporate Website
  • End-user VPN



  ISP
   ||
  Internet-Router
   ||
  Cisco ASA-Firewall
   ||
  Layer3Switch
   ||
  User-Switch



I would appreciate kind input with some config input.



Cheers

Anthony


Correct Answer
Giuseppe Larosa Tue, 08/31/2010 - 12:12

Hello Anthony,

Before attempting to provide a config template, there is an important aspect to be clarified:


Are you the owner of a public IP address block, or are you using public IP addresses given by ISP1?


Each ISP has its own IP address blocks and ISP2, generally speaking, is not allowed to advertise a prefix that belongs to ISP1.


If this is the case, network address translation is part of the solution.


See the following whitepaper for multihoming with NAT:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a0080091c8a.shtml


If you have your own public IP address block and your own BGP AS number, you qualify for a BGP multihoming solution;


see:


http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml



Hope to help

Giuseppe

anthony.dyne Tue, 08/31/2010 - 12:25

Hi2All,


Correctly said. Each ISP has its own block of IP addresses, i.e. a /29. Both ISPs won't advertise the block with each other.

I didn't get how I can configure both ISPs on the same router. Can you help with a working config?


Cheers

Anthony

Richard Burts Tue, 08/31/2010 - 12:16

Anthony


There is much that we do not yet know about your network which would determine how feasible it is to add another ISP and to terminate it on the same router. My first instinct is to say that yes, you can terminate a second ISP connection on the same router. But then I realize that we do not know what kind of connection the second provider offers, we do not know whether your router has a spare interface of the right type, and we do not know whether your router could take an additional interface card or not. So we cannot yet give you a good answer about whether it could be terminated on the same router.


You specify several services (and it is good that you are thinking this way and identifying what your requirements really are). Only one of them has an easy answer:

- end user Internet browsing is the easy answer. If you get a connection from a second provider then it should be possible to configure and use the second connection as a backup/failover to the primary connection. You probably have a static default route to the original provider. You could configure a floating static default route to the backup provider and your end user Internet browsing would fail over and it should work.

- SMTP gateway. We do not know where that is or how you get to it (is it in your address space, in your provider's address space, or in the address space of some third party), and that makes it difficult to say whether it would work through the second provider.

- OWA hosting is also not a clear or obvious answer based on what we know currently. I assume that this is hosted on an address in your current address space. But is your current address space one that belongs to your first provider, or is it provider-independent address space? Since most customer address space is provider dependent, it gets a bit tricky figuring out how you make an address that belongs to the first provider available through the second provider.

- Corporate web site has much the same issue as OWA hosting. What is the address that is used, and how do you make an address from the first provider available through the second provider? One option to consider is some kind of DNS solution that would resolve the name to the first provider in normal times and would resolve the name to the second provider when there is a problem. But then you have to figure out how to trigger the change, and you have the delay factor while cached name-to-address resolution needs to time out.

- End user VPN has some similar issues. Your existing user VPN probably uses a VPN device whose address is in address space belonging to the first provider. So how do you make it available through the second provider? You may have a good alternative here. It may be possible to configure the user VPN with 2 profiles, in which one profile would be primary and point to an address from provider 1 and the other profile might be backup and point to an address from provider 2.


Getting a second Internet provider frequently turns out to be more complex than people realize. These questions are one example of this principle. So perhaps if you can provide some information that fills in some of what we do not know we might be able to provide better answers.


HTH


Rick
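As an added example (not config from the thread or from the Cisco whitepapers linked above), here is the primary/backup default-route arrangement Rick describes, with a reachability track so the backup route also takes over when the ISP1 link stays up but the provider stops forwarding. Addresses are RFC 5737 documentation ranges standing in for the ISP1 /29 and ISP2 /28; the interface names, the point-to-point ISP1 hand-off and the IOS 12.4T-style `ip sla` / `track ... ip sla` syntax are assumptions about the 2821.

```cisco
! Added example, not config from the thread. Addresses are RFC 5737
! documentation ranges; interface names, the ISP1 /30 hand-off and the
! IOS 12.4T "ip sla" syntax are assumptions about Anthony's 2821.
!
interface GigabitEthernet0/0
 description ISP1 primary hand-off (assumed /30)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description ISP2 backup hand-off, Ethernet (/28 from ISP2)
 ip address 198.51.100.2 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1/0
 description Link to ASA outside; the ISP1 /29 lives here
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
!
! Probe ISP1's next hop. A plain floating static only takes over when the
! interface goes down; with the track object it also takes over when the
! link is up but ISP1 stops answering.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! The primary default route is installed only while track 1 is up; the
! floating static (AD 250) via ISP2 is used whenever it is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Outbound browsing only: when traffic leaves via ISP2, hide the
! ISP1-owned source addresses behind the ISP2 interface, because ISP2
! will not carry (and may filter) packets sourced from ISP1's block.
! Inbound services (SMTP, OWA, web, VPN) stay on ISP1 addresses and are
! exactly the hard part Rick describes; this fragment does not solve them.
access-list 10 permit 203.0.113.0 0.0.0.7
route-map TO-ISP2 permit 10
 match ip address 10
 match interface GigabitEthernet0/1
ip nat inside source route-map TO-ISP2 interface GigabitEthernet0/1 overload
```

Verify the failover with `show track 1`, `show ip route 0.0.0.0` and `show ip nat translations` while the ISP1 next hop is unreachable; no translations should appear while ISP1 is healthy, since that path carries the ISP1 addresses untranslated.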

anthony.dyne Tue, 08/31/2010 - 12:45

Hi2All,

Rick please check this input.


  • Block of public IPs is from the ISP
  • Internet router 2821 with an additional FastEthernet port
  • ISP2 will provide Internet over Ethernet with a public IP block /28
  • ISP1 Internet bandwidth 7MB
  • ISP2 Internet bandwidth will be 5MB
  • From the ISP1 public IP block we use addresses for SMTP relay, website hosting, Internet browsing and OWA hosting.
  • We use the ISP1 DNS server to resolve DNS queries; the local DNS server has a static NAT with a public IP to resolve DNS queries and also has the ISP DNS addresses as forwarders. DNS forwarders are configured on the local DNS server. Static NAT is configured on the ASA firewall.
  • For user VPN we use a public IP from ISP1; user VPN is configured on the ASA firewall, with authentication via Cisco ACS.



Please tell me if I missed anything.


cheers

Anthony

Correct Answer
Richard Burts Tue, 08/31/2010 - 15:33

Anthony


The additional information is helpful. If the second ISP will deliver the connection as Ethernet and if your 2821 has an additional Ethernet interface then the physical aspects should work ok. I would think that a 2821 could handle both links, especially as long as they are handled as primary/backup (not trying to load share and use both at same time). And with a second Internet link you should be able to provide failover for user Internet browsing pretty easily.


That was the easy part. The hard part is the other things. The functions of SMTP relay, website hosting, corporate website, and OWA depend on how people from outside get to you. It is easy when you are dealing with a single ISP because they know how to get to your address space. It gets complicated when you deal with a second ISP. To solve the question of how to get to you via second ISP you either need to advertise one provider address space through the other provider or you need some kind of solution that provides both sets of addresses via DNS (and it gets tricky especially if you want to shift DNS when the primary provider is having problems).


I would suggest that it is helpful to think about why organizations bring in a second connection. The obvious answer is that a single connection is a significant single point of failure and the second connection relieves the single point of failure.


So then it is helpful to think about what the failures might be and how that impacts the choice of the second connection. It seems to me that there are two failure modes that you want to protect against:

A) failure of the primary connection

B) failure of the primary connection or failure of the primary provider

I would suggest that A) is unfortunately common while B) is not common.

This leads me to the suggestion that for most small to medium organizations (and I assume that your organization is small or medium sized) you get more effective redundancy if you get a second Internet connection from the same provider than if your second connection is from a second provider.


HTH


Rick
