Dual ISP, Dual ASA, and BGP Redundant Load Balancing Design

Dual ISP, Dual ASA, and BGP Redundant Load Balancing Design Questions


Looking to have a complete design with hardware and configuration to satisfy the following requirements:

1. Load Balancing between two ISPs (Outbound Traffic, Inbound Traffic???)
2. Redundancy/Failover between both ISPs (BGP, Outbound, Inbound Traffic)
3. Load Balancing/Redundancy between ASA (5520) for DMZ and Internal Interfaces.


What is the best total solution (HSRP, SVI, GLBP, static routes, etc.)?

High End Routers needed for multiple SVI HSRP?


Only parts of this scenario are covered in other documents. Any books or whitepapers that address the entire scenario?


Thanks in Advance.

Jon Marshall Sun, 10/24/2010 - 13:22

Wesley


Few questions -


1) You are running your ASAs in active/active, so you have contexts? Is one context for the DMZ and one for internal?


2) Public addressing: do you have provider-independent addressing or 2 blocks, one from each ISP? Independent is much better, because then if you are presenting DMZ or internal devices with public IPs through one provider and that link fails, it is easy to then advertise through the other. If they are provider specific you can ask each provider whether they would be willing to advertise the other block, but often they are reluctant to do this, so this can cause problems.


3) High-end routers are not necessarily needed for multiple SVI/HSRP, although were you referring to the switches, e.g. SVI? If so, again you don't need high-end switches; you should concentrate more on bandwidth requirements. For the BGP routers it depends on whether you are receiving full routes or not from the ISP.


*** Edit: just noticed you are pushing a default route from the BGP routers to the firewalls. Does this mean you are only receiving a default route from the ISP?


4) I notice you only show one switch between the firewalls and BGP routers. Is this accurate, or are you actually installing 2? If you are running dual firewalls/BGP routers it makes no sense to only have 1 switch, i.e. 1 single point of failure. These switches between the firewalls and BGP routers don't need to be L3.


Edit 2 -


Couple more things -


5) Do you want outbound traffic from either context to go via any ISP link? Assuming you are using PAT on the ASA outside interfaces for outbound traffic? Bear in mind you cannot have 2 default routes on an ASA out the same interface, or at least you couldn't last time I checked.


6) With multiple contexts I don't believe you can run a dynamic routing protocol on the ASA firewalls; I will check if this has been changed. What OS are you running on the ASAs? If so, then you will need to use IP SLA on the ASA firewalls to track the availability of the links.


Jon

John,


Excellent Questions.


I will try to answer and fill in the details.


Just trying to put together a design and equipment at this point.  Setup does not exist, yet.


1. It is my understanding that 2 separate contexts are required in an Active/Active configuration.

   I assume some extra work is required to present the "secondary" context in case the primary fails.


2. Currently have provider-specific addressing. We wish to move to a class C carrier-independent block to have the ability to "fail over" the external-facing IPs when needed, as you mentioned.


3. Thinking of using 2600 series routers. ISP circuits are between 45Mb and 100Mb.


4. I will make the change to the drawing with two switches. It is my preferred setup. As you mentioned, it is a single point of failure.


Edit note: Yes, only receiving a default route from ISP A and B.


5. Yes, if possible. I do understand that some traffic may be forced through (single ISP) a certain way during normal operations. But during a failover situation this traffic should go out the "other" device/router/ISP. Thought you could have 2 static routes on the outbound ASA interface. Does the multiple contexts cause this to not work?

http://www.velocityreviews.com/forums/t562510-asa-with-two-default-routes.html


6. The ASA 5520(s) are brand new. I can/will run the best software for this design.




Thanks for your assistance.

Jon Marshall Mon, 10/25/2010 - 08:06


1) Yes, you do need contexts. I would look to have one context for the DMZ and one for the internal LAN. You can then use a default route per context and configure IP SLA route tracking if they need to fail over to the other ISP.


2) Good, provider-independent addressing will save you a lot of hassle.


3) 2600 routers will not keep up with those link speeds. How much of the 45 to 100Mbps do you realistically think you are going to use?


4)  Agree


5) Sorry, my mistake. You cannot have 2 default routes pointing out different interfaces. Don't know whether multiple contexts affects this; I expect not, but worth checking.


6) OK. As far as I know multiple contexts still don't support running a routing protocol, which would have meant you did not need to run IP SLA.


Just to clarify on multiple contexts in active/active (apologies if I am telling you something you already know): each context is still only active/standby on the firewalls; it's just that you can load-balance contexts, so one is active on ASA1 and standby on ASA2 and the other is active on ASA2 and standby on ASA1, i.e. it's not true active/active per context.


Jon
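The per-context default route with IP SLA tracking that Jon describes in points 1) and 6), written out as an added example (this is not configuration from either poster). It shows one context with two outside interfaces: the primary default route is only installed while an ICMP probe through ISP A succeeds, and a floating backup route via ISP B takes over when it is withdrawn. Interface names, the ASA 8.3+ object NAT syntax, and all addresses (taken from the RFC 5737 documentation ranges) are assumptions for illustration; the probe target is assumed to be a resolver inside ISP A's network. Note the caveat a practitioner will hit: the ASA forwards replies according to its routing table, so a connection that arrives on outside-b from the Internet while the ISP A route is installed will have its return traffic sent out outside-a. Inbound reachability through the second provider therefore only works once the primary route has actually been withdrawn, which is consistent with Jon's point that two default routes out different interfaces cannot be active at once.

```cisco
! Added example (not from the thread): dual-ISP default-route failover on one
! ASA context using IP SLA reachability tracking.
! Interface names, ASA 8.3+ NAT syntax and all addresses are assumptions
! (RFC 5737 documentation ranges).
!
interface GigabitEthernet0/0
 nameif outside-a
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside-b
 security-level 0
 ip address 198.51.100.10 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! Probe a host beyond ISP A's edge (assumed here to be ISP A's resolver),
! not the directly connected gateway: pinging the next hop only detects a
! dead access link, not a provider whose upstream has failed.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside-a
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! The primary default route is present only while track 1 reports reachable.
! The backup route carries administrative distance 254, so it is used only
! when the tracked route has been withdrawn.
route outside-a 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside-b 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! PAT behind whichever outside interface the routing table selects.
! ASA 8.3+ allows one NAT rule per network object, hence one object per ISP.
object network inside-net-via-a
 subnet 10.1.0.0 255.255.255.0
 nat (inside,outside-a) dynamic interface
object network inside-net-via-b
 subnet 10.1.0.0 255.255.255.0
 nat (inside,outside-b) dynamic interface
```

To check the state after pulling the ISP A link, use `show sla monitor operational-state 10` (last probe result), `show track 1` (reachability up/down and the routes it controls) and `show route` (which 0.0.0.0 route is currently installed). The same block is repeated in the second context with its own interfaces and probe target; each context tracks independently, so a DMZ context and an internal context can fail over separately.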
