Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
375
Views
0
Helpful
6
Replies

Dual Internet connection advice

luke.cassar
Level 1
Level 1

‎02-22-2004 05:37 PM - edited ‎03-02-2019 01:46 PM

Hi,

we are setting up a secondary Internet connection in a seperate building with a seperate service provider, etc..

The main connection is through a PIX then into a 1600 series router and out to the frame relay Internet connection.

The secondary connection is via a seperate PIX firewall (non failover) and out to an ADSL Internet modem which connects to another ISP.

Both of these firewalls connect to a core consisting of a stack of 3750 switches. The firewall private IP addresses are on a seperate VLAN to the rest of the network (but the same VLAN as each other). These 3750 switches run EIGRP and are used as the default gateway by devices in the building.

We want the secondary Internet connection to pass traffic only when the primary Internet connection is offline (eg, line fault or ISP problems). It was recommended to us to put a floating static route on the 3750 stack with the IP deafault network set to 0.0.0.0

eg.

default-network 0.0.0.0

ip route 0.0.0.0 0.0.0.0 <PRIMARY ISP ROUTER>

ip route 0.0.0.0 0.0.0.0 <SECONDARY ISP ROUTER> 2

the addresses would be filled with the private IP of the primary and secondary PIX firewall.

Is this the best way to accomplish a non load balancing fault tolerant Internet connection via seperate ISP's?

Cheers

Labels:
0 Helpful
6 Replies 6

umedryk
Level 5
Level 5

‎02-26-2004 12:46 PM

Not sure if this is the best way, but this should work fine....

0 Helpful

tbaranski
Level 4
Level 4

‎02-26-2004 07:21 PM

The problem is that the 3750 has no way of knowing when the primary Internet link fails. So the floating static route will never kick in.

That there's a PIX in between the 3750 and the 1600 makes this somewhat complicated. But one way or another you're going to have to get a routing protocol involved here, because the 1600 needs a way of telling either the PIX or the 3750 when the Internet link is down so that traffic can be send via the ADSL link. One option is to run iBGP between the 1600 and 3750 (through the firewall). The 1600 would be configured to advertise a default route to the 3750, and remove it when the FR link goes down. The 3750 would have a floating static route pointing to the 2nd PIX, which would kick in when the 1600 withdraws the default route via BGP.

Another option is running a routing protocol on a PIX as well, though I don't know offhand with routing protocols the PIX supports. A possible implementation here is to have just the 1600 and PIX run the routing protocol so that the 1600 can tell the PIX when the FR link is down. The PIX could then route all outbound traffic to the 2nd PIX.

As you can see, things can get somewhat complex. The above suggestions may or may not be appropriate for you depending on the details of your network and requirements.

0 Helpful

luke.cassar
Level 1
Level 1

‎02-26-2004 08:58 PM

We tried the floating static routes and as mentioned, they do not work because the 3750 has no way to know the links are down.

An option that was later suggested to us was 'Policy Based Routing with Tracking' which I believe is a new feature in IOS 12.3(something). Implementing another router between the 3750 and the 2 PIX firewalls running this feature would see the new router pinging an Internet IP address (next hop router from the primary connection).

When that hop is up then the connection is considered up. When that is no longer responding, this router would change the route to send traffic via the other PIX on a backup connection.

Does anyone have any experience with this feature?

Thanks for the feedback thusfar :D

0 Helpful

ruwhite
Level 7
Level 7
In response to luke.cassar

‎02-27-2004 05:10 AM

Next hop tracking in Policy Based Routing relies on CDP to track the next hop, and thus doesn't work for multihop situations, such as what you have here....

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e95.html

The best bet is going to be to run BGP through the PIX, just taking in a default route. When the BGP session fails, you can switch over to the backup link.

http://www.cisco.com/en/US/tech/tk365/tk80/technologies_configuration_example09186a008009487d.shtml

:-)

Russ.W

0 Helpful

tbaranski
Level 4
Level 4
In response to luke.cassar

‎02-27-2004 07:56 AM

Ping-based PBR was introducted in 12.3(4)T. The details are here: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e95.html. (Incidentally, ping-based routing functionality is apparently a couple T-train releases a way and will help out a lot in these situations.)

It's a good feature and you could use it to acheive failover, but it involves inserting a new router in front of the 3750 which 1) is itself another point of a failure, and 2) costs money. So I'm in agreement with Russ that BGP is the best option here.

0 Helpful

luke.cassar
Level 1
Level 1
In response to tbaranski

‎02-29-2004 05:38 PM

Looking through the feature navigator I assume the reason a new router is needed is because PBR with multiple tracking is not a feature of 3750 IOS'seses

:(

Thanks a lot for the information, now we have a few options to work with. Much appreciated

Cheers to all :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents