Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
373
Views
0
Helpful
3
Replies

Failover two ISP connection.

l.ruiz
Level 1
Level 1

‎01-20-2007 09:56 AM - edited ‎03-03-2019 03:25 PM

Hello everyone,

Here my current situation.

I currently have 3 ISP providers, 2 of them are our own and the other is provide by our parent company through the WAN link, I also Have two Physical Segments, 10.10.4.x and 10.10.8.x each is assighed its own Internet connection, these two segments are connected via a router 2600(10.10.4.253, 10.10.8.253) currently 10.10.4.x get internet access from FW1 and 10.10.8.x gets internet access from FW2. What I would like to do, or find out if I can set up the router to failover to the opposite FW if one of the FW goes down. say if FW1 goes down 10.10.4.x internet traffic should get routed to FW2 and vice Versa. here is my current config.

ip access-list extended int_routes

deny ip any 10.0.0.0 0.255.255.255

deny ip any 172.16.0.0 0.15.255.255

deny ip any 192.168.0.0 0.0.255.255

permit ip any any

route-map groupa permit 10

match ip address int_routes

set ip address next-hop FW1

route-map groupb permit 10

match ip address int_routes

set ip address next hop FW2

interface gigabitEthernet 0/1

ip policy route-map groupa

interface gigabitEthernet 0/10

ip policy route-map groupb

I tried to add a second next-hop to group a with the ip address of FW2 but it did work. it just time out. let me know if i am missing something from in my config.

Labels:
Preview file
28 KB
0 Helpful
3 Replies 3

mounir.mohamed
Level 7
Level 7

‎01-20-2007 11:19 AM

Dear,

This issue because the outgoing interface facing multi access network (LAN segment)

It's give you timeout because the address still founded on the ARP even if it's incomplete the router will keep trying to find the ARP recored for the failed FW till find it or timeout(4 hours)during this the traffic routed to null, so the traffic never forwarded to the second FW address,

So i guess If you can use tow different HSRP groups on the firewalls and overlap both groups to be like that

(FW1=ACTIVE in group1 and standby in group2, FW2=ACTIVE in group2 and standby in group1)

Then set the next-hop ip to the active FW then standby address in each group (overlap)

So now you can solve the ARP issue as one of the firewalls must replay with the active group MAC address.

Please rate helpful posts

Best Regards,

Mounir Mohamed

0 Helpful

l.ruiz
Level 1
Level 1
In response to mounir.mohamed

‎01-20-2007 11:33 AM

Hi Mounir,

Thanks for your responce, but can you give me an example using the diagram for my environment. Both Physical segments are split by one router. so i dont understand how HSRP would work?? please elaborate.

thanks

0 Helpful

mounir.mohamed
Level 7
Level 7
In response to l.ruiz

‎01-20-2007 11:54 AM

Hi mate,

Sorry for that i understand your design wrong, i was think that your FW is IOS-FW, also i was think that both FWs connected to the same segment via different interfaces, HSRP is ideal solution if your firewalls supporting HSRP and both of them connected to the switch or at least both switches interconnected, if this matrix match your design so let me know and i will provide you with the design.

Please rate helpful posts.

Best Regards,

Mounir Mohamed

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card