I have a problem figuring out how to configure a backup route to the internet. My client has 2 ISPs, and basically they want to use 1 ISP and, in case that ISP fails, use the other one as a backup route to the internet.
The topology looks like the one attached. The problem I'm facing is that each ISP is plugged into a dedicated ASA 5510, so 1 ISP in one firewall and 1 in the other.
Both ASAs are plugged into an internal network in a dedicated VLAN with an L3 switch, and that L3 switch manages the internal network.
My question is: how can I tell my switch to use ASA1 to go out to the internet and, in case ASA 1 OR THE LINK TO THE INTERNET used by ASA 1 fails, use ASA 2? It would be great if I could send traffic to the internet through both connections at the same time. Also, I know the ASA has a High Availability configuration, but that applies only if both licenses on the devices are the same, and I have a mismatch with the SVPN license; also, I don't know if I can use the High Availability model with my current topology, so I think I can't use that option and the solution must be applied in the L3 switch, but I don't know how to tell it to use ASA1 and, if the device or the outside interface plugged into ISP 1 fails, then use ASA2. Besides, I would like to know how to optimize this config to make the switch between internet connections seamless to the users if possible (there are VoIP calls on this floor, so I don't want to drop the calls). Thank you very much in advance.
When setting up the default route, send it to the outbound interface(s):
ip route 0.0.0.0 0.0.0.0 G1/0/1
ip route 0.0.0.0 0.0.0.0 G1/0/2 100
By adding 100 you have added a weight. The lower the weight, the more preferred the connection. By using the outbound interface, this will allow traffic to be routed out an interface that is up. If for any reason G1/0/1 goes down, either because of a bad cable, an admin shut, or any other reason, traffic will then choose the next best interface that is up and active.
One question regarding operation. If "ip route 0.0.0.0 0.0.0.0 G1/0/1" and then "ip route 0.0.0.0 0.0.0.0 G1/0/2 100", that means that I have to wait for a failure on G1/0/1 in order to use G1/0/2, but what if G1/0/1 never fails and what actually fails is the device on the other end of G1/0/1, or perhaps a device beyond that, before reaching the internet? I just want to know how it works. By the way, thank you very much for the answer.
This is one of the simplest ways with no extra work. With this static route, or floating static, the interface needs to go down before the second route is used. You could use a next-hop address instead; for instance, if the ISP assigns a /30 you could use their IP in the static route.
220.127.116.11/30 is assigned
18.104.22.168 is the ISP
22.214.171.124 is your interface
126.96.36.199 is the ISP
188.8.131.52 is your interface
Your static routes would then look like this:
ip route 0.0.0.0 0.0.0.0 184.108.40.206
ip route 0.0.0.0 0.0.0.0 220.127.116.11 100
Or, if you want to do a bit more work and config, you could set up IP SLA.
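A worked IP SLA version of this answer, as an added example that is not part of the original reply: the default route via ASA1 is withdrawn when an ICMP probe through ASA1 stops answering, so the switch fails over even when its port to ASA1 stays up. The VLAN, next-hop and probe addresses are assumed placeholders (ASA1 inside at 192.0.2.1, ASA2 inside at 192.0.2.2, 203.0.113.1 standing in for ISP1's gateway).

```cisco
! Added example, not the original poster's config. Addresses are placeholders
! for an assumed topology: one inside VLAN shared by the switch and both ASAs.
interface Vlan10
 ip address 192.0.2.254 255.255.255.0
!
! Host route pinning the probe target to ASA1 only. Without it the probe would
! follow whichever default route is active, succeed via ASA2 after a failover,
! and make track 1 flap.
ip route 203.0.113.1 255.255.255.255 192.0.2.1
!
! ICMP probe toward a target that is only reachable through ISP1 (the ISP1
! gateway, or a reliable host beyond it). ASA1 must permit and NAT this ICMP
! from 192.0.2.254, otherwise the track is down from the start.
ip sla 1
 icmp-echo 203.0.113.1 source-ip 192.0.2.254
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
! Track object: down after 10 s of missed replies, back up after 30 s of
! replies, so a single lost packet does not trigger a failover.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default via ASA1, installed only while track 1 is up
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
! Floating default via ASA2 (AD 100) takes over when the first is withdrawn
ip route 0.0.0.0 0.0.0.0 192.0.2.2 100
!
! Verification (show commands, not config):
! show ip sla statistics 1
! show track 1
! show ip route 0.0.0.0
```

Note that this moves new flows only: connections already NATed by ASA1, active VoIP calls included, are not carried over to ASA2 and must be re-established after the switch.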