Our organization currently has a Cisco 4507 acting as our core switch and 2 ASA 5520 firewalls.
Our existing ISP runs into our 4507. Here is the port config.
switchport access vlan 10
no cdp enable
We have recently purchased a 5Mbit line with a second ISP and will have the line activated tomorrow.
In addition, we recently obtained our AS number through ARIN.
How would I configure the second ISP to be used for load balancing/failover?
Have a look at this link for config example for configuring your router to interface with 2 different service providers.
The link suggested by Reza (and the other link to which it points) are good. They focus on the aspects of how to configure BGP and especially on how to learn routes from the upstream neighbors. There are a couple of other things that I do not see discussed in the links which I think that you need to consider:
- are you planning to receive full routing table updates or only partial updates? (it partly depends on how much memory is available in your 4507 and I would suggest partial routes or only a default route from one or both of the upstream ISPs).
- will you be advertising any of your address space to the ISPs? If so will you advertise the same prefixes to both ISPs or will you differentiate what you advertise to each one?
- I am guessing that you are doing address translation on traffic being forwarded to the ISP. Doing address translation becomes a bit more complex when you are sending traffic out two different outbound interfaces. So you should prepare for this.
Thank you for the input. Although, after reading through a few links, I believe this might be a bit over my technical expertise. Or maybe the extensive documentation is just intimidating!
So, just to reiterate.
We currently have ISP-A statically routing our IP block to us. It is terminating in our Cisco 4507 and secured through our Cisco ASA 5520.
There are several static NATs in place set up on our ASA for several servers. The rest of the traffic filters through one IP.
We just purchased a new internet line, ISP-B and would like to have our ISP-B set up using BGP in case of ISP-A downtime.
Here is the sh version info for our 4507.
cisco WS-C4507R (MPC8245) processor (revision 5) with 524288K bytes of memory.
Processor board ID FOX072302KJ
MPC8245 CPU at 333Mhz, Supervisor IV
To my understanding, I believe we have a fairly simple and straightforward set up here using only one site and 2 ISPs. But as I mentioned above, my technical expertise with BGP routing is very limited.
The situation where there is one site and 2 ISPs is frequently a situation where it makes sense to use BGP to achieve the dual homing. Conceptually this could be pretty simple - you configure BGP using the AS number that you recently received, you configure both ISPs as BGP neighbors using their AS numbers, and you put a network statement for your address space.
But there are some aspects which will probably make it a bit more complex:
- I am assuming that you want to use ISP-A as primary and ISP-B as a backup/fail over. So you need to configure BGP to prefer ISP-A, which probably would be accomplished by specifying local preference (there are other possibilities but local preference would be my suggestion).
- if ISP-A is currently static routing to you then you will need to work with them to change it to use BGP.
- you have not told us whether you have provider independent address space or whether your address space was provided by ISP-A (which would be the more common situation). If the address space is provided by ISP-A then it gets a bit complicated advertising that address space through ISP-B.
- you have not told us whether ISP-B is providing any additional address space to you. If so then the question comes up whether you should dynamically advertise it to ISP-A.
- you mention that you have some static NATs configured. You would need to figure out what to do with them in the case of a failover to ISP-B (can they stay the same or should they change?).
- you will need to figure how to manage the dynamic address translation when the traffic switches from ISP-A to ISP-B.
Right now, we have a class C public range which is statically routed to us by ISP-A. The block is currently registered under ARIN and we are in the midst of transferring the block to our new ASN (our company took over services provided by another company that is no longer running).
All the static NATs would need to continue working during a failover to ISP-B as they were with ISP-A.
192.168.1.1 (external address) --> 10.1.1.1 (internal address)
192.168.1.2 (external address) --> 10.1.1.2 (internal address)
We have already initiated the BGP Setup process with both our ISPs.
I just want to know what will need to be configured on our Cisco 4507, along with the appropriate port configuration where ISP-B is connecting into.
Another question I had is how do I set up the second ISP on our core 4507R? They are both plugging directly into the 4507R (Gi5/1 is the existing, Gi7/2 is the new ISP but isn't plugged in yet).
In your original post you gave the configuration details of the ISP connection. But then it was in Gig7/1. If it is now in Gig5/1 did things in the configuration change? If so it would help to know how ISP 1 is currently connected.
In general I would suggest that ISP 2 should be connected similar to the way that ISP 1 is. If ISP 1 still connects to a switch access port in VLAN 10 then I would suggest that ISP 2 should connect to a switch access port in some VLAN other than 10. So the VLAN would have a VLAN interface and the address to use with ISP 2 would be on the VLAN interface for the new VLAN.
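The pieces the two answers above describe (BGP under the new AS, both ISPs as neighbors, a network statement for the /24, local preference to keep ISP-A primary, default-route-only from the upstreams because of the Sup IV's memory, and a separate VLAN with its own SVI for the ISP-B hand-off) combined into one IOS configuration. This is an added example, not configuration posted in the thread or supplied by Cisco or either ISP. Every address and AS number is an assumed placeholder from the RFC 5737 and RFC 5398 documentation ranges: our AS 64496, ISP-A AS 64497 on VLAN 10, ISP-B AS 64498 on VLAN 20, and 192.0.2.0/24 standing in for the company's class C. It also assumes a design the thread does not spell out: the 4507 becomes the Layer 3 hop in front of the ASA pair, with the ASA outside interfaces moved into their own VLAN whose subnet is the /24 itself, so that the network statement has a matching connected route and the ASA's static NAT addresses keep working unchanged on either ISP. The AS-path prepend toward ISP-B to steer inbound traffic is this example's choice, not something the thread specifies, and like any prepend it is a hint that the remote networks may ignore.

```cisco
! ===== Added example: dual-homed BGP on the 4507, ISP-A primary, ISP-B backup =====
! Assumed values (not from the thread): our AS 64496, ISP-A AS 64497, ISP-B AS 64498,
! our block 192.0.2.0/24, ISP link subnets 198.51.100.0/30 and 203.0.113.0/30.
!
! --- ISP-B gets its own VLAN and SVI, mirroring how ISP-A sits in VLAN 10 ---
vlan 20
 name ISP-B-Transit
!
interface GigabitEthernet7/2
 description ISP-B hand-off
 switchport mode access
 switchport access vlan 20
 no cdp enable
!
interface Vlan10
 description ISP-A transit (existing VLAN, now with an SVI for the BGP session)
 ip address 198.51.100.2 255.255.255.252
!
interface Vlan20
 description ISP-B transit
 ip address 203.0.113.2 255.255.255.252
!
! --- Assumed: ASA outside interfaces live here; the ASA uses 192.0.2.1 as its gateway ---
! Static NAT addresses on the ASA stay inside this subnet, so failover does not change them.
interface Vlan30
 description Firewall outside
 ip address 192.0.2.1 255.255.255.0
!
! --- Outbound filter: originate only our own /24, never leak anything else ---
ip prefix-list OUR-SPACE seq 5 permit 192.0.2.0/24
!
! --- Inbound filter: accept only a default route; a full table will not fit a Sup IV ---
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Higher local preference wins, so outbound traffic follows ISP-A while its default is up.
! Each route-map ends with an implicit deny, which is what drops everything else.
route-map FROM-ISP-A permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
route-map FROM-ISP-B permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
route-map TO-ISP-A permit 10
 match ip address prefix-list OUR-SPACE
!
! Prepending our AS toward ISP-B makes that path look longer from the outside,
! so inbound traffic prefers ISP-A (example's own choice; remote networks may override it).
route-map TO-ISP-B permit 10
 match ip address prefix-list OUR-SPACE
 set as-path prepend 64496 64496
!
router bgp 64496
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP-A (primary)
 neighbor 198.51.100.1 route-map FROM-ISP-A in
 neighbor 198.51.100.1 route-map TO-ISP-A out
 neighbor 203.0.113.1 remote-as 64498
 neighbor 203.0.113.1 description ISP-B (backup, 5 Mbit)
 neighbor 203.0.113.1 route-map FROM-ISP-B in
 neighbor 203.0.113.1 route-map TO-ISP-B out
 ! If an ISP agrees to TCP MD5, add: neighbor <ip> password <shared key>
!
! --- Checks once a session is up ---
! show ip bgp summary                                   (both neighbors Established, 1 prefix each)
! show ip bgp neighbors 198.51.100.1 advertised-routes  (only 192.0.2.0/24 leaves)
! show ip route 0.0.0.0                                 (default via 198.51.100.1 while ISP-A is up)
```

The ISP-B neighbor stanza, VLAN 20 and its route-maps are independent of the ISP-A lines, so they can be added when the second circuit is live without touching the ISP-A session. The `network` statement only advertises the /24 while a matching route exists in the routing table, which here is the connected VLAN 30 subnet; if the ASA outside addressing is kept different from this assumption, add a static route for the /24 (toward the ASA, or to Null0 with a high administrative distance) so the prefix is still originated.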
Thanks for the response.
My apologies. It was a typo. ISP1 is connected to Gi7/1. ISP2 is connected to Gi7/2.
The way that we have our 4507 and ASA set up here, is as follows.
- Physical line for ISP1 connects into Gi7/1 of our core 4507R. (connected)
switchport access vlan 10
no cdp enable
- Physical line for ISP2 connects into Gi7/2 of our core 4507R (not plugged in as of yet)
switchport access vlan 10
We then have two ASA5520 Firewalls used as a redundant pair.
- Gi0/3 on our ASA is used for stateful failover, connected to Gi0/3 of the second ASA.
- Gi0/2 on our ASA is used for inside access, connected to our Core
- Gi0/1 on our ASA is used for our DMZ, connected to our Core as a trunk
- Gi0/0 on our ASA is used for our outside access (vlan 10), connected to our Core
What would my steps be to ensure that ISP2 is connected appropriately prior to us starting BGP on the Core 4507?
Also, would there be an issue if we set up BGP with only ISP1 and then set up ISP2 later? Or, do both have to be set up at the same time?