Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Bronze

Tiered internet design

Hi there. I'm trying to figure out how to setup a situation where we have two different internet providers, that provide two different SLA's for availability, uptime, etc. We want to provide access via the primary internet link to our premium customers, and have the standard customers access us via the second internet connection. The problem that I"m running into is that since both sets of customers are coming in from the internet, how do we setup return routing so that the traffic goes back over the link it came in on? It's my understanding that the PIX/ASA does not do Policy Based Routing, which I think is soomething that would help us out in this case. Does anyone have any ideas on how I could set this up? I'm using 4506 switches, PIX 535 firewalls, and CSS 11501 load-balancers.

Thanks

10 REPLIES
Silver

Re: Tiered internet design

Interesting set-up.

Traffic coming in will be based on many different things. But you want to specify traffic outbound based on some set of rules?

I am not clear on what you are wanting to accomplish.

Customer A - Premier customer has access to Permier Path

Customer B - Standard customer has access to Standard Path

How do these customers connect to you?

How do you know what Path they take to get to you?

I just need to understand your topology and requirement a little more.

Bronze

Re: Tiered internet design

Thanks for your response. You have it pretty correct -- We basically have 2 types of customers -- Premier and Standard. They will both be accessing us from the internet, although they will access different addresses that the providers are assigning to us. How do we know what path they will take to get to us? Well, that's definitely one of the issues. Our main provider connects directly to the outside interface of our firewall. We want to bring the other provider in on our DMZ space. We'd really like all traffic to go through the main (premium) internet connection by default, but if someone comes in via the standard internet they should be routed back the same way.

Thanks again for your help

Silver

Re: Tiered internet design

"How do we know what path they will take to get to us?"

One of the ways you can do this is with BGP.

You specify what route they will take by your announcement.

For example:

Rotuer A w/ 2 T-1's

Premier T-1 announces 208.76.20.0/24

Standard T-1 announces 208.76.21.0/24

In these announcements you tell the internet where to find their connection.

You can have failover set-up by having the other announcement advertised with a higher metric and in the event of a line failure or flap your announcement will be more preferred by the internet and injected in the table as the best path. Once the connection comes back up or the issue is resolved the lower weighted route will be injected in the table as the best route. You can do this with AS prepending or weights/metrics.

Bronze

Re: Tiered internet design

I'll apologize in advance because my BGP experience was just enough to pass the test -- I've never used it in production. I don't see how BGP would work for us because the last device on our network is the firewall. We connect directly to our provider's internet (not ATT or Verizon or anybody like that). Essentially, we are connecting into their LAN.

I've attached a diagram of how it looks right now: One thing I forgot to add is that the premium internet is coming in on the outside firewall interface, the standard is coming in on the DMZ interface that also connects out to other clients who have direct connectivity to us.

Thanks again for your help on this.

Silver

Re: Tiered internet design

Ok, from your picture your firewall sits right on the internet?

What is between your firewall and the internet?

Where is your provider in all of this?

Bronze

Re: Tiered internet design

We receive our premium internet from the facility we colocate with, so we aren't sitting directly on the internet, but we connect into their network before hitting the internet. The same with the other provider although we connect to them through a single DS3. Sorry the picture was not very good.

Silver

Re: Tiered internet design

Same thing applies. They are just providing Ethernet instead of a T-1.

I would recommend putting in a router, asking for 2 links and asking them to run BGP with you. That way you control traffic and ask them to just make sure they pass your advertisement upstream.

Silver

Re: Tiered internet design

I had a connection, much like what you have, at a data center.

We had a 10Mb Ethernet link to their Core, our ISP if you will.

Now this is one pipe. If we wanted to separate by type of connections you may need 2 pipes to specify your routes, for billing purposes or SLA purposes. You will need to have a router in between to control the routing between you and your provider, even at Ethernet level. You should always want to control it, unless it is a managed service. Otherwise you can ask your provider to run this for you.

Bronze

Re: Tiered internet design

That's where we are at -- a hosted datacenter. So yes, our "internet" connection is a certain amount of bandwidth provisioned to us from their network. We have a second internet provider who brought in an extension of their network (a single DS3) into the datacenter and we connect into their network much the same way as our datacenter internet. So for this to work with BGP we'd have to have a router on the outside of the firewall to direct traffic one way or the other, is that correct?

What about NAT'ing the incoming traffic from the standard internet provider? I don't think it's an elegant solution, but would that work?

Silver

Re: Tiered internet design

Yes, but you will have no way of shaping your traffic. The only way to do this is via routing. Either you do it or your "ISP"

Since you have two different Providers you would need your own ASN, and I would then recommend your own IP space so you will not have vendor routing issues. I have seen vendors block announcements that belong to another vendor that is not swiped to you.

145
Views
2
Helpful
10
Replies