We are setting up a secondary Internet connection in a separate building with a separate service provider, etc.
The main connection is through a PIX then into a 1600 series router and out to the frame relay Internet connection.
The secondary connection is via a separate PIX firewall (non failover) and out to an ADSL Internet modem which connects to another ISP.
Both of these firewalls connect to a core consisting of a stack of 3750 switches. The firewall private IP addresses are on a separate VLAN to the rest of the network (but the same VLAN as each other). These 3750 switches run EIGRP and are used as the default gateway by devices in the building.
We want the secondary Internet connection to pass traffic only when the primary Internet connection is offline (eg, line fault or ISP problems). It was recommended to us to put a floating static route on the 3750 stack with the IP default network set to 0.0.0.0
ip route 0.0.0.0 0.0.0.0 <PRIMARY ISP ROUTER>
ip route 0.0.0.0 0.0.0.0 <SECONDARY ISP ROUTER> 2
The addresses would be filled with the private IP of the primary and secondary PIX firewall.
Is this the best way to accomplish a non load balancing fault tolerant Internet connection via separate ISPs?
The problem is that the 3750 has no way of knowing when the primary Internet link fails. So the floating static route will never kick in.
That there's a PIX in between the 3750 and the 1600 makes this somewhat complicated. But one way or another you're going to have to get a routing protocol involved here, because the 1600 needs a way of telling either the PIX or the 3750 when the Internet link is down so that traffic can be sent via the ADSL link. One option is to run iBGP between the 1600 and 3750 (through the firewall). The 1600 would be configured to advertise a default route to the 3750, and remove it when the FR link goes down. The 3750 would have a floating static route pointing to the 2nd PIX, which would kick in when the 1600 withdraws the default route via BGP.
Another option is running a routing protocol on a PIX as well, though I don't know offhand which routing protocols the PIX supports. A possible implementation here is to have just the 1600 and PIX run the routing protocol so that the 1600 can tell the PIX when the FR link is down. The PIX could then route all outbound traffic to the 2nd PIX.
As you can see, things can get somewhat complex. The above suggestions may or may not be appropriate for you depending on the details of your network and requirements.
We tried the floating static routes and as mentioned, they do not work because the 3750 has no way to know the links are down.
An option that was later suggested to us was 'Policy Based Routing with Tracking' which I believe is a new feature in IOS 12.3(something). Implementing another router between the 3750 and the 2 PIX firewalls running this feature would see the new router pinging an Internet IP address (next hop router from the primary connection).
When that hop is up then the connection is considered up. When that is no longer responding, this router would change the route to send traffic via the other PIX on a backup connection.
Does anyone have any experience with this feature?
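The tracking approach described in the post above, written out as an added example (this is not configuration from anyone in the thread). It assumes the IOS image in use supports IP SLA object tracking; if the 3750 stack's image does not, the same configuration applies to the extra router the post proposes. The addresses are constructed: the firewall VLAN is 10.0.100.0/24, the primary PIX inside address is 10.0.100.1, the secondary PIX inside address is 10.0.100.2, and 203.0.113.1 stands in for the primary ISP's next-hop router that gets pinged.

```cisco
! Constructed example: tracked static default route with IP SLA reachability.
! Probe the primary ISP's next-hop router every 10 seconds from the firewall VLAN.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Vlan100
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe. The delays stop a single lost ping or a
! briefly recovering link from flapping the default route back and forth.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default route via the primary PIX, installed only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 10.0.100.1 track 1
! Floating backup default route via the secondary PIX (AD 10 > 1), which takes
! over when the tracked route is withdrawn and disappears again when it returns.
ip route 0.0.0.0 0.0.0.0 10.0.100.2 10
!
! Verification (output not shown): "show track 1" and "show ip route 0.0.0.0"
```

Two things to check before relying on this. First, the probe travels through the primary PIX, so that firewall must let the ICMP echo replies back in to the 3750; if it drops them, the track goes down and the stack fails over to the ADSL link even though the primary connection is healthy. Second, the target only proves reachability as far as the ISP's next hop: a fault beyond that router is invisible to the probe, so pick the tracked address to match the failures you actually want to detect.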
It's a good feature and you could use it to achieve failover, but it involves inserting a new router in front of the 3750 which 1) is itself another point of failure, and 2) costs money. So I'm in agreement with Russ that BGP is the best option here.