Multiple Internet connections to provide redundancy - NO BGP
I have a scenario where we have a network with two separate Internet connections on different sides of a corporate WAN. Currently the connections are being used in isolation to save the internal corporate WAN bandwidth. We are interested in leveraging the fact that we have two Internet connections for redundancy to route users over the corporate WAN to the surviving Internet connection in the event that either one of them fails. Facts:
1) We are using Raptor (read - non cisco) firewalls between the EIGRP routed corporate net and the Internet connections
2) We are using Cisco routers at the very edge (screening router) to connect to the Internet WAN links - both of them
3) The internal routed network is Cisco based and we are running EIGRP here
4) The Raptor firewalls are not running routing protocols although it may be possible to enable RIP on them...
I've thought through this and the only thing I can come up with is running RIP from the screening routers to the NT-based Raptors (which are NATing - not sure this is possible) and on in to the internal network. If I set up my default routes on the screening routers to point to the serial interface (or next hop IP address) and redistribute that route into RIP, the failure of either of the WAN Internet links or screening routers will flush the respective default route and send everyone running to the survivor... right? I know the metrics may need to be tickled to keep people on the correct Internet wire during normal ops, but this might just work.... Any other thoughts???
(I understand that I would have to redistribute RIP->EIGRP to do this)
Any thoughts... anyone do anything like this before? Is there a simple solution that I am missing? Should I consider a career change?
Re: Multiple Internet connections to provide redundancy - NO BGP
This would work, but why use RIP? As you know, RIP broadcasts every 30 seconds. That's going to use up traffic over the firewall and will impact your Internet traffic.
A better way is to use BGP, but just between your screen routers and the first router on the clean side of the firewall. On the firewall, allow TCP port 169 and set your static routes for NAT. On the routers, set the next hop for your BGP neighbors to be the interface of the firewall.
This way any traffic for TCP 169 from a predefined IP Address will be statically NAT'd to the other side. No other traffic will have to pass thru the FW (especially not RIP broadcasts).
For the BGP config, just advertise 0.0.0.0 after putting your static route on the screen router. If the link fails the router will not have a route to 0.0.0.0 and then will not advertise it via BGP.
On the clean side, redistribute BGP into EIGRP with a standard default metric and let EIGRP decide the best route.
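The design in the reply above, written out as an added IOS configuration for one of the two sites. This is an illustrative example and not the poster's own config: the addresses (RFC 5737/3330 documentation ranges), the private AS numbers 65001/65000, the EIGRP process number 100 and the interface names are all assumptions. It also assumes the Raptor statically NATs the inside router (10.1.1.1) to an outside address (192.0.2.3) and passes BGP, which runs over TCP port 179, between 192.0.2.1 and 192.0.2.3 in both directions; I have not written the Raptor side because its rule syntax is not on this page.

```cisco
! ===== Screening router SCREEN-A (Internet edge, AS 65001) =====
interface Serial0
 description Internet link to ISP A
 ip address 198.51.100.2 255.255.255.252
!
interface Ethernet0
 description toward Raptor outside interface
 ip address 192.0.2.1 255.255.255.0
!
! Static default tied to the serial interface: when Serial0 goes down the
! route leaves the routing table, and BGP stops advertising it.
ip route 0.0.0.0 0.0.0.0 Serial0 198.51.100.1
!
router bgp 65001
 ! "network 0.0.0.0" is only advertised while 0.0.0.0/0 is in the RIB.
 network 0.0.0.0
 ! Peer with the NAT address the firewall presents for the inside router.
 neighbor 192.0.2.3 remote-as 65000
 ! Assumption: the firewall forwards (and decrements TTL) rather than
 ! terminating the session, so allow one extra hop for the eBGP TTL.
 neighbor 192.0.2.3 ebgp-multihop 2
!
! ===== Inside router INSIDE-A (clean side, AS 65000, EIGRP 100) =====
interface Ethernet0
 description toward Raptor inside interface
 ip address 10.1.1.1 255.255.255.0
!
! Reach the screening router's subnet through the firewall's inside address.
ip route 192.0.2.0 255.255.255.0 10.1.1.2
!
router bgp 65000
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 ebgp-multihop 2
!
router eigrp 100
 network 10.0.0.0
 ! The only BGP route here is 0.0.0.0/0; redistribute it with a fixed
 ! seed metric (bw 10000 kbit, delay 100 x10us, rel 255, load 1, MTU 1500).
 redistribute bgp 65000
 default-metric 10000 100 255 1 1500
```

The other site gets the mirror-image configuration with its own addresses. With both sites redistributing the default at the same seed metric, each internal router prefers whichever default is closer in EIGRP terms, so users normally stay on their local Internet wire; a worse `default-metric` at one site forces the whole company through the other. To verify failover, `shutdown` Serial0 on SCREEN-A and confirm with `show ip bgp` on INSIDE-A that 0.0.0.0/0 is withdrawn and with `show ip route` on an internal router that the remaining default now points across the corporate WAN. Only the BGP session itself (TCP 179 between the two peer addresses) needs to be allowed through the firewall.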