Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

2 WAN ISPs: Backup

Hello,

I have one existing Internet connection to ISP1. Because of the ISP1 is not stable, so I decided to connect other ISP

as ISP2 for Backup. The problem now is that my Firewall Box1 is using Public ip address of ISP1, but when the ISP1 is getting

down,so the traffic wil be back to ISP2.

The questions are:

1- how to configure the static route to both ISPs in order to get backup as I above mention.

2- If the backup can be done, how about the public ip address of ISP1 in the WAN Interface of Firewall Box1, when the traffic go to ISP2?

Please find the attached file about the network digram.

Any feed back and solution is appreciated.

Regards,

sakdavin

3 REPLIES
Purple

Re: 2 WAN ISPs: Backup

Hello,

Here's what I would do:

Let's assume that your link to ISP1 is through Serial0 and the link to ISP2 is through Serial1.

First of all, in order to get a primary/backup setup working, create two static routes as follows:

ip route 0.0.0.0 0.0.0.0 Serial0

ip route 0.0.0.0 0.0.0.0 Serial1 250

The AD of 250 on the second static route means that it will not be used until the first static route goes down. Instead of the interface id, you can also point the static routes to the actual next-hop IP addresses of the WAN links.

Secondly, I would setup the following NAT translations. The idea of the following is to NAT your traffic but only when you are routing your traffic through ISP2. Therefore, when routing via ISP2, you will use ISP2's assigned addresses.

ip nat inside source list 1 pool ISP2Pool

ip nat pool ISP2Pool netmask

!

int

ip nat inside

!

int Serial1

ip nat outside

!

access-list 1 permit

Hope that helps...pls rate the post if it does.

Regards,

Paresh/

New Member

Re: 2 WAN ISPs: Backup

Hello Paresh,

Thank for your reply.

I forgot to tell you one thing. We have a Mail Server in the DMZ site of the Firewall Box2. And this mail Server is pointing to the public ip address of the ISP1. Does it affect to the Mail Server when the ISP1 is getting down?

One more thing , I am going to increase bandwidth of the ISP2 to 512kbps, so I want to configure bandwidth sharing 50%/50% of the two ISPs, could you help and advise how to configure that?

Thanks.

Regards,

VIN

Re: 2 WAN ISPs: Backup

Hello,

did I get it right, the default gateway of your mail server is the LAN IP of the 1700 router? Then it will not create a problem to connect outside. For other mail servers to connect to your mail server the situation gets more tricky.

The first question is: do you have your own public IP provider independant address space?

If this is the case then let both ISPs route the address space to your router and you should be fine.

If you have only provider assigned IP addresses this will get tricky. Only ISP1 will announce his addresses to the internet. So in case his line goes down your mail server will be not reachable.

To load share both lines upstream (to the internet) can be done, however also some things need to be kept in mind.

First from an IP routing perspective you can configure on your 1751

ip cef

ip route 0.0.0.0 0.0.0.0 Serial0

ip route 0.0.0.0 0.0.0.0 Serial1

Both default routes will be installed in the IP routing table and used approximately 50-50.

As NAT is probably involved towards ISP2 you have to make sure, that all IP packets to a certain internet host will only take the path through one ISP. In case both pathes are used by one session the packets will arrive in the internet with two different source IPs, which doesn´t work. CEF by default does per session load sharing.

One more remark: doing NAT only on the firewall might not help. A "decent" ISP will check source IP addresses in customer packets and make sure they match the ISP assigned IP addresses of the customer. This will prevent a lot of DoS attacks as the past has shown. So sending ISP1 source IPs to ISP2 might immediately lead to dropped packets.

Summary: provider independant IP addresses are more simple when connecting to two ISPs. You will be able to achieve most goals even without, but with a more complex implementation.

Hope this helps! Please rate all posts.

Martin

92
Views
0
Helpful
3
Replies
CreatePlease to create content