These locations are only 1.5 miles apart and are connected via a point-to-point T1 as well as an 802.11g wireless bridge for redundancy. The bridge and the point-to-point T1 are routed connections via my 2811 routers, one located in each building. Currently only the south plant has an internet connection, via a T1 that is protected by an ASA 55xx.
My boss wants me to install a second internet connection and to have it in the north building. He wants each internet connection used, and if one fails the other would take 100% of the load until the failed one comes back up.
I need the redundancy to be for both inbound and outbound connections. I have several VPN tunnels that I need to be able to fail over automatically. Some of these VPN tunnels are set up from internal connections, some from external clients, and some are site-to-site links.
I know this is a lot to ask for, so I'm actually wanting to present two options for him: one that would fulfill everything he wants, and another that would only use the second connection should the primary fail.
I would greatly appreciate any guidance anyone can provide on either of these objectives, since this is way over my head.
I have done this with two offices, one in Miami and the other in Texas. Since you have ASAs, I would use a routing protocol (EIGRP) to take care of this automatically.
What I did was configure the backup route feature in the ASA and redistribute it into the routing protocol in each office. Therefore, the two offices had two different ways out to the internet. When one of them failed, it was removed from the routing table and all the traffic was redirected to my alternate location.
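As an added example (not the poster's configuration), this is the shape of what the answer above describes on the south-plant ASA and its 2811: an SLA probe tracks the ISP through the outside interface, the tracked default route is withdrawn when the probe fails, and EIGRP carries each plant's default to the other. All hostnames, addresses and the EIGRP AS number are assumptions.

```cisco
! South-plant ASA (assumed: outside gateway 203.0.113.1, probe target
! 203.0.113.53, inside network 10.1.1.0/24, EIGRP AS 100).
! Example configuration, not the poster's.
!
! Probe something beyond the first hop: the ISP gateway often still
! answers pings while the circuit behind it is dead.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.53 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
! The default route stays installed only while track 1 is up. When it is
! pulled, the EIGRP-learned default from the north plant (arriving on the
! inside interface) is the only default left and takes over.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Advertise the tracked default into EIGRP so the 2811s learn it. With an
! explicit metric the redistribution does not depend on platform defaults.
router eigrp 100
 network 10.1.1.0 255.255.255.0
 passive-interface outside
 redistribute static metric 1500 100 255 1 1500
!
! South-plant 2811: same EIGRP AS on the LAN and on both inter-plant links
! (T1 and wireless bridge), so the router learns both plants' defaults and
! the alternate one is used when the local one disappears.
router eigrp 100
 network 10.1.0.0 0.0.255.255
 no auto-summary
```

The north plant mirrors this against its own ISP. Because the local ASA's default reaches the local 2811 over a fast LAN interface and the other plant's default arrives over the 1.5 Mbps T1 or the bridge, EIGRP's bandwidth-based metric makes each plant prefer its own exit while both are up and fall back to the other automatically, which covers the outbound side of both options. Two caveats: when the default flips, outbound traffic leaves with the other plant's public address, so established NAT sessions and any VPN tunnels terminated on the failed ASA drop and must re-establish; and the inter-plant T1 and bridge then carry the whole plant's internet traffic, so their capacity limits what failover actually delivers.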
I am sorry, I missed that part. I am going to assume that your outbound connections are made using VPN. If so, you would have to configure your ASAs with identical profiles for the outside users. Then you will configure your VPN client with both ASAs, one as the primary and the other as a backup.
The VPN client is smart enough to switch over to the backup connection if something happens to your primary connection. You might also be able to load balance your VPN traffic by changing the primary and secondary VPN IP addresses.
If you are using some sort of web access, you will have to update that information with your ISP so they can provide you with automatic traffic redirection if your device doesn't answer. In such a case you will probably have to create a NAT statement in each ASA to access the server using either connection.
I suggest going with the same provider and requesting diversified paths (each connection terminates at an alternate exchange and aggregation router).
Most ISPs will then allow you to load balance using BGP or another IGP.
Since your links will be working in an Active-Active state and you want any one link to be able to handle 100% of the load, it stands to reason that, optimally, each link should only carry 50% of the combined load, max. I would suggest you therefore ensure you have a CIR for 50% of the maximum burstable bandwidth on each link, to reduce costs.
Yes, my second ISP will be different from my first. My first ISP is a Tier 1, the second is a Tier 2 provider.
I was thinking about getting a couple of 2851s, running BGP, and buying ARIN addresses. This is probably the best way to do it. The only problem is I have absolutely no idea how to run BGP. Do I need the full tables, or can I get by running half or partial tables? How do I configure BGP? Is there any special config I need to put in my ASAs, or do I just mirror the configs since each will have the same IPs?
If you can direct me to any documentation on any of the above, I would appreciate it. Also, if you have experience setting anything like this up, please share.
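As an added example for the BGP questions above (not the poster's configuration and not a Cisco-provided template), this is the north-building 2851 multihomed with partial tables: one eBGP session to the Tier 2 ISP, one iBGP session across the inter-plant links to the south 2851, the ARIN block announced to the ISP, and the knobs that turn the same configuration into either option. Every AS number, address, interface and name is an assumption; the south router is the mirror image toward the Tier 1 ISP.

```cisco
! North-building 2851 (example, not the poster's). Assumptions: our ARIN
! AS 64496 and block 198.51.100.0/24, ISP-B (Tier 2) AS 64501 at 192.0.2.1,
! south 2851 loopback 10.255.0.2, north ASA outside on 198.51.100.128/25.
! The south 2851 mirrors this toward ISP-A (Tier 1) with local-preference
! 110 and without the prepend. Each router must reach the other plant's
! /25 over the existing inter-plant routing (EIGRP or statics).
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface GigabitEthernet0/1
 description North ASA outside
 ip address 198.51.100.129 255.255.255.128
!
! Anchor the aggregate so "network" always has a matching route to announce.
ip route 198.51.100.0 255.255.255.0 Null0
!
ip prefix-list OUR-BLOCK seq 5 permit 198.51.100.0/24
!
! Accept a default plus whatever partial table the ISP sends, nothing
! longer than /24, and never our own block back from the ISP.
ip prefix-list FROM-ISP seq 5 permit 0.0.0.0/0
ip prefix-list FROM-ISP seq 10 deny 198.51.100.0/24 le 32
ip prefix-list FROM-ISP seq 15 permit 0.0.0.0/0 le 24
!
router bgp 64496
 bgp log-neighbor-changes
 network 198.51.100.0 mask 255.255.255.0
 ! eBGP to ISP-B
 neighbor 192.0.2.1 remote-as 64501
 neighbor 192.0.2.1 description ISP-B (Tier 2)
 neighbor 192.0.2.1 prefix-list FROM-ISP in
 neighbor 192.0.2.1 prefix-list OUR-BLOCK out
 neighbor 192.0.2.1 route-map FROM-ISP-B in
 neighbor 192.0.2.1 route-map TO-ISP-B out
 ! iBGP to the south 2851 across the T1/bridge; next-hop-self so the
 ! south router can use ISP-B routes without knowing the 192.0.2.0/30 link.
 neighbor 10.255.0.2 remote-as 64496
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 next-hop-self
!
! Outbound: local-preference decides which exit wins for routes heard from
! both ISPs. Option 2 (backup only): 90 here, 110 on the south router, so
! everything exits via the Tier 1 until ISP-A withdraws its routes.
! Option 1 (active/active): give both routers the same value; each then
! prefers its own eBGP-learned routes over the iBGP copy, so each plant
! uses its local link with the other as automatic fallback.
route-map FROM-ISP-B permit 10
 set local-preference 90
!
! Inbound: prepending our AS on the Tier 2 announcement makes the rest of
! the Internet prefer the Tier 1 path (option 2). Remove the prepend for
! option 1; the Internet then splits inbound traffic between the two ISPs
! as their customers' paths dictate, and both paths stay valid if one dies.
route-map TO-ISP-B permit 10
 match ip address prefix-list OUR-BLOCK
 set as-path prepend 64496 64496
```

On the specific questions: you do not need full tables. Two upstreams plus a default route only ever need "customer routes plus default" (ask each ISP for that explicitly), and the prefix-list above filters whatever else arrives; a full table only buys finer per-destination exit selection, which two 1.5 Mbps-class links cannot exploit. With the option 2 settings, the north plant's internet traffic crosses the inter-plant T1 or bridge to reach the Tier 1 exit, so those links' capacity bounds what the backup delivers. On the ASAs: the ASA does not run BGP itself, so BGP stays on the 2851s and each ASA keeps a static default toward its local router. ASA active/standby failover requires both units to share the same layer-2 segments on every interface, including the failover link, which a routed T1 and wireless bridge between buildings do not give you; plan on two independent ASAs, each with its own public addresses out of its /25, rather than mirrored configurations with the same IPs.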