Greetings all. I had a question on a design and would appreciate some thoughts. The customer has a Cisco 2621 with one ISP link via frame relay. Behind this is an existing firewall (not Cisco) that has an address on the ISP1 segment. The customer is getting a second ISP connection to the 2621 with an Ethernet handoff. So the config will look like:
ISP2 (Eth)-> 2621 <-(F/R) ISP1
F/W (ISP1 addr)
I'd like to set up the 2621 for failover - probably using object tagging - so that ISP2 takes over when ISP1 goes down. However, I'm thinking I'd need to NAT everything going to ISP2 so that the return traffic actually makes it back; otherwise traffic sent using the existing ISP1 address of the firewall will not return, correct?
Does this sound plausible?
The other option would be to connect ISP2 straight to the firewall but I'm not sure they can spare their DMZ interface for this purpose.
Thanks for the reply. I'm hoping this will work so we don't have to do major reconfigurations on the firewall or change addresses.
Just out of curiosity, have you seen any documents/examples that speak to the SMB case of a single router or firewall with two ISPs? I've seen docs covering the ASA/PIX but they are failover only - no load balancing. I also found a Small Branch note on two IPSec tunnels via two broadband connections and they note that a split tunnel will require PNat but that config involves four Cisco devices, EIGRP, etc, etc.
I can't believe that this is not a very common scenario these days - small customer with two inexpensive ISP links who wants to get the most out of both?
Hello again. I'm still working on this config and at the moment am wondering how to get all my inside IP addresses translated to the secondary ISP's address? I had assumed an "ip nat inside" command on the Ethernet port connecting to the second ISP would do the trick but it doesn't seem to be working.
On the router, the interface connecting to my 2nd ISP has the ip nat inside command.
I then added the ip nat inside source static interface fastethernet 0/1 command and can see that I get a translation for my laptop's inside address to the outside IP of my 2nd ISP. Is that all I need for this to work? I see nothing on the Outside local <-> Outside Global side as I thought I didn't need outside NAT in this case?