Cisco ASA 5515-X Dual ISP Load Balancing

m.back@aap3.com
Level 1

We are looking at implementing two ASA 5515-X firewalls (with IPS) at our UK office. We are ordering two new ISP circuits, 20/100 Mbps, with two different ISPs.

The business has requested that we load balance across both ISP links. The ISPs will manage the PE routers.

Can anyone help advise how load balancing can be achieved or if it is possible in this scenario?

Do we need to implement a switch stack at the internet edge between the PE routers and the ASA's?

Thank you.


Matt :-)

2 Accepted Solutions (Jon Marshall's two replies, reproduced in the thread below)

13 Replies

bsiapco
Level 1

Hi, Matt.

Load balancing can be achieved through your IOS-based router. What router are you using or planning to deploy for the ASA 5515-X firewall?

Thanks!

Hi bsiapco!  I've emailed you privately, if you can get back to me, thanks! :-)

If anyone else has any ideas, please let me know! :-)
Hi, Matt.

I have not received your PM. Can you please resend it?

Thanks!

Jon Marshall
Hall of Fame

Hi Matt

Some things to consider.

Just to clarify, you mention ISP and then PE, which is usually associated with MPLS, but I'm assuming internet connectivity.

The first and most important thing to be aware of is that ASAs do not support PBR which allows you to direct traffic to different next hops (ISPs) based on source IP address among other things which can be useful in your setup.

If you want PBR then you would need either a L3 switch or a router to do this.

You are going to need some sort of switch between your firewalls and ISP routers anyway for connectivity assuming the firewalls are going to be run as a pair.

Ideally if you have a pair of firewalls you do not want to introduce a single point of failure by introducing a single router or single switch between you and the ISPs but obviously there is a cost associated with that.

L3 switches can do PBR in hardware but there are limitations with some of the options, so it depends on how complicated it is going to get. They also support a lot more throughput than an equivalent router.

It also depends on what else you want to run eg. QOS on routers is usually more fully featured than on L3 switches and routers support a greater feature set overall than L3 switches.

The more common setup is to use routers but that doesn't mean you have to.

Using contexts on your ASAs is also another option which would allow you to have a context per ISP but this depends largely on how you want your internal traffic outbound and any inbound traffic to hosted servers to work so it may very well not be applicable.

IP addressing is the last but very important thing to consider in terms of how you are going to set things up. Are you getting a different IP block from each ISP or do you have provider independent addressing? If you do get a block from each ISP, will each ISP advertise the other's block? This is important for hosted servers, for example -

you use an IP for a hosted server from one of the ISPs and this is placed into the public DNS. The ISP link fails and your other ISP is not advertising that public block so connectivity to your server is lost until you either -

1) update DNS but that is an issue because clients cache entries

or

2) the ISP link is brought back up

I don't want to overload you with information and the above are just general considerations but it is a big subject and you need to be clear on what you are trying to achieve otherwise you may well end up with a solution that is not fit for purpose.

Hope some of that has helped.

Edit - one other thing about IP addressing I forgot to mention. If you are introducing a L3 hop between your ASAs and the ISP routers then you need another IP subnet specifically for the links between the routers/switches you introduced and the ISP routers. If you don't then what it means is you end up having to do the NAT on the routers/switches rather than the firewalls, where ideally you want it. If you did then be aware that the only switch which supports NAT as far as I know is the 6500 and you don't need one of those. All routers support NAT as far as I am aware.

I also removed the part about using two default routes because they are different ISPs, so I am assuming that their routers will not be in a common subnet, which would mean you really do need a L3 device(s) between your ASAs and the ISP routers (contexts aside).

Again all the above is just general information. Without knowing the full details of addressing, firewall setup etc. it's difficult to be more specific.

One last thing. If you have more queries by all means post here but there is also a dedicated Firewalling forum that you can post into where the people who work with these devices answer questions as they may not see any questions in this forum.

Jon

m.back@aap3.com
Level 1

Hi Jon,


Apologies, I actually meant the CPE devices (not PE), but as the routers will be owned/managed by the two ISPs and we won't actually have any control over them, I referred to them as PE. They are providing internet connectivity only on the circuits (so no MPLS).

At the moment the final device pair we own and manage is a single ASA5510, but for redundancy we are looking to migrate to x2 ASA5515-X firewalls, with the requirement of load balancing across the two links (just so one link isn't idle all of the time).

So as we don't manage the routers and I'm not sure it makes sense to have another pair of routers on the same site, am I right in understanding you that we would need a stacked pair of L3 switches to serve as the 'Internet Edge' to provide A) redundancy and B) PBR for the load balancing?
If so, with a view to keeping costs down, would x2 2960XRs (with stacking modules) do this job ok?

Because we are just sending traffic over the internet (or S-2-S VPN, which is obviously over the internet as well), there is no QoS being carried over the WAN.

Re: The Multiple Context option
If we went this way and had a context per ISP, does that mean we would have to agree which VLANs (i.e. end users vs servers) were routed out of which context? How much more complex is this to provision?

The IP addressing is obviously a good point, we haven't got to that level of detail yet, but i'm assuming we will have two public address blocks (one per/ISP). At the moment I'm just trying to understand at a high level if and how load balancing would be achieved with the ASA5515-X's we are looking to implement.

Thanks so much for your thoughts so far, any further clarification would be greatly appreciated!

Cheers,


Matt :-)

Matt

The only other thing I would add is that these are just my opinion based on what I have done or know.

As I mentioned before this isn't really the right forum for this so you may want to ask this question in the Firewalling forum as you may get other options I hadn't considered or may not be aware of.

You can always link back to this post if you wanted to give some context.

Jon

Matt

If you are going to use L3 switches then you definitely need to sort out the IP addressing as I mentioned in my last post, because the switches you mention (and virtually all switches) do not support NAT.

More on the addressing later.

The L3 switches would go between your ASAs and the ISP routers because your ASA outside interfaces need to be in a common subnet for failover, so you need a common vlan between the ASAs and the L3 switches.

Then on the other side of the switches you would have routed connections to each ISP router.

I haven't used 2960XRs so I don't know what they support. They may not do routed ports but you can always use SVIs for each link to the ISP routers.

And I don't know whether they support PBR or not, and you really do want this option, as I can't count the number of times people have asked about PBR for the ASAs and been told they can't do it.

The other thing I didn't mention was failover and the routing. If you are not running a routing protocol with your ISP routers then you need to either run a routing protocol between your ASAs and the L3 switches and inject a default route into that protocol on the L3 switches for the ASA or more likely have a static route on the ASA pointing to the L3 switch SVI because the ASA only has one next hop.

This would mean tracking on the switches because if an ISP link goes down they need to know to move all traffic to the other ISP. So the switches would need to support IP SLA as well which again I don't know whether the 2960XRs do.

Yes the multiple context option would mean exactly that but in addition I'm not sure how failover would work or even if it could because in effect each context would be directly connected to only one ISP ie. you would only use L2 switches between your ASAs and the ISPs and have two vlans one for each ISP.

I have never done that setup so I can't say for sure how well it would work.

Coming back to the IP addressing. Your ASA will have an IP on its outside interface from one ISP and probably spare IPs from that block as well. You will also want to use the other ISP's block on your firewall as well. Which means you need two blocks from each ISP because you have to also address the links from the ISP routers to your L3 switches.

Unless you can subnet down each block.

It also means all your L2L VPNs would be coming in via that ISP because the VPN termination point is the outside interface of your ASA.

It is well worth deciding how you are going to do it before you decide on the addressing as this can be crucial in terms of what you can and can't do.

Jon

Matt

I just reread what I wrote and realised I hadn't made clear how important the NAT and PBR are.

For outbound traffic, if you just want to do simple load balancing, i.e. you don't care which ISP is used, then you need the NAT on the L3 devices between the ASAs and the ISP routers. This is because the L3 devices will have equal cost default routes, so the traffic could be sent to either ISP, which means you need to do the translations on those devices so the traffic is routed back on the same link, which means you need routers.

Unless you don't care about asymmetric traffic ie. the traffic could go out via one ISP and back in via the other in which case you could just do all the NAT on the ASAs.

But if you have different bandwidths you may well want to control which traffic is used on which link.

If you want to direct traffic then you can use PBR on the L3 devices and do the NAT on the ASAs and then you use PBR based on the source IP you have used in your NAT ie. the ISP public IP.

As I said before it comes down to how you want to utilise the links and the public IP addressing in use.

Jon
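As an added example that is not part of the original thread, here is how the two pieces Jon describes fit together in configuration: PBR plus IP SLA tracking on the L3 switch that sits between the ASA pair and the two ISP routers, and NAT on the ASA that assigns each internal subnet a public address from either the ISP-A or the ISP-B block, so the switch can steer traffic by its translated source address and the return path stays symmetric. Every address, VLAN number, object name and subnet is an assumption (RFC 5737 documentation ranges stand in for the two ISP blocks and the link subnets), and the switch part assumes a platform that supports PBR, IP SLA and object tracking, which the thread leaves open for the 2960-XR.

```cisco
! === L3 switch between the ASA pair and the two ISP routers (IOS syntax) ===
! Assumed addressing (example ranges, not from the thread):
!   ISP A block 198.51.100.0/29 - shared outside VLAN with the ASAs + ISP-A PAT address
!   ISP B block 203.0.113.0/29  - used only as NAT addresses on the ASA
!   Link to ISP A router 192.0.2.0/30 (ISP side .1, switch .2)
!   Link to ISP B router 192.0.2.4/30 (ISP side .5, switch .6)
!
interface Vlan900
 description Outside VLAN shared with the ASA active/standby pair
 ip address 198.51.100.1 255.255.255.248
 ip policy route-map PBR-OUT
!
interface Vlan901
 description Link to ISP A router
 ip address 192.0.2.2 255.255.255.252
!
interface Vlan902
 description Link to ISP B router
 ip address 192.0.2.6 255.255.255.252
!
! Probe each ISP next hop; the tracked routes below are withdrawn when a probe fails.
! Pinging the ISP router's own interface only detects link/router failure, not an
! upstream outage; a target beyond the router would need a host route pinned to that ISP.
ip sla 1
 icmp-echo 192.0.2.1 source-interface Vlan901
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.5 source-interface Vlan902
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Default routing: ISP A preferred, ISP B floating (AD 10); each disappears with its track.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 192.0.2.5 10 track 2
! The ISP B block exists only as NAT addresses on the ASA, not on the outside VLAN,
! so inbound ISP B traffic is routed to the ASA's outside IP (which the standby
! unit inherits on failover) instead of being resolved by ARP.
ip route 203.0.113.0 255.255.255.248 198.51.100.2
!
! PBR keyed on the translated source: anything the ASA mapped to the ISP B block
! leaves via ISP B, so replies come back on the same link. If track 2 is down the
! route-map entry is skipped and the packet falls through to the default route.
ip access-list extended ISP-B-SOURCES
 permit ip 203.0.113.0 0.0.0.7 any
route-map PBR-OUT permit 10
 match ip address ISP-B-SOURCES
 set ip next-hop verify-availability 192.0.2.5 1 track 2
! Traffic that matches no route-map entry is routed normally (ISP A by default).

! === ASA pair (ASA 9.x syntax), outside interface in VLAN 900 ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
!
! One next hop only, the switch SVI: choosing between ISPs is the switch's job.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! PAT pools: users leave on an ISP A address, servers on an ISP B address.
! Which internal subnet maps to which ISP is the lever that spreads load across links.
object network ISP-A-PAT
 host 198.51.100.4
object network ISP-B-PAT
 host 203.0.113.4
object network INSIDE-USERS
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic pat-pool ISP-A-PAT
object network INSIDE-SERVERS
 subnet 10.2.0.0 255.255.0.0
 nat (inside,outside) dynamic pat-pool ISP-B-PAT
!
! A hosted server published on an ISP B address: it is unreachable while ISP B is
! down unless ISP A also advertises 203.0.113.0/29 (Jon's DNS/advertisement caveat).
object network WEB-SRV
 host 10.2.0.10
 nat (inside,outside) static 203.0.113.5
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 443
access-group OUTSIDE-IN in interface outside
```

On the provider side, ISP A has to route 198.51.100.0/29 to 192.0.2.2 and ISP B has to route 203.0.113.0/29 to 192.0.2.6; neither link subnet is carved from the block the ASA uses on its outside interface, which is the addressing point Jon raises. To check the behaviour, `show track`, `show ip sla statistics` and `show route-map PBR-OUT` on the switch show whether each ISP is considered up and how many packets the policy has steered, and `show xlate` on the ASA shows which public address a given internal host is currently using, and therefore which ISP its traffic will take.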

m.back@aap3.com
Level 1

Hi Jon,

Thanks so much for your information and perspective on this, let me digest what you've said and I'll let you know if i have any further questions / comments.

Have a great weekend!

Cheers,
Matt

Matt

I don't know whether you will see this but I just saw this thread in the Firewalling forums -

https://supportforums.cisco.com/discussion/12445851/asa-software-version-941-pbr

I don't know how accurate that information is in terms of release date and of course it may not have all the PBR commands or it may be buggy but if it is available it could affect your design decisions.

Just thought it would be worth knowing.

Jon

Hi Jon,
Apologies for the delayed reply (I've been on leave). I'm waiting for a call with the primary ISP (this week); apparently they may be able to provide two diverse links and manage the load balancing for us. If so, I think we probably need to have the two ASAs in Active/Standby with a pair of stacked 2960-X switches for the internet edge, in which case it may now be more straightforward than I anticipated.

I'll update the thread with the outcome so others know what route we took, will let you know if I need any more advice on this, thanks again for all your support so far!

Matt :-)

Hi Jon,


Just to update you, we have had a discussion with the primary ISP and also discussed internally, and based on cost/complexity vs benefits/risk we've decided to scale back the requirements.

We are still going to have two internet circuits, but they will be with the same ISP.

The ISP will divide our existing /28 public allocation into x2 /29 blocks.

The first /29 block would have a primary circuit of PE R1 and secondary circuit of PE R2, and vice versa for the second /29 block.

Load balancing would occur only for traffic attached to a public IP address (i.e. VPN / NAT etc)

No load balancing would occur for general outbound traffic (i.e. user internet traffic).

The ISP would be responsible for implementing this load balancing option, but we would need to strategically select how the public addressing is allocated to benefit from load balancing this way.

The agreed architecture outline is to have two ASA firewalls in Active/Standby connected to a stacked Internet Edge switch block patched via diverse cross patched port-channels. The PE routers will be connected via trunk links to the Internet Edge Switch block on alternate switches with HSRP configured for failover.

Thanks for all your advice on this and I'm sure it will come in handy for other scenarios in the future.

Cheers,

Matt :-)

Hi experts,
I have the following scenario with some Cisco ASA 5525-Xs.

It turns out that our client has 2 internet outlets with 2 different internet providers.

We have an ASA 5525-X and a Barracuda which is in charge of balancing the internet traffic, but lately they have had problems with their Barracuda and want to take it out, and they have asked us whether the ASA has the functionality to do load balancing towards the internet.

We want to put in 2 ASA 5545s or a Firepower depending on the features it has, but I cannot find a document that details whether the ASA does load balancing to the internet.

Currently the Barracuda they have does balance the internet.
If I remove this Barracuda, can the ASAs provide that functionality?

I look forward to your valuable support.

regards
Carlos P.