Dual homing link for HA

imran_obaid
Level 1

Hi,

I have the following requirement. I have dual homing ISP links. I have a single router with 2 ethernet interfaces and 2 serial interfaces. The ISP links are connected to each serial link.

My requirement is HA of the link, i.e. if one link fails the other link should take over both the inbound and outbound traffic.

I have a PIX behind the router and also, in the DMZ, the web server and mail server. I need 100% availability over the inbound access to the web server and mail server and also the outgoing traffic such as e-mail, internet browsing etc. I have both one-to-one and many-to-one NATing configured at the PIX.

Can anyone guide me to some sample config? Can I implement this without getting an AS number? Do I need to implement BGP? Request you to provide some sample config.

regards

imran

5 Replies

vcjones
Level 5

Inbound HA for web services requires that a single IP address can be reached using all routes. BGP and an ASN are only needed if you are multihomed to more than one ISP. With a single ISP, you can run BGP with a private ASN assigned by your ISP. Also, with a single ISP all sorts of workarounds to using BGP are possible, but they all depend on the ISP working with you so whether or not you can use them is up to your ISP.

E-mail does not need all ISP links to support the same address to provide HA.

Outbound HA is like inbound web services IF you are talking about a single transaction or TCP connection. However, browsing the web and similar applications are often supported with multiple outbound NATs. This assumes that it is acceptable for the user to get frustrated and hit the refresh button on the browser when a failover occurs.

There is a brief white paper that outlines some of your connectivity options on my web site. There are also a number of example configurations and explanations of how they work in Chapter 8 of my book. The configurations (without the accompanying text) are also on my web site. Once you have a better idea of what you are trying to accomplish, you'll also find a range of materials here on CCO.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

Thanks for the input.

I have links from 2 different ISPs. In this case I have to implement BGP and need to take the AS number.

Since I have a single router, what would be my router's ethernet IP address? Will I be performing the NATing at the router level instead of at the PIX?

The primary requirement is inbound connections to the web server and e-mail server and then the outbound connection.

Basically I should perform NAT with ISP1 public address and ask the ISP2 to route the packets with this source address in case of ISP1 link failure. Is this correct?

Can you provide me some sample configurations?

regards

imran

If you are looking to not use BGP, try Radware (www.radware.com). Their devices are pretty nice and achieve what you are trying to accomplish. Look at the Linkproof: http://www.radware.com/content/products/lp/default.asp

Will this config give high availability of the internet link for both inbound and outbound traffic?

int e0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
int s0
 ip address ISP1_IP
 ip nat outside
!
int s1
 ip address ISP2_IP
 ip nat outside
!
! Inside hosts eligible for translation (wildcard mask added)
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
route-map ISP1 permit 10
 match ip address 101
 set ip next-hop ISP1-df-gw
!
route-map ISP2 permit 10
 match ip address 101
 set ip next-hop ISP2-df-gw
!
! One-to-one NAT for the server, one entry per ISP address
ip nat inside source static 192.168.1.10 ISP1_public_ip route-map ISP1
ip nat inside source static 192.168.1.10 ISP2_public_ip route-map ISP2
!
! Many-to-one (overload) NAT; the two pools need distinct names
ip nat pool LAN1 ISP1_public_ip ISP1_public_ip prefix-length 28
ip nat pool LAN2 ISP2_public_ip ISP2_public_ip prefix-length 28
ip nat inside source route-map ISP1 pool LAN1 overload
ip nat inside source route-map ISP2 pool LAN2 overload
!
router eigrp EIGRP_AS
 network 192.168.1.0
 redistribute static
!
! Floating static default: ISP2 is used only when the ISP1 route is gone
ip route 0.0.0.0 0.0.0.0 ISP1
ip route 0.0.0.0 0.0.0.0 ISP2 254

regards

imran

No, it will not. There are two problems which your configuration does not address:

1 - For external access to services you provide, each IP address is only useful if the link to the ISP who assigned that address is up. You need to get an ASN and run BGP for any resemblance of HA (hint: playing games with DNS entries only works to the extent that others honor your DNS expiration times, which excludes most of the users of some major ISPs).

2 - Internal users accessing external services will see all TCP connections hang when the primary link goes up or comes down. Reconnect attempts will only work when failing over from primary to backup. As currently configured, you'll need to manually clear the NAT translation table when switching from backup link to primary.

Set it up in a lab environment and start doing some testing so you can see what NAT can do to you when you're not looking. You would be amazed at the ways you can get burnt by NAT in a dual-homed ISP setup like the one you are seeking.

Good luck and have fun!

Vincent C Jones
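A small model of the two failure modes raised in the reply above, added here as an illustration and not part of the thread or of any Cisco software: the addresses are constructed, and the rules (translations pinned to the egress link at creation, replies only over the owning ISP's link, upstream drops foreign source addresses) are simplifying assumptions rather than IOS NAT behaviour.

```python
"""Simplified model of route-map NAT on a dual-homed router; not IOS itself.
Constructed assumptions: a translation is created by a flow's first packet and
pinned to the egress link chosen then; replies to a public address arrive only
over its owning ISP's link; an ISP drops packets sourced from another ISP's space.
"""
from dataclasses import dataclass, field

LINKS = {"ISP1": "203.0.113.10", "ISP2": "198.51.100.10"}          # constructed PAT addresses
STATIC_INBOUND = {"203.0.113.20": "ISP1", "198.51.100.20": "ISP2"}  # constructed server addresses


@dataclass
class DualHomedNat:
    up: dict = field(default_factory=lambda: {"ISP1": True, "ISP2": True})
    table: dict = field(default_factory=dict)  # (inside_ip, port) -> (global_ip, pinned link)

    def egress(self):
        """Floating static default: ISP1 preferred, ISP2 (AD 254) only when ISP1 is down."""
        return "ISP1" if self.up["ISP1"] else "ISP2"

    def inbound_reachable(self, public_ip):
        """Point 1: a published address is only useful while its ISP's link is up."""
        return self.up[STATIC_INBOUND[public_ip]]

    def send(self, inside_ip, port):
        """Point 2: one outbound packet of a flow; True if a round trip can complete."""
        key = (inside_ip, port)
        if key not in self.table:  # first packet: allocate and pin to the current egress
            self.table[key] = (LINKS[self.egress()], self.egress())
        _global_ip, pinned = self.table[key]
        if self.egress() != pinned:  # routing moved but the translation did not: foreign source
            return False
        return self.up[pinned]  # the reply must come back over the owner's link

    def clear_translations(self):
        """Operator action: the equivalent of 'clear ip nat translation *'."""
        self.table.clear()


def failover_scenario():
    r = DualHomedNat()
    steady = r.send("192.168.1.50", 40001)     # established while ISP1 is up
    r.up["ISP1"] = False                       # primary link fails
    hung = r.send("192.168.1.50", 40001)       # existing flow stalls (user hits refresh)
    fresh = r.send("192.168.1.50", 40002)      # new flow is pinned to ISP2 and works
    r.up["ISP1"] = True                        # primary returns; default route flips back
    stale = r.send("192.168.1.50", 40002)      # ISP2-pinned flow now stalls
    r.clear_translations()                     # manual clear needed to recover
    recovered = r.send("192.168.1.50", 40002)
    return steady, hung, fresh, stale, recovered
```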