Dear Paul,

Thank you so much for your prompt reply.

Please let me know what info are considered useful to help elaborate more the proposed answer.

Best Regards,

Dear Leo,

Thank you for your help.

Kindly note that both Main and Backup link are 55 Mbps.

Regards,

Hello

Well quite a few questions that can influence HA.

How are the wan rtrs connected at present ( network/routing protocols currently being used/envisage)
What other hardware is currently being used or envisaged ( Firewall, switches, Load Balancers, WAN optimiser etc..)
Are/will you be performing any Network/Port Translation, Port mapping Web caching ,Dns resolution, Dynamic address allocation or First hop routing protocols such as hrsp/vrrp/glbp )

We really need some clarification about the topology and the requirements to be able to provide good suggestions. The original poster tells us that they need "High-availability on my external routers".

For some of us external routers running some routing protocol to the upstream device would provide failover in the case one router failed and could be considered HA. And certainly the two platforms mentioned do support this. 

For some of us HA might mean using something like HSRP to provide first hop failover support. If the external routers are connected by a switch to their layer 3 upstream devices and if both layer 3 upstream devices would use the HSRP virtual address the HSRP is a solution that is supported on both platforms mentioned.

For some of us HA might be something like a pair of ASA configured and operating as a failover pair. This has some dependencies on how things are set up upstream and is certainly not a supported solution on the hardware platforms mentioned.

If the original poster can clarify some things about how the mentioned routers are connected upstream, and if they can clarify which type of redundancy they would want to achieve then we can provide better advice.

HTH

Rick

Dear Richard,

Firstly I would like to thank you for your time.

In the current topology, devices are connected as follows:

ISP-->WAN Router --> Switch-->Firewall--> Core-switch, in which WAN links are directly connected to the WAN router.

The main purpose is to eradicate the single-point-of-failure scenario and avoid any critical outage. 

The first proposed solution was to install a switch before the routers but nothing is applied yet.

Best Regards,

DIB.

DIB

Thank you for the additional information. Here is what I understand about your environment. Your WAN router has 2 Internet facing interfaces which connect to 2 ISPs and runs BGP with both providers. Your WAN router has 1 inside facing interface which connects to a switch. If any of that is not correct then please clarify. 

Based on that information there is a relatively simple solution which uses the platforms that you identified. Here is a brief description of what you would need to do:

- set up and perform basic configuration of the second router.

- move one of the Internet connections to the second router and configure the router for it. The result is that each router has a single outside connection.

- Run BGP on each router to the ISP (this would be EBGP sessions).

- Run BGP between your 2 routers (this would be IBGP session).

- you would probably keep the same relationship with each ISP (whether they advertise whole table routes, limited routes, only default route, whether you set any parameters such as local preference, etc, and how you advertise your address space to them).

- the nat rules that you have for the connection that moved would be transferred to the new router. Any other policies that you might have for the second provider would be transferred to the new router.

- the new router inside interface would connect to the inside switch, probably in the same subnet as the original router (depending on how your firewall is set up and what policies it enforces).

- the firewall might need some changes in its routing policies to reflect the fact that there are now 2 paths to the "outside router". There might also be some changes in its security policies (we do not know enough about your environment to be sure of this, so I mention it as a possibility).

- you can think about whether it is a good idea to run HSRP on the inside interfaces of the routers. It will depend on your policies. If you operate the 2 ISP as primary and backup then HSRP probably is good. If you load share to both ISP then HSRP probably is not good.

HTH

Rick

Dear Paul,

In the current Topology, I have one router (3925) on which WAN links are directly connected.

The WAN router is connected to a switch that serves the internal Network (Switch--> Firewall---> Switch)

The WAN router is just handling some static NAT rules and simple BGP configuration. 

The main purpose is to reach redundancy on the WAN level and to avoid the single-point-of-failure scenario.

Thank you so much for your help.

Best Regards,

DIB.