cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3172
Views
15
Helpful
16
Replies

Create redundant WAN router

Amafsha1
Level 2
Level 2

Hello, in the topology that I have attached, we currently have a WAN router model # ISR4451-X/K9 that is our way out to the MPLS cloud that we pay for.  We have BGP configured on the WAN Router to neighbor with our Service Provider.  The WAN router has routed links to our 2 nexus cores.  We are trying to figure out a way to not have a single point of failure; if the wan-router dies, we lose our connectivity to our other branches via the MPLS that we have.  What are some suggestions to make this more redundant?

1 Accepted Solution

Accepted Solutions

If you cannot obtain another WAN link, your second router would become a cold/warm spare. Not much of an advantage for some HA if you have to move the WAN link, assuming that's not what failed.

Regarding VSS for ISR, no, but as already suggested by others you can use HSRP (or GLBP or VRRP). However, if your router is "talking" with other routes, often you would allow a routing protocol to switch to a second router. Virtual gateway protocols are generally used for hosts not between routers.

BTW, if the issue with obtaining a second WAN link is due to cost, which it often is with private WANs, again, look into using VPN across the Internet. Private WAN vendors like to tout you have predicable bandwidth, and you do, but I've often found little issue using VPN across the Internet.

View solution in original post

16 Replies 16

mvsheik123
Level 7
Level 7

Hi,

 

Depends on your budget. If you are tight on budget, then get SmartNet on existing router (in case of no contract) and buy a used, lower end model and preconfigure the same emergency situation.

Thx

MS  

chrihussey
VIP Alumni
VIP Alumni

One suggestion would be to get another router and connection to the provider.

1- If this is a single location, the router should be on a separate power / breaker than the other.

2- The second provider link should be as diverse as possible. It should have a separate point of entry into the data center, not share the same physical route, terminate at a different provider POP, etc.

Some things may not be possible, but I'm sure you get the point.

A bit of networking would be involved to have the routers communicate and to enable preferences for traffic flow to and from the provider as well as dynamic failover, but accomplishing this shouldn't be an overly complicated task and a fairly common requirement.

As MS has stated, a lot depends on the available budget.

Hope this helps.

 

Julio E. Moisa
VIP Alumni
VIP Alumni

Hi

You could create HSRP or GLBP (depending the requeriments) on the Nexus and HSRP on the router having 2 Virtual IP address, one for the Nexus and one for the Router so the route manipulation will be easy as if you have 1 device on both sides, for example

 

 

Nexus 1 (192.168.0.2)                                                                            PRI- ROUTER (192.168.0.5)

 

             HSRP 1 (192.168.0.1)    ----------------  HSRP 2 (192.168.0.4)

 

Nexus 2 (192.168.0.3)                                                                         SEC- ROUTER (192.168.0.6)

 

The traffic from the external to the Internal network will have the next hop 192.168.0.1 and the traffic from internal to external will have the next hop 192.168.0.4. 

 

Now the routers facing to the ISP and the ISPs could be connected to switches or stack of switch using a VLANs. 

 

Hope it is useful

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Thank you.  Is their some sort of VSS option available for the ISR4451-X/K9 model.  Like some sort of HA pair possibility?  I mean like stacking the ISR4451 with another ISR4451?

There is HSRP running on the 2 cores currently.  If 1 of the cores fails, the vlans will failover to the other core and go up to the wan router just like you stated(so there's our inside-->outside failover.  So are you saying that I put in a second wan router ISR4451 and run the HSRP protocol on both the routers now for the outside--->inside.  Thank you, I will dig into that.

 

So now there is a new twist in this story:  Let's say that I can't afford another ISP and can only use the same one circuit I have, I guess my only option is to physically go to the location and connect the ISP connection to the secondary HSRP if the primary router was to fail, right?  Can you think of any other way to make that redundant?  Do you think the ISP will provide a failover link if they detect that the router on our end is down like down BGP neighbor?  I guess I just have to ask them.  Thanks for your input 

Joseph W. Doherty
Hall of Fame
Hall of Fame
As the others have already noted, it's often a question of how much you want to spend to increase your resiliency. As they've noted, one extreme you might just have a contract that expects "repair" within a certain time frame. The other extreme might insure there's no one single point of failure for anything.

Understand, different components have different probabilities of failures, different estimates for time to to repair, and different costs to deal with either. You need to weigh these factors, against their impact to your business.

For example, is the AC power to your router filtered? A power spike could drop your router, either transiently or permanently. As power filters are inexpensive, it's inexpensive "insurance". Or, next level, what's if there's a power interruption? Do you have some form of a UPS? Or, do you have a dual power option, etc.?

In a situation like yours, a relatively inexpensive option might be to use VPN tunnels across the Internet for backup path. Especially at the HQ, you'll probably want a second WAN router for this Internet connection.

Thanks everyone for the response. Let's assume I have ample budget.  What would on suggest ?

Hi,

 

'I have ample budget' -> All you need to do is contact (Cisco) partner.. rest assured :).

 

Come to your Q- Check other expert's suggestions- all got covered. In summary- make sure router connected to UPS,  buy another router with dual PS, get additional MPLS provider, BGP failover etc.

 

Thanks,

MS

Ok, let's say that I can't get a second ISP, but I can I have enough money to buy another router.  Could I VSS (aka HA) the 2 routers together and connect them with routing protocols to the core.?

If you cannot obtain another WAN link, your second router would become a cold/warm spare. Not much of an advantage for some HA if you have to move the WAN link, assuming that's not what failed.

Regarding VSS for ISR, no, but as already suggested by others you can use HSRP (or GLBP or VRRP). However, if your router is "talking" with other routes, often you would allow a routing protocol to switch to a second router. Virtual gateway protocols are generally used for hosts not between routers.

BTW, if the issue with obtaining a second WAN link is due to cost, which it often is with private WANs, again, look into using VPN across the Internet. Private WAN vendors like to tout you have predicable bandwidth, and you do, but I've often found little issue using VPN across the Internet.

Ok, I'm glad you brought that up because on the nexus core for the interface that goes up to the WAN router, we have EIGRP configured on that interface so routes can get advertised to the WAN router from the core.  Are you suggesting to not run HSRP on the WAN routers and just add an additional interface and configure EIGRP too on that one, and let EIGRP do the failing over in case one of the routers die or something?

 

 

 

Current core configuration for interface up to wan router

Core1#

interface Ethernet1/1
description L3 to WAN
no switchport
ip address 12.1.1.1/30
ip router eigrp 1
hsrp 1
ip dhcp relay address 10.51.3.3
no shutdown

Yup.

ok thanks for all the info.  I appreciate everyones input for a noob.  Now I'm wondering if ISP could possibly provide us with a failover link or a dual link in case there is physical problems or something on their end or maybe ours.  Since we don't have money for an additional ISP, I guess all we can do is configure that second router to be the EIGRP secondary failover guy.  I guess what still lacks is having to actually physically go to the location and actually move the uplink if the main router fails. Now I'm kind of where I was in the beginning but slightly better.  Thank you 

Hi Joseph I have a similar situation and I am not sure of many things and was wondering if you can help. Please see attached topology.

I want as much redundancy as possible but this is the only equipment I have now.

I only want to do inter-vlan routing on the Access switches with SVIs, and routing on the Internal Routers with sub-interfaces. I simply want to be able pass allowed traffic (from the different vlan subnets in the lan) up through the interconnecting switch (sits between Internal routers and FW) on out through the FW then to ISP.

The side of the interfonnect switch that connects to the routers is trunked and I can ping between them. The side of the switch that connects to the FW, I changed to switchport access vlan 10 and I could then ping the FW. My worry is will all traffic from the internal subnets pass-through since it is not a trunk?

I have a switch there because I did not see how I can connect both routers to the FW - or is there a way to do it? I would need same ACL applied to both inside interfaces. Once and if I am able to implement another FW then the interconnect switch could go away right since I would just connect each FW to each router but then how do I connect both FWs to on router again? I guess my main question is how do you connect redundant routers (HSRP, same sub-interfaces, etc.) to 1 FW or switch, and vice versa? I can't enter same IPs on interfaces of routers if each connection were to be used to connect to Access switch 1 and 2. If I had the Internal routers both connect to 1 FW, would I need to create let's say one interface as "inside" and another "inside2" and apply the same ACLs to them? This is why I added an interconnect switch.

Any advice or help is much appreciated.

I have attached my topology again.