Internet Fail over setup

vinayak-nayak (Level 1)

Hi All,

 

The need is to build a fail-over mechanism between Site A and Site B using the existing setup of stacked 3750s at each site. The sites are connected together by a 20 Gig port-channel and each has a link to the internet. Site A and Site B each have a certain set of sites homed to them. The idea is to ensure that all sites homed to Site A egress through it to get to the internet and sites homed to Site B egress through it to get to the internet. But there should be a fail-over mechanism between the sites as well, such that Site A homed sites get to the internet through Site B and vice versa. No extra device like a router etc. can be added; it has to be achieved using the existing 3750 stacks. Is it possible to do it using an IP SLA and HSRP setup (wherein a single VIP acts as the gateway for the default route, i.e. 0.0.0.0 via the VIP)? I have attached the diagram for the setup. (Just a note: there is an existing BGP peering between the two sites built over the layer 3 port-channel.) Please recommend...

 

 

 

5 Replies

Giuseppe Larosa (Hall of Fame)

Hello Vinayak,

I don't see any attached network diagram to your initial post in this thread.

 

HSRP is not a routing protocol but a FHRP = First Hop Redundancy Protocol.

 

How are the satellite sites connected to Site A and to Site B?

 

Unless you have a VPLS service with the remote sites of Site A, Site A, Site B and the remote sites of Site B, HSRP is unlikely to be a possible solution.

If you are using MPLS L3 VPN you should play with BGP on site A and site B.

 

Provide more details on how the remote sites connect to the main sites, and a network diagram, to get better help.

 

Hope to help

Giuseppe

 

Hi Giuseppe,

 

Thanks for responding. I have attached the Visio diagram for the setup. A quick brief on how the traffic is flowing currently. All intranet and internet traffic from branch sites traverses to Site A and Site B respectively, and then for Site B there is no direct egress towards the AWS link or the internet; rather all that traffic too comes to Site A and then goes towards AWS or the internet. (Thus the Site B link to AWS and the internet link are not in use.) Site A and Site B are connected by an L3 ten-gig link which will be converted to a 20 Gig L3 port-channel. There is BGP peering between these two sites over this link. Currently, Site B has a default route pointing to Site A, thus all traffic comes to Site A. The internet links are on the Juniper firewall and just have a static route pointing to the ISP hop. The 3750s have a physical link to the firewall and a static route pointing to it to ensure all traffic goes to the firewall.

 

The requirement is

>> to ensure that traffic coming to Site B from its branch sites egresses to the internet or AWS directly

>> to ensure that traffic coming to Site A from its branch sites egresses to the internet or AWS directly (this is in place)

>> implement a fail-over mechanism between Sites A and B such that either side's branch traffic continues to flow through either of the two sites towards the internet or AWS.

 

Note: The existing setup may be a bit strange, but there is no option of revamping it completely.

 

Can a combination of policy-based routing and IP SLA be used to implement this solution? Please guide.

[Attachment: setup.jpg (network diagram)]

 

 

To add, I was speculating whether the following could be an approach... Not sure, just bouncing ideas....
- create one HSRP group on both the 3750s at Site A and Site B
- point all site traffic on both sites to this HSRP VIP (0.0.0.0 0.0.0.0 VIP)
- IP SLA tracking through the Juniper firewall for the fail-over mechanism

Hello Vinayak,

can we assume that remote branch sites connect to each main site with dedicated L2 links?

 

You are running BGP between Site A and Site B over the ten-gigabit direct link (that will be a port-channel with 2 x 10 GE links).

Each site C3750 stack will have a static default route pointing to the local Firewall for Internet Access.

In case of failure of the local internet link the C3750 stack should use the other main site for Internet Access.

This calls for using IP SLA to track if the local internet link is alive.

The backup default route can be provided by BGP on the link between the sites.

The primary default route will use IP SLA, and a track for the IP SLA will be associated to the primary default static route, so that if the IP SLA fails it will remove the primary default route.

Each main site needs to advertise in BGP (iBGP or eBGP between the two stacks?) a default route if the local primary default route is alive -> the command network 0.0.0.0 under router bgp can do this.

Each main site needs to advertise in BGP all the IP subnets related locally connected branch sites.

The firewalls need to be aware of all IP subnets of both sets of remote branch sites by adding appropriate static routes.

 

From the point of view of the branch sites, a default static route pointing to the local main site may be enough, or a routing protocol like OSPF or EIGRP if desired.

 

Same reasoning should work also for the AWS connections.

 

Hope to help

Giuseppe

 
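The procedure Giuseppe describes above, as a worked IOS configuration for the Site A stack. This is an added example, not configuration from either poster; all addresses, interface names and the AS number are invented for illustration (192.0.2.1 stands in for the ISP next hop, 10.10.0.0/16 for the Site A branch LANs). It follows the post's design (tracked static default to the local firewall, backup default learned over the existing iBGP session, locally homed branch subnets advertised to the other site) but originates the default with `redistribute static` plus `default-information originate` instead of `network 0.0.0.0`, so that only the tracked static default, and never the default learned from the other site, can be exported. Site B is the mirror image with the addresses swapped.

```ios
! Site A C3750 stack (constructed example; hypothetical addressing throughout)
!   Gi1/0/48 -> Site A Juniper inside interface, 3750 = 10.1.0.1/30, firewall = 10.1.0.2
!   Po1      -> 20G L3 port-channel to Site B, Site A = 10.0.0.1/30, Site B = 10.0.0.2
!   Te1/0/1  -> routed P2P link to branch A1 (10.1.1.0/30), branch LAN 10.10.1.0/24
!   iBGP AS 65000 between the two stacks (already in place per the thread)
!
! 1. Probe a target BEYOND the local firewall, pinned through the firewall with a
!    /32 static so the probe can never be answered over the inter-site backup path
!    (otherwise the track would come back up while the local link is still dead).
!    192.0.2.1 stands in for the ISP next hop; the firewall must permit/NAT this ICMP.
ip route 192.0.2.1 255.255.255.255 10.1.0.2
!
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet1/0/48
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! 2. Track object, dampened so a single lost ping does not flap the default route
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! 3. Primary default via the local firewall (AD 1). Withdrawn from the RIB when
!    track 1 goes down; the iBGP default from Site B (AD 200) is then installed.
ip route 0.0.0.0 0.0.0.0 10.1.0.2 track 1
!
! 4. Statics for locally homed branches (the branches run no routing protocol)
ip route 10.10.1.0 255.255.255.0 10.1.1.2
!
! 5. Only the tracked default and the local branch subnets are exported to BGP.
!    The implicit deny drops the /32 probe route and anything else.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip prefix-list SITE-A-BRANCHES seq 5 permit 10.10.0.0/16 le 24
!
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list DEFAULT-ONLY
route-map STATIC-TO-BGP permit 20
 match ip address prefix-list SITE-A-BRANCHES
!
! 6. iBGP to Site B. The default is originated only while the tracked static
!    exists in the RIB, because only static routes are redistributed; the
!    BGP-learned backup default from Site B is never re-exported.
router bgp 65000
 bgp log-neighbor-changes
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 update-source Port-channel1
 redistribute static route-map STATIC-TO-BGP
 default-information originate
```

To verify, watch `show track 1` and `show ip sla statistics 1` while the probe target is reachable, then block the probe on the firewall: `show ip route 0.0.0.0 0.0.0.0` on Site A should change from the static via 10.1.0.2 to the BGP route via 10.0.0.2, and `show ip bgp 0.0.0.0/0` on Site B should show Site A's default withdrawn. Two caveats a practitioner would want: the Site B firewall needs static routes for the Site A branch subnets pointing back at the Site B stack (the thread says this is already in place), and the fail-over is stateless at the firewall, since branch flows leave through a different NAT device and existing sessions have to re-establish.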

Hi Giuseppe,

 

Thanks for replying. Yes, each branch site is connected by a point-to-point ten-gig L3 link. There is no routing protocol running on any of the branch sites. They have static default routes pointing to either the Site A 3750 stack or the Site B 3750 stack depending on where they are homed.

 

Yes, each site's 3750 has a static default route pointing to its respective firewall (internet links will be on the firewall while the links to AWS will be on the 3750 stacks respectively). There is iBGP between the two stacks. So do you suggest that I set up IP SLA with track on the Cisco stack itself, or should it be on the Juniper firewall?

 

At the branch level this is how the setup is: each branch has its own set of VLANs and one ten-gig routed port that plugs into a ten-gig routed port on the Cisco stack. Thus each branch site has just a default route pointing to that routed port IP on the Cisco stack.

 

The BGP peering that exists between these two stacks shares just 3 prefixes (one is the default route and the other two are the routes catering to the AWS cloud).

 

My questions are:

> The backup default route can be provided by BGP on the link between the sites. -- How to achieve this?

 

> each main site needs to advertise in BGP ( iBGP or eBGP between the two stacks ?) a default route if the local primary default route is alive -> command network 0.0.0.0 under router bgp can do this -- Did not understand this

 

> Each main site needs to advertise in BGP all the IP subnets related locally connected branch sites -- Why would this be needed, i didn't understand

 

> The firewalls need to be aware of all IP subnets of both sets of remote branch sites by adding appropriate static routes -- This looks to be already in place

 

Please guide.