ISP level failover for LAN based outbound and DMZ inbound traffic

satya.singh
Level 1

Hi, I need help on how to achieve ISP level failover for LAN based outbound and DMZ inbound traffic.

Scenario (attached diagram)

LAN -> Firewall1 (in HA) -> WAN Routers (1&2) (in HA using HSRP) -> ISP-01 (using two different last miles)

LAN -> Firewall2 (in HA) -> WAN Routers (3&4) (in HA using HSRP) -> ISP-02 (using two different last miles)

In case one last mile fails for any ISP, the second last mile takes over smoothly. However, in case there's an outage in the ISP itself, there's a complete outage for outbound as well as inbound (to DMZ) traffic.

Is there a tested method for failover between ISPs implemented anywhere, to figure out the pros and cons and whether it can be implemented so that the complete traffic from WAN Routers 1 & 2 can be shifted to WAN Routers 3 & 4 and vice versa? This would primarily help avoid an outage of all inbound traffic to the DMZ, as the outbound can still be shifted from the LAN source.

Did some research and found BGP prepend working for some networks; looking for suggestions and inputs.

Thanks in advance.

Cheers,

Satya

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Satya,

You need a routing protocol here: there are multiple devices involved and it is also a multivendor context.

I would use BGP sessions between the LAN switches on the left of the picture and the C3800 WAN routers: this allows the LAN distribution switches to detect if a router fails or its eBGP connection fails.

The devices in the middle, FW pair 1 and FW pair 2, need to have static routes pointing to the inside/outside.

Another possible solution, but I don't know if Fortinet supports it, is to use OSPF between the LAN switches, FWs and C3800s.

The problem here is that without object tracking, static routes are not enough to detect possible failures.

Hope to help

Giuseppe
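The BGP design described in the reply above, written out as an added configuration example in Cisco IOS syntax (this is not configuration from the thread or from either poster): the LAN distribution switch runs eBGP multihop sessions through each firewall pair to the C3800 WAN routers, each WAN router hands the switch a default route only while it still has something learned from its ISP, and the DMZ block is announced to both ISPs with an AS-path prepend toward ISP-02, the prepend approach Satya mentioned in the question. Every address (RFC 5737 documentation ranges), ASN, loopback, firewall VIP and timer value below is an assumption, and the inbound part additionally assumes the DMZ block is one that both ISPs will accept and announce.

```cisco
! Constructed addressing and private ASNs, all assumed for this example:
!   site ASN 65010 on all four C3800s, LAN distribution switch AS 65000
!   ISP-01 = AS 64501, peer 203.0.113.1, owns 203.0.113.0/24 (used as an "ISP is alive" anchor)
!   ISP-02 = AS 64502, peer 198.51.100.1
!   DMZ public block 192.0.2.0/24 (must be announceable to both ISPs)
!   Loopback0: LAN switch 10.0.0.10, WAN routers 1-4 = 10.0.0.1 - 10.0.0.4
!   FW pair 1: outside VIP 10.1.1.1, inside VIP 10.2.1.1; FW pair 2: outside 10.1.2.1, inside 10.2.2.1
!
! ===== WAN Router 1 (C3800, ISP-01 side; Router 2 is identical with Loopback0 10.0.0.2) =====
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
router bgp 65010
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 ! upstream: eBGP to ISP-01 over this router's own last mile
 neighbor 203.0.113.1 remote-as 64501
 ! downstream: eBGP multihop to the LAN distribution switch, through FW pair 1
 neighbor 10.0.0.10 remote-as 65000
 neighbor 10.0.0.10 ebgp-multihop 3
 neighbor 10.0.0.10 update-source Loopback0
 neighbor 10.0.0.10 timers 10 30
 ! Hand the LAN a default only while a route learned from ISP-01 is in the RIB, so an ISP
 ! outage (session down or prefixes withdrawn) withdraws the default even though the last mile is up.
 neighbor 10.0.0.10 default-originate route-map DEFAULT-IF-ISP1-UP
!
ip prefix-list ISP1-ANCHOR seq 5 permit 203.0.113.0/24
route-map DEFAULT-IF-ISP1-UP permit 10
 match ip address prefix-list ISP1-ANCHOR
!
! Statics for the two things BGP cannot learn on its own here: the DMZ block (so "network"
! has a RIB entry to announce) and the switch loopback (so the multihop session can form).
ip route 192.0.2.0 255.255.255.0 10.1.1.1
ip route 10.0.0.10 255.255.255.255 10.1.1.1
!
! ===== WAN Router 3 (ISP-02 side; Router 4 identical with Loopback0 10.0.0.4) =====
! Same as Router 1 with the ISP-02 addresses and FW pair 2 outside VIP 10.1.2.1, plus:
router bgp 65010
 neighbor 198.51.100.1 remote-as 64502
 ! Inbound DMZ traffic prefers ISP-01 while it is healthy: the same block is announced here
 ! with a longer AS path and is only chosen by the Internet once ISP-01's announcement is gone.
 neighbor 198.51.100.1 route-map PREPEND-TO-ISP2 out
!
route-map PREPEND-TO-ISP2 permit 10
 set as-path prepend 65010 65010 65010
!
! ===== LAN distribution switch (AS 65000) =====
interface Loopback0
 ip address 10.0.0.10 255.255.255.255
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor WAN-ISP1 peer-group
 neighbor WAN-ISP1 remote-as 65010
 neighbor WAN-ISP1 ebgp-multihop 3
 neighbor WAN-ISP1 update-source Loopback0
 neighbor WAN-ISP1 timers 10 30
 neighbor WAN-ISP1 route-map PREFER-ISP1 in
 neighbor 10.0.0.1 peer-group WAN-ISP1
 neighbor 10.0.0.2 peer-group WAN-ISP1
 neighbor WAN-ISP2 peer-group
 neighbor WAN-ISP2 remote-as 65010
 neighbor WAN-ISP2 ebgp-multihop 3
 neighbor WAN-ISP2 update-source Loopback0
 neighbor WAN-ISP2 timers 10 30
 neighbor 10.0.0.3 peer-group WAN-ISP2
 neighbor 10.0.0.4 peer-group WAN-ISP2
!
! Defaults from ISP-01's routers win on local-preference (200 vs the default 100); when they
! are withdrawn, best-path falls to ISP-02's default and outbound LAN traffic moves over.
route-map PREFER-ISP1 permit 10
 set local-preference 200
!
! Host routes to each router's loopback via the inside VIP of the firewall pair in front of it.
ip route 10.0.0.1 255.255.255.255 10.2.1.1
ip route 10.0.0.2 255.255.255.255 10.2.1.1
ip route 10.0.0.3 255.255.255.255 10.2.2.1
ip route 10.0.0.4 255.255.255.255 10.2.2.1
!
! Firewalls (Fortinet, not shown): static default to the WAN routers' HSRP VIP on the outside,
! 10.0.0.10/32 to the LAN switch on the inside, the router loopback /32s to the HSRP VIP on the
! outside, and a policy permitting TCP/179 between 10.0.0.10 and the router loopbacks, without NAT.
```

Verify with `show ip bgp summary` on the switch (four Established sessions) and `show ip bgp 0.0.0.0`, which should show the ISP-01 defaults at local-preference 200 as best; pulling the ISP-01 session on Router 1 should drop that router's default within the 30-second hold time without touching the HSRP state the firewall sees. Two practical caveats: the switch-to-router sessions cross a stateful firewall, so a firewall HA failover that does not synchronise TCP state will reset them and briefly re-converge routing, and the anchor prefix approach only detects what ISP-01 stops advertising, so choose a prefix the ISP always sends (its own block, or a full default if it gives one) rather than a random Internet route.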

Thanks Giuseppe, there are 2 L2 switches between the FWs and routers, using different VLANs. I guess BGP would be a feasible option, though I'm not sure of the downside, if any.

Hello Satya,

Be aware that any L2 device in the middle has the capacity to keep the interface of the device up/up even if the other L3 device is down.

An alternative way to do this is the usage of reliable static routing:

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html#wp1043334

However, you should permit the SLA probe packets through the firewalls, so I would prefer to allow the BGP session(s).

Hope to help

Giuseppe
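The reliable static routing alternative from the reply above, as an added Cisco IOS example (not configuration from the thread; it uses the `ip sla` / `track ... ip sla` keywords of IOS 12.4 and later rather than the older `rtr` form shown in the linked 12.3 guide): the LAN distribution switch probes a target beyond each WAN router pair, and its default route through FW pair 1 is withdrawn in favour of a floating default through FW pair 2 when the ISP-01 side stops answering. The probe targets, firewall inside VIPs (10.2.1.1 for FW pair 1, 10.2.2.1 for FW pair 2), timers and administrative distances are assumptions.

```cisco
! ===== LAN distribution switch: reliable static routing with object tracking =====
! Constructed, assumed addresses: 203.0.113.1 is ISP-01's first hop beyond WAN routers 1/2,
! 198.51.100.1 is ISP-02's first hop beyond routers 3/4. Probing something on the ISP side
! (not the HSRP VIP of the local routers) is what lets this catch an ISP outage, which the
! last-mile failover in the question already handles, rather than only a dead router.
ip sla 1
 icmp-echo 203.0.113.1
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 198.51.100.1
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 2 life forever start-time now
!
! Dampen the tracked objects so a single lost probe (15 s of failures, 10 s of successes)
! does not flap the default route.
track 1 ip sla 1 reachability
 delay down 15 up 10
track 2 ip sla 2 reachability
 delay down 15 up 10
!
! Pin each probe to its own path. Without these host routes, once the primary default is
! withdrawn the probe to 203.0.113.1 would follow the backup default out through ISP-02,
! succeed, bring track 1 back up, re-install the primary default, and flap forever.
ip route 203.0.113.1 255.255.255.255 10.2.1.1
ip route 198.51.100.1 255.255.255.255 10.2.2.1
!
! Primary default via FW pair 1 / ISP-01 (AD 1), removed from the RIB when track 1 is down;
! floating default via FW pair 2 / ISP-02 (AD 10) is installed only then. Tracking the backup
! as well means the switch still notices when both paths are dead instead of black-holing.
ip route 0.0.0.0 0.0.0.0 10.2.1.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 10 track 2
```

`show track` and `show ip sla statistics` show the probe state, and `show ip route 0.0.0.0` should move from 10.2.1.1 to 10.2.2.1 within about 15 seconds of 203.0.113.1 going unreachable. Because the probes cross the firewalls, the point made in the reply above applies directly: FW pair 1 must permit ICMP echo from the switch to 203.0.113.1 (and NAT it if the switch address is private), and the same for FW pair 2 and 198.51.100.1; a firewall policy change that silently drops the probe will read as an ISP outage and fail the site over to the backup path.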
