ISP Setup - Dual homing

Mikey John · ‎11-03-2011

Hello everyone,

I have Internet links from two different service providers. These ISP links are terminating on two different 2911 routers. I need to give Internet access to the users behind the switches (Sw1 and SW2).

Proposed Setup (Diagram is attached)

===============

SW1 ---> (Default route) FW1------>Default route to R1---->EBGP to ISP 1

SW2 ---> (Default route) FW2------>Default route to R2---->EBGP to ISP 2

With this design, only the ISP 1 link is going to be utilized since all packets will traverse the active FW and reach R1 and go out.

Please let me know

1) Is there a way for me to use both the ISP links? Some kind of load sharing?

2) Should there be a IBGP between the routers? If yes, what networks should be advertised between them?

Please suggest.

Thanks

Mikey

ajay chauhan · ‎11-03-2011

Hi,

are you going to run full bgp with SP or just default gateway ? if full bgp table then rotuing decesion will be taken on R1 where the active FW is connected and traffic will go out based on best route based on SP whoever is giving best. Also you can tweak traffic based on prefixes.For this yes IBGP will be there between routers.

Thanks

Ajay

Mikey John · ‎11-03-2011

Hi Ajay,

Iam going to have a default routing with the service provider. With HSRP running between the routers, at all times the traffic would go out via R1. right? It would take the R2 route only if R1 goes down.

Is there any way to load share the outbound traffic?

Thanks

MIkey

ajay chauhan · ‎11-03-2011

Hi,

I dont think we can do it this way but i guess using some NAT policy can be done but it wont be pure load balancing.

Thanks

Ajay

fb_webuser · ‎11-03-2011

Can you put the Firewalls in Active Active mode? (I'm assuming that both switches are connected.)

If you could this will solve all your problems...

---

Posted by WebUser Ahmed Rasmy

Marwan ALshawi · ‎11-03-2011

hi

FW in active-active will require separation of internal subnets and having one subnet to use one FW as active and the other subnet will use the other firewall as active

the other option you do not use failover however you use bot firewalls to work separately this way you can load balance between the two routers

and in the switch you can configure some IP SLA to monitor the availability of the firewall if it gose down then it removes the default route to that firewall and use another default route point to the other SW and up to the other FW-Router

hope this help

if helpful rate

Kishore Chennupati · ‎11-03-2011

Hi Mikey,

1) Is there a way for me to use both the ISP links? Some kind of load sharing?

2) Should there be a IBGP between the routers? If yes, what networks should be advertised between them?

1. In your current scenario it highly unlikely you can load share as you have rightly mentioned that everything goes via FW1 since its Active. In my opinion if you want to load share both the ISP links go for stand alone FW's. Lets says your internal subnet is 192.168.1.0/24.

a. . Split it into 2x /25's say 192.168.1.0/25 and 192.168.1.128/25.

b. users in 192.168.1.0/25 use FW1 as their GW

c. users in 192.168.1.128/25 use FW2 as their GW

d. On R1 you advertise 192.168.1.0/25(High LP) and 192.168.1.128/25(AS prepend) to the ISP1

e. On R2 you advertise 192.168.1.0/25(As prepend) and 192.168.1.128/25(High LP) to ISP2

f. Put a static route on R1 for 192.168.1.0/25 next hop FW1

g. Put a static route on R2 for 192.168.1.128/25 next hop FW2

h. Default routes on FW's to the routers.

2. yes there should be iBGP between R1 and R2 for redundancy. In case the link to ISP1 fails then ISP2 will start routing the traffic across the link via IBGP. If you follow my setup above then you only redistribute static routes.into BGP

Note: Active/Active FW also is a good idea but you need to be cautious of any misconfig and you will end up creating blackholes

HTH

Kishore

fb_webuser · ‎11-04-2011

I have the same scenario applied except having an active standby FWs on each link.

I configured OSPF and IP SLA on firewalls and the tracked route is distributed by the firewall to the internal network which give me a per session load balance between both links.

so in your case I would put both firewalls in Active Active with 2 contexts on each one failing over each other, you can't do OSPF in Active/Active mode, so you will just have to do it somewhere before the traffic reaches the ASAs

---

Posted by WebUser Ahmed Rasmy

Mikey John · ‎11-05-2011

Hi All,

Thanks for your inputs. I cannot have 2 x /25 subnets as of now. There are only 15 users connected to both these switches (future growth).

I guess we will have to settle with sending the outbound traffic through one link (R1 most of the times). But the return traffic can come in through any way.

1) If I configure IBGP between the routers, how can i pass the defualt route from r1 to r2 if the ISP 1 link fails? Iam running EBGP on both routers towards the ISPs.

2) Is it possible for me to configure HSRP on the routers for the FW to point the default route to the VIP? IF yes, on which ports should i be configuring them?

Thanks

Mikey

Marwan ALshawi · ‎11-05-2011

If you configure HSRP on the routers you be using your gateways in active standby again you just move the active standby from the fw to the routers now

Unless you setup two HSRP groups and use group 1 for fw 1 on router 1 as active router

And HSRP group 2 on router 2 as active router for fw 2

Using same shared subnet between the routers and outside interfaces of the fw but you will need a L2 switch between the routers and firewalls in this case for a shared LAN

HOPE THIS HELP

plz rate the helpful posts