Load sharing between 2 ISP

jeromesky
Level 1

I've got a StackWise Virtual core (VSS) connected to two separate ASA firewalls, and behind the firewalls are my routers, which connect to the ISPs for internet access.

 

                INTERNET
               /        \
              |          |
            ISP1        ISP2
              |          |
           Gi0/0/1    Gi0/0/1
           Router1    Router2
           Gi0/0/0    Gi0/0/0
              |          |
           outside    outside
            ASA1       ASA2
           inside     inside
              |          |
               \        /
         Gi1/1/0/1  Gi2/1/0/1
       CORE Switch L3 (StackWise Virtual)

 

I have SVIs on the core; one of them is on VLAN 302 (10.28.2.0/24).

IP routing is enabled, so I don't have any problem with inter-VLAN routing on my other subnets, such as VLAN 305 and VLAN 307.

My core switch ports Gi1/1/0/1 and Gi2/1/0/1 are configured in VLAN 302.

My ASA1 inside is 10.28.2.10/24, outside 50.50.50.1/24 (NATed dynamically).

My ASA2 inside is 10.28.2.11/24, outside 60.60.60.1/24 (NATed dynamically).

Router1 LAN IP via Gi0/0/0 is 50.50.50.2/24 (provided by ISP1).

Router1 WAN IP via Gi0/0/1 is 80.80.80.1/24 (provided by ISP1).

Router2 LAN IP via Gi0/0/0 is 60.60.60.2/24 (provided by ISP2).

Router2 WAN IP via Gi0/0/1 is 90.90.90.1/24 (provided by ISP2).

Both ISPs advertise internet reachability using static routes.

 

 

With this in hand, what methodology should I use to achieve load sharing between ISP1 and ISP2?

I don't want to use PBR route maps to manually define which source VLANs go to ISP1 and which to ISP2; as much as possible, I want my topology to decide automatically.

 

Hope someone can help me; I've been struggling so badly.

6 Replies

Deepak Kumar
VIP Alumni

Hi,

 

Before starting an answer, I have a few questions:

1. Have you configured BGP between the ISP and the router, or is it a default route?

2. How is the ASA configured?

But as per your basic diagram: as both ASAs are working as standalone devices and handling separate ISP connections, you have the options below.

 

There are multiple options, but I do not recommend configuring HSRP, VRRP, or GLBP at all, since firewalls have all sorts of state tables, connection tables, and translation tables.

So, with the current design, the options are:

 

Option 1:

Design change: the LAN (inside) interfaces of the two ASAs will be configured in different subnets, as follows.

Current design:
ASA1 (inside) 10.28.2.10 ---> Core switch VLAN 302
ASA2 (inside) 10.28.2.11 ---> Core switch VLAN 302

Required design:
ASA1 (inside) 10.28.2.10 ---> Core switch VLAN 302
ASA2 (inside) 10.28.3.10 ---> Core switch VLAN 303

Configure two default routes on the core switch, one toward each Cisco ASA, and monitor those routes using IP SLA and track. If either connection or ISP faces downtime, all traffic will be redirected to the other ISP.

 

Configuration on the core switch as below:

 

! Two default routes, one per ASA inside address, each tied to a track object
! (ASA2 next hop follows the required design above: 10.28.3.10 in VLAN 303)
ip route 0.0.0.0 0.0.0.0 10.28.2.10 track 1
ip route 0.0.0.0 0.0.0.0 10.28.3.10 track 2
!
! Probe sourced from the SVI facing ASA1
ip sla 1
 icmp-echo 8.8.8.8 source-interface Vlan302
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Probe sourced from the SVI facing ASA2
ip sla 2
 icmp-echo 8.8.8.8 source-interface Vlan303
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 2 life forever start-time now
!
track 2 ip sla 2 reachability
!
! Caveat: source-interface only sets the probe's source address; the egress
! path is still chosen by the routing table, so while both defaults are up a
! probe to 8.8.8.8 may leave via either ASA. To make each track reflect its
! own path, pin each probe target to its ASA with a host route (one distinct
! target per path).

 

Regards,
Deepak Kumar

Hi Deepak,

 

1. I only use a default route between the router and the ISP.

2. The ASA is only using static and default routes.

 

Example for FW1:

route outside 0.0.0.0 0.0.0.0 50.50.50.2

route inside 10.28.0.0 255.255.0.0 10.28.2.254

 

May I know what the difference would be if I changed the ASA2 inside to a different VLAN, rather than having it inside the same subnet of VLAN 302?

 

Actually, I tried these two default routes on the core before, without IP SLA tracking, but it is not working. If both static default routes are present in my routing table on the core, I can only ping ISP2 and ISP1 is unreachable, since, based on my understanding, it follows the highest next-hop IP address, which is 10.28.2.11.

 

ip route 0.0.0.0 0.0.0.0 10.28.2.10
ip route 0.0.0.0 0.0.0.0 10.28.2.11

 

....

 

 

Hi,

Actually, with the same VLAN, IP SLA will not work properly, and the same issue that you faced will appear.

"Actually, I tried these two default routes on the core before, without IP SLA tracking, but it is not working. If both static default routes are present in my routing table on the core, I can only ping ISP2 and ISP1 is unreachable, since, based on my understanding, it follows the highest next-hop IP address, which is 10.28.2.11."

 

Regards,
Deepak Kumar

Hi Deepak,

 

I tried to change the subnet of firewall 2 to another VLAN and also put IP SLAs on my static default routes, but still the same behaviour: if two default routes are present in the core's routing table, I can only ping one router, which is the router behind FW1, since it has the higher inside IP, which is the next hop of my core switch.

Hi,

Have you tested with tracert from two different systems to public IPs such as 8.8.8.8 and 1.1.1.1? Is ECMP working correctly?

 

"I tried to change the subnet of firewall 2 to another VLAN and also put IP SLAs on my static default routes, but still the same behaviour: if two default routes are present in the core's routing table, I can only ping one router, which is the router behind FW1, since it has the higher inside IP, which is the next hop of my core switch."

If ECMP is working fine, then this seems to be normal behaviour, because "the default is CEF, which load-shares per session (src-dst IP pair)". Some IPs or services are only available through a specific gateway. As firewall 2 is only available through Router 2, there is a specific solution for you.

1. Assign a static route on the core switch for the particular subnet/IP address (firewall 2 IP) toward the router.

Example:

ip route 10.28.2.0 255.255.255.0 60.60.60.2

2. Go with the PBR solution as well.

 

Regards,
Deepak Kumar
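To make the CEF point above concrete, here is an added illustration in Python (not code from the thread or from any Cisco product): a longest-prefix-match lookup plus a per-(src, dst) hash standing in for the platform's CEF path selection. It assumes the original design with the ASA inside addresses 10.28.2.10 and 10.28.2.11, and, as a hypothetical fix, two specific routes for the router LAN subnets so a ping to 50.50.50.2 is pinned to ASA1 instead of being hashed across both defaults.

```python
import hashlib
import ipaddress

# Constructed routing table modelled on the thread's core switch (values taken
# from the original post): two equal-cost defaults, one per ASA inside address.
ASA1, ASA2 = "10.28.2.10", "10.28.2.11"
ECMP_ONLY = [("0.0.0.0/0", ASA1), ("0.0.0.0/0", ASA2)]
# Same table plus specific routes for each router's LAN subnet (hypothetical fix).
WITH_SPECIFICS = ECMP_ONLY + [("50.50.50.0/24", ASA1), ("60.60.60.0/24", ASA2)]


def lookup(routes, dst):
    """Longest-prefix match. Returns every next hop that shares the best prefix
    length (the ECMP set); the numeric value of a next hop plays no role."""
    addr = ipaddress.ip_address(dst)
    best_len, hops = -1, []
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, hops = net.prefixlen, [nh]
        elif net.prefixlen == best_len:
            hops.append(nh)
    return sorted(hops)


def cef_select(hops, src, dst):
    """Stand-in for CEF per-destination load sharing: a hash of the (src, dst)
    pair picks one hop, so a given flow always takes the same path. The real
    platform hash differs; only that property matters here."""
    if not hops:
        return None
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return hops[int.from_bytes(digest[:4], "big") % len(hops)]


def forward(routes, src, dst):
    """Next hop the core would use for one packet from src to dst."""
    return cef_select(lookup(routes, dst), src, dst)


def path_share(routes, sources, dst):
    """Count how many of `sources` land on each next hop for one destination,
    e.g. many inside hosts all reaching 8.8.8.8."""
    counts = {}
    for src in sources:
        nh = forward(routes, src, dst)
        counts[nh] = counts.get(nh, 0) + 1
    return counts
```

With only the two defaults, one host pinging one address always takes the same path, so a single-host ping cannot show load sharing; `path_share` over many inside hosts does, and the specific routes make the router-LAN pings deterministic.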

Hello

PBR would be the suggested approach here, unless you implement an IGP between the FWs and the core and manipulate the metrics for certain prefixes as desired.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This could then assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul