Multiple ISP - Need Solution Guidance

Cisco Customer

Hello Everyone,

 

We need guidance on the best path forward to providing ISP redundancy with *outbound* ISP load balancing (no need for inbound - don't want to use BGP).

 

We presently have 2 x ASA 5516-X units in a stateful Active/Standby HA configuration.  They are connected to a stack of 3850 Catalyst switches.

 

We have had a 100 Mbps DIA ISP circuit from one provider and we just brought in a second 100 Mbps DIA circuit.  The first circuit still has a managed router from the ISP which we would like to take in-house with our own managed router.  The second just has an Ethernet hand-off, but we need to provide a router.  Both ISPs drop us Gigabit hand-offs.

 

Additionally, we would like to have the ability to have an LTE circuit as a worst-case-scenario backup.

 

We have been looking at the ISRs - specifically, the 4331, 4351 and the 4431.  While we presently only have 100 Mbps from each ISP, we would like to have room for growth on each, while keeping ISR costs down.

 

The ideal setup would have a single ISP on each ISR with an LTE NIM on one of them.  The ASAs would sit behind the ISRs and would still be performing NAT.  We are considering using PBR (Policy Based Routing) on the ASAs for load balancing, but the solution does not appear to be as elegant as competitors' (e.g. Palo).  It seems doing load balancing on the routers won't work unless we put both ISPs on one ISR router, and then we have a 'warm' spare ISR with an identical config ready to go, but it requires intervention and some downtime.

 

I'm also considering, in place of ISRs, just upgrading our IP Base license on our Core 3850 switch stack to IP Services so we can use VRF for the routing portion of this: connecting both ISP hand-offs to their own VRFs and then having the ASAs peer with the respective VRFs on the switch stack.

 

Please provide your feedback and thoughts.  I've got my CCNA with skills of a CCNP and have been using Cisco products for >20 years, but I would like to avoid complicating this configuration to the extent of needing to bring in a CCIE level individual.

 

Thanks!

5 Replies

Richard Burts

While we can give you some advice based on what you have told us so far, there are some other things that it would help if we knew them. It seems that the second circuit is from a different provider but is not explicit. Can you confirm that you will have two separate providers? Are you using the same IP address space in your network to use both circuits (one aspect of this is whether you will be doing the exact same address translation for both circuits, or will traffic on the second circuit use a different translation)? If you send traffic to the Internet using circuit 1 and the response comes back using circuit 2 will the asymmetry be an issue?

 

I would think that you will want both circuits terminating the same way, either both terminate on an external router, or both terminate on a switch in a vlan/vrf environment to keep the traffic separated. If you do not want to use BGP then it seems to me that using PBR to achieve load sharing would be preferable to the alternative of having two default routes (especially on the ASA).

 

HTH

 

Rick 


Rick,

 

Thanks for your response.

 

Yes, two completely *separate* ISPs, each with their own set of NAT mappings.

 

We were initially thinking to do BGP, but after experiencing one DoS, we would rather not have to pay for [D]DoS mitigation from both ISPs if we do BGP and since we do not need inbound load balancing and availability from a single IP space, we are good with just outbound load balancing/PBR.

 

Can SLA monitors in ASA be placed on BOTH ISP interfaces or would this cause problems?

 

We're thinking the switch vlan/vrf approach for the edge and ASA/NGFW with PBR (can the newer Firepower NGFWs do PBR, or do they offer something better?).  I would imagine this would lead to symmetric responses with no concern about asymmetry.

 

Thanks,

Darius

Darius

 

What we are talking about so far addresses initiating traffic from inside your network to outside and receiving responses to it. I have another question. Is there a need for anything in the Internet to initiate traffic to anything inside your network (any web server or any public-facing services)?

 

HTH

 

Rick


Rick,

 

Inbound, we just have end-user, dial-in VPN termination, for which we could just have Cisco AnyConnect configured with a Primary and Secondary for each ISP.  There are a couple of things we could expose through static NAT which are mostly IT resources, but there is no need for employees or other external users to access them.

 

Anything we expose over static NAT we could have a second DNS entry for (e.g. somehost-isp1.domain.com, somehost-isp2.domain.com).  No web servers or customer-facing resources.  All of that is in the cloud.

Glad to see that you understood my question about access to resources from the Internet was about dynamic NAT vs static NAT. And glad that you have little or nothing that requires static NAT.

 

The good thing about your requirement being inside access to Internet (and not Internet to inside) is that you will do one translation for traffic going out circuit 1 and do a different translation for traffic going out circuit 2. And that addresses the concern about asymmetry. Anything you send out using ISP 1 will have its response come back to ISP 1 = symmetric traffic.

 

I think that PBR would be your best alternative for load balancing. And that the PBR and the address translation should be done on the ASA. I do not have experience with SLA on the ASA and am not prepared to address potential issues with SLA on both connections. I hope that someone else in the forum may be able to address that.

 

HTH

 

Rick

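As an illustration of the approach recommended above (PBR and per-circuit translation on the ASA, with a tracked default route per ISP), here is a constructed ASA configuration. It is an added example, not config from the thread or from Cisco documentation, and it assumes ASA 9.4 or later (where interface PBR is available), documentation-range addresses (203.0.113.0/24 for ISP1, 198.51.100.0/24 for ISP2, 10.0.0.0/16 inside) and two inside subnets to split across the circuits.

```cisco
! Constructed example (not the poster's or Cisco's config). ISP1 = 203.0.113.0/24,
! ISP2 = 198.51.100.0/24, inside = 10.0.0.0/16; all addresses are placeholders.
interface GigabitEthernet1/1
 nameif outside1
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface GigabitEthernet1/2
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.0
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
! One SLA probe per ISP, each sourced from its own outside interface.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 frequency 5
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside2
 frequency 5
sla monitor schedule 2 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability
!
! Default routes: ISP1 preferred, ISP2 floating backup; each is withdrawn when its probe fails.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254 track 2
!
! Separate PAT per egress interface, so replies return on the circuit the flow left on.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.0.0
nat (inside,outside1) source dynamic INSIDE-NET interface
nat (inside,outside2) source dynamic INSIDE-NET interface
!
! PBR: steer by inside subnet; verify-availability skips a next hop whose track is down,
! so traffic falls back to the (tracked) routing table during an ISP outage.
access-list PBR-ISP1 extended permit ip 10.0.1.0 255.255.255.0 any
access-list PBR-ISP2 extended permit ip 10.0.2.0 255.255.255.0 any
route-map DUAL-ISP permit 10
 match ip address PBR-ISP1
 set ip next-hop verify-availability 203.0.113.1 1 track 1
route-map DUAL-ISP permit 20
 match ip address PBR-ISP2
 set ip next-hop verify-availability 198.51.100.1 1 track 2
!
interface GigabitEthernet1/3
 policy-route route-map DUAL-ISP
```

The split by source subnet is only one way to share load; in this layout, inbound-initiated flows such as the AnyConnect terminations mentioned above simply arrive on whichever outside interface the client was pointed at and are answered from it.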