Multiple ISPs on an ISR 4331

Michael Pare
Level 1

Folks - got a bit of a complex setup here and looking for some advice.

We are in the beginning stages of a migration from an ASA 5510 config with a Radware Linkproof internet load balancer with several ISPs - going to an ASA 5515 X config mated with an ISR 4331.

We don't need fancy load balancing features - round-robin is OK for us.

On the ISR 4331, we have added a new ISP (we'll simply call it ISP A) that is BGP-enabled; we are multi-homed with a DR site with an identical configuration (ASA 5515 X and ISR 4331). We do not have/need enough public IP addresses to justify getting a full /24 network from ARIN, so we are doing BGP within the ISP only with a /28 network, and still achieve what we need for DR site fail-over needs (the same ISP is providing our service at the DR site). The disadvantage is that we can't do BGP across ISPs because we do not have our own ASN, and are using a private ASN within ISP A, but this is fine for us.

I have not yet migrated the existing ISPs over from the ASA 5510/Radware config, but let's call them ISP B and ISP C. We are not doing BGP on either of those ISPs as they are not available at the DR site. Therefore, in a full site loss scenario (once we are all up and running on the ASA 5515/ISR 4331 config) I would manipulate DNS records to remove DNS entries for the two other ISPs (B and C).

The problem I see is that since we are receiving the full Internet routing table on our ISR, I can't do "simple" load sharing/balancing on the ISR because of this. I've found many configuration examples for multi-homed ISPs on an ISR, but none are using BGP. Therefore, specifying multiple 'ip route 0.0.0.0 0.0.0.0 (ISP gateway) metric' entries won't work. I could implement a "failover" scenario using route-maps, but this would leave my other ISP links dormant unless ISP A went down. This, in our configuration, would not be ideal (and, in fact, quite a waste, especially given we have a DR site and a dedicated private line).

So, I see 2 options and I'm looking for some feedback:

1. Set up an Internet load balancer outside of our ASA 5515 X (actually it's an active/passive failover pair but that's not really relevant). Then, attach the ISR (ISP A) to the load balancer, and attach the other two ISP routers (ISP B and C) to the load balancer. This seems like the best option.

2. Leave the ISR attached to the ASA. Attach the other two ISP routers (ISP B and C) to available interfaces on our ASAs (either dedicated interfaces, or sub-interfaces on a trunk, whatever, it doesn't matter, but we have available physical interfaces) and configure the interfaces as outside (security level 0) interfaces.

3. Use VRFs on the ISR?

1 seems to be the simplest. With 2, we wouldn't achieve true load balancing, but that's fine. For outbound connections from inside the network this doesn't really matter; I'll just select one of the ISPs to handle that traffic. Inbound connections can use DNS round-robin. Although I have approval to purchase a load balancer, we wouldn't need to do so.

Thoughts?  Thanks!

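The core of the poster's problem is how a router picks a next hop: longest prefix match is evaluated before administrative distance or any static-route metric, so once ISP A feeds a full BGP table, almost every destination is covered by a more specific BGP prefix and the static defaults toward ISP B and C never get used. The following simulation, an added example that is not part of the original post, models that selection with constructed gateway addresses (192.0.2.1 through .3 standing in for ISP A, B and C) and a two-prefix stand-in for the full table; the `Route` class and `lookup` function are illustrative, not any Cisco API.

```python
"""Longest-prefix-match lookup simulation (constructed example).

Shows why equal-distance static default routes toward ISP B and ISP C
stop sharing traffic as soon as a full BGP table from ISP A is installed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # destination prefix, e.g. "0.0.0.0/0"
    next_hop: str    # constructed ISP gateway address
    source: str      # "static" or "bgp", informational only
    distance: int    # administrative distance (IOS: static 1, eBGP 20)


def lookup(rib, dst):
    """Return the sorted list of next hops that would carry traffic to dst.

    Order of evaluation mirrors a FIB lookup: the longest matching prefix
    wins regardless of route source or distance; among routes to that same
    prefix the lowest administrative distance wins; remaining ties are
    equal-cost paths that share the load.
    """
    addr = ip_address(dst)
    matches = [r for r in rib if addr in ip_network(r.prefix)]
    if not matches:
        return []
    best_len = max(ip_network(r.prefix).prefixlen for r in matches)
    longest = [r for r in matches if ip_network(r.prefix).prefixlen == best_len]
    best_ad = min(r.distance for r in longest)
    return sorted(r.next_hop for r in longest if r.distance == best_ad)


# Constructed gateway addresses from documentation ranges, not real ISPs.
ISP_A_GW = "192.0.2.1"   # BGP-speaking ISP attached to the ISR
ISP_B_GW = "192.0.2.2"   # non-BGP ISP, static default only
ISP_C_GW = "192.0.2.3"   # non-BGP ISP, static default only

# Two equal-distance static defaults: without BGP these load-share (ECMP).
STATIC_DEFAULTS = [
    Route("0.0.0.0/0", ISP_B_GW, "static", 1),
    Route("0.0.0.0/0", ISP_C_GW, "static", 1),
]

# Tiny stand-in for the full Internet table learned over eBGP from ISP A.
BGP_FROM_ISP_A = [
    Route("198.51.100.0/24", ISP_A_GW, "bgp", 20),   # constructed prefix
    Route("203.0.113.0/24", ISP_A_GW, "bgp", 20),    # constructed prefix
]


def next_hops_without_bgp(dst):
    """Static defaults only: both non-BGP ISPs share the traffic."""
    return lookup(STATIC_DEFAULTS, dst)


def next_hops_with_bgp(dst):
    """Full table installed: any destination covered by a BGP prefix goes
    to ISP A even though eBGP's distance (20) is worse than static (1)."""
    return lookup(STATIC_DEFAULTS + BGP_FROM_ISP_A, dst)


if __name__ == "__main__":
    target = "203.0.113.45"
    print("static only  ->", next_hops_without_bgp(target))
    print("with BGP     ->", next_hops_with_bgp(target))
    # Only destinations absent from the BGP table fall back to the statics;
    # with a real full table that is almost nothing.
    print("uncovered    ->", next_hops_with_bgp("192.0.2.200"))
```

The lookup shows the mismatch the poster describes: tuning the static routes' distance cannot pull traffic back to ISP B or C, because the /24 learned from ISP A is more specific than 0.0.0.0/0 and is compared first. Only destinations that ISP A does not advertise at all (here, 192.0.2.200) ever reach the equal-cost static defaults.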