
Next Hop test Lab

stein9700
Level 1

I needed to test a dual ISP configuration on a firewall, and I was able to set up a quick lab with a set of Cisco 2901 ISRs to test the failover scenario. This got me thinking: could I also test VPN, but how do I route traffic once I go past the WAN interfaces?

 

Right now I just have the 2nd interfaces on the 2901s set to DHCP and I pick up an address from Comcast. This gives me the internet I need to test failover.

 

I was thinking of putting a layer 3 on the LEFT side of the routers and either changing the IP scheme or just extending like it's the real world.

 

If anyone has any ideas I would greatly appreciate it.

 

 

lab1.PNG

 

 

 

 

5 Replies

balaji.bandi
Hall of Fame

Yes, that is a reasonable approach, since you have only 1 IP coming from the ISP.

BB


So I was thinking about this. I think I need another router behind the other 2 doing OSPF or some type of routing protocol.

 

Technically speaking how are ISP1 and ISP2 going to know about the IP on ge 0/1? 

 

Update: My lab 3560V2 can do OSPF; this might solve my problem.

 

 

lab2.PNG

 

 

 

Thanks

Hello

Could you elaborate on a few things please?
In your topology it looks like you have connected two ISP rtrs into a switch, both receiving DHCP from the Comcast router; however, the addressing on the gig0/0 interface of both rtrs shows the subnet address, which is not valid. Or is this just a typo?

Are these rtrs managed by you, meaning the naming convention is just stating that they are connected into your ISP?

If you put an additional router in front of the two ISP routers it will still become a single point of failure, just like your switch is at present.

If applicable, adding a direct physical connection between the two ISP rtrs and then, if possible, introducing an IGP such as OSPF between these rtrs and the fw could be another alternative?

You could then conditionally advertise a default route from each ISP OSPF router into the fw with a preferred metric-type preference on that advertised default.



Kind Regards
Paul

This is a test lab; the IPs on Ge0/0 are real enough for the firewalls. All of this equipment is mine; in fact I just broke down the lab and put it in my car for work in the morning.

 

My goal for this lab is to have a closed loop network that I can test dual ISP, VPN tunnels, different routing, etc.

 

Minus the IP addresses, this is how I would envision it. I do a lot of remote work, and I like to pre-build and test the configurations.

 

lab3.png

 

 

 

I was thinking of OSPF this morning; unfortunately none of the hardware I have at home has enough ports or can do OSPF.

 

Should I use an actual router, or do you think a Layer 3 switch with OSPF is good enough?

Thanks

 

It depends on your criteria.  You have to consider cost, network performance standard, interoperability, and administration efficiency.  You can read about an existing topic about layer 3 vs router, https://learningnetwork.cisco.com/message/494519#494519

For me, considering this is a small network, not enterprise or midsize company, I would use layer 3 for cost, comparable performance, interoperability and ease of use.

Keep in mind, when using OSPF, your firewall has equal cost path selections between next-hops.  By default, it may load share between paths causing asymmetric routing which can be nothing or bad depending on the outcome.  You can manipulate the path cost by changing the OSPF parameter to define your end-to-end deterministic routing.   
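A configuration sketch of the two suggestions made in the replies above (conditionally advertising a default route from each ISP-facing router, and making the firewall's choice of next hop deterministic), added here as an example and not posted by any participant in the thread. The interface roles, OSPF process and area, all addresses (documentation ranges) and the probe target are assumptions.

```cisco
! Added example for the two lab 2901 routers. All addresses are constructed
! placeholders from documentation ranges, not values from the thread.
!
! ===== ISP1 router (preferred exit) =====
ip sla 1
! Probe an upstream address through the WAN side (placeholder target)
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/1
 description WAN side, DHCP from upstream
! Install the DHCP-learned default route only while track 1 is up.
! Entered before "ip address dhcp" so it applies to the lease.
 ip dhcp client route track 1
 ip address dhcp
!
interface GigabitEthernet0/0
 description Inside segment shared with the firewall (assumed)
 ip address 192.0.2.1 255.255.255.248
!
router ospf 1
 router-id 192.0.2.1
 network 192.0.2.0 0.0.0.7 area 0
! Without "always", the default is advertised only while this router
! holds a default route itself, so a failed probe withdraws it.
 default-information originate metric 10 metric-type 1
!
! ===== ISP2 router (backup exit) =====
! Same ip sla / track / WAN interface configuration as ISP1, then:
interface GigabitEthernet0/0
 description Inside segment shared with the firewall (assumed)
 ip address 192.0.2.2 255.255.255.248
!
router ospf 1
 router-id 192.0.2.2
 network 192.0.2.0 0.0.0.7 area 0
! Type 2 external (E2): OSPF prefers an E1 default over an E2 default,
! so the firewall uses ISP1 while both are advertised and does not
! load-share across the two next hops.
 default-information originate metric 20 metric-type 2
```

`show track 1` and `show ip route 0.0.0.0` on each router confirm whether the tracked default is currently installed and therefore being advertised.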
