Redundant Routing Lab - how to?

antony63593
Level 1

Hello everyone,

I am a student working on a lab, and I am wondering how to implement the following scenario:

I have 2 ISP routers connected to the internet, behind which I have 2 Cisco routers handling firewall and VPN connections. Those routers are themselves connected to a collapsed core LAN infrastructure. Each Cisco router is connected to both ISP routers.

How do I go about making my internet connection highly available in case one router (either ISP or Cisco) goes down (either the router or the internet connection by itself)?

By that I mean, what kind of protocol should I implement?

Hope you can help me have a better picture of what I should do.

Thanks a lot!

Giuseppe Larosa
Hall of Fame

Hello @antony63593,

I would suggest you provide a network diagram with the physical links between the ISP routers and the Cisco routers, and between the Cisco routers and the core switch(es).

>> I have 2 ISP routers connected to the internet, behind which I have 2 Cisco routers handling firewall and VPN connections. Those routers are themselves connected to a collapsed core LAN infrastructure. Each Cisco router is connected to both ISP routers.

Let us forget for the moment about site-to-site VPNs and other firewall-related features, but some choices have to be made later for this.

Which routing protocol can be used between the ISP1, ISP2 routers owned by the ISP and Cisco1, Cisco2 owned by the enterprise?

The only possible answer is BGPv4, and actually, assuming there are dedicated links between ISP1 and Cisco1, ISP1 and Cisco2, ISP2 and Cisco1, and ISP2 and Cisco2, all this leads to the configuration of four eBGP sessions:

ISP1-Cisco1
ISP2-Cisco1
ISP1-Cisco2
ISP2-Cisco2

On each eBGP session the ISPx router provides at least a default route 0.0.0.0/0, and the Ciscoy device advertises the public address block(s) of the enterprise (note these address blocks can actually belong to the ISP or be owned by the enterprise).

b) What routing protocol should be spoken between Cisco1 and Cisco2?

An iBGP session over loopbacks advertised over an IGP could be used, even if, given the specific design, it is not strictly necessary, as each Ciscox device peers directly with both ISP1 and ISP2.

An IGP like OSPF should be spoken on the internal LAN interfaces.

c) What routing protocol should be spoken between Cisco1, Cisco2 and Core1, Core2 (if there are two different core devices)?

OSPF is enough, with Cisco1 and Cisco2 injecting a default route into OSPF based on the fact of receiving one via eBGP, either from ISP1 or from ISP2.

To be more precise, it is possible to check if at least one eBGP route 0.0.0.0/0 exists in the local table, but it is not easy to discriminate whether two paths are working (one via ISP1 and one via ISP2) or only one is available.

 

What is more important is that Cisco1 and Cisco2 must act as a stateful pair for NAT and site-to-site VPN.

This means that you need to build a hierarchy: Cisco1 and Cisco2 cannot be active/active at the same time.

The first consequence of this fact is that, from the internal network to the internet, the core devices must prefer the default route generated by Cisco1 when it is present.

This can be achieved by having Cisco1 generate a default route of type O E1 with a lower seed metric:

ip prefix-list DEFAULT permit 0.0.0.0/0
!
access-list 11 remark eBGP next-hops of Cisco1
access-list 11 permit host <ISP1-toCisco1-ipaddress>
access-list 11 permit host <ISP2-toCisco1-ipaddress>
!
! the route-map passes 0.0.0.0/0 only when its next hop is one of Cisco1's eBGP peers,
! so the OSPF default is withdrawn when both eBGP sessions are down
route-map DEF-CISCO1 permit 10
 match ip address prefix-list DEFAULT
 match ip next-hop 11
 set metric-type type-1
 set metric 50
!
router ospf 10
 default-information originate route-map DEF-CISCO1

 

Similarly on Cisco2, but with a seed metric of 1000:

ip prefix-list DEFAULT permit 0.0.0.0/0
!
access-list 12 remark eBGP next-hops of Cisco2
access-list 12 permit host <ISP1-toCisco2-ipaddress>
access-list 12 permit host <ISP2-toCisco2-ipaddress>
!
route-map DEF-CISCO2 permit 10
 match ip address prefix-list DEFAULT
 match ip next-hop 12
 set metric-type type-1
 set metric 1000
!
router ospf 10
 default-information originate route-map DEF-CISCO2

 

In the same way you need to make the return paths via Cisco1 preferred when it is alive.

You can achieve this by using MED:

On Cisco1, MED 50 for outgoing eBGP advertisements.

On Cisco2, MED 1000 for outgoing eBGP advertisements.

 

route-map EBGP-CISCO1 permit 10
 set metric 50
!
router bgp 65000
 ! the enterprise public block(s) are advertised with network statements (not shown here)
 neighbor <ISP1-toCisco1-ipaddress> remote-as 7600
 neighbor <ISP1-toCisco1-ipaddress> route-map EBGP-CISCO1 out
 neighbor <ISP2-toCisco1-ipaddress> remote-as 7600
 neighbor <ISP2-toCisco1-ipaddress> route-map EBGP-CISCO1 out

On Cisco2:

route-map EBGP-CISCO2 permit 10
 set metric 1000
!
router bgp 65000
 neighbor <ISP1-toCisco2-ipaddress> remote-as 7600
 neighbor <ISP1-toCisco2-ipaddress> route-map EBGP-CISCO2 out
 neighbor <ISP2-toCisco2-ipaddress> remote-as 7600
 neighbor <ISP2-toCisco2-ipaddress> route-map EBGP-CISCO2 out

 

I think for the moment this is enough.

As long as Cisco1 is alive, or it has at least one exit link to an ISP, it is the preferred exit point and the preferred entry point.

This provides symmetric routing, which is very important for NAT and firewall features that need to see both directions of a session to handle it correctly.

 

Hope to help

Giuseppe
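The preference logic in the reply above, modelled as an added example (not part of Giuseppe's post): conditional default origination keyed on the eBGP next-hop ACL, the core's choice of O E1 default by seed metric, and the ISPs' choice of entry point by MED. The peer addresses, OSPF costs and the internal next hop are constructed values.

```python
from dataclasses import dataclass, field

@dataclass
class EdgeRouter:
    """Cisco1 or Cisco2 from the reply: an enterprise edge with two eBGP peers."""
    name: str
    seed_metric: int      # 'set metric' in route-map DEF-CISCOx (OSPF E1 seed)
    med: int              # 'set metric' in route-map EBGP-CISCOx (outgoing MED)
    sessions: dict        # eBGP peer next-hop -> session up? (constructed addresses)
    other_default_nh: set = field(default_factory=set)  # 0.0.0.0/0 from other sources

    def originates_default(self) -> bool:
        # default-information originate route-map DEF-CISCOx: 0.0.0.0/0 passes only
        # if its next hop is in ACL 1x, i.e. it was learned from an eBGP peer of this
        # router. A static or IGP-learned default never triggers origination.
        acl = set(self.sessions)
        table_defaults = {nh for nh, up in self.sessions.items() if up} | self.other_default_nh
        return any(nh in acl for nh in table_defaults)

def core_exit(edges, ospf_cost):
    """Core router's choice: the O E1 default with the lowest seed metric + OSPF cost."""
    cands = [(e.seed_metric + ospf_cost[e.name], e.name) for e in edges if e.originates_default()]
    return min(cands)[1] if cands else None

def isp_entry(edges):
    """ISP side: both ISPs are AS 7600 in the reply, so MED is comparable across the two
    edges; the enterprise prefix is only heard on sessions that are still up."""
    cands = [(e.med, e.name) for e in edges if any(e.sessions.values())]
    return min(cands)[1] if cands else None

def path_state(edges, ospf_cost):
    exit_router, entry_router = core_exit(edges, ospf_cost), isp_entry(edges)
    return {"exit": exit_router, "entry": entry_router,
            "symmetric": exit_router is not None and exit_router == entry_router}

# Constructed peer addresses (TEST-NET-2); the post uses placeholders for these.
PEERS = {"Cisco1": ("198.51.100.1", "198.51.100.5"), "Cisco2": ("198.51.100.9", "198.51.100.13")}
COST = {"Cisco1": 10, "Cisco2": 10}   # assumed equal OSPF cost from the core to each edge

def build(c1_up=(True, True), c2_up=(True, True), c1_other=()):
    """c1_up / c2_up = (session to ISP1 up?, session to ISP2 up?)."""
    return [EdgeRouter("Cisco1", 50, 50, dict(zip(PEERS["Cisco1"], c1_up)), set(c1_other)),
            EdgeRouter("Cisco2", 1000, 1000, dict(zip(PEERS["Cisco2"], c2_up)))]

if __name__ == "__main__":
    for label, edges in [("all up", build()), ("Cisco1 lost ISP1", build(c1_up=(False, True))),
                         ("Cisco1 lost both", build(c1_up=(False, False)))]:
        print(f"{label:18} -> {path_state(edges, COST)}")
```

Losing one ISP link keeps Cisco1 as both exit and entry, and only losing both moves everything to Cisco2, which is the symmetry the reply relies on for NAT and the firewall.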