08-12-2020 08:46 AM - edited 08-12-2020 08:49 AM
I know about floating static routes and how they works.
I want to have default or static route to same destination over two different interfaces towards different gateway. One will be active and other will be passive. But both needs to be in routing table.
Floating routes does not work because route with higher admin distance does not inserted into routing table.
I am using another non Cisco product when I can configure two static routes to same destination but with different priorities. Because admin distance is same, both routes come into routing table, but only one is used which has lower priority value.
Does Cisco have something similar?
Not looking for any solution through policy routing.
For example remote end has two internet connection. That remote side runs ipsec tunnel mode towards a central side which has one public IP address. Remote take two default route from ISP. But remote will connect to same public IP of central side. Then without both routes to central ip through different interfaces in remote router routing table, I cannot even start ipsec negotiation.
Regards,
Solved! Go to Solution.
08-13-2020 09:48 AM
Hi,
Many thanks for your reply.
More example,
Two default routes from two internet facing interface. The backup internet line is using default route with higher admin distance so not in routing table.
Now try a ping to 8.8.8.8 sourced from backup interface ip. What Cisco router will do,
Internally switch that packet from backup interface to primary interface and exit out. Asymmetric routing even though there is default route out through backup line.
From home you want to reach the backup line ip. Traffic enters through backup line interface, but reply exit through primary interface, as there is not default route through backup interface entered into routing table.
This is my problem at least for traffic to or from router own ip adress which is backup.
I want to achieve traffic addressed to router own ip in backup line enters and exit same interface, not through that primary interface.
Regards.
08-13-2020 10:36 AM
08-14-2020 02:50 AM
When traffic comes from internet through primary line, but destination is backup line Ip adress - there is nothing I can do. This is the source's ISP responsibility. But for me, I will send out reply through backup interface, as the traffic is addressed to the router itself and I have two default route in the routing table. Even through backup line default route has low priority, it will be used because the traffic is to the router itself and to it's backup IP and there is a default route through that interface in the routing table.
Cisco's solution of floating route solves most of the problem, user data will always go through the primary line. But from me it is most important the traffic addressed to the router itself from or to internet.
Somebody here in the forum mentioned to be, give HUB another IP to run two IPsec towards it. Why would I do that if my setup looks like this -
I am running BGP with two different routers with two upstream ISPs. I am announcing my IPV4 routes through BGP. Those two routers are already taking care of my network redundancy. Behind those I have two firewalls in active/passive and they are running IPSec with branches over single IP. There is no need to taking another public IP just for creating IPSec backup tunnels.
With Cisco solution of floating routes IKE/IPSec negotiation happens over always primary line, even though it is sourced from backup line's IP.
But with my other device, primary ipsec is sourced from primary interface and secondary IPSec is sourced from secondary interface. But users who are sitting behind firewall, their data never goes out via backup line, as long as the primary line is active.
08-14-2020 03:31 AM - edited 08-14-2020 03:32 AM
It looks like in Cisco I can only achieve that by using local policy routing.
Traffic addressed to / from backup ip will use local policy routing. This solves problem of the traffic for the router itself.
And backup line will have a floating static route which will take care of user data, when primary link goes down.
Many thanks others for their inputs.
08-14-2020 07:22 AM - edited 08-14-2020 07:24 AM
Ok, I understand. Interesting difference in other vendor's approach. I think I prefer Cisco's approach, because, philosophically, if secondary router is a part of a topology that for all traffic preferred path is via primary, unclear why there should be an exception for IPs on the secondary device.
An example of why Cisco's approach might be better, consider if the secondary path had an added cost to utilize. (Often a good reason why secondary is a "backup" path.) Then, suppose you're running SNMP queries against that device. Do you want that stream of data running up a "backup" extra usage cost bill?
BTW, I once designed and managed a build-out for a large call center. We had two gig (or was it dual 10g?) primary/dedicated links, and a secondary path, using a tunnel, also gig capacity, across the internet. The latter had very costly usage charges, which were, of course, acceptable, if that path was the only way to keep the whole call center on-line. That said, we still ran up some usage on that link, as we were using dynamic routing (including passing the default route) across the tunnel. Those too were acceptable, but no other traffic, normally, used that path.
So, just being curious, what's the benefit, to you, for it to work the way it does on the other vendor's device?
BTW, perhaps the closest Cisco would work like that, using the secondary path while primary is active, if the other side used IPs (source and destination) on the shared WAN link. The connected route would take precedence.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide