07-25-2012 11:46 AM - edited 03-07-2019 07:58 AM
Hello,
I'm having trouble figuring out how to configure a backup route to the internet. My client has 2 ISPs and basically they want to use 1 ISP and, in case that ISP fails, use the other one as a backup route to the internet.
The topology looks like the one attached. The problem I'm facing is that each ISP is plugged into a dedicated ASA 5510, so 1 ISP in one firewall and 1 in the other.
Both ASAs are plugged into an internal network in a dedicated VLAN with a L3 switch, and that L3 switch manages the internal network.
My question is, how can I tell my switch to use ASA1 to go out to the internet and, in case ASA 1 OR THE LINK TO INTERNET used by ASA 1 fails, use ASA 2? It would be great if I could send traffic to the internet through both connections at the same time. Also, I know the ASA has a High Availability configuration, but that applies only if both licenses in the devices are the same, and I have a mismatch with the SVPN license. I also don't know if I can use the High Availability model with my current topology, so I think I can't use that option and the solution must be applied in the L3 switch, but I don't know how to tell it to use ASA1 and, on failure of the device or of the outside interface plugged into ISP 1, then use ASA2. Besides, I would like to know how to optimize this config to make the switch between internet connections seamless to the users if possible (there are VoIP calls on this floor, so I don't want to drop the calls). Thank you very much in advance.
07-25-2012 01:52 PM
Hi,
You can configure static routing with EOT on the L3 switch if it has the correct IOS image (IP security or more): http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
Regards.
Alain.
Don't forget to rate helpful posts.
07-26-2012 01:40 PM
Thank you very much. It is a lot of information and I need to understand it, but I think this is the way to go. Thank you very much again.
07-26-2012 12:35 PM
The simplest way is via static routes.
When setting up the default route, send to the outbound interface(s):
ip route 0.0.0.0 0.0.0.0 G1/0/1
ip route 0.0.0.0 0.0.0.0 G1/0/2 100
By adding 100 you have added a weight. The lower the weight, the more preferred the connection. Using the outbound interface will allow traffic to be routed out an interface that is up. If for any reason G1/0/1 goes down, whether because of a bad cable, an admin shut, or any other reason, traffic will then choose the next best interface that is up and active.
07-26-2012 01:45 PM
Hello Rick,
One question regarding operation. If "ip route 0.0.0.0 0.0.0.0 G1/0/1" and then "ip route 0.0.0.0 0.0.0.0 G1/0/2 100", that means that I have to wait for a failure on G1/0/1 in order to use G1/0/2, but what if G1/0/1 never fails and what actually fails is the device on the other end of G1/0/1, or perhaps a device beyond that before reaching the internet? I just want to know how it works. By the way, thank you very much for the answer.
07-26-2012 01:58 PM
This is one of the simplest ways with no extra work. With this static route, or floating static, the interface needs to go down before the second route is used. You could use a next hop address; for instance, if the ISP assigns a /30 you could use their IP in the static route.
For instance:
65.100.100.0/30 is assigned
65.100.100.1 is the ISP
65.100.100.2 is your interface
Second ISP
72.100.100.0/30
72.100.100.1 is the ISP
72.100.100.2 is your interface
Your static route would look like this then:
ip route 0.0.0.0 0.0.0.0 65.100.100.1
ip route 0.0.0.0 0.0.0.0 72.100.100.1 100
Or if you want to do a bit more work and config you could set up IP SLA
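
Added example, not part of the original thread: a tracked default route on the L3 switch using IP SLA, which is what lets the switch fail over when ASA1 or the path beyond it fails while the switch port itself stays up. It uses the `ip sla` / `track ... ip sla` command form of newer IOS releases (older releases spell these commands differently). All addresses are assumed placeholders: 10.10.10.1 is the ASA1 inside address, 10.10.10.2 is the ASA2 inside address, 192.0.2.1 stands in for a pingable host beyond ISP 1, and ASA1 is assumed to allow ICMP echo from the switch through.

```cisco
! Added example: every address here is an assumed placeholder, not from the thread.
!   10.10.10.1 = ASA1 inside, 10.10.10.2 = ASA2 inside
!   192.0.2.1  = probe target reachable only through ISP 1
!
! Pin the probe target to ASA1 so the probe always tests the ISP 1 path,
! even after the default route has moved to ASA2. Without this host route
! the probe would succeed via ASA2 and the routes would flap.
ip route 192.0.2.1 255.255.255.255 10.10.10.1
!
! ICMP echo probe, sent every 5 seconds, running permanently
ip sla 1
 icmp-echo 192.0.2.1
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability.
! The delays damp flapping: 10 s of failures before going down,
! 30 s of successes before coming back up.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default route: installed only while track 1 is up
ip route 0.0.0.0 0.0.0.0 10.10.10.1 track 1
!
! Floating static via ASA2: administrative distance 100, so it is used
! only when the tracked route above has been withdrawn
ip route 0.0.0.0 0.0.0.0 10.10.10.2 100
```

`show track 1`, `show ip sla statistics 1` and `show ip route 0.0.0.0` confirm the probe state and which default route is installed. Each ASA translates outbound traffic to its own ISP's addresses, so flows that were already established through ASA1 are not carried over to ASA2 and have to be re-established after the switchover.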