
Dual ISP load balancing with 2 routers and 2 FW without using BGP

steven.pw.lau
Level 1

Hi all,

Based on the attachment diagram, is the design viable?

Has anyone done a similar deployment before, and can you share the config guide for it? I'm at a loss on a few configs:

1. On core switch A and B, I understood we need to have a default route pointing to the firewall interface. For this case, I have different IPs for the same context on both the firewalls.

So, how should the config be?

CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.110

CoreSW_A(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.111

I don't think the above will work, as the core switch will load balance the traffic to both firewalls even if one of the contexts is in standby mode?

2. The area from the firewall to the internet would all be public IP. Thus, if I put a switch in between the firewall and the router, then I would waste some public IP addresses, but if I remove the switch, I would not have enough ports on the ASA firewall. What is the best recommended solution for this?

3. How do I load balance traffic to both R1 and R2 to their respective ISPs without using BGP? I may be using only a 2811 router.

Thanks a lot! I'm really looking forward to some guidance and tips on this, as I haven't found any guides on this deployment yet; most are LAN HA.

3 Replies

farkascsgy
Level 4

Hi,

To do the load balancing you can use policy-based routing, and with this you can route one half of your IP range to the first ISP and the other half to the second...

I don't think you waste IPs on the switch that you plan to install between the FW and border router, since you need only L2 VLANs instead of L3, so the management VLAN of these switches could be 10.x.x.x or any private IP. Just create two separate L2 VLANs for the two ISPs.

Why don't you use BGP? The 2811 can handle BGP, and only accept a default route from your ISPs. Anyway, do you use a PI or PA IP range for this task?

bye

FCS

Please rate me if I helped.

For policy-based routing, I would need to create route maps on the core switch itself, right?

Correct me if I'm wrong: if I use route-maps, I would be assigning e.g. internal network A to go through firewall context A and internal network B to go through firewall context B.

Context A will only have a path to Router A and context B will only have a path to Router B. But if router B goes down, network B won't be able to access the Internet, right?

I'm not sure whether it's PI or PA for this, as the ISP will assign us a block of IP addresses, for example 202.111.1.8/29 (these IPs can be used for webservers, etc). There will also be a public IP of /30 on the serial interface to connect to their router.

Thanks a lot.

Hello,

As far as I know, in the case of PBR, when the next hop is not available, the routing process goes back to the normal way. In that case all of your traffic will go on the active link.

If your ISPs provide the IP range, these are PI IP addresses, and in this case you need to create last-resort NAT on your border routers, since ISP A only accepts and advertises its PI IP range and B only accepts and advertises its own... Just NAT the B addresses to A on router A, and vice versa on the other site...

Yes, you are right, you need PBR on the core router.

Bye

FCS

Please rate me if I helped.
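
The policy-based routing with fallback discussed in this thread, sketched as an added example that is not from any of the posters. It assumes a platform that supports PBR with object tracking; the internal networks 10.10.1.0/24 and 10.10.2.0/24, the SVI names Vlan10 and Vlan20, and the route-map names are constructed for illustration, while 192.168.1.110 and 192.168.1.111 are the firewall addresses from the question, treated here as the two candidate next hops.

```ios
! Added example, not configuration from the thread.
! Assumed: 10.10.1.0/24 = internal network A, 10.10.2.0/24 = internal network B,
! Vlan10 / Vlan20 = their SVIs on the core switch (hypothetical names).
!
! Probe each firewall-side next hop so PBR only uses one that answers.
! Probing the firewall address only proves the firewall is reachable;
! a failure further upstream (border router, ISP link) is not seen by this probe.
ip sla 1
 icmp-echo 192.168.1.110
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.1.111
 frequency 5
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Classify traffic by source network
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 102 permit ip 10.10.2.0 0.0.0.255 any
!
! Network A prefers .110 and falls back to .111 when track 1 is down
route-map PBR-NET-A permit 10
 match ip address 101
 set ip next-hop verify-availability 192.168.1.110 10 track 1
 set ip next-hop verify-availability 192.168.1.111 20 track 2
!
! Network B prefers .111 and falls back to .110 when track 2 is down
route-map PBR-NET-B permit 10
 match ip address 102
 set ip next-hop verify-availability 192.168.1.111 10 track 2
 set ip next-hop verify-availability 192.168.1.110 20 track 1
!
! Apply each policy on the interface where that network's traffic enters
interface Vlan10
 ip policy route-map PBR-NET-A
interface Vlan20
 ip policy route-map PBR-NET-B
!
! If both tracked next hops are down, the packet is forwarded by the
! normal routing table (for example the static default route).
```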
