04-09-2022 02:54 PM - edited 04-10-2022 10:47 AM
Hello everyone,
I'm tasked with finding the best way to add redundancy to our two data centers.
Data center A is the main data center, and has an internet connection.
Data center B is primarily a WAN backup with no internet connection, but has the majority of our servers.
The Edge configuration (outside -> in):
ISP
Outside switches
HA pair firewalls
Inside switches
Router for Data center A
Router for Data center B is reachable via core 7Ks
Data center A's router and data center B's router are also connected via point-to-multipoint circuits
The only way to reach the internet for both Data centers is through the router at Data center A.
If the router at Data center A is not available (down or maintenance) there is no internet access (Oh, I forgot to mention that this is a hospital, and that is greatly frowned upon).
I'm thinking about connecting Data center B's router to the Inside switches.
(There is a fiber ring in this part of the city that allows me a direct fiber connection.)
This will give Data center B internet access, but I do not want it to have internet access unless Data center A's router is unreachable.
What is the best switch configuration to obtain this?
I'm proposing to connect Router B to the Inside switches
But only as a failover when Router A is unreachable
config
ASA
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 nameif Inside
 security-level 100
 ip address 192.168.1.5 255.255.255.224 standby 192.168.1.6
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif Outside
 security-level 0
 ip address 1.1.1.112 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route Inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled
nat (Inside,Outside) source dynamic any pat-pool PAT_POOL flat include-reserve round-robin
========================================================
INS-SW-3850-1#
!
interface Port-channel1
 description connection to INS-SW-3850-2
 switchport mode trunk
!
interface Vlan100
 ip address 192.168.1.3 255.255.255.224
!
interface GigabitEthernet1/0/39
 description connection to primary sourcefire port 1 (OARnet)
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 3
 switchport port-security aging type inactivity
 switchport port-security
 no logging event link-status
 no snmp trap link-status
 snmp ifindex persist
 spanning-tree portfast trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/41
 description connection to primary sourcefire port5 (Spectrum)
 switchport access vlan 100
 switchport mode access
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security aging time 3
 switchport port-security aging type inactivity
 switchport port-security
 no logging event link-status
 no snmp trap link-status
 snmp ifindex persist
 spanning-tree portfast trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/46
 description Uplink to ASR1 int gi0/0/4
 switchport access vlan 100
 switchport mode access
 no logging event link-status
 no snmp trap link-status
 snmp ifindex persist
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree link-type point-to-point
 spanning-tree guard root
!
interface GigabitEthernet1/0/47
 description uplink to Edge-Block-2 (rack Edge 1, RU27) int Gi0/47 (member of Po1)
 switchport mode trunk
 no logging event link-status
 no snmp trap link-status
 snmp ifindex persist
 channel-group 1 mode active
 spanning-tree portfast trunk
 spanning-tree link-type point-to-point
!
interface GigabitEthernet1/0/48
 description uplink to Edge-Block-2 (rack Edge 1, RU27) int Gi0/48 (member of Po1)
 switchport mode trunk
 no logging event link-status
 no snmp trap link-status
 snmp ifindex persist
 channel-group 1 mode active
 spanning-tree portfast trunk
 spanning-tree link-type point-to-point
!
ip default-gateway 192.168.1.1
=====================================================
ASR#
!
interface GigabitEthernet0/0/4
 description *** to Primary Inside Switch ***
 backup interface GigabitEthernet0/0/5
 ip flow monitor MONITOR output
 ip address 192.168.1.2 255.255.255.224
 ip wccp 91 redirect in
 ip wccp 96 redirect in
 ip pim sparse-mode
 standby 1 ip 192.168.1.1
 standby 1 priority 200
 standby 1 preempt
 delay 10
 negotiation auto
end
!
interface GigabitEthernet0/0/5
 description *** to Secondary Inside Switch ***
 ip address 192.168.1.10 255.255.255.224
 ip wccp 91 redirect in
 ip pim sparse-mode
 standby 1 priority 200
 standby 1 preempt
 delay 10
 negotiation auto
end
!
04-09-2022 03:23 PM
Hi,
The issue with this design is that you are relying on one router and one service provider for Internet access. A better design would be to have one router in each location with its own Internet access using different service providers. For example, site A would have its own Internet access using ISP-A (primary) and would use site B as backup Internet access with its own ISP (ISP-B). This way, if the provider on site A has a maintenance window, a fiber cut, a power outage, etc., you simply shift all your traffic to site B, or if the router on site A fails, all traffic would be rerouted to site B. Hospital networks are 24x7 and very critical, so you really want to have the most redundant design in place.
A much better design would be to have 2 different SPs connecting to 2 different routers in each location.
HTH
04-09-2022 04:00 PM
I would agree, but this is what I have to work with.
Until they integrate another ISP at Data center B, I have to find the best way to configure things as they are.
Thanks
04-09-2022 05:07 PM
I understand.
If Internet access is the highest priority, I would at least have 2 routers in location A connecting to 2 different providers until they can integrate another ISP at data center B. This will give you local redundancy in case of an ISP outage, problem (which is not uncommon), or a router failure.
HTH
04-09-2022 04:41 PM
Hello,
There are plenty of ways to establish redundancy to reach the internet. Could you provide a basic drawing from internet to switches that you want to configure?
04-09-2022 10:32 PM
Hello,
So basically, if Router B cannot reach Router A, the next hop for Router B should be the firewall pair? That should be fairly easy to accomplish by using an IP SLA. Can you post the configuration of Router B? Put a description on the interfaces that connect to Router A and the inside switches.
04-10-2022 12:46 AM
Hello
@Tuckertimmy wrote:
I'm proposing to connect Router B to the Inside switches
But only as a failover when Router A is unreachable
Given your current setup this is the most applicable option, but you shouldn't have to wait for router A to fail to do this manually; it may be possible to set this up in a dynamic way.
If you could physically attach Router B to the inside switches (maybe via the 7Ks), then depending on your current routing design it may be possible to traffic-engineer route metrics so that as/when router A loses reachability to the internet, route forwarding for DC B would converge via router B towards your internet circuits.
It could be as simple as appending a conditional default route to router B so it only uses this default route as/when router A loses reachability to the internet. This could be accomplished with IP SLA and object tracking or even an EEM script, and should then provide some degree of internet resiliency; however, without knowing how you have routing set up it's hard to provide a viable solution.
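The conditional default route with IP SLA and object tracking that the two replies above describe, written out as an added example (not configuration from this thread): Router B gets a default route toward the ASA only while a probe to Router A is failing. The interface names, Gi1/0/45, 192.168.1.20 and the Router A address are assumptions; 192.168.1.5 is the ASA Inside address from the posted config.

```cisco
! --- Router B (IOS / IOS-XE) --- added example, not from the thread -----
! Assumed / placeholder values (none of these appear in the posted configs):
!   GigabitEthernet0/0/0  Router B's point-to-multipoint interface toward Router A
!   GigabitEthernet0/0/1  new fiber link from Router B into the Inside switches (VLAN 100)
!   192.168.1.20/27       Router B's address in the firewall inside subnet (constructed, unused above)
!   <RTR-A-P2MP-IP>       Router A's address on the point-to-multipoint circuit
! From the posted ASA config: 192.168.1.5 is the "Inside" address and always
! belongs to the active failover unit (standby takes .6), so it is the next hop.
!
interface GigabitEthernet0/0/1
 description to Inside switches, VLAN 100 (standby Internet path)
 ip address 192.168.1.20 255.255.255.224
!
! 1. Probe Router A itself over the WAN. Sourcing from the P2MP interface
!    keeps the probe tied to the existing path rather than the new inside link.
ip sla 10
 icmp-echo <RTR-A-P2MP-IP> source-interface GigabitEthernet0/0/0
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! 2. Track the probe. The delays stop a single lost echo, or a quick reload
!    of Router A, from flapping the default route.
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! 3. Invert it: track 20 is UP only while Router A is unreachable.
track 20 list boolean and
 object 10 not
!
! 4. Default route to the firewall that is installed only while track 20 is
!    up, i.e. only while Router A is down. While Router A is reachable the
!    route is absent, so DC B keeps using its normal path via Router A.
ip route 0.0.0.0 0.0.0.0 192.168.1.5 track 20
!
! --- Inside switch port for the new Router B link (mirrors Gi1/0/46) ------
interface GigabitEthernet1/0/45
 description Uplink to Router B (standby Internet path)
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree guard root
```

Two checks before relying on this: the ASA also needs a return route for DC B's subnets that moves to 192.168.1.20 when Router A is down, otherwise replies to the PAT'd flows are blackholed; and probing Router A only detects a dead or isolated Router A, not one that is up but has lost its own Internet path, which needs a probe target beyond Router A pinned by a host route via Router A so the probe cannot heal itself over the new link.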
04-10-2022 10:24 AM
It involves the interconnection of multiple WAN links onto one or more SDN (software-defined networking) devices. The SDN device employs algorithms to appropriately distribute WAN traffic across all links, which results in both load balancing and redundancy. Multiple WAN connection scenarios. See https://community.cisco.com/t5/network-security/query-regarding-result-bfd/td-p/1493452
Thanks