ASA 5520... with two exits to Net
mikearama (Member, Posts: 749)
I've read with interest the new features of the ASA's, particularly regarding load balancing with dual ISP's. The conditional static route feature, via SLA monitoring and tracking, is sweet.
I have a situation that is a bit different... we have a single ISP with whom we've recently negotiated a backup link over wireless. The ISP currently provides us a 50Mb connection coming into our external ASA. We will soon have a backup 25Mb link for our use when the 50Mb line goes down.
Our topology then, will become:
ISP RouterA (50Mb) ---- 3750 Switch Stack
ISP RouterB (25Mb) ---- 3750 Switch Stack
3750 Switch Stack ---- Ext-ASA1
So both routers connect to the switch stack, but a single link from the stack to the ASA.
RouterA will be the active link, though when it goes down, RouterB will become active. The ISP says they can handle the flipover of our public IP range to the other link... we just need to focus on now routing out to the backup router.
We do not want to load balance between the routers, so I'm not certain that the SLA and track process will do what we need. I'd appreciate it if you ASA techies could suggest a way to focus on RouterA while it's up, but then point to RouterB when a failure occurs.
Much obliged.
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
dtlokee (Member, Posts: 2,378)
Can the ISP also configure the routers to run VRRP or HSRP and track on the upstream link to their network? That would be the easiest because your configuration would not change.
The only easy day was yesterday!
mikearama (Member, Posts: 749)
Good call dt... I called and asked them why they hadn't planned on HSRP (or VRRP), and the PM had no reason. Just thought we might want control of failover.
So, HSRP it is. And you're right... it's no longer an issue for me to contend with. Just got to keep the ISP on their toes.
dtlokee (Member, Posts: 2,378)
If you really wanted to control it yourself you could use multiple static default routes and object tracking, but they may use BGP between the two routers which will ultimately control how it gets routed upstream regardless of which router you send it to.
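For the route-it-yourself option dtlokee mentions above (two default routes plus object tracking on the ASA, with no load balancing), this is what the configuration looks like in ASA CLI. It is an added example, not a config anyone posted in the thread, and every address in it is a constructed documentation-range value: RouterA is 203.0.113.1 and RouterB is 203.0.113.2 on a shared 203.0.113.0/29 outside segment, the ASA outside interface is 203.0.113.6, and 192.0.2.1 is assumed to be a host upstream of RouterA that is used only as the probe target.

```cisco
! Added example (not from the thread). All addresses are constructed:
!   outside segment 203.0.113.0/29, RouterA .1, RouterB .2, ASA outside .6
!   192.0.2.1 = assumed host upstream of RouterA, used only as the probe target
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.6 255.255.255.248
!
! ICMP echo probe toward the upstream target, sent out the outside interface:
! 3 echoes every 10 seconds, each given 1000 ms to come back
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
!
! Track object 1 follows the probe's reachability state
track 1 rtr 10 reachability
!
! Pin the probe target to RouterA. Both routers sit on the same segment, so
! without this host route the probe would simply follow whichever default
! route is active, succeed via RouterB after a failover, and flap the tracked
! route straight back to RouterA.
route outside 192.0.2.1 255.255.255.255 203.0.113.1 1
!
! Primary default via RouterA, installed only while track 1 is up
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Floating default via RouterB (metric 254), used when the tracked route is withdrawn
route outside 0.0.0.0 0.0.0.0 203.0.113.2 254
```

Check it with `show sla monitor configuration 10`, `show track 1` and `show route`: while the probe succeeds the RouterA default is the one in the routing table, and once RouterA's upstream goes away the track drops and the metric-254 route via RouterB appears. This only handles the outbound side; as the original post says, moving the public range to the other link is the ISP's job, and if they run HSRP or VRRP on the two routers as dtlokee first suggested, the ASA needs nothing more than a single default route to the virtual address.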
cisco_trooper (Member, Posts: 1,441)
Not to pull you too far off topic, but I recently designed my dual ISP, dual Border Router, dual ASA scenario and was limited to HSRP on the devices I was using as my border routers in the test lab. My production border routers are going to be 3825 and 3725, which I believe will both support both VRRP and GLBP. ISP 1 is going to be a 100 meg pipe and ISP 2 is 25 but is going to be upgraded at some point to 50. With my ASAs being in Active/Standby configuration, I have two scenarios I am still tinkering with:
In Scenario 1 I BGP peer with both ISPs and receive a certain set of routes for frequently accessed networks. I run iBGP between the two border routers and may the best path win. I use HSRP (or VRRP) on the border routers and that virtual address becomes the gateway for my firewalls.
In Scenario 2 I BGP peer with both ISPs and receive default routes from both. I don't bother with running iBGP between the border routers because I'm not taking any routes anyway. I use GLBP on the border routers and use a weighted rotation. I send more traffic out the 100 meg pipe than I do the 25 meg (or soon to be 50) pipe.
I'm just curious about your opinions as to which scenario may be best. I have already labbed up and tested Scenario 1 and it works fine. I couldn't do Scenario 2 because I don't have a device in the test lab to support GLBP, but I see no reason why this wouldn't work equally well, or even better than the first scenario.
dtlokee (Member, Posts: 2,378)
Nope
I am assuming you have your own provider independent address space.
If you use static routes to alter how your border routers will forward from your network to remote destinations, the remote routes will still use BGP to find a path out and path back which could lead to sub-optimal routing. A better choice would be to use AS path prepending.
If you don't peer via BGP your provider independent address space will need to be advertised by the ISP. If this is not done correctly then you could end up black-holing your traffic if the link is down (don't assume the ISP knows what they are doing!)
cisco_trooper (Member, Posts: 1,441)
Thanks DT, that just subtly brought something to my attention regarding my GLBP scenario... but enough said on that.
Yep, I fully intend to BGP peer with both ISPs whether I decide to take routes or not. I am leaning toward Scenario 1 at this point.
I do have a question about the address space. We have received our IPs already, but I want to VERIFY they are provider independent before I start migrating our services over. Are there any online resources for doing this sort of thing or will I need to be in contact with my ISP(s)?? The reason I ask is because my boss is taking care of all that so I don't know for certain what discussions have taken place...
cisco_trooper (Member, Posts: 1,441)
OK. Sweet Jesus. I'm logged on to a route server right now looking at the BGP tables, and there is a /15 out there that would aggregate my /24. Soooo.... my initial thought is that this can NOT be good IP-wise. I don't know for sure what part of multi-homing and provider independent people don't understand but I just might go smooth off on someone real soon...
cisco_trooper (Member, Posts: 1,441)
OK, calming down now... I do see some more specific /24s from within that /15 so it may be ok. Man I was about to freak.
dtlokee (Member, Posts: 2,378)
PC +1
If the addresses are not yours and you don't have your own AS number and you are using IP addresses from 2 different providers then you will need to configure the routers running BGP to handle NAT for you, otherwise you could end up sending a packet sourced from ISP1's address space out ISP2's link, that is generally frowned upon (= usually doesn't work)
cisco_trooper (Member, Posts: 1,441)
Yeah man I know. If these are not our addresses then we will be getting our own. This will be mandatory or they can find a new engineer. I just looked at ARIN, it's $1250 for a /24. That's less than my weekly paycheck so they better get this stuff straight. I'll be using an AS-PATH filter to ensure I only advertise my own IPs to the ISPs.
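To tie together cisco_trooper's Scenario 1, dtlokee's AS path prepending suggestion and the outbound AS-PATH filter in the last post, here is an IOS configuration for the first of the two border routers. This is an added example, not a config from anyone in the thread, and it assumes the provider independent space and own AS number that dtlokee says are prerequisites (with addresses borrowed from one ISP you would be into per-exit NAT instead, as he notes). All values are constructed: local AS 64496 originating 203.0.113.0/24, ISP1 (100 meg, preferred) as peer 192.0.2.1 in AS 64500 on this router, ISP2 (25 meg, backup) as peer 198.51.100.1 in AS 64510 on border router 2, and an inside segment 10.0.0.0/29 toward the ASA pair with HSRP virtual address 10.0.0.1.

```cisco
! Added example (not from the thread): border router 1 of a two-router, two-ISP edge.
! Assumptions, all constructed:
!   local AS 64496, PI prefix 203.0.113.0/24
!   ISP1 (100 Mb, preferred): peer 192.0.2.1 in AS 64500, via Gi0/0 on this router
!   ISP2 (25 Mb, backup):     peer 198.51.100.1 in AS 64510, on border router 2
!   inside segment toward the ASA pair: 10.0.0.0/29, BR1 .2, BR2 .3, HSRP VIP .1
!
! Only our own prefix may leave the AS: an exact-match prefix-list plus an
! AS-path filter that only matches locally originated routes (empty AS path).
! The as-path filter alone would also let through anything else we originate,
! so the prefix-list is the part that actually limits what is announced.
ip prefix-list OUR-PI seq 5 permit 203.0.113.0/24
ip as-path access-list 1 permit ^$
!
route-map TO-ISP1 permit 10
 match ip address prefix-list OUR-PI
 match as-path 1
!
! Same filter toward ISP2, plus prepends so the backup path looks longer from
! the Internet. This route-map is the one applied on border router 2.
route-map TO-ISP2 permit 10
 match ip address prefix-list OUR-PI
 match as-path 1
 set as-path prepend 64496 64496 64496
!
! Pull-up route so the network statement always has a matching route to originate
ip route 203.0.113.0 255.255.255.0 Null0 254
!
router bgp 64496
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 ! eBGP to ISP1, outbound limited to our own /24
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 route-map TO-ISP1 out
 ! iBGP to border router 2 so each router learns the other's exit
 neighbor 10.0.0.3 remote-as 64496
 neighbor 10.0.0.3 next-hop-self
!
! HSRP toward the ASAs: this router holds the VIP while its ISP1 link is up,
! and drops 20 priority (below BR2's default 100) when that link goes down.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 description Inside toward ASA pair
 ip address 10.0.0.2 255.255.255.248
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 10 decrement 20
```

Border router 2 mirrors this with its ISP2 neighbor, `route-map TO-ISP2 out`, `neighbor 10.0.0.2` for the iBGP session and HSRP priority left at the default. `show ip bgp neighbors 192.0.2.1 advertised-routes` should list nothing but 203.0.113.0/24; a route server, as used earlier in the thread, should then show the prefix with a short path through AS 64500 and a prepended path through AS 64510, which is what makes ISP2 the backup for inbound traffic as well. This assumes the ISPs accept the /24 as a distinct announcement; whether a covering aggregate from a provider also exists is something to check there, as the /15 discussion above illustrates.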