Solved

Cisco Internet Router Failover

Posted on 2004-07-30
475 Views
Last Modified: 2012-08-13
We have a T1 with a 2651 Cisco router connecting us to the Internet. We are looking to install an additional Internet T1 with another 2651 router at one of our other branch locations. Both T1's will point to the same ISP, but different POP's.

I would like to know what is the best way to configure the routers for Internet failover? We want to use our main site as the main internet connection, but if that goes down we want the other router to come up from hot standby.

What would be the best protocol to use BGP, HSRP?

We talked with our ISP and they suggest just switching DNS records but that would take at least a day. There has to be a better way.

Any suggestions?
Question by:bdragun
18 Comments
LVL 28

Expert Comment

by:mikebernhardt
ID: 11680207
I'm (maybe) helping someone else with a somewhat similar question
http://www.experts-exchange.com/Hardware/Routers/Q_21077139.html

You might read what I've written there so far and see what you get from it. It's definitely best to use BGP for that sort of thing.
LVL 4

Expert Comment

by:bfarmer
ID: 11682470
You can use BGP if you're connecting to the same ISP, but you'll need to get a private AS from the ISP.  Since you're not multihomed you'd just need default gateway from them.  You might want to ask them as well about running another routing protocol such as RIP or OSPF (or EIGRP).

The DNS option is not a bad way to go.  Basically what you do is set the TTL on the DNS to something like 5 minutes instead of the one day default.  

There are products such as the F5 3DNS or the Cisco LocalDirector that do this without requiring manual intervention.  Though with two sites, you'd need a pair of them...

We looked heavily into this before taking the BGP route.  The only real drawback I found is that IE will cache DNS for 30 minutes, regardless of what the DNS server is doing.
LVL 79

Expert Comment

by:lrmoore
ID: 11684184
If the two routers are separated by a WAN link, then it is the WAN router that needs to change its default gateway if the T1 goes down. This is very simple with OSPF.

On Inet Router #1, all you need is a static default to your ISP, an OSPF on the internal LAN with "default-information originate"

On the WAN router, make sure there is no static default, and it participates in the same OSPF process. It will learn a default from R#1

Branch R#2 router does the same thing, only the metrics are adjusted so that the routes learned from it (only the default) have a higher metric than 110 - say 115 and it also has default-originate statement with just a static default to the ISP.

If T1 #1 goes down, all routers now immediately change their default gateway.

As long as you continue using registered IP's from the same ISP, I don't see what the issue is with DNS, or why that would have to change except for inbound traffic going to a different public IP NAT'ed back to the same host. Email is a no brainer, just have two MX records. If you have a web server that serves the public that you need to keep up, then you might look at Cisco Distributed Director. This is like an intelligent DNS in that you can have multiple host A records, but only resolve to the one that's reachable at the time. You would only need one, hosted somewhere outside your network.

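lrmoore's OSPF design above, written out as an added IOS configuration fragment (an example, not config from the thread). Addresses, the OSPF process number and the 10.0.0.0/8 internal range are assumed: R1's ISP next hop is 203.0.113.1 and Branch R2's is 198.51.100.1.

```ios
! Internet router R1 (main site): static default to ISP POP 1, originated
! into OSPF with the IOS default metric of 1 (type E2), so the internal
! routers prefer it. The static disappears with the connected /30 when the
! T1 interface goes down, and OSPF then stops advertising it.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate
!
! Branch Internet router R2: same idea, but its default is originated with
! metric 115 so it only wins once R1 has withdrawn its own (T1 #1 down).
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate metric 115
!
! WAN router between the sites: no static default at all. It learns
! 0.0.0.0/0 from whichever Internet router is currently originating it.
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! Checks on the WAN router: the default should show as an O*E2 route via R1
! while T1 #1 is up, and via R2 a few seconds after R1's T1 drops.
! show ip route 0.0.0.0
! show ip ospf database external
```

Without the "always" keyword the default is advertised only while the static route is actually in the routing table, which is what makes the withdrawal automatic; a T1 that stays up while the ISP loses upstream reachability is not caught by this alone.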
LVL 1

Author Comment

by:bdragun
ID: 11692848
Would HSRP not work in this situation? I don't think we need to use BGP just yet, maybe as a last resort because we will have to upgrade routers. We would like our websites to be up as much as possible. I will look into Cisco Distributed Director.
LVL 79

Expert Comment

by:lrmoore
ID: 11692941
HSRP routers need to be local to each other, on the same internal subnet. If I understand you correctly, your failover site is at another branch, on another subnet?
OSPF is your friend!
LVL 28

Expert Comment

by:mikebernhardt
ID: 11695284
As lrmoore said, if you are using public IP addresses that you own then DNS isn't an issue. And no matter what you do with DNS, it won't help your routers decide which ISP has a good T1 into your network. And HSRP is a LAN technology to pick a default gateway for hosts, it is not a routing technology. You can only use it between directly-connected routers on the same subnet.

You don't need to upgrade your routers for BGP, the ones you have are fine. Plain old IP software will work. What you need to do is tell your ISPs to only send you a default route and then memory usage on your routers is minimal. You don't need the whole internet routing table. As with OSPF, you use the default-information originate command on both routers. The 2 routers run IBGP between them and you set "local preference" higher on your main router than on the backup one. Then they determine between themselves which will advertise the default route into your network.

Then you redistribute that default route into your IGP (OSPF, EIGRP, whatever) and the default route will move around as needed, automatically.

The problem with doing it in OSPF only is, how do you determine whether the primary default route is good? Just because the link is up doesn't mean that the layer 3 connectivity is there. BGP makes a positive, reliable determination. The ISPs could also send you the route with RIP, but the failover will happen in minutes instead of a fraction of a second. They won't do OSPF or EIGRP with you.
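mikebernhardt's default-only BGP arrangement as an added IOS fragment (an example, not config from the thread or from Cisco). Assumed values: the ISP assigns private AS 65001, its own AS is 64496, R1's eBGP peer is 203.0.113.1, R2's loopback is 10.255.0.2, and the internal network is 10.0.0.0/8 in OSPF area 0.

```ios
! R1 (main site)
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Inbound policy from the ISP: accept 0.0.0.0/0 only (the implicit deny at
! the end of the route-map discards every other prefix before it is stored,
! so memory stays minimal even if the ISP sends more) and mark it preferred.
route-map ISP-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
router bgp 65001
 no synchronization
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 route-map ISP-IN in
 neighbor 10.255.0.2 remote-as 65001
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 next-hop-self
!
! Hand the BGP-learned default to the IGP. Without "always" it leaves OSPF as
! soon as BGP no longer has it (session down, or the ISP withdraws the route).
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate
!
! R2 (branch) is the same apart from its own peer addresses, a lower
! local-preference so that R1's default wins whenever it is present, and a
! higher OSPF metric so that internal routers prefer R1's copy of the default.
route-map ISP-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
router ospf 1
 default-information originate metric 115
```

"show ip bgp" on either router should list only 0.0.0.0/0 with two paths. While R1's ISP session is down, R1 still holds a default learned over iBGP from R2 and keeps originating it into OSPF, so some traffic may travel R1 -> WAN -> R2 -> ISP rather than going to R2 directly; connectivity survives, only the path is longer.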
LVL 79

Expert Comment

by:lrmoore
ID: 11695507
>The problem with doing it in OSPF only is, how do you determine whether the primary default route is good?
Assuming that BGP with the provider is available and no cost, then I agree that is the best way, but you still need the IGP, or OSPF, to communicate between your internal routers to determine the best route to a default gateway. Plain old static routing does depend on the T1 going hard down, not if there is a route flap or other issues with the ISP upstream from you. However, there is another zero-cost way to set that up as well - using SAA
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca71a.html

You basically set up a process to ping an external host (like a dns cache server at the ISP). If that ping fails, regardless of the status of the T1 interface, the route drops and your IGP will learn to send traffic the other way.

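lrmoore's ping-tracked default route as an added IOS fragment (an example, not config from the thread or from the linked Cisco chapter), written in the later "ip sla" syntax; on the 12.x images that chapter covers the same probe is configured with "rtr 1" and "rtr schedule". Assumed values: ISP next hop 203.0.113.1, probe target 198.51.100.53 standing in for a well-known external cache server, Serial0/0 facing the T1, and the OSPF setup from earlier in the thread.

```ios
! R1 (main site)
ip sla 1
 icmp-echo 198.51.100.53 source-interface Serial0/0
 timeout 2000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! The track object goes down 10 s after probes start failing and comes back
! only after 30 s of success, so a single lost ping does not flap the default.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Pin the probe target to the primary T1. Without this host route the probes
! follow the default; once the default has failed over they would leave via
! the branch, the track would recover and the route would flap back and forth.
ip route 198.51.100.53 255.255.255.255 203.0.113.1
!
! The default exists only while the track is up. When it is pulled,
! "default-information originate" (no "always") stops advertising it into
! OSPF and the internal routers fall back to the branch router's default,
! regardless of whether the T1 interface itself is still up/up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate
!
! Checks: "show track 1" gives the current state and last change,
! "show ip sla statistics 1" the probe success/failure counts.
```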
LVL 28

Expert Comment

by:mikebernhardt
ID: 11695672
>you still need the IGP, or OSPF, to communicate between your internal routers to determine the best route to a default gateway.
Absolutely. that's why I said you redistribute BGP into the IGP.

SAA sounds like an interesting alternative if BGP won't work for some reason... although the only useful thing to ping would be the other end of the T1.
LVL 1

Author Comment

by:bdragun
ID: 11695704
OK I will look this up, I thought that if you used BGP you needed to cache the internet routing tables twice. So even though our ISP is doing our routing we will still be able to use BGP? Also I am going to search the net for some docs on how to do this but if you know of any off the top of your head I would appreciate it.
LVL 28

Expert Comment

by:mikebernhardt
ID: 11696275
You don't need to cache the internet routing tables at all. Most ISPs have specific policies that they will offer you. One option is ALWAYS "default route only." This means that they only send you the one route 0.0.0.0/0 and not the whole internet. For your own protection, you also can create a route map so that you only accept the default route. Even if they sent you everything, the route map processes and rejects all routes other than the one you want so you still aren't caching anything but the default route.

It's a whole different ballpark if you are an ISP, but you're not. I've run BGP on a 2621 with absolutely no problems doing what I suggested above.

This link tells you everything you could ever want to know about configuring BGP. You won't need 80% of it though.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca763.html
LVL 79

Expert Comment

by:lrmoore
ID: 11696626
Mike, I'm not disputing the use of BGP at all here, only presenting an alternative.
There is absolutely nothing wrong with using BGP and redistributing to the IGP. That's just how it's done.
BGP "usually" costs extra money for the ISP to set up for you, even with the default route only option, using a private ASN. If they force you to get your own AS number, the costs can skyrocket.

> although the only useful thing to ping would be the other end of the T1.
Not at all... Any system on the Internet can be used as a ping target to determine if the link should be used or not. I tend to use a well-known UUNET cache server that is redundant and always alive. This makes sense to cross ISP borders. If I'm on an AT&T connection and can't ping UUNET, then perhaps there is a peering connection down somewhere and I should try the other link through the different POP. Same goes if my local T1 is from MCI, I can ping a known entity on AT&T to check inter-ISP routing issues and use a different path if need be. I think this is a very handy tool to have in the old toolchest. It has definitely increased our uptime on numerous T1's that stay up, but the ISP loses routes (not top-tier ISP), even though BGP is still working between me and the next hop peer, and I'm still getting the default route, it is of no value if the ISP has lost peering.
LVL 1

Author Comment

by:bdragun
ID: 11697130
I am reading over your suggested docs and others that I have found.

Thanks for your help guys.

I will let you know if I have any more questions
LVL 28

Accepted Solution

by:mikebernhardt
mikebernhardt earned 63 total points
ID: 11697174
lrmoore, good points. It sounds like you use both BGP and SAA together?
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 62 total points
ID: 11697863
>It sounds like you use both BGP and SAA together?
You can, but it is not required.
The best of both worlds, yes, use them together.
In the cost-saving world, just a default with SAA.
LVL 11

Expert Comment

by:PennGwyn
ID: 11707331
HSRP is for failing over the outbound gateway for a single subnet/segment.  It won't do anything for Internet traffic trying to come back to you, and with two locations it's unlikely that both routers are on the same internal segment anyway.

LVL 79

Expert Comment

by:lrmoore
ID: 13688737
Do you need more information?
Have you resolved this problem?
Can you close this question?
Thanks!
LVL 50

Expert Comment

by:Don Johnston
ID: 15628585
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

RECOMMENDATION: Split points between mikebernhardt & lrmoore

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

donjohnston
EE Cleanup Volunteer