Cisco Internet Router Failover

We have a T1 with a 2651 Cisco router connecting us to the Internet. We are looking to install an additional Internet T1 with another 2651 router at one of our other branch locations. Both T1s will point to the same ISP, but different POPs.

I would like to know what is the best way to configure the routers for Internet failover? We want to use our main site as the main internet connection, but if that goes down we want the other router to come up from hot standby.

What would be the best protocol to use, BGP or HSRP?

We talked with our ISP and they suggest just switching DNS records but that would take at least a day. There has to be a better way.

Any suggestions?
mikebernhardt Commented:
lrmoore, good points. It sounds like you use both BGP and SAA together?
I'm (maybe) helping someone else with a somewhat similar question

You might read what I've written there so far and see what you get from it. It's definitely best to use BGP for that sort of thing.
You can use BGP if you're connecting to the same ISP, but you'll need to get a private AS from the ISP.  Since you're not multihomed you'd just need default gateway from them.  You might want to ask them as well about running another routing protocol such as RIP or OSPF (or EIGRP).

The DNS option is not a bad way to go.  Basically what you do is set the TTL on the DNS to something like 5 minutes instead of the one day default.  

There are products such as the F5 3DNS or the Cisco LocalDirector that do this without requiring manual intervention.  Though with two sites, you'd need a pair of them...

We looked heavily into this before taking the BGP route.  The only real drawback I found is that IE will cache DNS for 30 minutes, regardless of what the DNS server is doing.

If the two routers are separated by a WAN link, then it is the WAN router that needs to change its default gateway if the T1 goes down. This is very simple with OSPF.

On Inet Router #1, all you need is a static default to your ISP, an OSPF on the internal LAN with "default-information originate"

On the WAN router, make sure there is no static default, and it participates in the same OSPF process. It will learn a default from R#1

Branch R#2 router does the same thing, only the metrics are adjusted so that the routes learned from it (only the default) have a higher metric than 110 - say 115 and it also has a default-originate statement with just a static default to the ISP.

If T1 #1 goes down, all routers now immediately change their default gateway.

As long as you continue using registered IP's from the same ISP, I don't see what the issue is with DNS, or why that would have to change except for inbound traffic going to a different public IP NAT'ed back to the same host. Email is a no brainer, just have two MX records. If you have a web server that serves the public that you need to keep up, then you might look at Cisco Distributed Director. This is like an intelligent DNS in that you can have multiple host A records, but only resolve to the one that's reachable at the time. You would only need one, hosted somewhere outside your network.
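The OSPF-only design in the post above, written out as an added IOS example that is not from the thread; the Serial0/0 interface names, the 10.0.0.0/8 internal addressing and the RFC 5737 documentation addresses on the ISP links are assumptions.

```cisco
! --- R1: main-site Internet router (preferred default) ---
interface Serial0/0
 description T1 to ISP POP A
 ip address 203.0.113.2 255.255.255.252
!
! Plain static default; IOS withdraws it when Serial0/0 goes down
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 ! No "always": the default is advertised only while the static
 ! above is in the routing table. Low external metric = preferred.
 default-information originate metric 1
!
! --- R2: branch Internet router (standby default) ---
interface Serial0/0
 description T1 to ISP POP B
 ip address 198.51.100.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 ! Same idea, worse external metric: every router prefers R1's
 ! default (O*E2, metric 1) until R1 stops originating it
 default-information originate metric 100
!
! --- WAN router(s) between the sites: no static default at all ---
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
!
! Check on any internal router: "show ip route 0.0.0.0" shows the
! O*E2 default via R1; when R1's T1 drops it flips to R2 after SPF.
```

Both defaults are OSPF external type 2, so the external metric alone decides, and the WAN router needs no configuration change when the primary T1 fails.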

bdragun (Author) Commented:
Would HSRP not work in this situation? I don't think we need to use BGP just yet, maybe as a last resort because we will have to upgrade routers. We would like our websites to be up as much as possible. I will look into Cisco Distributed Director.
HSRP routers need to be local to each other, on the same internal subnet. If I understand you correctly, your failover site is at another branch, on another subnet?
OSPF is your friend!
As lrmoore said, if you are using public IP addresses that you own then DNS isn't an issue. And no matter what you do with DNS, it won't help your routers decide which ISP has a good T1 into your network. And HSRP is a LAN technology to pick a default gateway for hosts, it is not a routing technology. You can only use it between directly-connected routers on the same subnet.

You don't need to upgrade your routers for BGP, the ones you have are fine. Plain old IP software will work. What you need to do is tell your ISPs to only send you a default route and then memory usage on your routers is minimal. You don't need the whole internet routing table. As with OSPF, you use the default-information originate command on both routers. The 2 routers run IBGP between them and you set "local preference" higher on your main router than on the backup one. Then they determine between themselves which will advertise the default route into your network.

Then you redistribute that default route into your IGP (OSPF, EIGRP, whatever) and the default route will move around as needed, automatically.

The problem with doing it in OSPF only is, how do you determine whether the primary default route is good? Just because the link is up doesn't mean that the layer 3 connectivity is there. BGP makes a positive, reliable determination. The ISPs could also send you the route with RIP, but the failover will happen in minutes instead of a fraction of a second. They won't do OSPF or EIGRP with you.
>The problem with doing it in OSPF only is, how do you determine whether the primary default route is good?
Assuming that BGP with the provider is available and no cost, then I agree that is the best way, but you still need the IGP, or OSPF, to communicate between your internal routers to determine the best route to a default gateway. Plain old static routing does depend on the T1 going hard down, not if there is a route flap or other issues with the ISP upstream from you. However, there is another zero-cost way to set that up as well - using SAA.

You basically set up a process to ping an external host (like a dns cache server at the ISP). If that ping fails, regardless of the status of the T1 interface, the route drops and your IGP will learn to send traffic the other way.

>you still need the IGP, or OSPF, to communicate between your internal routers to determine the best route to a default gateway.
Absolutely, that's why I said you redistribute BGP into the IGP.

SAA sounds like an interesting alternative if BGP won't work for some reason... although the only useful thing to ping would be the other end of the T1.
bdragun (Author) Commented:
OK, I will look this up. I thought that if you used BGP you needed to cache the internet routing tables twice. So even though our ISP is doing our routing we will still be able to use BGP? Also I am going to search the net for some docs on how to do this but if you know of any off the top of your head I would appreciate it.
You don't need to cache the internet routing tables at all. Most ISPs have specific policies that they will offer you. One option is ALWAYS "default route only." This means that they only send you the one route and not the whole internet. For your own protection, you also can create a route map so that you only accept the default route. Even if they sent you everything, the route map processes and rejects all routes other than the one you want so you still aren't caching anything but the default route.

It's a whole different ballpark if you are an ISP, but you're not. I've run BGP on a 2621 with absolutely no problems doing what I suggested above.

This link tells you everything you could ever want to know about configuring BGP. You won't need 80% of it though.
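The default-route-only BGP design from mikebernhardt's two posts above (iBGP between the sites, local preference on the main router, an inbound route map that accepts nothing but the default, and the default handed to OSPF), as an added IOS example that is not from the thread; the private AS 65001, the ISP's AS 65000, the loopback and 10.0.0.0/8 internal addressing and the RFC 5737 addresses on the ISP links are assumptions.

```cisco
! --- R1: main-site Internet router ---
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
! Accept only 0.0.0.0/0 from the ISP, even if it sends more
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map FROM-ISP permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
router bgp 65001
 no synchronization
 ! eBGP to ISP POP A (ISP AS assumed 65000), "default only" policy
 neighbor 203.0.113.1 remote-as 65000
 neighbor 203.0.113.1 route-map FROM-ISP in
 ! iBGP to the branch router across the internal WAN
 neighbor 10.255.0.2 remote-as 65001
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 next-hop-self
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 ! Originate a default into OSPF only while BGP has one installed
 default-information originate metric 1
!
! --- R2: branch Internet router (same private AS) ---
interface Loopback0
 ip address 10.255.0.2 255.255.255.255
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map FROM-ISP permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
router bgp 65001
 no synchronization
 neighbor 198.51.100.1 remote-as 65000
 neighbor 198.51.100.1 route-map FROM-ISP in
 neighbor 10.255.0.1 remote-as 65001
 neighbor 10.255.0.1 update-source Loopback0
 neighbor 10.255.0.1 next-hop-self
!
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 ! Worse metric, so internal routers keep preferring R1's default
 default-information originate metric 100
```

While R1's session is up both routers prefer the local-preference 200 path through R1; if R1 loses its ISP route it installs R2's iBGP-learned default instead, so either way traffic leaves via POP B without the internal routers needing the full table.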
Mike, I'm not disputing the use of BGP at all here, only presenting an alternative.
There is absolutely nothing wrong with using BGP and redistributing to the IGP. That's just how it's done.
BGP "usually" costs extra money for the ISP to set up for you, even with the default route only option, using a private ASN. If they force you to get your own AS number, the costs can skyrocket.

> although the only useful thing to ping would be the other end of the T1.
Not at all... Any system on the Internet can be used as a ping target to determine if the link should be used or not. I tend to use a well-known UUNET cache server that is redundant and always alive. This makes sense to cross ISP borders. If I'm on an AT&T connection and can't ping UUNET, then perhaps there is a peering connection down somewhere and I should try the other link through the different POP. Same goes if my local T1 is from MCI, I can ping a known entity on AT&T to check inter-ISP routing issues and use a different path if need be. I think this is a very handy tool to have in the old toolchest. It has definitely increased our uptime on numerous T1's that stay up, but the ISP loses routes (not top-tier ISP), even though BGP is still working between me and the next hop peer, and I'm still getting the default route, it is of no value if the ISP has lost peering.
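lrmoore's ping-tracked default route (this post and the earlier SAA post), as an added IOS example that is not from the thread: the current ip sla / track syntax is used (older IOS spelled the same probe "rtr 1" with "type echo protocol ipIcmpEcho"), and the probe target, the ISP next-hop, the Serial0/0 interface and the 10.0.0.0/8 internal range are assumptions.

```cisco
! --- R1: main-site Internet router, static default tied to a probe ---
! Target is an always-up host on a different ISP (address assumed),
! so a lost peering upstream is detected, not just a dead T1
ip sla 1
 icmp-echo 192.0.2.53 source-interface Serial0/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Tracked object: the default is pulled 15 s after the probe starts
! failing and restored only after 30 s of success, so a flapping
! upstream does not bounce the route around the network
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! The default stays installed only while track 1 is up, regardless
! of the T1 interface state
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Pin the probe target itself to the T1: otherwise, once the default
! flips away, the probe would follow the backup path and the primary
! link would never be seen to recover
ip route 192.0.2.53 255.255.255.255 203.0.113.1
!
! Same IGP hand-off as before: the default is advertised only while
! the tracked static is in the routing table
router ospf 1
 network 10.0.0.0 0.255.255.255 area 0
 default-information originate metric 1
!
! Verify with "show track 1" and "show ip sla statistics 1"
```

The branch router keeps its own static default (tracked the same way if desired) with a worse OSPF metric, so the moment track 1 goes down the internal routers converge onto the branch T1.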
bdragun (Author) Commented:
I am reading over your suggested docs and others that I have found.

Thanks for your help guys.

I will let you know if I have any more questions.
lrmoore Commented:
>It sounds like you use both BGP and SAA together?
You can, but it is not required.
The best of both worlds, yes, use them together.
In the cost-saving world, just a default with SAA.
HSRP is for failing over the outbound gateway for a single subnet/segment.  It won't do anything for Internet traffic trying to come back to you, and with two locations it's unlikely that both routers are on the same internal segment anyway.

Do you need more information?
Have you resolved this problem?
Can you close this question?
Don Johnston (Instructor) Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

RECOMMENDATION: Split points between mikebernhardt & lrmoore

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

EE Cleanup Volunteer