firstheartland

Capabilities of the Cisco 2600 series router.

Hello,

We currently have a T1 line which terminates at the 2600 router. We are planning to get another line (T1 or DSL??) for backup purposes. Is it possible that with this router it will switch from T1 to T1 if one goes down? Is it possible to do load balancing with this router? It currently only has one WAN card. If I install another one, will this be possible? If not, what do you suggest as a replacement? The T1's are used for internet access, not a site-to-site connection.

Thanks in advance!!
Les Moore

Yes, well, maybe..
Sorry, I couldn't resist.
Yes, this router is capable of handling two T1's quite easily.
Yes, they can load balance - if both T1's go to the same ISP
Maybe, if you have two different ISP's and you enable BGP with default route only, and you own your own IP block
Yes, you have failover easier than you can have load sharing if you have different ISP's.
Same ISP and you get both load-sharing and failover. Make sure you explain to the ISP what you want so they can provision their end appropriately. You may have to enable BGP using their private AS number.
If you go the DSL route, then you have even bigger issues because they don't 'do' BGP over DSL. That makes it all more difficult.
BGP is a good idea.  I would suggest using OSPF and giving each T1 the same 'cost'.  This will enable load balancing.  See this article for more info:

http://www.cisco.com/warp/public/105/46.html
firstheartland

ASKER

We want to go with two different ISP's, in case one goes down. How can this be done? Is it easier to go the failover route, or can load balancing work w/o too much hassle?
Thanks.
Load-balancing can work, but you have to use BGP.
To use BGP between two ISP's, you have to own your own IP subnet, and get your own BGP AS number. This can get expensive (in the $15,000 range)
The ISP's will not enable OSPF on border routers.

One question is - do you have publicly accessible servers (i.e. www, email, etc.) that have a public IP address published in DNS? If yes, then you have other issues to deal with for the inbound (BGP fixes this, too).

Failover can work if you don't have any inbound traffic (except email which uses MX DNS records to provide easy failover), but you have to get creative with route-maps and double-nat situations. You might be able to use something like SAA probes and "track" commands along with the route maps. These are highly advanced router configurations and require Enterprise IOS.

A couple of alternatives:
Radware appliance: http://www.radware.com/content/products/lpb/default.asp
FatPipes appliance: http://www.fatpipeinc.com/xtreme/

The easiest, least expensive solution by far is to use the same ISP, but with T1 local loops from two different providers with diverse paths.
Even if you have two ISP's, and they both use the same local loop provider, your local loop may go through the same local provider switch and you have a great chance that if one goes down, so will the other.
Else, go with a different ISP that offers a better SLA and get two from them.
Load balancing will provide failover.  In OSPF, if the link goes down, the cost will go up, and the packets always choose the path with the lowest cost.
While OSPF will by itself provide these capabilities, that only applies if you own both ends of both T1s.

I've never dealt with any ISP that will enable OSPF with a customer premises border router. BGP is "the" protocol between customers and ISP's.
I've worked with AT&T, Sprint, MCI, XO, Global Crossing, Savvis, and many small regional ISP's. Without exception, they do not "do" OSPF or anything but BGP with a customer. Some will even charge extra for the BGP setup.
Ok, I was looking at the FatPipe products. Will I not run into the same protocol problems here?
No. With the FatPipes you don't have those issues to deal with.
I would suggest getting another Cisco 2600 series router (I have 2 2620 routers). Plug each router with a T1 from a different ISP. Enable BGP and then enable HSRP (Hot Standby Routing Protocol). You cannot load balance but you will be able to load share a bit after some tweaking, but it's not perfect load sharing either. Having two routers gives you not only T1 redundancy but also router redundancy.

As far as the above OSPF is concerned, the ISP won't let you redistribute routes into their tables. You can use OSPF internally but from you to the ISP, it's all BGP. The configurations are simple and I can post some if you need them.
But how will having two different routers help with failover? I will have to reconfigure my firewall once one line goes down?? I mean I will not be able to utilize both lines at the same time.
HSRP creates a single 'virtual' IP address across both routers. HSRP provides failover only. It is not designed for load-balancing or load-sharing. Yes, you can fudge that a little in some cases by using multiple HSRP addresses and have some users' default gateway point to one virtual and others point to the other virtual. However, with these out in front of your PIX, you can't do that.
HSRP creates a single virtual router out of two routers. Your firewall only knows the address of one router, which is the virtual router. Using HSRP, the Cisco routers keep a heartbeat of each other and switch between themselves if the connection fails on one router.

What you do is that you give each router its own IP address. Then you define a virtual router IP address using HSRP in both routers and point your firewall towards that IP address. If one line goes down, HSRP switches over to other router with good line, the virtual IP address is maintained and your users don't see the connection drop except for a few seconds while the router switches over.

Both of your lines are in use, you can monitor them and then tweak BGP. But it's not a true load balancing solution. Great redundancy solution but only a minor load balancing solution. The FatPipe and Radware mentioned above will give load balancing/sharing, but from what I last read, FatPipe was limited to 2mbps and for Radware, if you want HA (high availability) then you have to put two devices in. Usually at $4000+ for each device, that's an expensive solution.

Load sharing can be done using HSRP. Here is a document from Cisco on load sharing using HSRP:
http://www.cisco.com/en/US/customer/tech/tk648/tk362/technologies_configuration_example09186a0080094e90.shtml

But in your case, if you have a single firewall and all users behind that firewall then you won't be able to do sharing but only balancing by tweaking BGP. Even in the BGP case, the traffic would flow more from the bigger provider, i.e. in my network more traffic comes from Sprint than from Qwest. Also you don't have control over return traffic but only outgoing traffic.
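
The two-router HSRP failover described in the replies above, written out as an added example; it is not configuration posted by anyone in the thread. The addresses (RFC 5737 documentation range), the interface names, HSRP group number 1 and the key placeholder are all assumptions, and the MD5 authentication line needs an IOS release that supports it.

```cisco
! Added example, not from the thread. Constructed values throughout:
! 192.0.2.0/24 is a documentation range, interface names are assumed.
!
! ----- Router A (T1 to ISP 1), preferred active router -----
interface FastEthernet0/0
 description LAN segment facing the firewall
 ip address 192.0.2.2 255.255.255.0
 ! Virtual gateway address; the firewall's default route points here
 standby 1 ip 192.0.2.1
 ! Higher priority wins the active role (default is 100)
 standby 1 priority 110
 ! Take the active role back once priority is highest again
 standby 1 preempt
 ! If the T1 goes down, drop priority by 20 (110 -> 90), which
 ! falls below Router B's 100 so that B takes over
 standby 1 track Serial0/0 20
 ! Authenticate hellos so only routers holding the key can join the group
 standby 1 authentication md5 key-string <SHARED-KEY-PLACEHOLDER>
!
! ----- Router B (T1 to ISP 2), standby router -----
interface FastEthernet0/0
 description LAN segment facing the firewall
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 ! preempt is required here too, or B stays standby when A's
 ! priority falls to 90
 standby 1 preempt
 standby 1 track Serial0/0 20
 standby 1 authentication md5 key-string <SHARED-KEY-PLACEHOLDER>
```

Interface tracking reacts only to the serial line protocol going down, so the tracking decrement must exceed the priority gap between the two routers. `show standby brief` on either router shows which one currently holds the active role.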



Ok, let's say I buy another 2620, and enable HSRP between the two routers and assign a virtual IP.
We will be having some VPN clients sitting behind the routers and before the firewall. The clients will connect to the VPN servers in another location. The VPN traffic will be inbound and outbound, mostly outbound (connection will be initiated from both ends). What effect will this have if I enable HSRP? When the connection is inbound it will be targeted at an IP address.
I am asking because I found that FatPipe will not do load balancing or failover for the incoming VPN traffic, only internet traffic. They have what they call a dynamic DNS which is only helpful if the incoming traffic is pointing at a domain name rather than an IP address.
First, your virtual IP address is the same no matter whether you connect from outside or inside. Next, the subnet that you are routing using BGP will be routed over both lines. BGP will take care of your IP routing, so if the VPN traffic cannot come in from one ISP, BGP will send it through the other ISP. Your VPNs will not see the difference. Your IP address subnet will be announced as available from two networks and without tweaking, BGP will use the shortest path as given by the router. If not available, it will use the other path.

FatPipe uses DDNS instead of BGP. It's usually pitched as an alternative to BGP. But BGP is more powerful and very useful in a VPN situation. I've the HQ VPN connecting multiple branches using the IP addresses of the firewalls for point-to-point VPN and they are routed over BGP and HSRP without any problem.
ASKER CERTIFIED SOLUTION
Les Moore
This solution is only available to members.
I am still trying to work things out and see what will be best.
I thank all of you for your input. If I have any further questions, I will post back on this thread.
Thanks.
Ok,

I spoke with my ISP. They are willing to use BGP. So now I am getting another T1. I am going to use the 2600 (will add another T1 CSU/DSU card), and enable BGP.

Thanks all!