Solved

Automatic Failover using 2 T-1's

Posted on 2006-05-31
Last Modified: 2008-09-01
I'll try to make this clear and simple.  Maybe get into details later as needed.
I am going to be installing a Cisco 1841 router with 2 T-1 Wics.
One T-1 will be with Southwestern Bell and the other with Verizon for failover purposes.

Here's the tricky part.
I will have a watchguard firewall 192.168.1.254 that will be the main gateway on my network, connected to FE 0/0 on the cisco.  All misc. internet traffic will pass through it and out through Southwestern Bell's T-1.

Then, I will have a VPN device 192.168.1.253 connected to FE 0/1 on the cisco.  This VPN will go out through the Verizon Link.  (It is a custom hosted application that we want to keep off of our main internet for bandwidth purposes)

Without any other Cisco software (just the IOS that ships with the 1841), how do I configure failover for each of those T-1 connections at the router level?

Examples:  
1.  The Verizon link drops.  Route the VPN traffic through SWB.
2.  The SWB link drops.  Route regular internet traffic through Verizon.

Thanks,
Mike
Question by:mcrossland
Accepted Solution

by:
lrmoore earned 2000 total points
ID: 16801729
That's a tricky one. If you have 2x T1s coming into one router, you only have 1 default gateway at a time, but you can use route-maps to make the deterministic route decisions.
Next issue is NAT. Unless you own your own IP subnet and advertise that to both ISPs via your own BGP AS number, you've got to nat from one to the other.
Policy-based routing combined with SAA tracking is part of the answer (the failover part).
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801d1e95.html#wp1043552

For the second piece of the puzzle you need to enable conditional nat...
If source IP = WG firewall = SWBell IP, then NAT to Verizon IP if it must go out the Verizon T1
If source IP = VPN Box = VerizonIP, then NAT to a SWBell IP as it goes out that T1

interface Serial0/0/0
 description Verizon T1
 ip nat outside
interface Serial0/0/1
 description SWB T1
 ip nat outside

interface FastEthernet0/0
 description Watchguard FW - SWB
 ip nat inside
 ip address 23.45.67.8 255.255.255.248

interface FastEthernet0/1
 description VPN Box - Verizon
 ip nat inside
 ip address 56.78.9.1 255.255.255.248

! Translate Verizon-addressed sources to the SWB interface address only when
! they leave via Serial0/0/1, and SWB-addressed sources to the Verizon interface
! address only when they leave via Serial0/0/0 (PAT to the egress interface).
ip nat inside source route-map Verizon-SWB interface Serial0/0/1 overload
ip nat inside source route-map SWB-Verizon interface Serial0/0/0 overload
! ACL 101 = the VPN box's Verizon /29 (FE0/1), ACL 102 = the Watchguard's SWB /29 (FE0/0)
access-list 101 permit ip 56.78.9.0 0.0.0.7 any
access-list 102 permit ip 23.45.67.8 0.0.0.7 any

! "match interface" is what makes the NAT conditional on the egress link
route-map Verizon-SWB permit 10
 match ip address 101
 match interface Serial0/0/1
route-map SWB-Verizon permit 10
 match ip address 102
 match interface Serial0/0/0


One other big issue that you will have is inbound traffic to your www server if you have one. Inbound email is easier with dual MX records in DNS.
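The failover half that the linked feature guide covers but the answer does not show, as an added example that is not part of lrmoore's post: IP SLA probes track each carrier's next hop, the SWB default route is withdrawn when its probe fails so a floating static via Verizon takes over (the question's example 2), and PBR steers the VPN box's subnet to Verizon only while that next hop is reachable, falling through to normal routing otherwise (example 1). It assumes the thread's interface numbering and 12.4T-style `ip sla`/`track` syntax on the 1841; the upstream addresses 198.51.100.1 (SWB) and 203.0.113.1 (Verizon) are constructed placeholders.

```cisco
! Assumed: IOS 12.4T-style "ip sla" / "track" commands, CEF enabled (PBR with
! verify-availability requires it). 198.51.100.1 = SWB next hop, 203.0.113.1 =
! Verizon next hop: constructed placeholders, use the carriers' real addresses.
ip cef

! Probe each carrier's directly connected next hop out of its own serial link.
! This detects link/CPE failures; probing further upstream would need a static
! host route per probe target so each probe really leaves via its own carrier.
ip sla 1
 icmp-echo 198.51.100.1 source-interface Serial0/0/1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.1 source-interface Serial0/0/0
 frequency 10
ip sla schedule 2 life forever start-time now

! Track objects follow probe reachability; the delays damp flapping links.
track 1 ip sla 1 reachability
 delay down 30 up 10
track 2 ip sla 2 reachability
 delay down 30 up 10

! Example 2: general internet traffic uses SWB. When track 1 goes down the
! tracked default is removed and the floating static (AD 10) via Verizon wins.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10

! Example 1: the VPN box's /29 on FE0/1 is policy-routed to Verizon only while
! track 2 is up; if it is down the set is skipped and the packet follows the
! routing table, i.e. the default route via SWB.
access-list 110 permit ip 56.78.9.0 0.0.0.7 any
route-map VPN-VIA-VERIZON permit 10
 match ip address 110
 set ip next-hop verify-availability 203.0.113.1 10 track 2
interface FastEthernet0/1
 ip policy route-map VPN-VIA-VERIZON
```

During a failover test, `show track brief` and `show ip route 0.0.0.0` show which track is down and which default route is currently installed; the conditional NAT route-maps in the answer above then translate whichever subnet has crossed over to the other carrier.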
Author Comment

by:mcrossland
ID: 16801882
Hmm....  Looks like I may have an issue with this as my watchguard handles NAT for me.  Last time I had a router with the ip nat inside statement, I had to remove it to get everything working.  Does that make sense?
Expert Comment

by:lrmoore
ID: 16802764
Yes, but this is conditional nat. As long as your WG has an IP address from SWB, you have no choice but to nat as it goes out to Verizon.
Expert Comment

by:lrmoore
ID: 16802771
My professional opinion - get 2x T1s from the same provider. Then you can use the same IP subnet and be done with it.
Author Comment

by:mcrossland
ID: 16803508
The idea was to have two different providers in the event that one provider was down or physical cable cut (have experienced this).

I think what I may do is just keep the watchguard as the primary internet and use only the other ISP for the VPN remote application.  I can do fault tolerance with that VPN device and I would just have 2 T-1 routers, 1 as a backup.  If internet is down, no biggie, but if the VPN is down, huge deal!

Points to you for giving such detailed information and helping me come to a conclusion.

Thanks,
Mike
Expert Comment

by:lrmoore
ID: 16804343
Glad to help!
- Cheers!