  • Status: Solved
  • Priority: Medium
  • Security: Public
Fully redundant WAN design: multiple ISPs with failover on ASA

Hi experts,

Right now I am working on a project and need some guidance on WAN design. It has two ISPs, one active and the other backup, two ASA firewalls in active/standby mode, and two 6509 switches in VSS mode.

I need to configure the WAN side, but my confusion is how the L2 switches between the firewall and router will be configured. On each router there are two links, one from each switch; how will they be configured? I mean, will the two links share one IP address, or will it be an EtherChannel with one IP address assigned to it?

On the firewall I am planning to use redundant interfaces on inside and outside, as path redundancy is needed, and HSRP on the routers, where the firewall will point to the HSRP VIP.

Give your suggestions.
wan-diagram.png
Asked by: frk_sec

4 Solutions
 
arnold commented:
Are you setting up some routing between the ISP1 router and the ISP2 router?

Presumably the reason you are using two routers versus a single router with both ISPs terminating on it is to cover router failure.

The failover portion of the ASA is to use a virtual IP which the LAN systems will use as the default gateway.

Do you own your own IPs, or is ISP1 providing theirs while ISP2 provides you with theirs?
 
gavving commented:
When using active/standby on ASAs you want the interfaces to be able to ping each other, basically for keepalives to work correctly and for the ASA failover to know the status of the interfaces. So if the 2960s in the drawing are going to have VLANs, then configure trunking between them and place the ASA inside interfaces on the same VLAN on both ASAs. Same with the outside interface.

But your drawing, the way you have it fully meshed to the ASA, isn't really going to work. The 5520 isn't going to support that, I think. It would be something like:

inside2960sw1 <> ASA1 <> outside2960sw1
      |                         |
inside2960sw2 <> ASA2 <> outside2960sw2
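The active/standby arrangement gavving describes, as an added example that is not part of the thread (and not the poster's or gavving's configuration): a minimal ASA 5520 active/standby failover setup in ASA 8.2-style syntax, with a dedicated switched VLAN for the failover/stateful link. Interface assignments, the VLAN number and all addresses are assumptions; the primary unit is shown, and the secondary differs only in `failover lan unit secondary`.

```cisco
! ASA1 (primary unit). Added example, not from the thread; interface
! assignments, VLAN numbers and addresses are assumptions.
!
! Gi0/0 -> outside 2960 #1, Gi0/1 -> inside 2960 #3,
! Gi0/3 -> dedicated failover VLAN (assumed VLAN 99) on the switches.
! The two outside switches must be trunked together so that both units'
! outside interfaces share one VLAN; the same applies to the inside pair,
! otherwise the interface health checks below report "Failed".
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.3 255.255.255.240 standby 203.0.113.4
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.3 255.255.255.0 standby 10.1.1.4
 no shutdown
!
interface GigabitEthernet0/3
 description failover control + stateful link (VLAN 99 on the switches)
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
! reuse the same link for connection-state replication
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 172.16.99.1 255.255.255.252 standby 172.16.99.2
! detect a dead peer in ~3 s instead of the 15 s / 45 s defaults
failover polltime unit 1 holdtime 3
! interface tests: hellos to the peer's standby address every 5 s
failover polltime interface 5 holdtime 25
monitor-interface outside
monitor-interface inside
! enable last, once the link and addresses are in place
failover
!
! routes and NAT are configured once on the primary and replicated to the
! secondary; the routers' HSRP VIP is the ASA default gateway
route outside 0.0.0.0 0.0.0.0 203.0.113.5 1
!
! ASA2 (secondary unit): same interface and failover commands, except
! failover lan unit secondary
```

Check with `show failover`: each monitored interface should read Normal (Monitored) on both units. Failed or Waiting on an interface usually means the two units' ports for that interface are not in the same VLAN or the inter-switch trunk is missing, which is exactly the condition gavving's "able to ping each other" requirement is about.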
 
frk_sec (author) commented:
Thanks for the response...

ISP1 and ISP2 will provide /30 IP addresses on the outside interface of the routers, and I am planning to use /28 public IPs between the firewall outside and the router inside. I also think we have to use HSRP on the routers on the inside part.

Let's say:

ON R1
========
interface GigabitEthernet0/1
 description inside, towards the ASA outside VLAN (/28 transport)
 ip address xx.xx.61.1 255.255.255.240
 standby 1 ip xx.xx.61.5
 standby 1 priority 100
 standby 1 preempt
 ! tracked interface = the ISP-facing (outside) interface, assumed g0/0 here;
 ! tracking the HSRP interface itself (g0/1) would be pointless
 standby 1 track GigabitEthernet0/0 75

ON R2
========
interface GigabitEthernet0/1
 ip address xx.xx.61.2 255.255.255.240
 standby 1 ip xx.xx.61.5
 standby 1 priority 75
 ! preempt is needed here too, otherwise R2 never takes over when R1 merely
 ! drops its priority (100 - 75 = 25 < 75) rather than failing outright
 standby 1 preempt
 standby 1 track GigabitEthernet0/0 50

So on the ASA the default gateway will be xx.xx.61.5, that is the VIP of HSRP, and it will track the active link; if that link goes down then all the traffic will be forwarded to the backup link.

Yes Arnold, you are right. The reason to use two routers is device redundancy, and the full mesh is for path redundancy.

Gavving, the full mesh topology is for path redundancy. Let's say if switch 1 goes down, then from the firewall there will be no path to the active link, i.e. let's say 15 MB, and the backup link is only 4 MB...

Gavving, I agree with your design, but what if the switch between Router 1 and ASA1 is down, as we don't have any other link between them? The outside interfaces of the firewall and the inside interfaces of the routers are in the same VLAN.

Sure, there will be one link between ASA1 and ASA2 for the failover, and it will be through the switch in a separate VLAN, say VLAN 20, for failover messages and the stateful link.

If the full mesh design has any problem then the below design will be fine; please suggest, guys.
But I don't understand how the link between the two routers will be configured. My plan is to use only static routing, as there is no load sharing in the network; traffic will go to the active router, and if that ISP connection is down then it will go to the backup router.

--inside--|ASAp|--outsidevlan--|SWITCH|--outsidevlan--|2900p|--WAN
             |                    |                      |
         failover            outsidevlan         inter-router link
             |                    |                      |
--inside--|ASAb|--outsidevlan--|SWITCH|--outsidevlan--|2900b|--WAN

Waiting for your replies, and please let me know if I am not correct at any point.

Thanks
 
frk_sec (author) commented:
Suppose we want to use the same design but enhance the full mesh with the following configuration:
the redundant interface concept on the firewall, and as the switches are 2960-S, I can stack them (SW1 & 2) as one stack and SW3 & 4 as another stack, so that both switches appear as one virtual switch and I can configure EtherChannel on it for the ASA and router ports.

On ASA1
On the ASA, will it be possible to use the redundant interface concept, so that I can combine two physical interfaces into one logical interface and then configure the IP address on it? On the switch side I can do the EtherChannel.
ex:
ASA1 (outside interface)
redundant interface 0 (Gi0/0, Gi0/1) ---- connecting to switch 1 gi1/0/1 and switch 2 gi2/0/1
ASA2 (outside interface)
redundant interface 0 (Gi0/0, Gi0/1) ---- connecting to switch 1 gi1/0/2 and switch 2 gi2/0/2

! member physical interfaces carry no config of their own, only no shutdown
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/1
 no shutdown
!
interface redundant 0
 description outside: active/standby pair, one member to each stack member
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address xx.xx.61.3 255.255.255.240
 no shutdown

On switch 1 and switch 2 we can create VLAN 10 (for instance) and put gi1/0/1 and gi2/0/1 of SW1 and SW2 in VLAN 10.

SW1 & 2 as one stack
! No channel-group on these ports: an ASA redundant interface is an
! active/standby pair, not an EtherChannel. Only one member carries traffic,
! so a switch-side bundle would hash flows onto the idle standby link.
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 description ASA1 outside (redundant 0 members)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

interface range GigabitEthernet1/0/2 , GigabitEthernet2/0/2
 description ASA2 outside (redundant 0 members)
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

ASA1 (inside interface)
redundant interface 1 (Gi0/2, Gi0/3) ---- connecting to switch 3 gi1/0/1 and switch 4 gi2/0/1
ASA2 (inside interface)
redundant interface 1 (Gi0/2, Gi0/3) ---- connecting to switch 3 gi1/0/2 and switch 4 gi2/0/2

interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
interface redundant 1
 description inside: active/standby pair
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 10.xx.xx.3 255.255.255.x
 no shutdown

On switch 3 and switch 4 we can create VLAN 20 (for instance) and put gi1/0/1, gi1/0/2 of SW3 and gi2/0/1, gi2/0/2 of SW4 in VLAN 20.

SW3 & 4 as one stack
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 description ASA1 inside (redundant 1 members)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast

interface range GigabitEthernet1/0/2 , GigabitEthernet2/0/2
 description ASA2 inside (redundant 1 members)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast

Router to switch side
interface Port-channel1
 description to SW1/SW2 stack, one member link per stack member
 ip address xx.xx.61.1 255.255.255.240
!
interface GigabitEthernet0/0
 no ip address
 channel-group 1
!
interface GigabitEthernet0/1
 no ip address
 channel-group 1

Next, the switch configuration (port numbers assumed; one link lands on each stack member):
interface Port-channel1
 description to R1 (static bundle, matches the router's channel-group 1)
 switchport mode access
 switchport access vlan 10
!
interface range GigabitEthernet1/0/3 , GigabitEthernet2/0/3
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode on

Please comment. What do you guys think of it? Which one will be better?

Waiting for the response
 
arnold commented:
In your setup the following scenario will leave you without an internet connection:
ISP1 goes down while your Router2 flakes out. Not sure whether you considered:
http://www.valiantcom.com/aps/t1-4-protection-switch.html
i.e. each ISP connection goes to a switch such that each router has a connection to each ISP. Only one port in a pair is active, such that only one router has a connection to an ISP at a time, whether it is R1 ISP1 / R2 ISP2 or R1 ISP1 / R1 ISP2 and the other two options.
But now your single device failure is the top-most switch.

Unless R1 and R2 are NATted, there is no way to have a common /28 between them, since one of the ISPs will not carry them. Or does your ISP1/ISP2 mean a separate connection from the same ISP, presumably having a different path? (ISP1's connection comes from the west and ISP2's comes from the east, providing separation even if a pole is knocked down.)

The internals are simpler, as you point out, from the ASA and down: i.e. bond/trunk two interfaces, with each connecting to a switch (switch failover).

Everything below, you will have to alternate/distribute the workstations such that if a switch dies you'll have a portion of the functional system still connected. ASA failure will maintain connections.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

You would use the same virtual failover IP on the WAN side.

What or how do you envision the transition/convergence?
 
gavving commented:
BGP peering and failover is not being mentioned for ISP failover. That's what I'd recommend be used. You'd have to get an AS number and get BGP peering agreements with your ISPs. Then you get assigned IP blocks from both ISPs and have both of them advertise each other's IP blocks. If one ISP goes down, the other will still route the IP block from the other ISP.

Is that what you plan to do?

I've implemented VSS 6509s and fully redundant Internet connections previously. Later today I'll try to throw together a diagram and sample configs.
 
frk_sec (author) commented:
Thanks for the reply, Gavving and Arnold.

I did not plan to implement BGP in the network as there is no plan for load sharing. I am aware that BGP is used if load sharing is required, if I want to send some networks from one ISP and other networks from the other ISP and vice versa.

I am aware that we need to purchase an AS number and a pool of IPs if we need to implement BGP in the network.

As Gavving recommends implementing BGP: how will the connection be? Let's say ISP1 will connect on R1 and ISP2 will connect on R2, the IP addresses will be provided by the ISPs, and we will do the BGP neighbor relationship as they will provide the peer IP address.

So will it result in automatic fallback/failover if one ISP is down, with no need for HSRP? Am I right?

Gavving, you mention failover, and you mean this is for internet, not the ASA failover. Isn't it?

Gavving, it will be great if you put up the solution you have implemented.

Arnold, I did not get what you want to say in this statement: "What or how you envision the transition/convergence?" Please give a bit of explanation.

Waiting for the reply.

Thanks.
 
arnold commented:
You have to use OSPF at least between R1 and R2 to handle convergence in the event of the ISP1 or ISP2 connection going down.
Since you have ISP-provided IPs, you would have to use DNS to load-balance/distribute how incoming requests will be handled, but that is neither here nor there.

Each router will advertise to the other a lower-preference/higher-weight route for 0.0.0.0/0,
such that if a packet lands on the router, the preferred path will be out the ISP to which the router is directly connected; in the event the ISP connection is down and the packet still lands on the router for that ISP, the path will converge and the packet will be routed to the other router and out via the second ISP.

The ASA is too far away to determine the path out to the Internet, and the two untrust interfaces will likely have equal weight because of the same issue.
 
frk_sec (author) commented:
Thanks for the reply, Arnold.
I got it. For sure the two ISPs will provide their own DNS and gateway, and if the connection switches due to a link or connection failure then it should get changed.

Can you please post a sample config? That will be great, if you find some time for it.

Thanks.

Will wait for your reply.
 
gavving commented:
This configuration I'm posting isn't exactly what you had planned or had asked for, but it's what I know works and can predict the behavior of. It requires the routers connected to the ISPs to take full BGP routes from the ISPs, obtaining an AS number, getting the ISPs to agree to advertise the other ISP's network numbers, etc. BGP isn't necessarily used for load balancing; actually using it for that is fairly complicated. Using it for true Internet failover for inbound traffic is the primary use of it here. Failover for outbound traffic is easy and doesn't necessarily require a full BGP configuration.

The external routers are configured with HSRP to allow for failure of a router. This means that the iBGP peering connection between the routers is used for network traffic on a regular basis, as outbound traffic will flow to isp1-router and then across the iBGP connection to isp2-router if BGP routes better going out that ISP.

The external switches are primarily present to allow the ASAs to have connectivity through the external interfaces, so that failover works correctly.

Hopefully I got all the IPs in the configs consistent so that it all makes sense.

redundant-Network-setup.jpg
vss6500-config.txt
asa-config.txt
isp1-router-config.txt
isp2-router-config.txt
 
frk_sec (author) commented:
Bundle of thanks, Gavving, for the diagram and the configs. The scenario is almost clear to me now.

I had already done the VSS part, but your config made it clearer for me. But I will be thankful if you shed some light on the following points regarding BGP:

1) External routers are configured with HSRP to allow failover of the router.
In the HSRP config you are tracking object 2, but it does not have any config. I assume I need to track the default gateway or BGP peer of R1, and if it goes down R2 should become active. Am I right?

2) I will take the AS number from the ISP, let's say xxx2, and I will do the eBGP peering with ISP1 and ISP2 and will advertise the subnet/network between firewalls and routers, ex: x.x.61.0, in BGP.
What will be the use of iBGP in this scenario? As you said, it will be used for network traffic on a regular basis. Please correct me if I am wrong.
Let's say internet traffic is coming from the firewall and it hits the active HSRP router, which forwards the traffic to the related ISP (ex: ISP1). But the active router will have two routes to forward the traffic, one through eBGP and another through iBGP, so the eBGP route will be preferred, and when the ISP1 link goes down it will have the route through iBGP, but HSRP will make R2 active, so all the traffic will flow through it.

3) You have advertised the 13.22.220 network in BGP, but this has no relation to the ISP networks or the router-to-firewall networks. I guess these are some public networks behind the VSS, as you are pointing one static route for this network to 11.123.123.2, i.e. the outside of ASA1. So I think that network can be a DMZ or behind the inside network.

4) What should HSRP track: the outside interface of the router, or the default gateway or eBGP peer of ISP1 and ISP2 on each router (R1 and R2)?

5) Can you advise what subnet/IP block needs to be purchased for the ASA-routers network, as some static NATs will be done here in addition to PAT? Am I right that VPN tunnels should be installed on the ASA, not on the routers?

6) The use of the prefix list is just to send networks 11.x.x.x and 13.x.x.x to ISP1 and ISP2?

Thanks for your time, Gavving.
Please answer the above points.

Thanks.
 
gavving commented:
The 13.22.22.0/24 subnet I threw in there to show how you would configure an additional IP subnet. When you sign up with 2 ISPs you can get multiple IP subnets, hopefully at least a /24 from both. That way you have 2 /24s, but you only need to use one of them for the transport network IPs on the external side of the firewalls. So the other one can be routed directly to the ASA external interface and you can NAT into it to use it.

1) The tracked objects are used in 2 places. Track 1 is used for the static route for the 13.22.22.0/24 subnet, so that static route goes away in the event that the inside-facing g0/0/1 interface goes down, and thus that router stops advertising it via BGP. Track 2 is used to monitor the status of g0/0/0 and to cause the HSRP active router to flip to the ISP2-router in the event that the uplink to ISP1 goes down on g0/0/0.

2) What will happen with it configured like this is that ISP1-router will see full routes to the internet out both paths, and yes, it will have 2 routes present for each subnet in the internet route table. BGP will choose which route to use based upon AS-path distance, thus the 'closest' path is chosen. If your destination happens to be 'closer' when going through ISP2, then the traffic will flow from ISP1-router through the iBGP peer link on g0/0/2 to ISP2-router, then out to ISP2. When you do a 'show ip route' on the routers you'll see an intermixing of routes going out the ISP connected to the router and out the g0/0/2 interface to the other router. How well they are balanced is dependent upon the peering quality of the ISPs. Also you can adjust this somewhat with BGP options.

3) See comment at top on the purpose of the 13.22.22.0/24 network. It could be a DMZ network, or it could be just more IPs that you NAT into on the ASA.

4) See comment #1 on the purpose of tracking.

5) For BGP you must advertise a /24; nothing smaller is allowed. Yes, VPN tunnels should be terminated on the ASA.

6) Whenever you're doing BGP peering with externally connected networks (i.e. the Internet) you should filter your outbound routes so that you only advertise what you want. If you don't use the prefix lists, then when you get BGP peering with both ISPs working, your routers will advertise the Internet route table from ISP1 to ISP2 and your network will be seen as a route to the whole Internet. This is _bad_. ISPs should have upstream filtering that stops you from taking down the Internet, but it's not a good idea to depend upon them. Once you have a BGP link to the Internet, you're now part of the Internet routing community and should act responsibly and knowledgeably about the connection.
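The outbound filtering gavving insists on in point 6, together with the tracked static and HSRP behaviour from point 1 and the iBGP link from his earlier post, as an added example that is not his attached configuration and not the poster's: one ISP-facing router in IOS. ASNs, prefixes (RFC 5737 documentation ranges stand in for the two /24s), and interface numbers are assumptions; the second router mirrors it with the roles swapped.

```cisco
! isp1-router. Added example; ASNs, prefixes and interface numbers are
! assumed (203.0.113.0/24 and 198.51.100.0/24 stand in for the two /24s,
! AS 64512 for the customer, AS 64600 for ISP1).
!
! Gi0/0 = uplink to ISP1, Gi0/1 = inside (outside switches / ASA),
! Gi0/2 = inter-router (iBGP) link to isp2-router.
!
interface GigabitEthernet0/0
 description ISP1 uplink
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description inside, transport /28 shared with the ASA outside interface
 ip address 203.0.113.1 255.255.255.240
 standby 1 ip 203.0.113.5
 standby 1 priority 110
 standby 1 preempt
 ! 110 - 20 = 90 < isp2-router's 100: HSRP flips when the ISP1 uplink dies
 standby 1 track 2 decrement 20
!
interface GigabitEthernet0/2
 description iBGP link to isp2-router
 ip address 10.255.0.1 255.255.255.252
!
track 1 interface GigabitEthernet0/1 line-protocol
track 2 interface GigabitEthernet0/0 line-protocol
!
! second /24 is routed to the ASA outside address; the static (and with it
! the BGP advertisement) disappears when the inside link is down (track 1)
ip route 198.51.100.0 255.255.255.0 203.0.113.3 track 1
! only a /28 of the transport /24 is connected; anchor the whole /24 on
! Null0 so that the network statement below always finds it in the RIB
ip route 203.0.113.0 255.255.255.0 Null0 250
!
! outbound: ONLY our two /24s. The implicit deny at the end of the list is
! what stops ISP1's full table from being re-advertised to ISP2 (and back).
ip prefix-list OUR-PREFIXES seq 10 permit 203.0.113.0/24
ip prefix-list OUR-PREFIXES seq 20 permit 198.51.100.0/24
!
! inbound: refuse a default route, our own space, RFC 1918 and anything
! longer than /24; accept the rest (full table)
ip prefix-list FROM-ISP seq 5 deny 0.0.0.0/0
ip prefix-list FROM-ISP seq 10 deny 203.0.113.0/24 le 32
ip prefix-list FROM-ISP seq 20 deny 198.51.100.0/24 le 32
ip prefix-list FROM-ISP seq 30 deny 10.0.0.0/8 le 32
ip prefix-list FROM-ISP seq 31 deny 172.16.0.0/12 le 32
ip prefix-list FROM-ISP seq 32 deny 192.168.0.0/16 le 32
ip prefix-list FROM-ISP seq 100 permit 0.0.0.0/0 le 24
!
router bgp 64512
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 network 198.51.100.0 mask 255.255.255.0
 ! eBGP to ISP1
 neighbor 192.0.2.1 remote-as 64600
 neighbor 192.0.2.1 description ISP1
 neighbor 192.0.2.1 prefix-list FROM-ISP in
 neighbor 192.0.2.1 prefix-list OUR-PREFIXES out
 neighbor 192.0.2.1 maximum-prefix 1000000 90
 ! iBGP to isp2-router: carries the destinations that are "closer" via ISP2
 neighbor 10.255.0.2 remote-as 64512
 neighbor 10.255.0.2 description isp2-router
 neighbor 10.255.0.2 next-hop-self
!
! isp2-router: identical, with ISP2's addresses/ASN on Gi0/0,
! standby 1 priority 100, and 10.255.0.1 as its iBGP neighbor.
```

`show ip bgp neighbors 192.0.2.1 advertised-routes` should list exactly the two /24s; anything more means the outbound prefix-list is not applied to that neighbor and the router has become a transit path between the two ISPs.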
 
frk_sec (author) commented:
Thanks for the reply.

I understood the scenario and can implement it with the required changes and enhancements. But I discussed it with my client's IT guy, and he was saying that just the users need to use the internet, as it's a 20+ floor building; there are no sites attached to it, or hardly 1 or 2 VPNs. So is it good practice, just for internet use by the users, to implement BGP?

Will it not be done through HSRP with IP SLA route tracking?

On R1
=======
ip sla monitor 2
 ! probe target = default gateway of ISP1 (or the eBGP peer IP)
 type echo protocol ipIcmpEcho x.1.31.3 source-interface FastEthernet1/0
 frequency 5
 timeout 1000
ip sla monitor schedule 2 life forever start-time now
!
track 10 rtr 2 reachability
!
interface FastEthernet0/0
 ip address x.x.61.x 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 150.1.61.1
 standby 1 priority 100
 standby 1 preempt
 ! interface tracking (default decrement 10) for Fa1/0 going down outright
 standby 1 track FastEthernet1/0
 ! SLA tracking: 100 - 50 = 50 < R2's 95, so R2 takes over when the probe fails
 standby 1 track 10 decrement 50

On R2
=======
interface FastEthernet0/0
 ip address x.x.61.2 255.255.255.0
 duplex auto
 speed auto
 standby 1 ip 150.1.61.1
 standby 1 priority 95
 standby 1 preempt
 standby 1 track FastEthernet1/0
end

The ASA will be pointed to the virtual IP of HSRP. If public IP addresses are a problem on the ASA-router network, then any private subnet can be used and NATting can be done on the router, and a couple of VPNs.

Please advise.

Waiting for reply.

Thanks.
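A fuller version of the HSRP + IP SLA approach sketched in the post above, as an added example that is not the poster's own configuration: R1 in current IOS syntax (`ip sla` / `track ... ip sla` instead of the older `ip sla monitor` / `track ... rtr` form). Addresses and interface numbers are assumptions (RFC 5737 ranges; ISP1's gateway 192.0.2.1, R2 reachable at 10.255.0.2). It adds what the sketch leaves out: an SLA-tracked default route and a floating static toward the other router, so that the inter-router link actually carries traffic when ISP1 is dark but R1 itself is still alive.

```cisco
! R1. Added example, not from the thread; addresses and interfaces assumed.
! Gi0/0 = ISP1 uplink (ISP gateway 192.0.2.1), Gi0/1 = inside (ASA VLAN),
! Gi0/2 = inter-router link to R2 (10.255.0.2).
!
! Probe something beyond the ISP edge router if you can (e.g. the ISP's
! DNS server): pinging the directly connected gateway only detects a dead
! last mile, not an upstream outage.
ip sla 2
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 2 life forever start-time now
!
track 10 ip sla 2 reachability
 ! dampen flaps: declare down after 15 s, back up only after 30 s
 delay down 15 up 30
!
! primary default exists only while the probe succeeds; when it is
! withdrawn, the floating static (AD 200) sends traffic across to R2 and
! out ISP2 instead of blackholing it on R1
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
ip route 0.0.0.0 0.0.0.0 10.255.0.2 200
!
interface GigabitEthernet0/0
 description ISP1 uplink
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/2
 description inter-router link to R2
 ip address 10.255.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 description inside, to ASA outside VLAN (ASA default gateway = .1)
 ip address 203.0.113.3 255.255.255.240
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 ! wait a minute after coming back before taking the VIP again
 standby 1 preempt delay minimum 60
 ! 110 - 50 = 60 < R2's 100, so R2 goes active on ISP1 loss
 standby 1 track 10 decrement 50
 ! and also if the uplink interface itself goes down
 standby 1 track GigabitEthernet0/0 50
!
! R2: same structure with ISP2's gateway in ip sla 2, priority 100,
! "standby 1 preempt", and the floating static pointing at 10.255.0.1.
!
! Caveat: with BOTH uplinks dead the two floating statics point at each
! other and packets loop between R1 and R2 until TTL expires. Acceptable
! for an outbound-only design, otherwise tie each floating static to a
! track object that probes the peer's ISP as well.
```

While unplugging the ISP1 uplink, `show track 10` goes to Down, `show ip route 0.0.0.0` shows the primary default replaced by the AD-200 route via 10.255.0.2, and `show standby brief` shows R2 active once R1's decremented priority (60) is below R2's 100. As arnold notes elsewhere in the thread, neither this nor the interface-tracking version reacts to a failure further upstream unless the probe target is chosen beyond the ISP edge.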
 
gavving commented:
Yes, that would work... but only if the IPs that you're using are allowed to be routed out both ISPs, and the only way that's going to work is through BGP peering. You either need to have a portable IP block, or you need to have agreements with the ISPs to advertise each IP block. A BGP setup would accomplish that. But if you're just doing outbound PAT traffic only, it's not truly necessary, as you can just do PAT failover.

You can configure SLA tracking on the ASA to have it change the PAT dependent upon the ISP that's being used. Or you have to configure SLA, NATing and policy routing on the Internet routers. Both of which are different solutions than the one I showed above.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml
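The "PAT failover on the ASA" option gavving refers to, as an added example that is not from the thread and not from the Cisco documents he links: both ISPs terminate directly on the ASA, a tracked default route decides which one is in use, and one twice-NAT rule per egress interface makes the PAT source address follow the route. ASA 8.3+ NAT syntax; interface names and all addresses are assumptions.

```cisco
! ASA with both ISPs terminated on it (no HSRP routers in front).
! Added example; addresses and interface names are assumptions.
!
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! probe ISP1's next hop (or better, something beyond it) via outside1
sla monitor 123
 type echo protocol ipIcmpEcho 192.0.2.1 interface outside1
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 123 life forever start-time now
!
track 1 rtr 123 reachability
!
! the primary default exists only while the probe succeeds; the backup
! default (metric 254) is installed when it is withdrawn
route outside1 0.0.0.0 0.0.0.0 192.0.2.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! one PAT rule per egress interface: the ASA applies the rule whose egress
! interface matches the route lookup, so the translated source address
! flips together with the route. Twice NAT is used because a network
! object can carry only a single object-NAT rule.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
nat (inside,outside1) source dynamic INSIDE-NET interface
nat (inside,outside2) source dynamic INSIDE-NET interface
!
! Limitations to plan for:
! - connections already PATed out ISP1 are not migrated; they time out
!   and the clients reconnect via ISP2
! - inbound services (static NAT, VPN peers) are reachable only at the
!   ISP whose address they use; without BGP there is no inbound failover
```

`show route` shows only one default route at a time; after the probe fails, new entries in `show xlate` carry the outside2 address. This is what makes the approach fit the "users just need internet" requirement from the post above, while leaving gavving's point standing: anything that must be reachable inbound on a fixed address still needs the BGP design.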
 
arnold commented:
Sorry, I do not have a handy example; though gavving's BGP example is akin to using OSPF to deal with failover in the event of an ISP connection drop,
i.e. each will have the interface-dependent routing
ip route 0.0.0.0 0.0.0.0 <serialinterface0>
and OSPF will have a 200 weight on the 0.0.0.0 0.0.0.0 from the other router.

The more upstream failure, i.e. ISP1 up the chain experiences issues with routing to a particular destination, your system will not be adept at dealing with those.
 
gavving commented:
The information that I provided was detailed and helped the member understand his options and the methods that could be used to accomplish the original intent of the question that was asked. It is a tried and true solution that many companies have implemented. If additional information or questions are present, then this question should be closed and points awarded accordingly. Thanks.