
Use an edge router to automatically failover to another ISP for devices that are not multi-ISP aware

Posted on 2013-11-14
Last Modified: 2014-02-13
I have (2) ISP's with a /29 network space available in each (5 usable IP's).

Behind these devices, I have (1) Firewall on one ISP and (1) Firewall on the other ISP.  These are performing NAT for (2) different LAN segments.  

I also have a PBX that has a WAN interface on ISP (1) with a LAN interface that is in LAN segment (1).  The WAN interface exists OUTSIDE of the firewall (this device takes care of its own security in its IOS).  This device is only able to have (1) IP address and only has (1) port for WAN communication.  This WAN port is used for multiple things, including:  SIP trunks, remote phones (physical phones as well as soft phones), and remote administration among other things.  

The PBX is not MULTI-ISP aware and is not able to be made aware of multi-ISP.  It does have a routing table that I am able to add static routes to, but there is no way that I can tell that would enable this ISP to be MULTI-ISP aware in the event of an ISP failure.  

Since I have (2) ISP's and quite a lot of network gear, is there ANY WAY that I can get this PBX to have a single default gateway, and get that gateway to make a routing decision of ISP 1 if ISP 1 is up, and use ISP 2 if ISP 1 is down?  

There is a catch...the settings of the PBX cannot be changed in order to use ISP 2, it has to be automatic...I was thinking of trying something like this:

- Take a Cisco 1841 router and give it an IP address on each ISP
- Set the PBX default gateway to the IP address of the Cisco 1841 on ISP 1
- Set the 1841 up with a default route to ISP 1 as long as it can ping [the next hop or the core router @ ISP 1] using the SLA command/icmp reachability/route track
- Set the default route to ISP 2 in the event that ISP 1's SLA tracking fails to ping via ISP 1
- When the 1841 sends traffic out ISP 2, have it NAT the IP address using NAT OVERLOAD and the IP address from ISP 2
- Set a 1-to-1 NAT for the IP address of the Cisco 1841 on ISP 2 point in to the PBX, so that traffic returning OR traffic coming unsolicited (like SIP trunk traffic) always lands on the PBX, even though the traffic was sent to the public IP of ISP 2

Would this work?  It works with LAN/Private IP's in this way, I was wondering if I could arrange a failover this way for a PUBLIC IP address and not a private IP.  I don't think it should matter, unless the SLA tracker comes back up in the middle of a conversation with ISP 2, and then the default route of the Cisco 1841 would change back to ISP 1.

Just so we're clear:  BGP is not an option, one of these circuits is Broadband and the ISP's will not peer with tier 2 devices.
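As an added worked example of the plan sketched in the question (not from the thread or any of its posters), this is the IOS configuration on the 1841 that implements it, with assumed addressing: 203.0.113.0/29 for ISP 1 (CPE .1, 1841 .2, PBX .5 with gateway .2), 198.51.100.0/29 for ISP 2 (CPE .1, 1841 .2), and 192.0.2.1 as a placeholder probe target beyond ISP 1's CPE. It differs from the bullet list in one detail: the one-to-one NAT uses a spare ISP 2 address (.3) rather than the router's own interface address, and that static mapping makes a separate NAT overload rule unnecessary for the PBX.

```cisco
! Added example (not from the thread): Cisco 1841 IOS, assumed addresses
! ISP1 /29 203.0.113.0/29: CPE .1, 1841 Fa0/0 .2, PBX .5 (PBX gateway = .2)
! ISP2 /29 198.51.100.0/29: CPE .1, 1841 Fa0/1 .2, spare .3 mapped to the PBX
! 192.0.2.1 is a placeholder for a host beyond the ISP1 CPE
interface FastEthernet0/0
 description ISP1 segment, shared with the PBX and the ISP1 CPE
 ip address 203.0.113.2 255.255.255.248
 ip nat inside
 ! Keep the PBX sending to us instead of being redirected straight to the CPE
 no ip redirects
!
interface FastEthernet0/1
 description ISP2 segment
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
! Probe a host beyond the CPE, not the CPE itself, so an upstream ISP1 outage
! is detected. The host route pins the probe to ISP1, so after failover it
! keeps failing until ISP1 really returns instead of succeeding via ISP2.
ip route 192.0.2.1 255.255.255.255 203.0.113.1
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0
 frequency 10
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! Track reachability; the delays stop a flapping link from bouncing the
! default route (and every in-flight call) back and forth
track 1 ip sla 1 reachability
 delay down 15 up 60
!
! Primary default via ISP1 exists only while track 1 is up;
! the floating static (AD 10) via ISP2 takes over when it is withdrawn
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! One-to-one NAT. Outbound it applies only when a PBX packet crosses from
! Fa0/0 (inside) to Fa0/1 (outside), i.e. during failover; inbound, anything
! sent to 198.51.100.3 (SIP trunk, remote phones) is mapped to the PBX
ip nat inside source static 203.0.113.5 198.51.100.3
```

The static NAT only rewrites PBX packets that actually leave through ISP 2, so while ISP 1 is up anything the trunk provider sends to 198.51.100.3 is answered from 203.0.113.5 via ISP 1; the provider should treat the ISP 2 address as a failover destination only. Failback still drops SIP sessions that were translated through ISP 2; the `delay up` merely keeps a flapping ISP 1 from triggering that repeatedly.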
Question by:jkeegan123
Assisted Solution

by:pergr
pergr earned 250 total points
Yes, it should work.

The remote phones will also need a way to fail over.
Some phones can be configured with a backup sip server - which would be the IP on ISP2.

Make sure your sip trunk provider allows you to connect from any of the two ISPs.
Expert Comment

by:ArneLovius
I usually use a Cisco ASA to do this, it removes any "double NAT" from the equation.

With a Cisco ASA with Sec Plus licence, you can have two ISP connections and use an IP SLA to have primary and secondary.

The ASA IP SLA can manage outbound routing priorities.

As an example, your VoIP traffic is SIP trunk (so going to known destinations) and your SIP trunk provider will allow you more than one exit address, you could have all traffic apart from your SIP trunks on your primary line and the SIP trunks on the secondary line, in the event of the primary line failing all traffic would be on the secondary, and in the event of the secondary failing, your SIP traffic would fail over to the primary.

All traffic has the ASA as its default gateway. The PBX would be re-homed so that its "wan" interface had a private address.

I manage a number of Avaya CM and IP500 systems running with this configuration with the ASA performing SIP inspection to manage the IP address change inside the SIP packets.
Author Comment

by:jkeegan123
@ArneLovius:  Does that affect your SIP packets in any way?  I have found that during extremely high periods of utilization, the Cisco ASA can cause SIP packets to have jitter / delay more often than when I DIDN'T have the Cisco ASA in as an intermediary device.  Also, running the inspection of SIP packets seems like it could also cause un-needed delay.  I have not made a scientific measure of these situations, this is only conjecture and observation, BUT since my PBX (ALLWORX) allows for itself to be directly on the internet via a WAN port managing its own security, I just do that.  I also use the SecPlus/DualISP feature of the ASA very often, especially when VPN's are involved...but I haven't used it in a situation like this for SIP failover.  That's why I was going with NAT'ing the edge router from one ISP to the other.  Seems complicated, but it was the only way I could think of without putting the WAN interface of the PBX in the private network.

@pergr:  Remote phones are fine, they always register with the PBX and all calls are forced through the PBX, the phones never talk to the SIP carrier directly.
Expert Comment

by:ArneLovius
I manage a site with 80 phones and an ASA 5510, and another site with 60 channels of SIP trunking with an ASA 5510, neither site has experienced any SIP issues that even slightly look like the ASA, however one site has 100mb, and the other has 500.

What bandwidth do you have? Could your jitter problems have been when you reached high utilisation on your Internet connection?
Accepted Solution

by:jkeegan123
jkeegan123 earned 0 total points
I ultimately did this with a device called PEPLINK in DROP-IN-MODE.

Given:  
(2) ISP's
(1) PEPLINK 210 (2 ISP's MAX)
(1) device that is not multi-ISP aware that is configured with a single WAN IP on ISP-1, with a default gateway of the CPE router from that ISP-1, nothing out of the ordinary.

PEPLINK has:
(2) WAN ports
(1) LAN port

Configure PEPLINK as such:
(WAN 1) - static IP on WAN 1 circuit, with default gateway and correct SNM.
(WAN 2) - static IP on WAN 2 circuit, with default gateway and correct SNM.
(LAN 1) - same IP address as the WAN IP that the device you want to protect has.
Mode:  Configure unit in DROP-IN mode.

What happens is that the device you want to protect ends up being able to use BOTH ISP's without realizing that it is doing so, in a balanced format.  I'm not sure exactly what is being done behind the scenes, but I do know that SSL/encrypted sites keep an affinity so that you do not have to re-auth unexpectedly coming from a new IP, and sites that use multicast like torrents are able to make use of BOTH ISP's at once.  Given a failure of either WAN circuit, the protected device keeps on working without missing a beat, and without reconfiguration.  

The Peplink 210 is about $1399.
Author Comment

by:jkeegan123
@ArneLovius:  Could you share an ASA config in this thread to show how to prioritize the outbound traffic with (2) links?  On SECPLUS licensed Cisco ASA 5505's I am only able to have the 2nd circuit as a cold failover, using the SLA / RTR commands.

Thanks!
Author Closing Comment

by:jkeegan123
My solution provided the most automatic way to get this done.