jkeegan123

asked on

Use an edge router to automatically failover to another ISP for devices that are not multi-ISP aware

I have (2) ISPs with a /29 network space available in each (5 usable IPs).

Behind these devices, I have (1) Firewall on one ISP and (1) Firewall on the other ISP.  These are performing NAT for (2) different LAN segments.  

I also have a PBX that has a WAN interface on ISP (1) with a LAN interface that is in LAN segment (1).  The WAN interface exists OUTSIDE of the firewall (this device takes care of its own security in its IOS).  This device is only able to have (1) IP address and only has (1) port for WAN communication.  This WAN port is used for multiple things, including:  SIP trunks, remote phones (physical phones as well as soft phones), and remote administration among other things.  

The PBX is not MULTI-ISP aware and is not able to be made aware of multi-ISP.  It does have a routing table that I am able to add static routes to, but there is no way that I can tell that would enable this ISP to be MULTI-ISP aware in the event of an ISP failure.  

Since I have (2) ISPs and quite a lot of network gear, is there ANY WAY that I can get this PBX to have a single default gateway, and get that gateway to make a routing decision of ISP 1 if ISP 1 is up, and use ISP 2 if ISP 1 is down?

There is a catch...the settings of the PBX cannot be changed in order to use ISP 2, it has to be automatic...I was thinking of trying something like this:

- Take a Cisco 1841 router and give it an IP address on each ISP
- Set the PBX default gateway to the IP address of the Cisco 1841 on ISP 1
- Set the 1841 up with a default route to ISP 1 as long as it can ping [the next hop or the core router @ ISP 1] using the SLA command/icmp reachability/route track
- Set the default route to ISP 2 in the event that ISP 1's SLA tracking fails to ping via ISP 1
- When the 1841 sends traffic out ISP 2, have it NAT the IP address using NAT OVERLOAD and the IP address from ISP 2
- Set a 1-to-1 NAT for the IP address of the Cisco 1841 on ISP 2 pointing in to the PBX, so that traffic returning OR traffic coming unsolicited (like SIP trunk traffic) always lands on the PBX, even though the traffic was sent to the public IP of ISP 2

Would this work?  It works with LAN/private IPs in this way; I was wondering if I could arrange a failover this way for a PUBLIC IP address and not a private IP.  I don't think it should matter, unless the SLA tracker comes back up in the middle of a conversation with ISP 2, and then the default route of the Cisco 1841 would change back to ISP 1.

Just so we're clear:  BGP is not an option, one of these circuits is Broadband and the ISPs will not peer with tier 2 devices.
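The six-step plan in the question, written out as an IOS configuration for the 1841. This is an added example, not something posted by the asker or by any answer in the thread. The addresses are RFC 5737 documentation ranges standing in for the two ISP /29s (192.0.2.0/29 for ISP 1, 198.51.100.0/29 for ISP 2, with the ISP gateway at .1, the router at .2 and the PBX at .3 in each), and the interface names, SLA/track numbers and probe target are assumptions, not values from the thread.

```cisco
! Added example for the failover plan in the question. Addresses are RFC 5737
! documentation ranges standing in for the two ISP /29s; interface names, the
! SLA/track numbers and the probe target are assumptions, not from the thread.
!
! ISP 1 /29: 192.0.2.0/29     gateway .1, this router .2, PBX .3
! ISP 2 /29: 198.51.100.0/29  gateway .1, this router .2, PBX's NAT address .3
!
interface FastEthernet0/0
 description ISP1 segment - the ISP1 gateway, this router and the PBX all live here
 ip address 192.0.2.2 255.255.255.248
 ip nat inside
 ! PBX -> router -> ISP1 gateway is a same-subnet hairpin. Without this the
 ! router sends the PBX an ICMP redirect pointing it at 192.0.2.1 directly,
 ! and the PBX quietly stops using the router (and therefore the failover).
 no ip redirects
!
interface FastEthernet0/1
 description ISP2 uplink
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
!
! Probe something upstream of the ISP1 gateway (203.0.113.1 is a placeholder
! for an ISP1 core address) so a dead upstream with a live CPE still counts
! as a failure. The host route pins the probe to ISP 1: otherwise, once the
! primary default route is withdrawn, the probe would succeed via ISP 2 and
! the routes would flap.
ip route 203.0.113.1 255.255.255.255 192.0.2.1
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Hold the track state for a while in each direction so one lost reply does
! not move every active call to the other ISP.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! The primary default route exists only while track 1 is up; the floating
! static (AD 10) via ISP 2 takes over when it is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! 1:1 NAT for the PBX. Outbound over ISP 2 the PBX appears as 198.51.100.3;
! anything arriving on ISP 2 for 198.51.100.3 (SIP trunk, remote phones,
! admin) is delivered to 192.0.2.3. NAT only applies between an "inside" and
! an "outside" interface, so PBX traffic hairpinning out ISP 1 on Fa0/0 is
! never translated.
ip nat inside source static 192.0.2.3 198.51.100.3
```

A few points about this design. The single static translation covers both directions for the one host, so the separate NAT OVERLOAD rule from the plan is not needed; IOS will answer ARP for 198.51.100.3 on Fa0/1 because the address sits in that connected subnet. While ISP 1 is up the router is only in the outbound path; inbound traffic for 192.0.2.3 goes straight from the ISP 1 gateway to the PBX on the shared segment. That shared segment also has to survive an ISP 1 outage: the PBX, the router's Fa0/0 and the ISP 1 CPE need to hang off a switch that stays up when the CPE or the circuit dies, or the router loses the PBX at the same moment it loses ISP 1. Finally, SIP carries the PBX's address inside its own headers and SDP, so for the ISP 2 path either the IOS NAT SIP ALG has to rewrite those payloads or the trunk provider has to tolerate a registration from 198.51.100.3 that advertises 192.0.2.3; the provider also has to accept the ISP 2 address as a trunk endpoint at all.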
SOLUTION
pergr

This solution is only available to members.
ArneLovius
I usually use a Cisco ASA to do this, it removes any "double NAT" from the equation.

With a Cisco ASA with Sec Plus licence, you can have two ISP connections and use an IP SLA to have primary and secondary.

The ASA IP SLA can manage outbound routing priorities.

As an example: your VoIP traffic is SIP trunk (so going to known destinations) and your SIP trunk provider will allow you more than one exit address. You could have all traffic apart from your SIP trunks on your primary line and the SIP trunks on the secondary line; in the event of the primary line failing all traffic would be on the secondary, and in the event of the secondary failing, your SIP traffic would fail over to the primary.

All traffic has the ASA as its default gateway. The PBX would be re-homed so that its "wan" interface had a private address.

I manage a number of Avaya CM and IP500 systems running with this configuration with the ASA performing SIP inspection to manage the IP address change inside the SIP packets.
jkeegan123

ASKER

@ArneLovius:  Does that affect your SIP packets in any way?  I have found that during extremely high periods of utilization, the Cisco ASA can cause SIP packets to have jitter / delay more often than when I DIDN'T have the Cisco ASA in as an intermediary device.  Also, running the inspection of SIP packets seems like it could also cause un-needed delay.  I have not made a scientific measure of these situations, this is only conjecture and observation, BUT since my PBX (ALLWORX) allows for itself to be directly on the internet via a WAN port managing its own security, I just do that.  I also use the SecPlus/DualISP feature of the ASA very often, especially when VPNs are involved...but I haven't used it in a situation like this for SIP failover.  That's why I was going with NAT'ing the edge router from one ISP to the other.  Seems complicated, but it was the only way I could think of without putting the WAN interface of the PBX in the private network.

@pergr:  Remote phones are fine, they always register with the PBX and all calls are forced through the PBX, the phones never talk to the SIP carrier directly.

I manage a site with 80 phones and an ASA 5510, and another site with 60 channels of SIP trunking with an ASA 5510; neither site has experienced any SIP issues that even slightly look like the ASA, however one site has 100mb, and the other has 500.

What bandwidth do you have? Could your jitter problems have been when you reached high utilisation on your Internet connection?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
@ArneLovius:  Could you share an ASA config in this thread to show how to prioritize the outbound traffic with (2) links?  On SECPLUS licensed Cisco ASA 5505s I am only able to have the 2nd circuit as a cold failover, using the SLA / RTR commands.

Thanks!
My solution provided the most automatic way to get this done.