Best Practice for Network setup with two separate ISP/WANs with Cisco Hardware

Hi gurus,

I have an existing network consisting of 1x Cisco ASA 5512-x firewall, a Cisco Catalyst 3560 (w/ ip services image), and a few Cisco Catalyst 2960 switches.

I have one existing 60mb fiber internet connection and just recently added a second 100mb fiber from a different provider.

I also have a spare Cisco ASA 5510 and Cisco 1921 router on tap.

I want to be able to load balance and direct incoming/outgoing traffic between the two ISPs but I need guidance on what the proper topology setup should be to give me full control while adhering to best practices.

Some of the configurations I want to achieve are:

1) load balance incoming traffic between the two separate ISPs for published connections, i.e. voip, smtp, and web
2) load balance and redundancy for outbound internet traffic for LAN users
3) direct specific devices and protocols to either ISP service

Off the top of my head, I'm assuming the proper setup would be to have both ISPs connected to a Cisco router, followed by the ASA 5512-x firewall, then the network, per below diagram:

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Do you have a /24 assiged to you by one of the ISPs?  Do you have your own ASN?

Inbound traffic can only be load balanced in one of two ways:

1) Having your own ASN and using BGP with the two ISPs.  In order to get an ASN, you have to have a /24 assigned to you by one of your ISP's.

2) DNS round robin.  Assign two IP addresses, one from each ISP, to the same host name.  Then your DNS server will rotate which address it hands out when a query is made.  However, if one of the Internet links goes down, then every other DNS request will still hand out that IP address, which connection requests will fail because the link is down.
Unless you have your own IPS you can not load balance incoming traffic since your wan side will differ based on the provider.  The loadbalancing you can achieve is DNS load balancing where each host that is externally accessible will have two IPs one from each provider.

With that said you can achieve outgoing traffic control through policy based routing and weighted routes i.e assign paths to

As to your device based designation suggests you VLan based on devices each has to have weighted paths, as long as primary path is available when it is not available the fallback will take over.
jetli87Author Commented:
Hi thanks for the response.

Both ISPs have a /28 public IPs assigned.

Yes I'm aware that my two options to load balance would be via BGP peering or DNS round robin.  With load balancing aside, if I wanted to manually direct/map inbound traffic to either ISP connections to the same internal host, what would be the best network topology setup, i.e. internal LAN host @, mapped externally to ISP1 Pub IP and ISP2 Pub IP
Need More Insight Into What’s Killing Your Network

Flow data analysis from SolarWinds NetFlow Traffic Analyzer (NTA), along with Network Performance Monitor (NPM), can give you deeper visibility into your network’s traffic.

You will need to verify that ASA will allow you to map two different public IP addresses to the same internal address.  It has been a few years since I worked with ASA so I can't remember if you can.

Since you have just /28's that means you can get your own ASN, so BGP is out.  That leaves you with the less desirable DNS round robin load balancing.

Arnold's comment on using PBR is spot on.
There is necessity to alter anything on your lan in terms of IPs.

Neither ISP will agree to have their /28 rebroadcast through a different provider nor will they agree to broadcast the other's IPs. As was said, the only incoming available to you is DNS loadbalancing, as for VPNs  you I'll have to define two if using site to site.

Presumably. You would want high cost traffic to go over low cost provider it is either determined by the service or destination.

the routing policy will be governed on the 1921 you could use the 1921/asa combination to deal with route advertisement.........
Daniel SheppardSenior Network Analyst - Core & PerimeterCommented:
The topologymap you have will work.  Your 1921 will have to do policy based routing, and NAT.

That said, I don't think it will handle 160 Mbps with both of those enabled.

You will be lacking horsepower and will bottleneck at the router.

The ASA cannot intelligently route traffic, you would be stuck with a single static route. With a backup route if the primary fails.  You can map two public IPS on the ASA, but you can only route out one interface.

In short, not 100% possible with the equipment you have.
jetli87Author Commented:
Thanks Daniel.  What additional equipment would you recommend?
I would suggest you go ahead and start with the 1921.  I think that forwarding only it can get close to 200 Mbps, so true it may not handle 160Mbps with those services enabled, but how many times are you going to max out both links at the same time?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.