WAN Failover Suggestions

[kidzer]

Hi folks,

Trying to work out a way to achieve WAN failover over a local DSL and WAN service that links several sites and has its own internet connection.

I believe the final topology will have a router connecting to the internet, connected to an ASA 5510 and then a router on the inside of the ASA which will have a sub-interface on the VLAN that connects to the WAN service and the 'other' internet connection which they're using at the moment.

What I'd like to have happen is to have the router on the inside of the ASA be able to have knowledge of the status of the internet connection on the outside of the ASA instead of simply sending packets to it for the internet - so that when the local internet link goes down, traffic would return to using the other internet connection.

I'm sure it can happen with the use of a dynamic routing protocol + a floating static route or something similar, but I haven't been able to work it out in my initial scribbles.

Has anybody worked on a similar solution before?

If my scribbles lead to anything I'll be sure to post it!

Thanks folks!

[Jay]

I have tried many ways to get a 5505 to do fail over and the only way I got it to work was to use a draytek 2820 with dual WAN with the ASA behind it. As we where an ISP we bonded both lines with the same IP over different carriers so when one line dropped the other picked up with the same IP (vital for ipsec)

[kidzer]

Awww no, I was about 10 minutes away from a working solution in GNS3 when it died and took my config with it...damn!

Anyway, here is the topology I'll be working with;

<The Internet>--<Internet Router>--<ASA 5510>--<Internal Router>--<LAN>

There is another router on the LAN that connects to their WAN service that has their current internet connection.

What I had was a static route on the ASA for a single IP Address on the internet (I was using 208.67.222.222 - OpenDNS) that was sent towards the Internet Router. I then created an IP SLA entry on the ASA (represented by a Router in my GNS3 lab) that ran a ping to that IP Address. Given the static route for that IP Address, it'll always go out to the internet using the local internet connection, this allows me to have something that'll always use that connection.

I also had an EIGRP adjacency between the ASA Inside interface and the LAN Router, advertising the subnet they share. The ASA side is also set up to redistribute static routes, but I've put a filter on it with an ACL so that the /32 route for that single IP Address doesn't get passed to the inside router.

The last bit I was working on was modifying the default static route on the ASA to 'track' the IP SLA, which should mean that if the IP SLA fails, the route gets removed and thus shouldn't be redistributed in EIGRP. Once I get that working I can put in a static route on the LAN Router with a higher metric than the External EIGRP Route (the default gateway pointing at the local internet connection) so that when the EIGRP one gets removed the other one will slot in.

But GNS3 failing has wound me up, so I'll try it another night!

[loki]

If you're Cisco kitted out then there are a few protocols relating to gateway load balancing.

Hot standby router protocol
Virtual Router Redundancy Protocol (not Cisco)
Gateway load balancing protocol

Now I've never actually used any of these but the last one in particular should be communicating between the routers and using a virtual mac in the same way that an NLB does, it will also load balance between the two so that you don't have a wan connection doing nothing.

I'm afraid you'll need to do some diging for more info to proceed though, sorry.

EDIT: if you're more worried about the internet links than the hardware you may be better of with MLPPP bonded lines from the internet router.

[kidzer]

Yeah - I'd thought about using HSRP between the two internet gateways on the LAN but here's why I didn't;

- The Router that connects to the WAN Provider is controlled by them, not sure if they'd be keen on doing it
- The other Router won't ever have an interface go down if its just the internet connection that drops, which is what I'm trying to protect against.

It has to be said, they never asked for this as part of the work we're doing for them - I don't think they've considered it, it's just an added thing I thought of that I'd like to be able to present.

I'll have another play with my proposed solution tonight, and see how it works out...

[kidzer]

Aha! Got it!

Annotated (and relevant sections of) config below for anybody who cares;

Code:

ROUTER CONFIG

!
! EIGRP AS 10, Advertising the subnet between Router/ASA
!
router eigrp 10
 network $SUBNET
 no auto-summary

!
! Default Route weighted higher than EIGRP
!
ip route 0.0.0.0 0.0.0.0 $SAVVIS_IP 171





ASA CONFIG
!
! ASA was represented by a router in the test, and it was an old IOS so the IP SLA stuff might be slightly different
!

!
! IP SLA to track reachability of an Internet IP (Exampe uses OpenDNS)
!
ip sla monitor 10
 type echo protocol ipIcmpEcho 208.67.222.222 source-interface FastEthernet0/1
ip sla monitor schedule 10 life forever start-time now

!
! Ensure IP SLA Test IP always goes out the local internet connection
!
ip route 208.67.222.222 255.255.255.255 $INTERNET_ROUTER_IP

!
! EIGRP AS 10, redistributing Static Routes. /32 route filtered from Routing Updates
!
router eigrp 10
 redistribute static
 network 172.16.0.0 0.0.0.255
 distribute-list EIGRP_Redistribute out
 no auto-summary

!
! ACL for Route Filtering
!
ip access-list standard EIGRP_Redistribute
 permit 0.0.0.0
 deny   any

!
! IP SLA tracking 
!
track 10 rtr 10 reachability

!
! Default Route to the internet tracking the IP SLA Tracking Object
!
ip route 0.0.0.0 0.0.0.0 10.20.10.2 track 10

I'll admit, my knowledge of route redistribution isn't the greatest but I'm finding it odd that the static route on the router only falls behind the EIGRP route when I increase the metric to at least higher than 170, the administrative distance of an External EIGRP route. Seems strange to me, but it works!

[badass]

Aha! Got it!

Annotated (and relevant sections of) config below for anybody who cares;

Code:

ROUTER CONFIG

!
! EIGRP AS 10, Advertising the subnet between Router/ASA
!
router eigrp 10
 network $SUBNET
 no auto-summary

!
! Default Route weighted higher than EIGRP
!
ip route 0.0.0.0 0.0.0.0 $SAVVIS_IP 171





ASA CONFIG
!
! ASA was represented by a router in the test, and it was an old IOS so the IP SLA stuff might be slightly different
!

!
! IP SLA to track reachability of an Internet IP (Exampe uses OpenDNS)
!
ip sla monitor 10
 type echo protocol ipIcmpEcho 208.67.222.222 source-interface FastEthernet0/1
ip sla monitor schedule 10 life forever start-time now

!
! Ensure IP SLA Test IP always goes out the local internet connection
!
ip route 208.67.222.222 255.255.255.255 $INTERNET_ROUTER_IP

!
! EIGRP AS 10, redistributing Static Routes. /32 route filtered from Routing Updates
!
router eigrp 10
 redistribute static
 network 172.16.0.0 0.0.0.255
 distribute-list EIGRP_Redistribute out
 no auto-summary

!
! ACL for Route Filtering
!
ip access-list standard EIGRP_Redistribute
 permit 0.0.0.0
 deny   any

!
! IP SLA tracking 
!
track 10 rtr 10 reachability

!
! Default Route to the internet tracking the IP SLA Tracking Object
!
ip route 0.0.0.0 0.0.0.0 10.20.10.2 track 10

I'll admit, my knowledge of route redistribution isn't the greatest but I'm finding it odd that the static route on the router only falls behind the EIGRP route when I increase the metric to at least higher than 170, the administrative distance of an External EIGRP route. Seems strange to me, but it works!

Ninja!

[Jay]

lol

nice work!