Multiple ISP failover / Multiple 2811 Routers 3

captnops

IS-IT--Management
Feb 12, 2003
141
I have two 2811 Routers and four ISP circuits (from separate ISPs). I am interested in setting these up to load balance in/out traffic and also to have hardware and/or data circuit fault tolerance. These

I have reviewed the following information:



and I am left with the following questions:

1. Does the config have to be the same on each router (with the interfaces/settings on each reflective of the other)?

2. Is using SLA and OER the best way to accomplish my goals?

Any help is greatly appreciated.
 
If you already have these in place, what are you doing now? I'm assuming that you:

1. Have your own ASN
2. Run eBGP with your ISPs
3. Run iBGP between your border routers

Is that true?
 
Thank you for the help.

I do not have my own ASN and do not run eBGP.

I currently have a single 2811 with multiple vwic t1 cards.

I am attempting to provide some hardware and circuit redundancy by adding a second 2811 and splitting the circuits between them (2 T1's to one, two to the second). Our T1's are pulled from different vendors and CO's for geographic redundancy and as such have different public IPs.

If in the middle of all of that, I am able to load balance all traffic between them, then that would be a bonus!

Thanks again

Todd
 
How does your router choose which ISP to route to? Are you just doing a sort of per-destination load sharing?

If you want to have multiple routers and multiple ISPs with dynamic failover and reasonable load sharing, BGP is a good way to do it. You would have to get your own ASN, which means you have to have your own address space, a /24 at a minimum. Anything smaller than that and it's a pointless exercise.

There are hardware vendors that provide similar functionality without having to run BGP. They have their own sets of pros and cons, but I think it's something you should look into.

The one I remember off the top of my head is FatPipe Networks. There are others, but they're slipping my mind at the moment.
 
Currently, that router only TX/RX on a single T1 with it being necessary to manually fail over a down circuit or router.

I have no need for BGP (rather for a 24 sub of addresses), plus I need to have geographic diversity as we are a call center and cannot afford downtime. That is the reason I have pulled T's from multiple vendors.

The links I referenced earlier seem to indicate that my goals are possible, but having never done it that way, I am unsure of how to proceed.

Thanks
 
Well, you don't have too many options if you want multirouter, multi-ISP Internet connectivity with failover between ISPs. I've given you the two most feasible options. In my opinion, at least.

If you want to avoid having to run BGP, find out if one of your ISPs offers geographic diversity on their circuits. I used to have multiple T1s through Sprint at one site, but one was homed to Cheyenne and the other was homed to Tacoma. This will be far easier for you if you stick to one ISP.
 
Captnops-

Best practice for what you are looking to do is to implement BGP. BGP is specifically designed for connecting to multiple service providers and will provide you a scalable solution. If you aren't sure how to do this, I would recommend reaching out to a Cisco partner and getting some assistance in this.

Talk to your service provider to get the paperwork for an ip address block and information on obtaining your BGP ASN. There really isn't a scalable alternative that is going to work here without BGP. OER will help you with tuning BGP once you have it up (it won't do you a lot of good until then). In case you are wondering - BGP ASN's are not that difficult to get today (it can be time consuming but it isn't difficult to qualify).

Good luck,
Joe
 
Thanks for the additional information. My problem is that we are a relatively small company and would have no need for 256 public addresses and would probably not qualify for an ASN.

Thank you both for the help, but BGP does not appear to be a good fit right now.
 
Are you hosting web servers that need to be accessible from the Internet? If not, one of those load-sharing devices like the one from Fatpipe might work great for you.
 
I do have web servers that need to be accessible from the web and perhaps there is no easy (router based) way to load balance for in/out traffic on all circuits.

What could I do to ensure router to router failover in the event of a router failure and ensure that all traffic routes out the second router automatically?

Is it possible to load balance circuits on a single router?

Thanks
 
Outbound load-sharing is fairly simple depending on your design.

    A       B
     \     /
      \   /
       \ /
        C
        |
        |
        |
    [internal network]

If routers A and B have internet connectivity, connect their LAN ports to Switch C. Then run HSRP or VRRP between them and then configure the virtual address as the default gateway for your internal hosts.

This creates problems for inbound access, though. Let's say you have two ISPs with a small range of addresses from each. If you're using external DNS to reach your internal servers, it does you no good to have two ISPs. If one link to one ISP is down, no one will be able to access your servers because the DNS entry resolves to an address that is no longer reachable even though you have access through your second ISP.

That's what BGP buys you. It allows you to advertise a consistent address space to the Internet.

Based on what you've said so far, I really don't think you should go with multiple ISPs. You'd be far better off using a single ISP and multiple circuits with geographic diversity.
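The two-router HSRP design from the post above, combined with the IP SLA tracking asked about elsewhere in the thread, sketched as IOS configuration. This is an added example, not part of the original thread: all addresses, interface names, group and object numbers and the key string are placeholders, and it assumes one circuit per router and IOS 12.4(20)T or later syntax.

```cisco
! ===== Router A (circuit to ISP 1 on Serial0/0/0) =====
! Probe an address that is only reachable through ISP 1 (placeholder).
ip sla 1
 icmp-echo 192.0.2.1 source-interface Serial0/0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Track object 10 goes down when the probe stops getting replies.
! Older 12.4 trains use "ip sla monitor 1" and "track 10 rtr 1 reachability".
track 10 ip sla 1 reachability
!
! Host route pins the probe to this circuit; default route for user traffic.
ip route 192.0.2.1 255.255.255.255 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
interface FastEthernet0/0
 description LAN side, connects to switch C
 ip address 10.0.0.2 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt
 ! Authenticated hellos: only a router holding the key can become active.
 standby 1 authentication md5 key-string EXAMPLE-KEY
 ! Probe failure drops priority to 90, below router B's 100.
 standby 1 track 10 decrement 20
!
! ===== Router B (circuit to ISP 2 on Serial0/0/0) =====
ip sla 1
 icmp-echo 198.51.100.1 source-interface Serial0/0/0
 frequency 5
ip sla schedule 1 life forever start-time now
track 10 ip sla 1 reachability
ip route 198.51.100.1 255.255.255.255 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
interface FastEthernet0/0
 description LAN side, connects to switch C
 ip address 10.0.0.3 255.255.255.0
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 ! Preempt lets B take over as soon as A's priority falls below 100.
 standby 1 preempt
 standby 1 authentication md5 key-string EXAMPLE-KEY
 standby 1 track 10 decrement 20
```

Internal hosts use 10.0.0.1 as their default gateway; `show standby brief` and `show track 10` show which router is active and whether the probe is up.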
 
As far as the DNS entry for web access is concerned, I could create internal name servers to route the traffic effectively if a single public circuit goes down (although clearly not the best solution).

Using HSRP and SLA's would enable me to failover between routers, is that correct?

Is there any way to failover individual circuits within a single router from an internal to internet point of view?

btw.. thanks for the help... it's been a long time since my last hands-on config.

 
I've done something similar in the past with HSRP, but I was also using BGP externally, so that's not a great example.

On a single router, you can use equally weighted default routes pointing out each circuit, then use per-destination load sharing. You don't want per-packet load sharing in that situation.

Outbound load sharing is fairly simple to control. Inbound load sharing is far more difficult to control. That's why I don't call it load balancing. There really isn't such a thing, especially inbound on the Internet. The best you can hope for is somewhat equitable load sharing, but you'll never get them balanced.
 
I have made a few blog entries to get SLA and OER working. Your issue will be with inbound traffic failing over. A lot of ISPs ignore the TTL on DNS entries and cache them for quite a while. The FatPipe device will do nothing more than your routers and a DNS server could do. It is pretty easy to set it up so that you can utilize both connections inbound at one time. The difficulty is getting the user's browser to select the correct connection when one of them is down. Now that I am thinking about it, I think I have an idea brewing.... more to follow on that later. To get you started here is my page
Shawn
 
wingatesl

Amazing posts on your blog. I love the depth. That is how a guide should be written. That certainly gets another star.


Brent
Systems Engineer / Consultant
CCNP, CCSP
 