Redundant outbound internet traffic

[w33mhz]

What is the best way to setup a failover for my internet traffic. I have a couple different ISP's, one with a cisco PIX 515e hosted at the ISP and an Adtran NetVanta 4305 at our site. The other is a is connected via an ASA 5520. The primary outbound traffic I would like to go out the ASA and if that serivce were to go down I would like to failover to the Adtran connection. I am not really sure what I need to do, currently I just manually change a static route on my core switch and proxy server. Most of my inbound traffic comes in via the PIX and Adtran connection.

 

[unclerico]

So beyond the failover configuration is your idea to have traffic coming inbound over one connection and outbound over the other connection?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[w33mhz]

well incoming and out going can use the same connection, but I need to have them failover to a different connection. The incoming I believe will be a separate issue that will need to be addressed, but I am just focusing on the outbound internet traffic. I was thinking of something like vrrp, but I think that will only help in case of local device failure not if the connection drops, so I would think I would need to use a dynamic routing protocol, where as now i just have static routes and I just manually change them. I am not sure what to use.

 

[burtsbees]

Well, the way to do this in the same device would be to make a floating static route as the default route. Since both devices are up, I would imagine you would have to manipulate the nodes in some way, maybe with a script, to rewrite their own gateways in case of the one they use presently went down...

Burt

 

[unclerico]

Does your core switch act as the default gateway for your VLAN's?? As for incoming traffic, do you have have devices that are NATted to ip's hanging off of the Adtran/PIX connection??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[w33mhz]

For most of my VLAN's yes my core switch is the gateway. How do I setup a floating static route?

 

[unclerico]

Super easy. On your core switch (assuming it's a Cisco):

ip route 0.0.0.0 0.0.0.0 <next_hop_ip>
ip route 0.0.0.0 0.0.0.0 <secondary_next_hop_ip> 10

The first entry installs the default route with the normal administrative distance of 1. The second entry installs a secondary default route with an administrative distance of 10. The first route will be preferred due to the lower AD.

You could also tackle this by utilizing IP SLA's but it may be overkill in this scenario.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[w33mhz]

OH, ok, floating static route is just a fancy name for using metrics. I just haven't had good luck using those at times. Anyways, we did a little restucturing and figured out a different way. We conlidated to 1 ASA 5520, for both ISPs, a separate interface for each ISP, then we setup a static route with a tracker that basicly pings the next hop IP address of the primary ISP, then once it loses a ping it fails over to the other interface. This also allows us to route based off of if our ISP's internet traffic goes down but the next hop interface does not, we just add another tracker IP address passed their network, like to an externally hosted DNS server.