Discussion in 'Cisco' started by D, Nov 12, 2003.

  D

    D Guest

    I need to get this network design out and tested in two weeks. Hope
    the experts on the list can help me.

    The company I work for wants to find out whether we could replace our
    current T1 link with two redundant links at about the same cost or
    less. We are thinking about using a TimeWarner cable and a DSL ISP to
    achieve this. I know this is a very rudimentary type of redundancy and
    load balance.

    1) a single T1 from Qwest (no offense to the Qwest experts on the
    list) through SouthWestern Bell. Corporate network is NATed through
    two PIX 515e w/ failover, which then connect to a Cisco 2600 to the T1

    2) we currently use a Class C space from Qwest. DNS is outsourced to
    Verisign. We do own a Class C network, but we will have a problem using it
    in our redundant design because the two ISPs we talk to either refuse
    or are extremely discouraging to BGP with us.

    Here are my lab scenarios and problems I have found:

    1. Load balance outgoing traffic.
    Default route on the PIX points to a single Internet router which has
    an Ethernet port going to the cable ISP and another to the DSL ISP.
    Two equal-cost static default routes are configured on this router.
    CEF is turned on by default for per-destination. The outgoing traffic
    (already NATed at the PIX) is NATed again at outgoing Interface it
    chooses. So far, no problem, except for fault-tolerance.

    2. Load balance incoming traffic
    We need to have public access to our web server, VPN concentrator,
    Email service, and Citrix Secure Gateway. Each of these will have to
    have a static public IP assigned from each of the two ISPs. We then
    need to create redundant entry through Verisign DNS service and
    hopefully can assign a short TTL to them for DNS Round-Robin.

    1) on a single router, there can be only one static translation for
    each of these public servers. These servers' outgoing traffic can only
    go out through one ISP. So the connection may break because the source
    IP in the responding traffic may be different from the Dest. IP of the
    incoming traffic.

    2) if I use a different router for each ISP connection and a 3rd router
    w/ two default routes between these two Internet routers and the PIX, a
    connection request may come in through the cable connection and the
    response may be NATed through the DSL connection, thus breaking the
    session again. Is there any way that the 3rd router will keep a
    stateful table to correlate the incoming connection and outgoing
    response with a certain route?

    3. Fault-tolerance
    1) The single Internet router is a single point of failure. If we use the
    aforementioned scenario w/ two Internet routers and a 3rd one pointing
    to the two, we could turn on HSRP between the two. Since HSRP doesn't
    load-balance, I guess we could create two HSRP groups with each router
    being the active in a group and have the 3rd router load balance
    between the two virtual IPs. It may be better for all three routers to
    dynamically exchange routing info to detect link problems faster.

    2) Problem: the Internet router(s) do not link directly to an ISP
    router but to the cable/DSL modem. So if anything upstream beyond the
    modems goes down our router(s) won't be able to detect it. If one ISP
    goes down this way, approximately 50% of our outgoing packets will be
    dropped, resulting in intermittent connection problems.

    Remedy: we will have to find a netmonitoring program or script that
    will constantly ping the upstream routes and inform us when one ISP
    connection goes down, or even better, automatically logon to the
    router and take that default route out temporarily until it's back up.

    I know each of you is extremely busy and I apologize for this long
    message. I tried to get some help at the CCO forum and only got one
    response so far.

    Appreciate it immensely for your response in advance!
    D, Nov 12, 2003
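The "remedy" above, the watchdog that pings beyond the modems and withdraws a dead ISP's default route, as an added example that is not part of the original post. It assumes a `probe(link_name, target)` callable supplied by the deployment (wrapping a system ping sourced from that link's interface, or a router probe result) and uses consecutive-failure and consecutive-success thresholds so a single lost echo does not flap the route.

```python
import logging
from dataclasses import dataclass
from typing import Callable, List, Optional

log = logging.getLogger("isp-watchdog")


@dataclass
class IspLink:
    name: str
    probe_targets: List[str]    # addresses beyond the modem: ISP gateway, ISP DNS
    next_hop: str               # next hop of this link's default route on the router
    fail_threshold: int = 3     # consecutive dead cycles before declaring the ISP down
    recover_threshold: int = 5  # consecutive good cycles before restoring the route
    failures: int = 0
    successes: int = 0
    up: bool = True


def poll(link: IspLink, probe: Callable[[str, str], bool]) -> Optional[str]:
    """Run one probe cycle for a link.

    probe(link_name, target) must send the echo out that link's own interface,
    otherwise the reply path says nothing about this ISP. The link counts as
    alive if any target answers. Returns the IOS command to apply to the
    Internet router when the link changes state, otherwise None.
    """
    alive = any(probe(link.name, target) for target in link.probe_targets)
    if alive:
        link.failures, link.successes = 0, link.successes + 1
    else:
        link.successes, link.failures = 0, link.failures + 1

    if link.up and link.failures >= link.fail_threshold:
        link.up = False
        log.warning("%s: upstream unreachable, withdrawing default route", link.name)
        return f"no ip route 0.0.0.0 0.0.0.0 {link.next_hop}"
    if not link.up and link.successes >= link.recover_threshold:
        link.up = True
        log.warning("%s: upstream back, restoring default route", link.name)
        return f"ip route 0.0.0.0 0.0.0.0 {link.next_hop}"
    return None


def run_scenario(link: IspLink, cycle_results: List[bool]) -> List[str]:
    """Replay a constructed sequence of per-cycle probe outcomes (True = echo
    answered) and collect the route commands the watchdog would issue."""
    commands = []
    for outcome in cycle_results:
        cmd = poll(link, lambda _name, _target, o=outcome: o)
        if cmd:
            commands.append(cmd)
    return commands
```

In a real deployment the returned command would be pushed to the router (e.g. over an SSH session) and the two `IspLink` objects polled on a fixed interval; the next-hop addresses in the test below are constructed documentation values.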
  chris

    chris Guest

    The answer to your problem lies in PBR and two separate NATs. There you go.
    chris, Nov 17, 2003
