Cisco WAN :: Internet Failover Via MPLS 2821 Router?
Jun 13, 2012
Currently I'm looking for a way to failover our internet connection from one site to another site over our MPLS line, should that internet connection go down.
My layout: Internet > Cable internet modem (Site B) > ASA 5510 (Site B) > 2821 Router (Site B) > MPLS Line > 2821 Router (Site A) > ASA5510 (Site A) > ISP provider internet router (Site A) > Internet
Facts:Site B is the one with the internet issues.The MPLS line is routed using BGP. [URL]
Most of my remote site is running MPLS primary (2821) and DMVPN (881) as a backup solution..Some of my sites run MPLS primary on 2821 and site to site as back up on 881 router.. MPLS here means the router that connected me to MPLS cloud of provider, not running any mpls..it is easy that way for us..
When MPLS is down,
The way s2s tunnel gets triggered is via HSRP on LAN i.e, the HSRP VIP is served by the 881..At the far end data center, the MPLS route of remote site is purged out, there is static route with higher admin distance will get into routing table.
Remote site A LAN----- MPLS Router-----MPLS cloud-------MPLS router----------------Data Center LAN Remote site A LAN----- DSL Router-----internet cloud--------Data center ASA----------Data Center LAN
In the MPLS plus s2s model, I often get into problem...the problem is how do I manage the 881 router via snmp, ccm , tacacs or any other management tools? There is a routing issue in hand that I canno route to and from to the mgt address of DSL. I cannot reach the loopback or mgmt vlan of the DSL router when the MPLS is active…but this will disallow all the management stuff we do on the DSL router.
I am putting together a solution for a client. The client has an MPLS circuit and internet as a backup circuit. I understand that we can do WAN failover using ASA5510 appliance.Now, if i am adding dual ASA5510 active/standby mode, How do i automatically failover WAN circuits to standby firewall if both MPLS and Internet circuits are connecting to primary ASA5510. Should i connect MPLS circuit to ASA1 and Internet circuit to ASA2? Ideally, i want both circuits to connect to primary ASA5510 for automatic WAN failover. My concern is , if the primary ASA5510 fails which has WAN and Internet circuits connected , do i need to manually switch connection from primary to standy? The goal is to fully automate wan failover and asa failover .
We have multiple cisco routers and most of them have dual WAN connections thru different ISPs. So, we use IP SLA monitor with tracking object s to monitor each ISP availability/reliability and switch routing accordingly ( by IOS). So far, it has been working ok. However, recently, we had some ISP high latency and the connection to one ISP will be so slow but the IOS keep seeing it as UP, thus sending traffic thru it. So, I tried to change around the threshold numbers around with no luck. Is there any configuration/commands or tricks that can do the job here? I don't want the users to be the one to detect the Internet slowness and have me manually shut down an interface or change the static routes metrics. here is a sample of my config:
ip sla 1 type echo protocol ipIcmpEcho x.x.x.x isp 1 gateway threshold 3 frequency 5ip sla monitor schedule 1 life forever start-time now ip sla 2 type echo protocol ipIcmpEcho x.x.x.x isp 2 gateway threshold 3 frequency 5ip sla monitor schedule 2 life forever start-time now
I have an issue where we have a single ASA5505 [soon to be active/standby with single ISP] connecting to HQ where there are 2 x Cisco 2821's. Each 2821 router has it's own connection to the internet running BGP and each router is setup to terminate IPSEC VPN's from the ASA. The ASA has a backup VPN configuration with no IP SLA configuration to track if the Primary IPSEC endpoint is alive. Keep alives are set and the VPN does failover to the backup.When the primary 2821 internet connection fails the ASA fails over to the backup 2821 and everything works a dream. However when the primary internet link re establishes to the primary 2821 the ASA does not fail back to the primary 2821 it stays on the backup 2821 and all is broken as the remote site starts forwarding traffic out the BGP default route - which is back via the primary connection...How do I fix this so that the ASA tracks the IP of the primary router to failback without manual intervention - clearing isakmp and ipsec sa's?The other issue is the ASA does not allow traffic to be orignated from the 2821 end of the VPN. You have to establish traffic from behind the ASA for the IPSEC sa to be created.
The MPLS connection is currently down, I'm trying to run a failover Site-to-Site VPN over the internet. All of the examples I've read have both connections involved in the failover coming out of one device. Since I'm not working that way, what is going to be the best way to failover? Do I need to set up some sort of IP SLA in the config? Or can I somehow weight routes in EIGRP in a way that the connection will failover from Internet to MPLS when the MPLS goes down and vice versa when the MPLS connection comes back up?
I'm a bit perplexed atm with trying to set up multiple failover routes on a 2821 router. Let me say that I have more experieince in a switched network as routing is seldom required where I work atm. Here's my problem. I have a routing table set up as follows but only the primary routes work. The failover routes will not kick in once the primary route is not there.
ip route 10.32.11.0 255.255.255.0 128.32.8.11 ip route 10.32.11.0 255.255.255.0 128.32.24.11 100 ip route 10.32.12.0 255.255.255.0 128.32.8.12 ip route 10.32.12.0 255.255.255.0 128.32.24.12 100 ip route 10.32.14.0 255.255.255.0 128.32.8.14 ip route 10.32.14.0 255.255.255.0 128.32.24.14 100
Ip addresses are not exact but it gets the point across.
Why the failover routes are not failing over? The failover routes work if I remove the primary route from the config.
i m planning to use the 2921 router for both mpls and internet connection , to 2 different isp also am planning to use bgp with a public providor independant
I am sitting on Internet and want to copy IOS Image to router. I can SCP, itu authenticated to Router but ends with a message "host is not communicating for more than 15 seconds".
Router : Cisco 2821 Current IOS: (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1.
I am looking for a simple router recomendation for multihoming dual 100Mbps internet connections with BGP routing. What are the current best practices regarding required resources for the full Internet BGP routing table? We were thinking of specing a 3945 for this application, but is that overkill? The customer has a 2821 that is not in use, I'm thinking this would be too slow for Internet BGP routing combined with the 100Mbps line speed.
What is the best way to monitor an Internet Edge router from the Internal network behind the Firewall?We want to pull more information from the edge router like netflow. We can use SNMPv3 and ACLs to keep the router secure.
But I am looking for the best config to keep both the router and firewall as secure as possible while still allowing us to monitor performance and faults.I am running an ASA and a 2821.
I wanted to configure failover internet between two routers Cisco 3800 Series. Each router is connected to an ISP. I have configured HSRP protocol on my interfaces and my HSRP configuration works well. I want to configure my routers to switch my internet traffic in case of failure. For example,if the first ISP internet connection fails, traffic will switch at the second ISP. I want to know how I should proceed to do this.
configure a router 1812 as failover, I walk with fixed ip internet link in Fe0 (need to determine the mac) and a dynamic ip link in FE1, other ports with a single vlan dhcp 172.20.16.1
I managed to do DHCP, connect to internet, to make nat vlan. But I could not do failover and load balance neither.
I am setting up a lab network to emulate our production network and am using a single 2851 to emulate both my MPLS provider (only running BGP, not actually running MPLS) and our ISP that we use for our DMVPN secondary network.
Because I am using one router to function as both service providers I am running VRF's to keep the routing tables separated. So far basic connectivity works fine, I can ping from the PE 'MPLS' VRF to the data center CE interface and the ISP side is working as well.
Pinging across the ISP VRF lab-isp#ping vrf TW 66.193.134.46Type escape sequence to abort.Sending 5, 100-byte ICMP [code]...
BGP is up from both the data center MPLS CE and the data center internet router. BGP on the data center internet router: lab-dc1-inet#sh ip bgp summ BGP router identifier 66.193.134.46, local AS number 33415 BGP table version is 4, main routing table version 4 [code]...
BGP on the data center MPLS CE lab-dc1-1#sh ip bgp summ BGP router identifier 10.152.1.250, local AS number 65000 BGP table version is 2, main routing table version 2 [code]....
This is my first attempt at using VRF's in this fashion and could have easily missed something or used a config that is not necessary.
Here is the configuration on the MPLS PE/Internet router. ip vrf CL rd 1:1 route-target export 1:1 route-target import 1:1 [code]....
I am working for a company based in Sydney Australia, the company recently open an office in London UK, therefore we are going to get leased lined based on MPLS.We were advised that Customer Edge router will be CISCO1941/K9. We want to our UK client to access our web-based applications via MPLS network instead of internet. The UK office is using BT Business ADSL with 5 Static IP address (please note the modem IP address is actually dynamic), we are going to get a Cisco 857/K9 router which will be used for the entry for the UK client to access the MPLS network. My question will be how do I configure the Cisco 857 router to allow one of the public ip to access the MPLS network. It appears that there are two options, and I am not sure if this is going to work or which one is working better. I have attached two diagrams for clarification of my case.
Option 1 Cisco WAN interface get Dynamic IP (PPPoA) from BT LAN Interface (4 Port) get the assigned 5 Static IP addresses One of the five IPs (217.xx.xx.169) will be assigned to the FE1 (Cisco 1941), any traffic to 217.xx.xx.169 will be routed to the WAN interface of Cisco 1941 to access Sydney service (located in Sydney LAN, mostly http and https traffic) One of the five IPs to 217.xx.xx.170 will be assigned to the WAN interface of Sonicwall Firewall Router which also serve as Internet Access Gateway for LAN users, All trafiic destined for Sydney LAN will be using FE0 (Cisco 1941) as gateway Option 2Cisco WAN interface get Dynamic IP (PPPoA) from BT LAN Interface (4 Port) will get 192.168.0.1, Cisco 857 router will be the default gateway for LAN users, using one to many NAT, also one to one NAT, One of the five IPs (217.xx.xx.169) will be forwarded to the FE0 (Cisco 1941), any traffic to 217.xx.xx.169 will be routed to the WAN interface of Cisco 1941 to access Sydney service (located in Sydney LAN, mostly http and https traffic)
I need to confirm internet access from remote network through MPLS cloud to another site. Let me explain. We have a MPLS network with Wind stream as listed in the visio drawing; site 1 has internet access through the Time-Warner cloud for all users. Site2 has internet access through the Wind stream MPLS router. Site three has no internet access, and only has LAN access layer2 through Windstream routers to Site1 for networks 192.168.0.0/24, 10.1.1.x/24. My question is can we give everyone at Site 3 internet access through the MPLS network down into Site 1 using the Time-Warner ISP cloud.
I placed routes on the Site 3 3750 stack IP route 192.168.50.x 255.255.255.0 to the interface of the MPLS router at site3, then at site 1 we have IP route 192.168.50.x 255.255.255.0 to the MPLS interface, and able to ping all anything on the 192.168.50.0 network. I added the IP route 0.0.0.0 0.0.0.0 192.168.50.x the MPLS router interface, we do not have internet access at Site 3 using Site 1 network.
I confirmed at Site 1 from the Cisco 3750 switch we can ping 4.2.2.2 = Google. How to confirm this will work and what’s required to complete this connection to give everyone at site 3 internet access through Site 1 Time-Warner.
I have Cisco 2821 router, using it to learn various features. I just recieved this router recently. I wanted to connect it to my cable modem so I can access the outside world. Also when I overload a new interface comes up NVI0, which is nat vertual interface, but anyways.
I have an IPSec VPN and NAT configured. Return traffic from an internal NAT host seems to be blocked by the WAN inbound ACL. What is the proper way to allow return traffic from the Internet for this internat NAT host? Note: As a test, removing the deny entry on the WAN ACL allows return traffic.
I currently have a 150 nodes MPLS network. My management is anxious to join some sites with 3G routers as their centres move around a lot.My current MPLS site as 4 x Ps with lots of PEs linking to the 150 x CEs. Is there a way to easily link up my 3G routers to my MPLS network? I have heard DMVPN may be a solution, but not sure how to implement.
I have some Cisco 2651 routers, I was trying to implement MPLS on those routers, Can i accomplish this upgrading newer IOS version? link to download the supported IOS.
Can Cisco2951 work as an MPLS router. If yes what will be needed to make it function as an MPLS router? Else which alternative router can function as an MPLS router.
I have 3 locations connected with MPLS connectivity … 2 mbps , 2 mbps branches and 4 mbps and I have Cisco 1841 router ?Last few days I am facing problem that Cisco 1841 router’s Lan port suddenly stop working and connectivity get disconnected.In this stage branch offices can reach up to CISCO 1841 WAN port.
( I have changed 2 different router assuming router problem but issues remain same, Hence No hardware problem )
I wanted to get some opinions on the topic above. We are purchasing MPLS services from a large ISP and they offer a managed router option. I will also have a Cisco ISR 2900 at each site running SRST for my voice system. I have some experience with BGP and am not scared at all to support it if need be. That said, I am currently looking at pros and cons of going with a managed router from this company vs managing my own. Actually, I will manage my own regardless and would just plug it into the managed router. My router is perfectly capable of handling the BGP protocol but I am hoping that I can get some opinions from all of you.
i just want to administor cisco ASA5520 and cisco router mpls 1900 can some tell me as admin what to check as u get into office /reguraly in cisco asa 5520 and vpn mpls router for administrator ,right now its working as configured by supplier for remote sites to connect HQ and access several server,My interest to know what are the basic day to day checkup on cisco asa5520 working as ips and cisco asa 5520 working as content filtering and cisco vpn mpls
I am looking at running MPLS from from one datacentre to the other (we have a layer2 interconnect and can run jumbo frames) I need about 70 access ports (each in a seperate VRF) at the new datacentre
I am looking at :
2x 6503'-Es with sup720-3B and a 48x port linecard or 2x 7201 router with 2x 2960-S layer 2 access switches.
We are planning on moving towards MPLS. I want to test a MPLS capability with Cisco 1841 Router and a HWIC-4ESW. Is it possible to use the MPLS withe mentioned devices?
I'm looking for Routing Design scenarios to complete our configuration needs for remote branches. We will have two 1921 routers in each location, one with a T1 from our MPLS carrier, the other with a DSL connection from an ISP. The T1 router will have an assigned AS and use BGP to router back to head quarters. The DSL router will have an IPSec tunnel back to an ASA 5510 at head quarters. I envisions a GRE tunnel from the DSL router back to head end routers connecting to MPLS at head quarters. Not sure yet how to manipuate the routing between head quarters and the branches such that the T1 router is the primary route to and from the branches and the DSL router is for failover/backup.
sample configuration for internet failover . i have 2 ISPs with one coming in thought a serial cable and another through internet and would wish one take over after the other has failed .The router is Cisco 1921 .
There are four figures(A,B,C,D) shown in attached diagram.my aim to achieve wan side failover, mean to say, if one ISP or Router goes down, the other should still be reachable.
Cisco 2960 = L2 Switch Cisco 3560 = L3 Switch
Here I am discussing only two redundancy methods i.e Floating Static route and IP SLA. There are following questionnaires related to attached diagram given below
Figure A: 1. Floating static route (Yes or No) 2. IP SLA (Yes or No) Figure B: 1. Floating static route (Yes or No) 2. IP SLA ( Yes or No) Figure C: 1. Floating static route (Yes or No) 2. IP SLA ( Yes or No)
I have a cisco 2821 router and it has an advanceip image in the flash each time on reboot it gives the message software forced crash and checksum error and finally goes into rommon. i tried xmodem and tftpdnld -r but same problem persists. I even changed the CF with a working router's flash but the same problem occurs.I also loaded an ip base image of about 13Mb size and all the same problem repeats with it.
