[c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

Ryan Lambert ryanclambert at gmail.com
Mon Aug 18 21:59:45 EDT 2008


Hi Scott,

Hopefully I am understanding your challenge correctly. It appears to me like
you're having trouble chatting dynamic routing protocols directly with the
wireless network, among some other various nitty-gritty that is not "just as
simple" as the SE tries to make it sound.

Looking at your diagram, it seems that the 7204 also should have a route to
the 1841 via the mysterious cloud there, albeit a few more hops in between.
For obvious reasons (lack of link state awareness), plain old static routing
isn't a reliable option in your scenario. With that said, OSPF may not even
be necessary. Have you considered the possibility of running ebgp-multihop
from the Cisco 7204VXR to the 1841's interface directly connected to the
wireless network? You could also establish a private BGP session with the
other 1841 via the directly connected T1 link, and announce the same prefix
out of both sessions. 

As for the VRRP question: If memory serves, I want to say yes, you can use a
"real" IP address that does not exist in the same subnet as the floating
virtual; at least, this worked the last time I tried to do it so far as I
can recall. Unfortunately for the past year and change, I've been dealing
with a limitation on a never-to-be-named hardware/software platform that
just recently started allowing this... uhm, feature.

I'm still kind of scratching my head on a good, clean way to "load-balance"
this outbound for you, given only one of the routers is going to serve as
the ASA's default route out in a VRRP/HSRP configuration. I'm sure there is
an answer, it just doesn't look pretty in my head. Maybe the answer here is
to do OSPF between the 1841s and the ASA, all in NBMA mode so that the 1841s
aren't trying to share a default to one another. The only things the 1841s
should need to do are a) create an adjacency with the ASA, and b) advertise
it a default route. In that case, it may be necessary to expand to a /28 if
everything else is in use on that subnet. Maybe someone else has a better
solution -- that's at least the one I'd try to lab out first, if it were me.

Just something to think about, I guess... :)

-Ryan


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Scott Lambert
Sent: Monday, August 18, 2008 7:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Need some guidance for T1 / wireless ethernet handoff load
balancing/failover setup

I have a customer who went directly to cisco to ask about how to load
balance two WAN connections to their Cisco PIX 515E.  Cisco sold them an
ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
ASA and 1841s.  Apparently, the customer didn't even mention that the
two connections were to the same ISP, me.  The customer just ordered the
equipment and said "Make it work."

The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
network.

Cisco sales tech guy said:
> What we discussed was the ASA having a default route to the virtual   
> IP address of the routers and they would be running either VRRP or    
> GLBP (whatever they decided they wanted to do) going out to the       
> service provider.  Then the routers would simply have a default route 
> going out to the service provider to hit the 'Net.                    

The network design is supposed to be something like :

    Cisco 7204VXR NPE G1 (ISP)
       |                |
      T1        Wireless network cloud
       |                |
   Cisco 1841       Cisco 1841
       |                |
      -+-------+--------+-
               |
         Cisco ASA 5510  (Customer)

The wireless network cloud is creating logistical issues for me.  The
wireless ethernet makes multiple hops through StarOS based routers
which do not speak OSPF, yet.  I have to statically route traffic to the
wireless cloud.  The wireless network is handled by a different group
here and I don't have much influence over how they run it.

I've been running ISP routers for 10 years, but have not had this
configuration come up before.  99.9999% of my customers have been single
homed to me.  Also, ASA/PIX devices haven't been common for me until the
past couple of years and I keep running into areas where they seem to
try very hard to avoid having common routing features.  I'm primarily a
servers guy but when you work in small ISPs, you get to do everything.

I could use some guidance in the best way to make these links load
balance with graceful degradation if one link should fall down.

I've been considering bringing up an IPSec VPN from the 7204VXR to the
1841 handling the wireless ethernet connection, just to bypass the need
for dynamic routing in the wireless network.  Then I could run OSPF or
other magic between the 1841s and my 7204.

Is OSPF going to be enough to load balance the links, or will I need
something else?  

If not, could an MLPPP bundle be brought up which uses the T1 and an
IPSec tunnel?  But then, how would I use the 1841s redundantly?

To keep the 1841s redundant, do I need to use their existing router to
act as a T1 to ethernet bridge?

Also, on the VRRP front, the customer currently has a /29 LAN subnet
outside their ASA.  The current T1 router has one IP and the rest of
the IPs are in use on the ASA.  Will we need to renumber them to a /28
subnet?  Or, can the virtual router address be from their current subnet
with the individual routers having their primary IPs from another, RFC
1918, subnet?

The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E)
connections.

If I configure the VirtualTemplates to permit CEF, which lowers CPU
utilization to about 30%, the router hangs in an infinite loop at random
intervals, at least with c7200-ik91s-mz.122-28.SB5.bin.  Any of the 12.2
SB series images at the time I last tried CEF did the same thing and I
haven't had enough nerve to try again since. 

Hopefully, that is not important right now.  The only reason I mention
it is in case an IPSec tunnel, or whatever the necessary magic ends up
being, might make a significant impact on the CPU.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
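
The two-session eBGP arrangement suggested in the reply at the top of this message, sketched as IOS configuration. This is an added example, not configuration posted by either participant; the AS numbers, addresses, hop count, prefix-list name and password placeholders are all assumptions (private ASNs and RFC 5737 documentation ranges).

```cisco
! Added example. AS numbers and addresses are constructed placeholders,
! not values from the thread. Customer LAN is assumed to be 203.0.113.0/29.
!
! ===== 7204VXR (ISP side), AS 64512 =====
! Static reachability to the 1841's wireless-facing address, because the
! StarOS hops in between do not take part in a routing protocol.
ip route 198.51.100.8 255.255.255.252 198.51.100.2
!
! Accept only the customer's own prefix on either session.
ip prefix-list CUST-IN seq 5 permit 203.0.113.0/29
!
router bgp 64512
 ! Session 1: directly connected peer over the T1
 neighbor 192.0.2.2 remote-as 64513
 neighbor 192.0.2.2 description 1841-A via T1
 neighbor 192.0.2.2 password <shared-secret-1>
 neighbor 192.0.2.2 prefix-list CUST-IN in
 neighbor 192.0.2.2 default-originate
 ! Session 2: peer several routed hops away across the wireless cloud
 ! (TTL of 5 is an assumed hop budget)
 neighbor 198.51.100.10 remote-as 64513
 neighbor 198.51.100.10 description 1841-B via wireless
 neighbor 198.51.100.10 ebgp-multihop 5
 neighbor 198.51.100.10 password <shared-secret-2>
 neighbor 198.51.100.10 prefix-list CUST-IN in
 neighbor 198.51.100.10 default-originate
!
! ===== 1841-A (T1), AS 64513 =====
! The network statement needs the /29 in the routing table, which the
! connected LAN interface provides.
router bgp 64513
 network 203.0.113.0 mask 255.255.255.248
 neighbor 192.0.2.1 remote-as 64512
 neighbor 192.0.2.1 password <shared-secret-1>
!
! ===== 1841-B (wireless handoff), AS 64513 =====
! Host route back to the 7204 through the last wireless hop.
ip route 198.51.100.1 255.255.255.255 198.51.100.9
!
router bgp 64513
 network 203.0.113.0 mask 255.255.255.248
 neighbor 198.51.100.1 remote-as 64512
 neighbor 198.51.100.1 ebgp-multihop 5
 neighbor 198.51.100.1 password <shared-secret-2>
```

Because the multihop peer is not directly connected, neither end sees a link-down event when the wireless path fails, so failover on that session waits for the BGP hold timer to expire. The inbound prefix-list and per-neighbor password matter most on the multihop session, which crosses routers run by a different group.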


