[c-nsp] Need some guidance for T1 / wireless ethernet handoff load balancing/failover setup

Scott Lambert lambert at lambertfam.org
Mon Aug 18 19:36:20 EDT 2008


I have a customer who went directly to Cisco to ask about how to load
balance two WAN connections to their Cisco PIX 515E.  Cisco sold them an
ASA 5510 and two 1841s and suggested VRRP or GLBP for the LAN with the
ASA and 1841s.  Apparently, the customer didn't even mention that the
two connections were to the same ISP, me.  The customer just ordered the
equipment and said "Make it work."

The WANs are T1 (existing) and 4Mbps ethernet delivered via a wireless
network.

Cisco sales tech guy said:
> What we discussed was the ASA having a default route to the virtual   
> IP address of the routers and they would be running either VRRP or    
> GLBP (whatever they decided they wanted to do) going out to the       
> service provider.  Then the routers would simply have a default route 
> going out to the service provider to hit the 'Net.                    

The network design is supposed to be something like:

    Cisco 7204VXR NPE G1 (ISP)
       |                |
      T1        Wireless network cloud
       |                |
   Cisco 1841       Cisco 1841
       |                |
      -+-------+--------+-
               |
         Cisco ASA 5510  (Customer)

The wireless network cloud is creating logistical issues for me.  The
wireless ethernet makes multiple hops through StarOS based routers
which do not speak OSPF, yet.  I have to statically route traffic to the
wireless cloud.  The wireless network is handled by a different group
here and I don't have much influence over how they run it.

I've been running ISP routers for 10 years, but have not had this
configuration come up before.  99.9999% of my customers have been single
homed to me.  Also, ASA/PIX devices haven't been common for me until the
past couple of years and I keep running into areas where they seem to
try very hard to avoid having common routing features.  I'm primarily a
servers guy but when you work in small ISPs, you get to do everything.

I could use some guidance in the best way to make these links load
balance with graceful degradation if one link should fall down.

I've been considering bringing up an IPSec VPN from the 7204VXR to the
1841 handling the wireless ethernet connection, just to bypass the need
for dynamic routing in the wireless network.  Then I could run OSPF or
other magic between the 1841s and my 7204.

Is OSPF going to be enough to load balance the links, or will I need
something else?  

If not, could an MLPPP bundle be brought up which uses the T1 and an
IPSec tunnel?  But then, how would I use the 1841s redundantly?

To keep the 1841s redundant, do I need to use their existing router to
act as a T1 to ethernet bridge?

Also, on the VRRP front, the customer currently has a /29 LAN subnet
outside their ASA.  The current T1 router has one IP and the rest of
the IPs are in use on the ASA.  Will we need to renumber them to a /28
subnet?  Or, can the virtual router address be from their current subnet
with the individual routers having their primary IPs from another, RFC
1918, subnet?

The 7204VXR is running at 55% CPU load handling about 1800 PPPo(A|E)
connections.

If I configure the VirtualTemplates to permit CEF, which lowers CPU
utilization to about 30%, the router hangs in an infinite loop at random
intervals, at least with c7200-ik91s-mz.122-28.SB5.bin.  Any of the 12.2
SB series images at the time I last tried CEF did the same thing and I
haven't had enough nerve to try again since. 

Hopefully, that is not important right now.  The only reason I mention
it is in case an IPSec tunnel, or whatever the necessary magic ends up
being, might make a significant impact on the CPU.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org

