[c-nsp] Dual Homing

Daljit Singh daljit.singh at digivive.com
Wed May 14 03:53:33 EDT 2014


Hi,

In reference to the ACL hits: are you talking about IN traffic? If it is IN traffic, then the routing on the Fortigate is towards only the first link.

Also, what routing do you have in your Fortigate towards the ISP? Can you paste some lines?

Regards
Daljit

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darwis Herman
Sent: Wednesday, May 14, 2014 10:15 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dual Homing

Dear Gurus and Friends,

I am seeking a little help with my setup as below:


                  /-----------1st Link  (C4500)----------\
ISP --------                                                              ---------------------- CUSTOMER (Fortigate 200B)
                  \-----------2nd Link (C4500)----------/


Current Setup:

The customer has 2 connections to the same ISP.
ISP assigned both links with 2 VLANs with point-to-point (/30) IP addresses for gateway termination.
ISP also assigned a pool of /27 public IP addresses to CUSTOMER.
CUSTOMER requires the /27 public IP to be accessible from both links.



Situation:

When both links are UP, CUSTOMER is able to use their public IP pool (NATted within their Fortigate). When the 2nd link is DOWN, the public IPs are still usable.
When the 1st link is DOWN, the public IPs are no longer usable.
The Fortigate side is configured with a policy-based detection mechanism, whereby it will sense whichever link is usable to route out traffic from the NATted hosts.


Configuration for both C4500s:

C4500 # (for link #1)

interface Vlan10
 description CUSTOMER_X_#1
 ip address 192.168.10.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
end

----
router ospf 1
network 192.168.10.1 0.0.0.0 area 0

----

ip route 172.21.200.32 255.255.255.224 192.168.10.1 tag 1
ip route 172.21.200.32 255.255.255.224 192.168.10.5 tag 1

--------------

C4500_1#show access-lists IN_CUSTOMER_X_#1
Extended IP access list IN_CUSTOMER_X_#1
    10 permit ip any 172.21.200.32 0.0.0.31 (3640 matches)
C4500_1#

C4500 # (for link #2)

interface Vlan20
 description CUSTOMER_X_#2
 ip address 192.168.10.5 255.255.255.252
 no ip redirects
 no ip proxy-arp
end

----
router ospf 1
network 192.168.10.5 0.0.0.0 area 0

ip route 172.21.200.32 255.255.255.224 192.168.10.1 tag 1
ip route 172.21.200.32 255.255.255.224 192.168.10.5 tag 1

----------

C4500_2#show access-lists IN_CUSTOMER_X_#2
Extended IP access list IN_CUSTOMER_X_#2
    10 permit ip any 172.21.200.32 0.0.0.31
C4500_2#

--------------------------------------------------------------------------------------------------------


By looking at the ACL hits, it seems that only the 1st link is being used all the time.

Is there anything else missing to complete the redundant routing?




Best Regards,

 

Darwis Herman



 

"This is 10% Luck, 20% Skill,
15%  Concentrated Power of Will,  5% Pleasure, 50% Pain And a 100%  Reason to Remember The Name!"

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
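As an added example (not code from the thread or from either poster), here is a small Python lint for IOS-style config fragments like the two posted above. It parses the "ip address" lines under each interface and every "ip route" line, and reports for each static route whether the next hop is one of the router's own interface addresses, lies inside a connected subnet, or lies in no connected subnet (so it can only be resolved recursively through another route, OSPF in this setup). The sample input is the two C4500 fragments from the post with the run-together lines split; the third fragment, with a 192.168.10.2 next hop at the far end of the /30, is a constructed contrast case and not taken from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Added example, not from the thread: a lint for IOS-style static routes.
# For every "ip route" line it reports whether the next hop is one of the
# router's own interface addresses, sits inside a connected subnet, or is
# reachable from no connected subnet at all.

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) (\S+)")


@dataclass
class RouterFacts:
    name: str
    local_addrs: set = field(default_factory=set)      # IPv4Address of each interface
    connected: list = field(default_factory=list)      # IPv4Network of each interface
    static_routes: list = field(default_factory=list)  # (IPv4Network, next-hop string)


def parse_ios_config(name: str, text: str) -> RouterFacts:
    """Collect interface addresses and static routes from a config fragment."""
    facts = RouterFacts(name)
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            # ipaddress accepts a dotted netmask after the slash
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            facts.local_addrs.add(iface.ip)
            facts.connected.append(iface.network)
            continue
        m = ROUTE_RE.match(line)
        if m:
            prefix = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            facts.static_routes.append((prefix, m.group(3)))
    return facts


def classify_next_hop(facts: RouterFacts, nexthop: str) -> str:
    """Return 'self', 'connected', 'not-connected', or 'interface' (exit interface, no IP)."""
    try:
        nh = ipaddress.ip_address(nexthop)
    except ValueError:
        return "interface"
    if nh in facts.local_addrs:
        return "self"
    if any(nh in net for net in facts.connected):
        return "connected"
    return "not-connected"


def audit_static_routes(name: str, text: str) -> list:
    """One (prefix, next-hop, verdict) tuple per static route in the fragment."""
    facts = parse_ios_config(name, text)
    return [(str(prefix), nh, classify_next_hop(facts, nh))
            for prefix, nh in facts.static_routes]


# Sample input: the two fragments from the post, with run-together lines split.
C4500_1_CONFIG = """
interface Vlan10
 description CUSTOMER_X_#1
 ip address 192.168.10.1 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
ip route 172.21.200.32 255.255.255.224 192.168.10.1 tag 1
ip route 172.21.200.32 255.255.255.224 192.168.10.5 tag 1
"""

C4500_2_CONFIG = """
interface Vlan20
 description CUSTOMER_X_#2
 ip address 192.168.10.5 255.255.255.252
 no ip redirects
 no ip proxy-arp
!
ip route 172.21.200.32 255.255.255.224 192.168.10.1 tag 1
ip route 172.21.200.32 255.255.255.224 192.168.10.5 tag 1
"""

# Constructed contrast case (an assumption, not from the post): a next hop at
# the far end of the connected /30 is what the lint reports as "connected".
CONSTRUCTED_CONFIG = """
interface Vlan10
 ip address 192.168.10.1 255.255.255.252
!
ip route 172.21.200.32 255.255.255.224 192.168.10.2
"""

if __name__ == "__main__":
    for name, cfg in (("C4500_1", C4500_1_CONFIG), ("C4500_2", C4500_2_CONFIG),
                      ("constructed", CONSTRUCTED_CONFIG)):
        for prefix, nh, verdict in audit_static_routes(name, cfg):
            print(f"{name}: {prefix} via {nh}: {verdict}")
```

Run as a script it prints one verdict per route. A "self" verdict means the next hop is the router's own interface address, and a "not-connected" verdict means the next hop can only be reached through another route in the RIB; both are worth a second look on a pair of routers that is expected to share one customer prefix across two links.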