[c-nsp] Dual Homing
Darwis Herman
magic.hand at live.com
Wed May 14 09:57:45 EDT 2014
Dear Antoine,
At the Fortigate's end, it allows port 80, 443 and ICMP.
I am not sure if it was a coincidence or something, but during my troubleshooting at the customer premises, when I shut down the VLAN in one of the C4500s, I could still ping the NATed IP from the public side. The same goes when I changed to the primary connection. Only when I asked them to turn off the WAN link from their Fortigate did it fail. Does this explain something? I didn't check whether the routing disappeared or not during that time.
I am going to reproduce this with my own ASA 5500, with 2 WAN connections behind that C4500 and a NATed machine. Hopefully I can get some idea from there.
Best Regards,
Darwis Herman
“This is 10% Luck, 20% Skill,
15% Concentrated Power of Will, 5% Pleasure, 50% Pain And a 100% Reason to Remember The Name!”
Date: Wed, 14 May 2014 14:37:02 +0200
Subject: Re: [c-nsp] Dual Homing
From: mrantoinemonnier at gmail.com
To: magic.hand at live.com
CC: bep at whack.org; cisco-nsp at puck.nether.net
What traffic do you use to test this? The load-sharing algorithm may be sending all traffic to the same path if all the traffic has the same source and destination IP address.
Moreover, have you checked that one of those routes disappears from your routing table when the first link is down?
ip route 172.21.200.32 255.255.255.224 192.168.10.1 tag 1
ip route 172.21.200.32 255.255.255.224 192.168.10.5 tag 1
If you have a default-route, your equipment could be doing a recursive lookup for 192.168.10.1
you could try this instead:
ip route 172.21.200.32 255.255.255.224 vlanXY 192.168.10.1 tag 1
ip route 172.21.200.32 255.255.255.224 vlanYZ 192.168.10.5 tag 1
but it may only help if your L3 vlan interface goes down when your physical link goes down.
On Wed, May 14, 2014 at 11:36 AM, Darwis Herman <magic.hand at live.com> wrote:
Dear Daljit,
The ACL hits show that the customer's gateway successfully reached the ISP's end (C4500). That is just a control mechanism that will make sure only allowed IPs can travel through back to the ISP.
I don't have control over the Fortigate. The customer told me that the Fortigate is configured with primary and secondary WAN links. It will sense the availability of the links. If the primary is down, it will divert to the secondary.
Dear Bruce,
Yes, as for the ACL, the ISP controls the inbound, the Fortigate controls the outbound from the customer end.
What is required in this setup is that 172.21.200.32/27 can travel through both links at any point in time. Not necessarily load balanced.
Best Regards,
Darwis Herman
“This is 10% Luck, 20% Skill,
15% Concentrated Power of Will, 5% Pleasure, 50% Pain And a 100% Reason to Remember The Name!”
> Date: Wed, 14 May 2014 01:02:34 -0700
> From: bep at whack.org
> To: magic.hand at live.com; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Dual Homing
>
> Darwis Herman wrote:
> > Dear Gurus and Friend,
> >
> > I am seeking a little help on my setup as below:-
> >
> >
> > /-----------1st Link (C4500)----------\
> > ISP -------- ---------------------- CUSTOMER (Fortigate 200B)
> > \-----------2nd Link (C4500)----------/
> >
> >
> > Current Setup:-
> >
> > Customer has 2 connections to the same ISP.
> > ISP assigned both links 2 VLANs with point-to-point (/30) IP addresses for gateway termination.
> > ISP also assigned a pool of /27 public IP addresses to CUSTOMER.
> > CUSTOMER requires the /27 public IP to be accessible from both links.
> >
> >
>
> What are you expecting out of the C4500's? ISP controls the inbound.
> Fortigate controls the outbound.
>
> --
> =========
> bep
>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
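The point Antoine raises in the thread (a static route with a bare next-hop stays in the RIB as long as the next-hop is resolvable through any other route, for instance a default route, whereas a route bound to an egress interface is withdrawn when that interface goes down) can be seen in a small simulation. The following is an added example and not part of the thread or any vendor's code: it models a toy Cisco-style RIB with the thread's addresses (172.21.200.32/27 via 192.168.10.1 and 192.168.10.5). The VLAN names (Vlan10, Vlan20), the core uplink Vlan100 with 10.0.0.0/30 and the default route via 10.0.0.1 are assumptions made for the example, and the resolver ignores administrative distance, tracking and ECMP hashing.

```python
"""Toy RIB showing when a static route survives a link failure (added example).

Assumptions (not from the thread): VLAN names, the core uplink Vlan100
(10.0.0.0/30) and the default route via 10.0.0.1. No admin distance,
no IP SLA tracking, no ECMP hashing; just route installation/resolution.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    next_hop: IPv4 | None     # None for a connected route
    interface: str | None     # egress interface, or None for a bare next-hop


@dataclass
class Rib:
    links: dict[str, tuple[Net, bool]]   # interface -> (connected subnet, link up?)
    statics: list[Route]

    @staticmethod
    def lookup(table: list[Route], addr: IPv4) -> list[Route]:
        """All entries sharing the longest prefix containing addr (the ECMP set)."""
        hits = [r for r in table if addr in r.prefix]
        if not hits:
            return []
        longest = max(r.prefix.prefixlen for r in hits)
        return [r for r in hits if r.prefix.prefixlen == longest]

    def installed(self) -> list[Route]:
        """Connected routes of up links, plus every static that resolves."""
        table = [Route(net, None, iface) for iface, (net, up) in self.links.items() if up]
        pending = list(self.statics)
        progress = True
        while progress:                       # iterate to a fixpoint: statics may resolve via statics
            progress = False
            for s in list(pending):
                if s.interface is not None:   # interface-bound: needs the interface up
                    ok = self.links.get(s.interface, (None, False))[1]
                else:                         # bare next-hop: recursive lookup via any other prefix
                    others = [r for r in table if r.prefix != s.prefix]
                    ok = bool(self.lookup(others, s.next_hop))
                if ok:
                    table.append(s)
                    pending.remove(s)
                    progress = True
        return table

    def egress(self, dst: IPv4, _depth: int = 0) -> set[str]:
        """Interfaces traffic to dst actually leaves on, recursing on bare next-hops."""
        if _depth > 8:
            return set()
        out: set[str] = set()
        for r in self.lookup(self.installed(), dst):
            if r.interface is not None:
                out.add(r.interface)
            else:
                out |= self.egress(r.next_hop, _depth + 1)
        return out


CUSTOMER = Net("172.21.200.32/27")


def build_rib(bound: bool, link1_up: bool, link2_up: bool) -> Rib:
    # Constructed topology: two /30 VLANs toward the Fortigate, one assumed core uplink.
    links = {
        "Vlan10": (Net("192.168.10.0/30"), link1_up),   # 1st link, Fortigate side = .1
        "Vlan20": (Net("192.168.10.4/30"), link2_up),   # 2nd link, Fortigate side = .5
        "Vlan100": (Net("10.0.0.0/30"), True),          # assumed uplink to ISP core
    }
    statics = [
        Route(Net("0.0.0.0/0"), IPv4("10.0.0.1"), "Vlan100"),   # assumed default route
        Route(CUSTOMER, IPv4("192.168.10.1"), "Vlan10" if bound else None),
        Route(CUSTOMER, IPv4("192.168.10.5"), "Vlan20" if bound else None),
    ]
    return Rib(links, statics)


def customer_next_hops(bound: bool, link1_up: bool, link2_up: bool) -> list[str]:
    rib = build_rib(bound, link1_up, link2_up)
    return sorted(str(r.next_hop) for r in rib.installed() if r.prefix == CUSTOMER)


def customer_egress(bound: bool, link1_up: bool, link2_up: bool) -> list[str]:
    return sorted(build_rib(bound, link1_up, link2_up).egress(IPv4("172.21.200.40")))


if __name__ == "__main__":
    for bound in (False, True):
        print("interface-bound" if bound else "bare next-hop", "/ Vlan10 down:",
              customer_next_hops(bound, False, True), customer_egress(bound, False, True))
```

With a bare next-hop and Vlan10 down, the route via 192.168.10.1 stays installed because 192.168.10.1 now resolves through the default route, so part of the customer's traffic is forwarded out the core uplink instead of being withdrawn; with the interface-bound form only the route via Vlan20 remains. This mirrors Antoine's caveat that binding the route to the VLAN interface only helps if that L3 interface actually goes down when the physical link does.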