Multiple gateways

XOR != OR

[H]F Junkie
Joined
Jun 17, 2003
Messages
11,547
Hey all, I have a linux box acting as a proxy that has two potential gateways to the internet. I'd like to do simple failover; I don't even want connection persistence. All I want is if gateway1 dies, start using gateway2.

Problem: Any faults that kick up will likely be beyond the immediate gateway. So while I could add two default gws to the box and count on gw time out features built into the kernel, that would only help me if my immediate border firewalls died ( which have uptimes of 1.5 years and 2, respectively ). Far more likely is the default gateway to the ISP from those devices failing.

Anybody have any suggestions?

One idea I had was to make the primary gw add a rule when it detects a dead GW ISP side. It's a 515e with the latest firmware.
 
so let me make sure i have this right. does your network essentially look like this:

Code:
Internet ------- R1 \
                     |----- Proxy ------- PC's
Internet ------- R2 /

is that about right?

if so, is your R1 and R2 pix 515e as you mention? or just one of them? or something else? does your proxy have the ability to run ospf?

if your R1 and R2 are actual routers, you could set it up like this:

Code:
Internet ------- R1 \
                 |   |----- Switch ----  Proxy ------- PC's
Internet ------- R2 /

then set up VRRP on the interfaces between the routers and the proxy and make that single IP your gateway on the proxy. you can also then run ospf or another IGP between your 2 routers, passing their default gateway in the routing protocol.


either way, if i'm correct about the network layout, i'm not really sure what you're gaining as you're not really redundant anyway.
 
Great suggestions, but that isn't a solution to his problem. If you notice, he wants a solution where the downstream device will know if the upstream device fails, not necessarily on HIS demarc. VRRP, HSRP and GLBP will only track on the interface pointing towards the demarc, but if his gateway goes down on its connection to the rest of the ISP network his interface will still stay up/up (customers ask me this all the time).

XOR, if your network does look like berkys first, then what you are going to want to do is implement an IP SLA monitor and run a ping to the next hop in your ISP network. If you lose connectivity to that, fail over to the other gateway.

http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsicmp.html
bada-bing! linkage. :D
 
Hey guys, thanks for the input. I'll look into your suggestions.

What I've got so far is this:
Code:
#!/bin/bash
# Settings (the original post did not show these; the values are placeholders, set them for your site)
TESTIP=203.0.113.1            # host beyond the primary gateway to ping
NAME1=gw1                     # label used in the log messages
GW_ADDR2=192.0.2.2            # secondary gateway to switch the default route to
FAILUREREPEATCOUNT=3          # consecutive failed pings before switching over
SLEEPTIME=10                  # seconds between probes
LPS1=0                        # last ping status: 0 = ok, 1 = failed
COUNT1=0                      # how many times in a row the status has been the same

while : ; do
        ping -W 2 -c 1 $TESTIP > /dev/null 2>&1
        RETVAL=$?

        # current ping status: 1 = failed, 0 = ok
        if [ $RETVAL -ne 0 ] ; then
                echo $NAME1 Down $COUNT1 $FAILUREREPEATCOUNT
                CPS1=1
        else
                CPS1=0
        fi

        # count consecutive probes with the same result
        if [ $LPS1 -ne $CPS1 ]; then
                echo Ping status changed for $NAME1 from $LPS1 to $CPS1
                COUNT1=1
        else
                COUNT1=`expr $COUNT1 + 1`
        fi

        LPS1=$CPS1

        # enough failures in a row: move the default route and stop
        if [[ $CPS1 -eq 1 && $COUNT1 -ge $FAILUREREPEATCOUNT ]]; then
                echo Switch over to new GW
                ip route replace default scope global via $GW_ADDR2
                sendmail -t < /root/linktest/test.email
                break;
        fi

        sleep $SLEEPTIME

done
Which is just a simple ping test, and when that fails, replace the default gateway.

It does not test for the connectivity on the t1. It's just a quick and dirty hack. I stole it, shamelessly: http://blog.taragana.com/wp-content/upload/gwping
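The script above stops after the first switch-over and, once the default route has moved, any later ping to the same test host would travel via the new gateway, so it can never notice the primary coming back. The following is an added example, not code from the thread or from the gwping script it was taken from, showing one way to handle both: each probe target is pinned to its own gateway with a host route, the up/down decision uses a consecutive-probe threshold in both directions, and the default route follows whichever gateway is healthy, preferring the primary (fail-back). The gateway and target addresses are placeholders, the assumed layout is the two firewalls on the proxy's subnet with a probe target beyond each ISP's edge, and DRY_RUN defaults to 1 so the script only logs the route changes it would make until you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example: dual-gateway failover with fail-back for a Linux proxy.
# All addresses are placeholders (documentation ranges); set them for your site.
GW1="${GW1:-192.0.2.1}"             # primary gateway on the proxy's subnet
GW2="${GW2:-192.0.2.2}"             # secondary gateway on the proxy's subnet
TARGET1="${TARGET1:-198.51.100.1}"  # host beyond ISP 1, e.g. the ISP's next hop
TARGET2="${TARGET2:-203.0.113.1}"   # host beyond ISP 2
THRESHOLD="${THRESHOLD:-3}"         # consecutive probes needed to flip a state
SLEEPTIME="${SLEEPTIME:-10}"        # seconds between probe rounds
DRY_RUN="${DRY_RUN:-1}"             # 1 = only log route changes, 0 = run ip route

# run <cmd...>: execute, or just print, a route change depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "DRY: $*"; else "$@"; fi
}

# Pin each probe target to its own gateway so the probe always exercises that
# path, no matter which gateway currently holds the default route.
pin_routes() {
    run ip route replace "$TARGET1" via "$GW1"
    run ip route replace "$TARGET2" via "$GW2"
}

# probe <host>: 0 if one ping is answered within 2 s, non-zero otherwise
probe() {
    ping -W 2 -c 1 "$1" >/dev/null 2>&1
}

# next_state <prev_state> <probe_rc> <streak> <threshold>
# Hysteresis: the state (up|down) only flips after <threshold> consecutive
# probes disagree with it. Prints "<state> <streak>" for the next round.
next_state() {
    prev=$1; rc=$2; streak=$3; thr=$4
    if [ "$rc" -eq 0 ]; then seen=up; else seen=down; fi
    if [ "$seen" = "$prev" ]; then
        echo "$prev 0"
    else
        streak=$((streak + 1))
        if [ "$streak" -ge "$thr" ]; then
            echo "$seen 0"
        else
            echo "$prev $streak"
        fi
    fi
}

# choose_gateway <state1> <state2> <current>
# Prefer GW1 whenever it is up (fail-back), else GW2 if it is up, else keep
# the current default because there is nothing better to switch to.
choose_gateway() {
    case "$1/$2" in
        up/*) echo "$GW1" ;;
        */up) echo "$GW2" ;;
        *)    echo "$3" ;;
    esac
}

# monitor: probe both paths forever and move the default route as needed
monitor() {
    s1=up; s2=up; n1=0; n2=0; current=$GW1
    pin_routes
    run ip route replace default via "$current"
    while :; do
        probe "$TARGET1"; r1=$?
        probe "$TARGET2"; r2=$?
        set -- $(next_state "$s1" "$r1" "$n1" "$THRESHOLD"); s1=$1; n1=$2
        set -- $(next_state "$s2" "$r2" "$n2" "$THRESHOLD"); s2=$1; n2=$2
        want=$(choose_gateway "$s1" "$s2" "$current")
        if [ "$want" != "$current" ]; then
            echo "$(date '+%F %T') gw1=$s1 gw2=$s2: default $current -> $want"
            run ip route replace default via "$want"
            current=$want
        fi
        sleep "$SLEEPTIME"
    done
}

# Usage: sh gwfailover.sh run   (DRY_RUN=0 to really change routes)
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Because the decision logic lives in next_state and choose_gateway rather than inline in the loop, you can exercise it without a network; the threshold applies to recovery as well as to failure, so a flapping T1 does not bounce the default route on every lost ping.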
 
pfft.... nothing shameless about it man, that's what *good* engineers do... no need to reinvent the wheel. That will pretty much do exactly what IP SLA ping monitoring will do. I Was going to suggest something similar as well.
 
hmm... I see that your connection is a T1. I haven't dealt much with serial connections, but I'm pretty sure they still show up/down unless the entire path to the ISP is up. If that's the case, there are many options. To be honest, I think the best solution would be to ask your ISP if they will allow you to configure a BGP peer with them. They can just send you the default route and you send them your networks. Then just set a local preference on the routes you learn, and you'll prefer the one over the other. But you also have to set up iBGP between both your routers at that point.


Also, I wasn't suggesting the VRRP to determine which ISP went down. If you notice, I also connected R1 to R2, where you can run standard IGPs across. I was going under the assumption that if the link state dropped on the ISP connection, that would be sufficient for whatever protocol he wanted to use on the ISP link (static route to ISP that would drop out of the table if the link dropped, and redistribute that default route into the IGP). But like I said, I'm not too awfully familiar with serial connections. We always use BGP, so we don't have to rely on link status.
 
hahaha, you totally sound like someone who just finished their BSCI test for the CCNP! BGP for this situation.... again, we don't have all the information, but I highly doubt he would want to run an EGP along with having to get an AS. All HA protocols will only track the interface on the router that they are running on... I think the intent is to monitor past his demarc... i.e.
Code:
ISPbackbone------------ISPedge----------CustomerEdge-----LAN
               ^ monitor this link

with VRRP, if that link goes down, the CE router doesn't know about it... with IP SLA you can monitor that interface via ping and then switch over to your other default route if it goes down. Right tool for the job, if you have Cisco gear on the edge that is :)
 
That's absolutely correct. I have two dissimilar ISPs ( t1 and a cable connection ). I have gateways via dissimilar firewalls ( 5520 and 515e ) on the same subnet.

BGP sounds like a good time, but the script works and is easier to work with, for both myself and my peers.

But hey, I'll continue reading. More education never hurt anybody.
 
No, I just work with BGP every day and it's very useful. Sure, it's probably overkill for this scenario, but there are so many things you can do with it.

I never said the CE would know if the VRRP link went down... that was for the proxy's benefit.

The only thing I'd say about the ping is that you have to watch that they don't start blocking it, as a lot of paranoid people seem to do these days.



Either way, it sounds like he's already set on using his ping script, so as long as it's working, that's all that matters.
 
either way, it sounds like he's already set on using his ping script, so as long as it's working, that's all that matters.
For this application, but I always welcome more ideas.

Can never know enough.
 
Rather than mess with VLANs and changing gateways and such, I did a bit of work with BGP. We have two separate links to the internet: one at our main datacenter and one at a hotsite. The main datacenter injects a default route into the cloud. When the main internet link fails, the edge router into our private cloud stops injecting the route, at which point the hotsite default route takes over (I give the main data center default route priority over the hotsite). It works quite smoothly. It's almost pointless now though, since our main data center cage is running bonded T1s and our backup is ethernet internet @ 3mb.
 