WAN Redundancy Without BGP
Quick note: I attempted this config in early 2009. I managed to get both tunnels up and the default route redistributed through EIGRP. The network was stable, as long as only one tunnel was participating in EIGRP. When the second tunnel was brought up, EIGRP began complaining of route conflicts and dropping the redistributed static route. I ended up dropping the project when the remote router dropped offline. I had harassed the datacenter techs enough, and shelved the project for another time. I hope to attempt this again in the future!
The gold standard for internet redundancy is Border Gateway Protocol (BGP). An organization can register for its own block of IP addresses and autonomous system number (ASN). These addresses belong to you and not your ISP. To connect your block to the internet, a traditional WAN connection (DS1, DS3, etc.) is made to an ISP and your router is set up as a BGP peer with the provider router. Your router advertises your ASN and IP block to the provider, who passes it along to their BGP peers. When this process is done with multiple providers, you end up with a layer 3 redundant connection to the internet. Unfortunately, BGP requires constant tuning, skilled staff, and a provider willing to offer BGP peering.
I live in an area with only a few internet providers, and only one supports BGP peering, so other options need to be explored for redundancy. As I was studying for the CCNP ISCW exam, I had an idea. It should be possible to extend BGP-quality fault tolerance into my home network using dual internet providers, a router colocated in a datacenter, and dual GRE tunnels. If this sounds crazy, please read on.

Step 1
Colocate a Cisco router in a datacenter. I am using a spare Cisco 2620. Reserve two or more IP addresses for the router: one for the management interface, and one or more to use for NAT. The datacenter must be running BGP (nearly all do). That means the IP address they assign to your router is fault tolerant by the BGP standard. Good. Let's extend that to the small office or home office.
Step 2
Set up a router in your home or office. You need two internet providers. Simple residential services like cable modem and DSL work fine. Each provider needs to be connected to a WAN interface on your router. Allow these interfaces to get a DHCP address from the provider, or enter the static IP that the provider assigned.
Step 3
Establish two GRE tunnels (one across each provider) between the two routers. From this point on, we deal with these two virtual connections and can disregard the underlying topology.
Step 4
Enable EIGRP on the new tunnel interfaces and the LAN interface. On the remote router, we need to redistribute static routes into EIGRP so that the home/office router can see a dynamic default route.
Important: Remove the default route on your local router and replace it with a /32 route to the management IP of your remote router in the datacenter. The redistributed default route will appear as an External EIGRP route on the home/office router (Administrative Distance = 170). If the home/office router has a default static route (AD = 1), it will take precedence and traffic will never flow out through your tunnels. Once that is complete, we see an EIGRP topology like this:

EIGRP is now managing our default route via the remote datacenter. It can respond correctly to the tunnel interfaces becoming unavailable (or simply not passing traffic). At this point, you can hook a computer into your LAN and hit the internet via the tunnels. One more step to allow inbound traffic:
Step 5
Enable NAT on the remote router and set up a static NAT entry from the remote router to an address on the LAN. You can static NAT entire IP addresses from the datacenter IP space to your LAN. You can also map individual TCP and UDP ports like you typically would on a home LAN.
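Steps 3 to 5 as a minimal Cisco IOS sketch; this is an added example, not the author's configuration. It assumes static WAN addresses, a home LAN of 192.168.1.0/24 already configured on its own interface, EIGRP AS 100, and one datacenter address per tunnel so that each /32 route can follow a different provider. All addresses and interface names are constructed.

```cisco
! Added sketch, not the author's config. All addresses are constructed
! (RFC 5737 / RFC 1918); AS 100 and interface names are assumptions.
! GRE is cleartext and unauthenticated; nothing here encrypts the tunnels.
!
! ===== Home/office router =====
interface FastEthernet0/0
 description WAN, provider A
 ip address 198.51.100.20 255.255.255.0
interface FastEthernet0/1
 description WAN, provider B
 ip address 203.0.113.20 255.255.255.0
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.10
interface Tunnel2
 ip address 10.255.2.2 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 192.0.2.11
! Step 4: no static default here, only /32 routes to the tunnel endpoints
ip route 192.0.2.10 255.255.255.255 198.51.100.1
ip route 192.0.2.11 255.255.255.255 203.0.113.1
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
! ===== Datacenter router =====
interface FastEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 ip address 192.0.2.11 255.255.255.0 secondary
 ip nat outside
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 ip nat inside
 tunnel source 192.0.2.10
 tunnel destination 198.51.100.20
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
 ip nat inside
 tunnel source 192.0.2.11
 tunnel destination 203.0.113.20
ip route 0.0.0.0 0.0.0.0 192.0.2.1
router eigrp 100
 network 10.255.0.0 0.0.255.255
 redistribute static metric 1544 2000 255 1 1476
 no auto-summary
! Step 5: one datacenter address mapped to one LAN host
ip nat inside source static 192.168.1.10 192.0.2.12
```

On the home router, `show ip route 0.0.0.0` should list the default as an EIGRP external route (D*EX, AD 170) through the tunnels, while the two /32 statics keep the tunnel endpoints reachable outside the tunnels.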
Load balancing:
EIGRP will add one redistributed default route to the home/office per tunnel. By default, Cisco IOS can accept up to 6 routes to the same destination and will use a round-robin load balancing scheme between them. It should be possible to force the router to prefer one tunnel over the other by tweaking the EIGRP metric on the tunnel interfaces. It should also be possible to adjust what proportion of traffic crosses each tunnel using the EIGRP variance command.