If you have a mostly Cisco network like we do, you know that there is nothing you can't do, for a price. Cisco has some great failover techniques using its ASA 5500 series firewalls, but you need to buy the extra HA licensing. And what do you do if your other firewalls aren't Cisco? In this case, EIGRP can get you the same basic features for free. Now, before I get lots of comments on this: using dynamically weighted routes with EIGRP does not provide stateful failover, meaning that you will drop your connections for a short period while the network converges, and you won't be able to set up BGP this way (I think).
For this post, I'm going to use a simple scenario of two sites with two Internet connections. One is much faster than the other, so it makes sense to backhaul Internet traffic from Site B to Site A whenever the link to Site A is up. Let's also assume that you only want to protect against the link between the sites going down, not against things like the Internet modem locking up (I'll address that in future posts).
RTRA EIGRP Config
RTRA Fa 0/0 ip address is 10.100.1.2 255.255.255.0
RTRA Fa 0/1 ip address is 10.1.1.1 255.255.255.0
FWA Fa 0/1 ip address is 10.1.1.254 255.255.255.0
RTRA# conf t
RTRB EIGRP Config
Fa 0/0 ip address is 10.100.1.3 255.255.255.0
Fa 0/1 ip address is 192.168.1.1 255.255.255.0
RTRB# conf t
Both routers are participating in EIGRP autonomous system 100. They advertise their routes to each other and calculate the metric based on bandwidth, congestion, etc. The key here is the "redistribute static metric 20000 1 255 255 1500" command on RTRA. This tells EIGRP to redistribute the static routes configured on the router with a bandwidth of 20,000 kbps, a delay of 1, a reliability of 255, a load of 255, and an MTU of 1500. RTRB has its own static route for 0.0.0.0, but with an administrative distance of 255. The route learned dynamically from RTRA has an administrative distance of 170 (external EIGRP), so it wins and replaces the static route in the routing table. Because "redistribute static" pushes every static route on RTRA into EIGRP, this works cleanly only if your default route is the only static route you have, so it isn't very flexible. You could also configure an EIGRP summary address for the default route on Fa 0/0 and accomplish the same thing.
While the link between RTRA and RTRB is up, any traffic for which RTRB has no more specific route (i.e. Internet traffic) is sent to RTRA. If the link between RTRA and RTRB goes down, the EIGRP-learned default route is withdrawn, and RTRB sends that traffic to its local Internet connection because the static route is now the only default route it has.
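The following is an added example configuration for the two routers, not the configuration from the original post (the post's own config blocks are cut off after "conf t"). It uses the interface addresses and the "redistribute static metric 20000 1 255 255 1500" command given above; the interface names, the EIGRP "network" statements and the Site B Internet next hop 203.0.113.1 (a documentation-range address) are assumptions. One deliberate difference: Cisco IOS treats an administrative distance of 255 as "unreachable" and will not install such a static route, so the floating default on RTRB below uses 254, which still sits above the external EIGRP distance of 170 and so only wins when the EIGRP route is gone.

```cisco
! ===== RTRA (Site A, has the fast Internet link behind FWA) =====
interface FastEthernet0/0
 description Site-to-site link to RTRB (assumed interface name)
 ip address 10.100.1.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN segment shared with FWA (assumed interface name)
 ip address 10.1.1.1 255.255.255.0
!
! Normal default route via the Site A firewall (default distance 1).
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
router eigrp 100
 ! Assumed network statements covering both attached subnets.
 network 10.100.1.0 0.0.0.255
 network 10.1.1.0 0.0.0.255
 ! Push every static route (here only the default) to RTRB as an
 ! external EIGRP route: bandwidth 20000 kbps, delay 1, reliability 255,
 ! load 255, MTU 1500 (values from the post).
 redistribute static metric 20000 1 255 255 1500
 no auto-summary

! ===== RTRB (Site B, slow local Internet link) =====
interface FastEthernet0/0
 description Site-to-site link to RTRA (assumed interface name)
 ip address 10.100.1.3 255.255.255.0
!
interface FastEthernet0/1
 description Site B LAN (assumed interface name)
 ip address 192.168.1.1 255.255.255.0
!
! Floating static default via the local Internet gateway.
! 203.0.113.1 is an assumed placeholder next hop. Distance 254 is used
! instead of the post's 255 because IOS never installs a distance-255
! route; 254 is still worse than external EIGRP (170), so this route is
! only installed once the EIGRP-learned default disappears.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 254
!
router eigrp 100
 network 10.100.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary

! Checks on RTRB (no output shown here; see your own router):
!   show ip eigrp neighbors      -> RTRA (10.100.1.2) should be listed
!   show ip route 0.0.0.0        -> "D EX" default via 10.100.1.2 while up,
!                                   "S" default via 203.0.113.1 after the link fails
```

Two things worth noting when you deploy something like this. First, because "redistribute static" sends all of RTRA's static routes, if you later add other static routes there and do not want them reaching RTRB, attach a route-map to the "redistribute static" line to filter them. Second, RTRB installs whatever default route it learns over the 10.100.1.0/24 segment, so that segment should only carry trusted EIGRP neighbors; enabling EIGRP MD5 authentication on the link is the usual safeguard against a stray or rogue peer injecting a default route.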
Now, the biggest downside to this type of "failover" routing is that it isn't fully dynamic: it doesn't account for the fact that cable or DSL modems can lock up while still appearing to be up to the firewall or router, so the default route is never removed. This approach also doesn't work well once you have more locations, each with its own gateway to the Internet. I will address this in the next post.