Wired Intelligent Edge

Excuse my ignorance but I am new to networking and kind of got thrown into it at my job. I believe I know the answer but for some reason my brain is not putting all the pieces together.

 

Setup:

1 Cisco Router - New Fiber connection

1 Cable Modem - Existing Cable connection

1 CradlePoint Router

2 ASA Firewalls 5506

1 Core Switch - Connects to 1 EndPoint switch (PC/Phone/etc.)

 

Connections:

Cisco Router to Firewall to Core Switch to EndPoint Switch

Cable Modem to CradlePoint Router to Firewall to Core Switch to EndPoint switch

 

We have 2 ISPs that I need to connect to a single 2540 24 port switch. I am in the process of configuring/testing out Fiber with a Firewall but the switch already has a cable ISP connection configured to it.

 

How can I add the 2nd network so I can test my applications and services on the network?

 

Once it is completed I will be using both of them as a Primary/Secondary internet connection which once again, I will need some guidance on.

 

If anyone could show me the direction, I would greatly appreciate it!!

 

Thank you in advance.

 

 

My thoughts:

I will connect the Cable to the Cisco Router so it has both internet connections for failover.

Connect to a firewall that is setup on an Active/Standby

Firewall goes to Core Switch

 

How would I go about configuring this for ISP A to be primary but if it fails, goes to ISP B? Different IPs, etc.

 

Thinking segementing the network to include the ISP A but on an Aruba Switch, how can I state go here with X Networks but if connection fails, route to ISP B with X Networks....

Brain is fried!

Dealing with an Aruba 2540 if I were you I will use the firewalls in a Active/Standby (or Active/Active) configuration IF possible/supported...at that point your clients could (a) point to Aruba 2540's SVI addresses as their gateway (one for each routed VLAN Id) and use a transport VLAN to connect to Virtual IP Address of clustered Firewalls or they could (b) connect directly to your clustered Firewalls virtual addresses if all required VLAN Ids are transported to (and managed by) clustered Firewalls.

AFAIK Aruba 2540 hasn't a way to let the egress traffic to Internet "go here with X Networks but if connection fails, route to ISP B with X Networks"...this is an usual dual WAN Firewall feature...or a behaviour configurable where two Firewalls are clustered together (VRRP).

Parnassus,

 

I appreciate the reply but can you dumb that down for a beginner? If you can point me in a direction where I can review some documentation also, would be helpful for me. I am doing my best to learn this stuff on the fly as I work for a small company with very little IT Budget for training.

 

Thanks!

I think I have over complicated my thought process.

 

I setup my ASA firewall with 2 outside interfaces for ISP A and ISP B then created a static routes for both outside interfaces. I then configured monitor options for ISP A to ping an IP address every 60 seconds so once that connection is down, it should fail over to ISP B. 

 

I should be able to keep all the normal configurations for my inside and dmz interfaces.

 

My next part to figure out is how do I setup my Azure ASAv to still continue to work with my on-prem ASA if we failover to ISP B.....

 

Getting there piece by piece though.

Glad you're getting piece by piece...as written there are two possible paths:

• Policy Based Routing (example here for Cisco ASA) done at Firewall level or at Core Switch level (if supported).
• Using a single Firewall that is able to provide Load-Sharing/Balancing of multiple WANs (is it Cisco ASA 5506 Dual WAN Load Balancing capable? I don't know, not a Cisco expert here).

As far as I understand you went down the first one.