thanks for the response giltjr
I will be making a call to AT&T tomorrow, and I will ask those questions. Anything else I should ask?
Hello
I will be building out a new infrastructure as we will be implementing MPLS via AT&T service, with two sites in CA, one in CO. AT&T will provide Internet connection at one site in CA (main site) and the CO site. I would like to also use a FE/BE Exchange setup with proper firewalls in place. I will put FE/BE at both the CA (main) site and the CO site. Failover and redundancy is absolutely critical between all three sites; business critical are Exchange and Internet. Cost is not a primary or secondary issue.
I would like to see what the basic network and hardware diagram would look like- placement of firewalls/routers, and how or if I can use AT&T's "managed" router. (dual WAN ports?) We will have a PT-PT T1 between the two CA sites.
If more information is needed, I will provide. Thanks in advance.
You should be able to ask for a diagram of what the network will look like.
You need to decide how much bandwidth you need for backup. Will ISDN do? Or do you need more than 128 Kbps?
What you may want to look at is something like:
"AT&T Managed Router" <----> EVPN Cloud <----> "AT&T Managed Router"
          /\                                            /\
          |                                             |
     Internet Link                                 Internet Link
          |                                             |
          \/                                            \/
AT&T Managed Firewall <---- Internet ----> AT&T Managed Firewall
                        <-- VPN Tunnel -->
Your private traffic would flow over the EVPN cloud and normal Internet traffic would flow over the Internet. If the EVPN link went down the site to site traffic would flow over the VPN tunnel over the Internet. The only single point of failure is the router at each site. However I think they even have options where you can have two routers at each site, one for EVPN and one for Internet with VPN over the Internet. Primary link would be EVPN router and EVPN link, backup for site to site would be Internet and VPN tunnel.
AT&T has a TON of options, they all cost money, but they have tons of options.
thanks for the reply. The backup has to be seamless, so speed will have to be the same. And speed will have to improve over what we currently have, which are T1's from MCI/Verizon.
I will be asked about the single point of failure of having AT&T be the only supplier. Is there any way around that? If money can solve that problem, I'm all ears.
Will we have to add another firewall in front of the managed firewall for the FE/BE of Exchange?
Well technically AT&T could be a failure point, but that would mean their network would have an issue. What are the chances of AT&T's network having a meltdown? Well not only is it slim to none, most of the biggies actually share backbones and connect to each other at peering points.
AT&T MPLS can get into the multiple T1, Fractional DS3, Full DS3, and so on all the way up to a full OC3.
Well if expense is truly no problem get two "MPLS" type connections at the same speed, one from MCI/Verizon and one from AT&T and do your own private BGP routing across the two.
However, you may still have a single point of failure. How does the local telco get to your building? Most likely one conduit with multiple wires/fiber into one telco closet. What happens if the telco closet loses power, gets destroyed, or the one conduit to your building gets cut?
Your best bet may be to just say we are going to use both Verizon Business and AT&T, one link from both at the same exact speed. Get them both and your local telco in a room and say design it. No bickering over who is primary and who is backup, in fact design it so that traffic can flow over BOTH links at the same time.
They will be delivering two routers as you said, one for the EVPN and one for the Internet. I believe the managed firewall is not the best option if we are building a Front End/Back End for Exchange, as we'll need access to the firewall. They politely laughed when I asked for access to their routers! So I assume the same for the firewall.
I am wondering what protocols are used on and between the two routers.
AT&T will not let you have access to the router or the firewall if they are managing them. If you ask nicely they will allow you to have SNMP read access to some of the interface MIBs so that you can monitor link utilization.
If you know what ports and protocols you need for the application you are building all you need to do is give AT&T the information and they will apply the ACLs to the firewall.
The advantage of AT&T managing it is you don't need to have the knowledge or staffing to do it. Which depending on the knowledge and size of your network/security group could be a big plus.
IIRC they have two options for managed firewall service: one where the firewall is at your site, the other where the firewall is at their site. The advantage of having the firewall at AT&T's end is the "bad" traffic is blocked at a point that it will not use any of your bandwidth. So you do not lose any bandwidth to "bad" traffic and specific types of DoS attacks will not bother you.
The disadvantage of having AT&T manage the firewall is if you need a change, it may take a week to get the change made. I am not sure what AT&T's turnaround is for firewall changes, you need to ask them.
They glanced over the setup for the Internet backing up the EVPN in one meeting we had a couple of years ago. IIRC the Internet router ends up with two IP addresses on the inside interface. One you use as the default route for Internet traffic. The other is used as part of a HSRP setup in conjunction with the EVPN router. You have a route for the "EVPN" traffic pointing to the "EVPN HSRP" address. Normally the EVPN router is the active router and the Internet router is the FO router. If the EVPN path goes down, the Internet router takes over. Then there is a VPN tunnel between the two sites over the Internet path so that all site-to-site traffic is encrypted.
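As an added illustration of the HSRP arrangement giltjr describes (not part of his post, and not an AT&T configuration), here is how the two routers and the inside default/site-to-site routes could be rendered in Cisco IOS style. All addresses, interface names, priorities and the remote-site prefix are assumptions; the IPsec tunnel on the Internet router is referenced but its crypto configuration is left out.

```cisco
! ===== EVPN (MPLS) router: normally the active HSRP router =====
interface FastEthernet0/0
 description Inside LAN
 ip address 10.10.1.3 255.255.255.0
 standby 1 ip 10.10.1.254          ! shared "EVPN HSRP" address used by the LAN
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 30      ! EVPN link down -> priority 80, below the Internet router
!
interface Serial0/0
 description EVPN / MPLS link to AT&T cloud
!
ip route 10.20.0.0 255.255.0.0 Serial0/0   ! remote site (assumed prefix) via EVPN

! ===== Internet router: standby for HSRP, owns the Internet default route =====
interface FastEthernet0/0
 description Inside LAN (two addresses: own IP plus HSRP virtual IP)
 ip address 10.10.1.2 255.255.255.0
 standby 1 ip 10.10.1.254
 standby 1 priority 90
 standby 1 preempt
!
interface Serial0/0
 description Internet link to AT&T
!
ip route 0.0.0.0 0.0.0.0 Serial0/0         ! normal Internet traffic
ip route 10.20.0.0 255.255.0.0 Serial0/0   ! remote site via the IPsec tunnel (crypto map omitted)

! ===== Inside layer-3 device (LAN side of the firewalls) =====
ip route 0.0.0.0 0.0.0.0 10.10.1.2             ! Internet -> Internet router's own address
ip route 10.20.0.0 255.255.0.0 10.10.1.254     ! site-to-site -> HSRP address (EVPN while up)
```

Tracking the serial interface only notices a local link failure; a fault deeper in the provider cloud that leaves the interface up needs a reachability-based tracking object or routing-protocol failover instead, which is worth asking the provider about.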
by: giltjr, posted on 2007-03-06 at 18:34:55, ID: 18667493
I think we need more info. Is the MPLS service their EVPN service?
Are they providing two PVCs, one for the site-to-site communication and one for the Internet?
Will the Internet actually terminate on the router at your site or are you getting their managed firewall service?