

Which Cisco router? 3 WAN Failover / SonicWall Configuration

Posted on 2004-08-25
Medium Priority
Last Modified: 2012-06-27
We have one office with an ISA and EXG server, with our other critical servers (SQL, IIS, 2x Red Hat machines) hosted offsite in a data centre. We have a SonicWall TZ170 in the office and a PRO 3060 in the data centre. We use a sonic to sonic VPN for traffic going from us to our servers in the data centre.

In terms of connectivity, we have a 2Mb leased line, a 2Mb ADSL, and a line provided by a data centre next door (at which our servers are not hosted) which is essentially a second leased line. All have public IPs. The 2Mb leased line has a Cisco 1700 series router which is managed by our provider and which we cannot alter. The ADSL has a Zoom ADSL modem. The third line comes to us from a data centre next door, and we get just the line (i.e. they manage the router).

We just had a very frightening experience where our 2Mb leased line failed. We have not yet configured a failover, because we do not yet have a router that would have the 3 WAN ports to support this. We want to purchase a Cisco router which can take 3 Ethernet WAN ports and configure it such that if traffic cannot get through on the leased line, it fails over automatically to the ADSL, and if that fails, it fails to the third line. The plan is to configure the SonicWall in the data centre such that it will accept VPN connections from any of these three public IPs.

I have a few questions:

Which Cisco router and which modules would you recommend? We may eventually want to run these routers themselves in a failover configuration (i.e. have 2). As a young business, cost is an important factor. Also, we do not plan on using any advanced features apart from these.

My second question is for the config of the SonicWall Pro 3060: is it best to configure 3 separate VPN policies so that in a situation where a line failed the sonic would automatically accept a VPN connection from a different public IP? Will the sonic have issues if it does not realise the first VPN connection is dropped and we immediately try and initiate a second VPN from the same device (our office sonic)? Are there any specific settings we should apply?

Many thanks to anyone who can help!
Question by: jbreg

Accepted Solution

lrmoore earned 2000 total points
ID: 11896629
If I understand correctly:
You have one leased line to a router that you can't touch. You get an Ethernet feed.
You have one DSL modem with an Ethernet feed to you.
You have an "extra" Ethernet feed from the Data Center next door.
Each one gives you an IP address.

Looks like you need a router with 4 Ethernet interfaces.

Cisco has a 2651 router that has 2 onboard, and you can add a module with 2 more 10/100 interfaces (NM-2FE), or one module with 4 Ethernet (10Mb) ports (NM-4E), giving you the total that you need.
To get the automatic failover resiliency that you want, you might want to consider using Service Assurance Agent (SAA) configurations. Some creative NAT with route-maps and you're in business.
Down the road as you grow, you can add a 2nd identical router for double-resiliency, or just add a redundant power supply or something. Modularity all the way...

As long as the 3060 is configured to accept the tunnel from any one of three IP addresses, I don't see any issues there. I'm not a SonicWall expert, so my input on that subject is limited.
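
An added example, not part of lrmoore's answer or the original thread: a minimal IOS sketch of the approach the answer names, with SAA probes driving tracked default routes and per-interface NAT selected by route-maps. All addresses are constructed documentation-range values, and the interface names, probe targets, probe frequency and route-map names are assumptions; it uses the older `rtr` (SAA) command form, which later IOS releases renamed to `ip sla`.

```cisco
! Constructed example: RFC 5737 addresses, assumed interface names.
! Fa0/0 = leased line, Fa0/1 = ADSL, Fa1/0 = third line, Fa1/1 = inside (TZ170 WAN side)
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface FastEthernet1/0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
interface FastEthernet1/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! SAA echo probes to a host beyond each provider's first hop (assumed targets)
rtr 1
 type echo protocol ipIcmpEcho 198.51.100.129
 frequency 10
rtr schedule 1 life forever start-time now
rtr 2
 type echo protocol ipIcmpEcho 203.0.113.129
 frequency 10
rtr schedule 2 life forever start-time now
track 1 rtr 1 reachability
track 2 rtr 2 reachability
!
! Pin each probe to its own line so it cannot succeed over a backup path
ip route 198.51.100.129 255.255.255.255 198.51.100.1
ip route 203.0.113.129 255.255.255.255 203.0.113.1
!
! Defaults in order of preference; a tracked route is withdrawn when its probe fails
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10 track 2
ip route 0.0.0.0 0.0.0.0 192.0.2.1 20
! Translate inside hosts to whichever outside interface the packet leaves by
access-list 10 permit 192.168.10.0 0.0.0.255
route-map NAT-LEASED permit 10
 match ip address 10
 match interface FastEthernet0/0
route-map NAT-ADSL permit 10
 match ip address 10
 match interface FastEthernet0/1
route-map NAT-DC permit 10
 match ip address 10
 match interface FastEthernet1/0
ip nat inside source route-map NAT-LEASED interface FastEthernet0/0 overload
ip nat inside source route-map NAT-ADSL interface FastEthernet0/1 overload
ip nat inside source route-map NAT-DC interface FastEthernet1/0 overload
```

Because the leased line and the third line arrive as Ethernet handoffs from routers the office does not manage, interface state alone will not reveal an upstream failure, which is why the probes target a host past the first hop. With the TZ170 sitting behind this NAT, the tunnel to the PRO 3060 depends on IPsec NAT traversal and will arrive from a different public IP after each failover.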


Author Comment

ID: 11896715
Excellent comments, that's exactly what I was after.

Question has a verified solution.