redundant networking to internet

I have two computers hosted at a datacenter.
Computer A is the web and computer B is the database.

Currently I have two nics in each computer.  A1 A2  B1 B2
A switch connects A2 -> B2 so the computers can communicate
A1 is hooked to the internet.  Computer A is running a firewall.

The switch is a single point of failure.
The datacenter gives us a 2nd drop to the internet which is unused.

How do I set this up so,
A.  I am using a real firewall
B.  The equipment is redundant in case a piece of it fails.
C.  I am using both of the drops to the internet.


P.S.  I sell Fortinet routers (very few, my primary business is not router config) but my hunch is that for any vpn work Cisco 501 5505 are more reliable.
That diagram doesn't match up with the description in the original question.

The attached diagram is based on original question.
You would need 2 high-availability router/firewalls, the Cisco 5510 is a good choice.
Don't need any switches (the 5510 has 3x 10/100 & 2 gig ports).
If you want redundant equipment you'll need to buy 2 Cisco 5510s with HA (High Availability). The 501 and 5505 do not support redundancy.
I don't think you would be able to terminate 2 internet connections on the firewalls and terminate the VPN on the firewall with a reachable address.
For full redundancy I think you would need to look at 2 routers running GLBP going into 2 switches (connected to each other) and the 2 outside interfaces of the firewall connected to this, but it all depends how much redundancy you want.
How much traffic will these two servers be generating?
Using real datacenter-grade equipment may seem like overkill just for two servers.

Do the two network drops just go to the same provider, or a different provider switch, but the same VLAN (subnet)?

Or are you actually multi-homed with each of the two network drops going to a totally different ISP?

Do you have your own AS# and an assignment of IP space for multihoming?
This certainly affects what type of equipment you need.

Does the failover need to be completely automatic, or is it OK if you have to log in to a switch, turn a port or two off, then log in to another switch and turn a port or two on?

If you want to be fully redundant against failure of any of your equipment, and
you must have a "real" firewall box, I would use.. at least:

Two Firewall devices, probably PIX 515s or something newer/better, since the failover capability is available.

Two managed switches with port VLAN, 802.1q tagging, and spanning tree protocol support.
Use layer 3 switches such as 3550s, otherwise you need dedicated routers too.

For each server, plug one NIC into switch A, plug the other NIC into switch B.
Use interface teaming, or (Linux) network bonding in active-backup mode, to allow failover to the second NIC.

Place all the ports that servers are plugged into in a VLAN. Plug each firewall's inside interface, say E0, into a port on each switch and make that a trunk port. Create a VLAN interface on the firewall, and give servers IPs in the same subnet, with the firewall as default gateway; this is either assigned by one of your providers, or they are private IPs that will be translated to public IPs by your firewall.

Similarly, create a VLAN for your firewalls' outside interfaces, and a VLAN interface on the firewall for the outside IP.

Each of these in its own little subnet.

And an additional VLAN for each provider's  drop, or a shared VLAN if it's the same provider, and they'll let you do the failover with spanning tree protocol.

The VLAN interfaces for these go on your L3 switch.

Set up your layer 3 switch to route between the providers and the firewall outside interface.

You should consult with the ISP / data center's network engineers for some guidance.
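
An added example, not part of the original answer: NIC failover in active-backup bonding only helps if the standby link is actually up, so this check parses the Linux bonding status file and flags a bond that has silently lost its second path. The bond name `bond0`, the interface names, the helper names and the sample status text are constructed assumptions.

```shell
#!/bin/sh
# Added example. bond_check and write_sample are hypothetical helper names.

# Emit a constructed /proc/net/bonding/bond0 listing; $1 is eth1's MII status.
write_sample() {
    cat <<EOF
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: eth0
MII Status: up
Link Failure Count: 0

Slave Interface: eth1
MII Status: $1
Link Failure Count: 3
EOF
}

# bond_check FILE: one-line verdict on stdout; exit 0 only when the bond is in
# active-backup mode, has at least two member NICs, and every member has link.
bond_check() {
    awk '
        /^Bonding Mode:/           { mode = $0; sub(/^Bonding Mode: */, "", mode) }
        /^Currently Active Slave:/ { active = $NF }
        /^Slave Interface:/        { cur = $NF; n++ }
        # The bond-wide "MII Status" line precedes any member, so cur is empty there.
        /^MII Status:/ && cur != "" && $NF != "up" { down = down " " cur }
        END {
            if (mode !~ /active-backup/) { print "WRONG_MODE " mode; exit 2 }
            if (n < 2) { print "NO_REDUNDANCY slaves=" (n + 0); exit 1 }
            if (down != "") {
                print "DEGRADED active=" active " down=" substr(down, 2); exit 1
            }
            print "OK active=" active " slaves=" n
        }' "$1"
}

# Demo on the constructed sample; on a server, pass /proc/net/bonding/bond0.
sample=$(mktemp)
write_sample down > "$sample"
bond_check "$sample" || echo "failover to the second NIC is not available"
rm -f "$sample"
```

Run from cron or a monitoring agent, a non-zero exit is the signal that the server is one switch or cable failure away from losing connectivity.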


gsgi (Author) commented:
OK. Thanks for the feedback:

10-20 meg is normal to the internet - sometimes for short periods it will go up to 50-70 meg (1 - 2 minutes every few days).

Between server A and server B there is a gig switch. At a university, my testing showed 60 - 70 megs is normal for two computers communicating over a gig network, which was only a little higher than the 40-50 meg I'd see over a 100 meg switch. I have not metered these two particular servers that are interconnected.

The two drops go to the datacenter internet, which uses several different providers and is connected to other datacenters they own too. But as for whether one drop is Layer3 and the other drop is Savvis or something like that, I do not know.

I had the two switches and two HA firewalls and trunking in my basic idea (didn't know the 5505 doesn't do HA) but didn't have the VLAN part, although I think that I understand it...

Here is what my client asked me specifically - the drawing is his:
>Here is my basic idea on how I would setup my two networks.
>Does this make sense?  Can the router take a given IP address
>and route traffic to an internal address as I show below?

This drawing does add one more step that I did not initially bring into the discussion ... there is a second datacenter he has setup identically and a private network running between them so he can replicate the db from dc1 to dc2 ...  he is currently not using this dc to dc private connection because he is awaiting my recommendation on how to connect all this stuff together.

gsgi (Author) commented:
I assume we have to VPN over the private dc to dc drop but I do not know. All he told me about it is that he is charged less for traffic over it than traffic out to the internet.

gsgi (Author) commented:
Here is the diagram I came up with based on the feedback here for the redundancy. His diagram doesn't speak to the redundancy. In my diagram with the redundancy of the two NICs, we would not be running an internal and an external subnet between the two computers, but I do not think one is necessary for them to talk.


The reason I think you need routers between the firewalls and the internet connection is the VPN. If the firewalls fail over and the VPN is suddenly terminated on a different device, the VPN endpoint address will be different if it is a different ISP on the other ASA.
It's something I'm not sure how you would do: having a VPN available with the same endpoint address via 2 different ISPs. I've done it with 2 connections from the same ISP but not different ones.
Also, HA does not work like you've drawn it. You have drawn it like HSRP with 2 addresses and a 3rd virtual address. would be the gateway address and when the device fails over the address moves to the other device. I would definitely suggest the use of switches rather than different interfaces on the ASA. That's not what the ASA interfaces are there for. They are there for different networks with different security levels, not to be used as a stand-in switch.

How the two drops are provided and where you get your IP addresses from is important in the design, and potentially affects the best choice of equipment.

The link redundancy is a lot easier on your end if both links go to the same immediate upstream ISP, and the same IPs are usable on each link.


You need for the upstream(s) to fail the incoming traffic to the other link, if one of the links fails, or if the firewall that link is connected to fails.

Your upstream won't necessarily know that your firewall #1 has failed, unless link is physically lost,
but sometimes devices may die while the link stays physically up.

You need some IP addresses for your equipment that you can use with _either_ ISP, in addition to peering subnets specific to each ISP (for routing equipment only); otherwise, you don't really have full redundancy -- a failure of Link A that makes Link A's IPs unreachable is _NOT_ redundancy.

In a typical scenario, failover with multiple ISPs would be accomplished by multihoming -- getting a  multi-homable  /24  from one of your ISPs.

Negotiate with each of your ISPs to establish BGP sessions with your router (which also means 2 additional subnets for each peering).
You convince your two ISPs to allow you to advertise your /24  out of each link, and if a link fails,  the advertisement goes away in about 5 minutes, only the other link's advertisement remains.

This is probably the most graceful failure method possible with multiple completely different ISPs.   But a Firewall device generally cannot do this.

If both network drops are provided by the same ISP, as I would suspect might be the case here, the failover scenario and setup for ISP failover probably requires much more work.

Your ISP may provide a way for you to use OSPF for L3 redundancy, which some firewalls can deal with, or may be able to provide the failover at L2, by allowing you to use switches and STP, letting the ISP handle the routing for you, if say, both your network drops are on the same provider VLAN.

This is the ideal case, where a pair of 5510 with the right features licensed  should work.

gsgi (Author) commented:
In the redundancy we talked about, the idea that one of those two internet connections provided by the datacenter would go down never came up.  I think we were more worried about the equipment we own in the rack than the stuff provided by the datacenter ... but since you have now brought that up, I will think about it too.
