Thirst4Knowledge

IP Fail-over help

Hi Experts,

Can anybody give me advice on IP fail-over?

In the diagram provided below I show a simple layout of what I intend to do.

What I need is advice about the following

1) A quick briefing on how IP fail-over would work in this scenario

2) Recommended Equipment

3) Configuration & concepts

FYI

The Data Centre has a Cisco ASA firewall
The Primary line is a 100Mbps leased line
The Backup/fail-over line is an SDSL line
All VPNs will terminate on the ASA firewall

I'm struggling to find any links on IP fail-over or examples of set-ups.

If you need any more detail please let me know

PS I have purposely left out any IP info as the HQ is going to be a new office and there is nothing set up there in terms of equipment and IP addresses, so this is essentially a "clean slate design".

Thanks
T4K
Ip-Failover.png
Istvan Kalmar

Thirst4Knowledge

ASKER

Thank you I will have a look and get back to you
So the only link to the datacenter is from your office (i.e. all traffic to the datacenter needs to go via your office internet connection)?
We intend to split the traffic so that business data can go through the leased line and porn can go through either the SDSL line (might as well utilise it if it's just sitting there as a failover), or perhaps route browsing traffic through some other means like an ADSL.
Can anyone answer:

2) Recommended Equipment

I want to keep costs down as much as possible; our supplier has suggested both a firewall and a router.... I was wondering if we could get away with an ISR.

Considering it's a point-to-point connection, the need for a dedicated firewall seems over the top, and I wonder if we're not being made to buy overly expensive solutions (God forbid...).
I would also like to know if there is a need for a VPN over the leased line; since it is a point-to-point leased line connection, then surely not?
The ISR has reasonably good zone based firewall.  It depends on whether you need deep packet inspection or more serious threat defence system than what is available in IOS.

Without understanding what your business does (ie no financial services or healthcare records?), I would think that the IOS firewall on the ISR should be sufficient.  You could run with CBAC and IPS for more threat defence.

As for the choice of router, you want to check what the entry level BGP router is in the ISR range.  The 1800/1900 series should support it - but you want to check on Cisco's feature navigator.  You should get as much money as you can afford.  

If your leased line is a leased L2 P2P connection then there is no need for a VPN.   Being able to support jumbo frames on it would be an added plus if you are doing replication.
"If your leased line is a leased L2 P2P connection then there is no need for a VPN.   Being able to support jumbo frames on it would be an added plus if you are doing replication."

Thank you for this

We do have healthcare & financial records, but they will be held at the data-centre protected by an ASA firewall, so I guess there is no need for a dedicated firewall at the remote office?
In a way you have two scopes to the question.
One dealing with access of business data either via the Point-to-Point or VPN as a failover.
The other is the web access.
What equipment currently exists in the HQ?

While adding bandwidth use, setting up OSPF or similar routing between the HQ and the offsite will deal with a link going down being detected, where a VPN will be the failover.
A router that terminates both the Point-to-point and the ADSL could handle the interface based routing of web traffic if it is a necessity.
At HQ we have decided to go for an ISR (Cisco 2900).


Ok so we have been advised that a Cisco 2921 will do the trick.
 
What I need to know is where would I terminate the connection to the Data Centre?
 
Would there be any issues with plugging it straight into the core switch in the Data centre?
Could you provide an updated diagram that you envision with the new router in the MIX.

Unless the data center and your HQ are currently getting the services from the same source, an IP failover might not be possible.
If the same provider handles both, you could use BGP to transition the advertising of a block of IPs from one location to the other.  If you own your own block of IPs, you could do the same across different providers.
Thank you arnold, I am updating the diagram and will provide it shortly.
 
Just so you know:
Data Centre side:
A block of IPs assigned by provider "A"
HQ
A block of IPs from the same provider "A"
SDSL
Block of IPs from a different provider
 
Another point is that I thought I would just use an RFC1918 Private address space at the HQ and if I were to connect it to the Data centre.
The issue is not with the private IP space but with the public one to which external resources will be connecting.
Let's say you have a block of public IPs x.x.x.0/28 (16 public IPs) that can shift between the HQ router and the Datacenter.
Since it is the same provider, the BGP advertisement will take some time to propagate, but it should be quick since it is internal to their organization.
This 16 IP block is separate and distinct from the regular IPs.
If you are certain that the leased point to point line will be up, you can route the incoming requests via the leased line. The other option is to map x.x.x.2 on each side to a local server that is mirrored.

You could have the BGP advertising of the same block which could distribute the load.
Check with provider A if such a setup is an option for you.


I'm not sure where BGP will fit into this.  I think that the 2921 has BGP capability, but the terminating equipment on the other side I'm sure doesn't.
 
It's either going to plug into a 2960 switch in the Data centre as there is no other choice; there is a 2800 router at the data centre but it only has 2 Ethernet ports which are already being used. I will give you a diagram of the setup.
The BGP needs to be setup between the router and provider A's equipment.  This is where you advertise the public IPs.
Hi Arnold
"Could you provide an updated diagram that you envision with the new router in the MIX."

Point-to-point-sana.jpg
I would think that the connection is between the two routers.

Advertising routing rules to your provider would provide for IP failover for the provider A connection.  If provider A has network issues or your connection to provider A at both locations fails, there is nothing that can be done.  All you would be able to do is access the net since the DSL is provided by someone else, unless you get your own IP blocks and reach agreement with all providers to advertise your IP block through them.
Most have a set minimum limit on the size of the IP segment that they would advertise with BGP.
i.e. some may not advertise anything smaller than a class C segment, /24 (255.255.255.0).

The other part would be to configure each side.
i.e. your public IP is X.X.X.X.  The question is whether you want it hitting the same server or whether it hits a mirrored server at each site.

i.e. the web server head unit can be set up such that each location hits the local web server, with the SQL server (if any) set up as a geographic failover.  Note the application setup on the web server has to be able to deal with/handle the failover,
i.e. try one, on failure try the other.
arnold,

The 2800 router at the DC only has 2 Ethernet ports which are already being used.  So I have no way to connect the routers directly.


Unless you can think of something else :/
The point to point is not a serial (T1) type of a connection?
Since you have Provider A through which your Datacenter and your HQ is connected, I think you should ask them what options they can setup to handle the IP failover.

The difficulty deals with whether both sides advertise the public Network or whether you have to start the advertising on one side when the other fails.
i.e. have a system behind each check the other to see that it is up and in the event it is not, start the local bgp session.

The drawing is deceptive as it is not clear where the provider connection is dropped in on the datacenter

Do you have:
Internet <=> provider A <=> Router 2800 <=> ASA
Or from the drawing
Internet <=> provider A <=> ASA <=> Router <=> Switch
The question is if your provider drops an Ethernet connection that you are setting into the ASA, what is the purpose for the router?

Depending on which ASA you have, you could have one of its 5/8 ports going into a switch and set up the point to point, which seems to also be Ethernet based, to the HQ.
 
I believe the ASA's support BGP as well.
The point to point is not a (T1) serial connection; it is a 100Mbps connection which is presented with Ethernet cables at each end.

I have an ASA 5510
So because your ASA is limited to a certain number of clients, you have to use the router?
Sorry, but now I'm really confused...

All I want to do is connect my new office to the Data centre via a point to point leased line connection.

I just want to know where and how I should connect both sides.

Let's forget the failover for now as it's getting really confusing.


That is the problem: you do not have an available Ethernet port.
One option is to configure new office 2900 Ethernet port to which the Point to point connects with an IP from the LAN on the 2800
i.e.
2800 Ethernet1 has the IP from the ASA
Ethernet2 has IP  for example 172.25.0.1/24.
You would need to configure your 2900 Ethernet port to have an IP 172.25.0.3 as an example.
Once you do that, your 2900's routing table will reflect that access to 172.25.0.0/24 should go through the EthernetPort having the IP 172.25.0.3.


An updated image with SDSL VPN backup:
 
I was thinking of just putting a metric on the VPN interface that is higher than the point to point interface, so should one go down it will fail over to the other one... like 2 default floating static routes.
point-to-point-with-VPN--over-SD.pdf
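A worked configuration for the floating-static-route idea above, using the 172.25.0.x addressing arnold suggested earlier; this is an added example and not a configuration from the thread or from any poster. It assumes GigabitEthernet0/0 on the HQ 2921 is the leased-line port, that the VPN over the SDSL is presented as a routed interface Tunnel0 (how that tunnel is built against the ASA is not shown), and uses 10.0.0.0/16 as a placeholder for the DC LAN.

```cisco
! Added example: HQ 2921, leased line primary with VPN-over-SDSL backup.
! Assumptions (not from the thread): Gi0/0 = leased line, Tunnel0 = VPN
! interface, 10.0.0.0/16 = DC LAN (placeholder), 172.25.1.0/30 = tunnel
! subnet (placeholder).
!
interface GigabitEthernet0/0
 description Point-to-point leased line to DC 2800 Ethernet2 (172.25.0.1)
 ip address 172.25.0.3 255.255.255.0
 no shutdown
!
interface Tunnel0
 description VPN over SDSL (backup path); tunnel build-out not shown
 ip address 172.25.1.2 255.255.255.252
!
! An Ethernet-presented circuit can stay up/up while the carrier path is
! broken, so a route that depends only on line protocol may never be
! withdrawn. Probe the far-end router instead and tie the primary route
! to that probe.
ip sla 1
 icmp-echo 172.25.0.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Primary: administrative distance 1 (default); removed from the routing
! table while track 1 is down.
ip route 10.0.0.0 255.255.0.0 172.25.0.1 track 1
! Floating backup: distance 250, installed only while the primary is absent.
ip route 10.0.0.0 255.255.0.0 172.25.1.1 250
!
! Cutover test (unplug the leased line or make 172.25.0.1 unreachable):
!  show track 1            -> "Reachability is Down"
!  show ip route 10.0.0.0  -> next hop 172.25.1.1 via Tunnel0
```

The DC side needs the mirror of this (a route for the HQ LAN via 172.25.0.3 on the 2800 and a lower-preference route via the ASA's VPN); otherwise only the HQ-to-DC half fails over and return traffic keeps using the dead path.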
ASKER CERTIFIED SOLUTION
arnold

Did not get to the bottom of it.