Link to home
Start Free TrialLog in
Avatar of Thirst4Knowledge

asked on

IP Fail-over help

HI Experts,

Can anybody give me advice on IP fail-over?

In the diagram provided below I show a simple layout of what I intend to do.

What I need is advice about the following

1)A quick briefing on how IP fail-over would work in this scenario

2)Recommended Equipment

2)Configuration & concepts


The Data Centre has a Cisco ASA firewall
The Primary line is a 100Mbps leased line
The Backup/fail-over Line is the an SDSL Line
All VPN's will terminate on the ASA firewall

I'm struggling to find any links on IP fail over or examples of set-ups

If you need any more detail please let me know

PS I have purposely left out any IP info as the HQ is going to be a new office and there is nothing set-up there in terms of equipment and IP addresses, so this is essentially a "Clean slate design"

Avatar of Istvan Kalmar
Istvan Kalmar
Flag of Hungary image

Avatar of Thirst4Knowledge


Thank you I will have a look and get back to you
So the only link to the datacenter is from your office (ie all traffic to the datacenter needs to go via your office internet connection ?
We intend to split the traffic so that Business data can go through the leased line and porn can go through the either the sdsl line (might as well utilise it if its just sitting there as a failover) or perhaps route browsing traffic through some other means like an ADSL
can anyone answer :

2)Recommended Equipment

I wan't to keep costs down as much as possible, our supplier has suggested both a firewall and a router.... I was wondering if we could get away with an ISR.

Considering its a point to point connection and the need for a dedicated firewall seems over the top and I wonder if were not being made to buy overly expensive solutions (God forbid...)
I would also like to know if there is a need for a VPN over the leased line, since it is a point to point leased line then connection then surely not ?
The ISR has reasonably good zone based firewall.  It depends on whether you need deep packet inspection or more serious threat defence system than what is available in IOS.

Without understanding what your business does (ie no financial services or healthcare records?), I would think that the IOS firewall on the ISR should be sufficient.  You could run with CBAC and IPS for more threat defence.

As for the choice of router, you want to check what the entry level BGP router is in the ISR range.  The 1800/1900 series should support it - but you want to check on Cisco's feature navigator.  You should get as much money as you can afford.  

If your leased line is a leased L2 P2P connection then there is no need for a VPN.   Being able to support jumbo frames on it would be an added plus if you are doing replication.
"If your leased line is a leased L2 P2P connection then there is no need for a VPN.   Being able to support jumbo frames on it would be an added plus if you are doing replication."

Thank you for this

We do have healthcare & Financial records but they will be held at the data-centre protected by an ASA firewall, so I guess there is no need for a dedicated firewall at the remote office ?
In a way you have two scopes to the question.
One dealing with access of business data either via the Point-to-Point or VPN as a failover.
The other is the web access.
What equipment currently exists in the HQ?

While adding bandwidth use setting up a OSPF or similar routing between the HQ and the Offsite will deal with a link going down being detected where a VPN will be the failover.
A router that terminates both the Point-to-point and the ADSL could handle the interface based routing of web traffic if it is a necessity.
at hq we have decided to go for an ISR (cisco 2900)

Ok so we have been advised that a Cisco 2921 will do the trick.
What I need to know is where would I terminate the connection to the Data Centre?
Would there be any issues with plugging it straight into the core switch in the Data centre ?
Could you provide an updated diagram that you envision with the new router in the MIX.

Unless the data center and your HQ are currently getting the services from the same source, an IP failover might not be possible.
If the same provider handles both, you could use BGP to transition the advertising of a block of IPs from one location to the other.  If you own your own block of IPs, you could do the same accross different providers.
Thank you arnold, I am updating the diagram and will provide it shortley.
Just so you know:
Data Centre side:
A block of IP's assigned by provider "A"
A block of IP's from the same provider "A"
Block of IP's from different provider
Another point is that I thought I would just use an RFC1918 Private address space at the HQ and if I were to connect it to the Data centre.
The issue is not with the private IP space but with the public one to which external resources will be connecting.
lets say you have a block of public IP x.x.x.0/28 (16 public IPs) that can shift between the HQ router and the Datacenter.
Since it is the same provider, the BGP advertisement will take some time to propagate, but it should be quick since it is internal to their organization.
This 16 IP block is separate and distinct from the regular IPs.
If you are certain that the leased point to point line will be up, you can route the incoming requests via the leased line. The other option is to map x.x.x.2 on each side to a local server that is mirrored.

You could have the BGP advertising of the same block which could distribute the load.
Check with provider A if such a setup is an option for you.

Im not sure where BGP will fit into this.  I think that the 2921 has BGP capability but the terminating equipment on the other side Im sure dosn't.
Its either going to plug into a 2960 switch in the Data centre as thre is no other choice, there is a 2800 Router at the data centre but it only has 2 Ethernet ports which are already being used. I will give you a diagram of the setup
The BGP needs to be setup between the router and provider A's equipment.  This is where you advertise the public IPs.
Hi Arnold
"Could you provide an updated diagram that you envision with the new router in the MIX."

I would think that the connection is between the two routers.

Advertising routing rules to your provider would provide for IP fallover for the provider A connection.  If provider A has network issues or your connection to provider A at both location fail, there is nothing that can be done.  All you would be able to do is access the net since the DSL is provided by someone else unless you get your own IP blocks and reach agreement with all providers to advertise your IP block through them.
Most have a set minimum limit on the size of the IP segment that they would advertise with BGP.
i.e. some may not advertise any less than a class C segment /24,

The other part would be to configure each side.
i.e. your public IP is X.X.X.X.  The question whether you want it hitting the same server or whether it hits a mirrored server at each site?

i.e. web server head unit can be such that each location hits the local web server.  with the SQL server if any is setup as a geographic failover.  note the application setup on the web server has to be able to deal with/handle the failover.
i.e. try one, on failure try the other.

The 2800 router at the DC only has 2 Ethernet ports which are already being used.  SO I have no way to conect the routers directly.

Unless you can think of something else :/
The point to point is not a serial (T1) type of a connection?
Since you have Provider A through which your Datacenter and your HQ is connected, I think you should ask them what options they can setup to handle the IP failover.

The difficulty deals with whether both sides advertise the public Network or whether you have to start the advertising on one side when the other fails.
i.e. have a system behind each check the other to see that it is up and in the event it is not, start the local bgp session.

The drawing is deceptive as it is not clear where the provider connection is dropped in on the datacenter

Do you have:
Internet <=> provider A <=> Router 2800 <=> ASA
Or from the drawing
Internet <=> provider A <=> ASA<=>Router<=>Switch
The question is if your provider drops an Ethernet connection that you are setting into the ASA, what is the purpose for the router?

Depending on which ASA you have, you could have one of its 5/8ports  going into a switch and setup the point to point which seems to also be Ethernet based to the HQ.
I believe the ASA's support BGP as well.
The pointo to point is not a (T1) serial connection it is a 100Mbps connection which is presented with Ethernet cables at each end.  

I have an ASA 5510
So because your ASA is limited to a certain number of clients, you have to use the router?
sorry but now Im really confused...

All I want to do is connect my new office to the Data centre via a point to point leased line connection

I just one to know where and how I should connect both sides.

Lets forget the failover for now as its getting realy confusing

That is the problem is that you do not have an available ethernet port.
One option is to configure new office 2900 Ethernet port to which the Point to point connects with an IP from the LAN on the 2800
2800 Ethernet1 has the IP from the ASA
Ethernet2 has IP  for example
You would need to configure your 2900 Ethernet port to have an IP as an example.
Once you do that, your 2900's routing table will reflect that access to should go through the EthernetPort having the IP

an updated image with SDSL VPN backup
I was thinking of just putting a metric ont the VPN interface that is higher then the point to point interface so should one go down it will fall over to the other one... like 2 default flaoting static routes
Avatar of arnold
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
did not get to the bottom of it