Avatar of Thirst4Knowledge
Thirst4Knowledge
 asked on

IP Fail-over help

HI Experts,

Can anybody give me advice on IP fail-over?

In the diagram provided below I show a simple layout of what I intend to do.

What I need is advice about the following

1)A quick briefing on how IP fail-over would work in this scenario

2)Recommended Equipment

2)Configuration & concepts

FYI

The Data Centre has a Cisco ASA firewall
The Primary line is a 100Mbps leased line
The Backup/fail-over Line is the an SDSL Line
All VPN's will terminate on the ASA firewall

I'm struggling to find any links on IP fail over or examples of set-ups

If you need any more detail please let me know

PS I have purposely left out any IP info as the HQ is going to be a new office and there is nothing set-up there in terms of equipment and IP addresses, so this is essentially a "Clean slate design"

Thanks
T4K
Ip-Failover.png
Network ArchitectureRoutersCiscoNetworking Hardware-Other

Avatar of undefined
Last Comment
Thirst4Knowledge

8/22/2022 - Mon
Istvan Kalmar

Thirst4Knowledge

ASKER
Thank you I will have a look and get back to you
router_doctor

So the only link to the datacenter is from your office (ie all traffic to the datacenter needs to go via your office internet connection ?
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
Thirst4Knowledge

ASKER
We intend to split the traffic so that Business data can go through the leased line and porn can go through the either the sdsl line (might as well utilise it if its just sitting there as a failover) or perhaps route browsing traffic through some other means like an ADSL
Thirst4Knowledge

ASKER
can anyone answer :


2)Recommended Equipment

I wan't to keep costs down as much as possible, our supplier has suggested both a firewall and a router.... I was wondering if we could get away with an ISR.

Considering its a point to point connection and the need for a dedicated firewall seems over the top and I wonder if were not being made to buy overly expensive solutions (God forbid...)
Thirst4Knowledge

ASKER
I would also like to know if there is a need for a VPN over the leased line, since it is a point to point leased line then connection then surely not ?
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
router_doctor

The ISR has reasonably good zone based firewall.  It depends on whether you need deep packet inspection or more serious threat defence system than what is available in IOS.

Without understanding what your business does (ie no financial services or healthcare records?), I would think that the IOS firewall on the ISR should be sufficient.  You could run with CBAC and IPS for more threat defence.

As for the choice of router, you want to check what the entry level BGP router is in the ISR range.  The 1800/1900 series should support it - but you want to check on Cisco's feature navigator.  You should get as much money as you can afford.  

If your leased line is a leased L2 P2P connection then there is no need for a VPN.   Being able to support jumbo frames on it would be an added plus if you are doing replication.
Thirst4Knowledge

ASKER
"If your leased line is a leased L2 P2P connection then there is no need for a VPN.   Being able to support jumbo frames on it would be an added plus if you are doing replication."

Thank you for this

We do have healthcare & Financial records but they will be held at the data-centre protected by an ASA firewall, so I guess there is no need for a dedicated firewall at the remote office ?
arnold

In a way you have two scopes to the question.
One dealing with access of business data either via the Point-to-Point or VPN as a failover.
The other is the web access.
What equipment currently exists in the HQ?

While adding bandwidth use setting up a OSPF or similar routing between the HQ and the Offsite will deal with a link going down being detected where a VPN will be the failover.
A router that terminates both the Point-to-point and the ADSL could handle the interface based routing of web traffic if it is a necessity.
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Thirst4Knowledge

ASKER
at hq we have decided to go for an ISR (cisco 2900)


Thirst4Knowledge

ASKER
Ok so we have been advised that a Cisco 2921 will do the trick.
 
What I need to know is where would I terminate the connection to the Data Centre?
 
Would there be any issues with plugging it straight into the core switch in the Data centre ?
arnold

Could you provide an updated diagram that you envision with the new router in the MIX.

Unless the data center and your HQ are currently getting the services from the same source, an IP failover might not be possible.
If the same provider handles both, you could use BGP to transition the advertising of a block of IPs from one location to the other.  If you own your own block of IPs, you could do the same accross different providers.
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Thirst4Knowledge

ASKER
Thank you arnold, I am updating the diagram and will provide it shortley.
 
Just so you know:
Data Centre side:
A block of IP's assigned by provider "A"
HQ
A block of IP's from the same provider "A"
SDSL
Block of IP's from different provider
 
Thirst4Knowledge

ASKER
Another point is that I thought I would just use an RFC1918 Private address space at the HQ and if I were to connect it to the Data centre.
arnold

The issue is not with the private IP space but with the public one to which external resources will be connecting.
lets say you have a block of public IP x.x.x.0/28 (16 public IPs) that can shift between the HQ router and the Datacenter.
Since it is the same provider, the BGP advertisement will take some time to propagate, but it should be quick since it is internal to their organization.
This 16 IP block is separate and distinct from the regular IPs.
If you are certain that the leased point to point line will be up, you can route the incoming requests via the leased line. The other option is to map x.x.x.2 on each side to a local server that is mirrored.

You could have the BGP advertising of the same block which could distribute the load.
Check with provider A if such a setup is an option for you.


This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Thirst4Knowledge

ASKER
Im not sure where BGP will fit into this.  I think that the 2921 has BGP capability but the terminating equipment on the other side Im sure dosn't.
 
Its either going to plug into a 2960 switch in the Data centre as thre is no other choice, there is a 2800 Router at the data centre but it only has 2 Ethernet ports which are already being used. I will give you a diagram of the setup
arnold

The BGP needs to be setup between the router and provider A's equipment.  This is where you advertise the public IPs.
Thirst4Knowledge

ASKER
Hi Arnold
"Could you provide an updated diagram that you envision with the new router in the MIX."

Point-to-point-sana.jpg
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
arnold

I would think that the connection is between the two routers.

Advertising routing rules to your provider would provide for IP fallover for the provider A connection.  If provider A has network issues or your connection to provider A at both location fail, there is nothing that can be done.  All you would be able to do is access the net since the DSL is provided by someone else unless you get your own IP blocks and reach agreement with all providers to advertise your IP block through them.
Most have a set minimum limit on the size of the IP segment that they would advertise with BGP.
i.e. some may not advertise any less than a class C segment /24,255.255.255.0

The other part would be to configure each side.
i.e. your public IP is X.X.X.X.  The question whether you want it hitting the same server or whether it hits a mirrored server at each site?

i.e. web server head unit can be such that each location hits the local web server.  with the SQL server if any is setup as a geographic failover.  note the application setup on the web server has to be able to deal with/handle the failover.
i.e. try one, on failure try the other.
Thirst4Knowledge

ASKER
arnold,

The 2800 router at the DC only has 2 Ethernet ports which are already being used.  SO I have no way to conect the routers directly.


Unless you can think of something else :/
arnold

The point to point is not a serial (T1) type of a connection?
Since you have Provider A through which your Datacenter and your HQ is connected, I think you should ask them what options they can setup to handle the IP failover.

The difficulty deals with whether both sides advertise the public Network or whether you have to start the advertising on one side when the other fails.
i.e. have a system behind each check the other to see that it is up and in the event it is not, start the local bgp session.

The drawing is deceptive as it is not clear where the provider connection is dropped in on the datacenter

Do you have:
Internet <=> provider A <=> Router 2800 <=> ASA
Or from the drawing
Internet <=> provider A <=> ASA<=>Router<=>Switch
The question is if your provider drops an Ethernet connection that you are setting into the ASA, what is the purpose for the router?

Depending on which ASA you have, you could have one of its 5/8ports  going into a switch and setup the point to point which seems to also be Ethernet based to the HQ.
 
I believe the ASA's support BGP as well.
                                       
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Thirst4Knowledge

ASKER
The pointo to point is not a (T1) serial connection it is a 100Mbps connection which is presented with Ethernet cables at each end.  

I have an ASA 5510
arnold

So because your ASA is limited to a certain number of clients, you have to use the router?
Thirst4Knowledge

ASKER
sorry but now Im really confused...

All I want to do is connect my new office to the Data centre via a point to point leased line connection

I just one to know where and how I should connect both sides.

Lets forget the failover for now as its getting realy confusing


⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
arnold

That is the problem is that you do not have an available ethernet port.
One option is to configure new office 2900 Ethernet port to which the Point to point connects with an IP from the LAN on the 2800
i.e.
2800 Ethernet1 has the IP from the ASA
Ethernet2 has IP  for example 172.25.0.1/24.
You would need to configure your 2900 Ethernet port to have an IP 172.25.0.3 as an example.
Once you do that, your 2900's routing table will reflect that access to 172.25.0.0/24 should go through the EthernetPort having the IP 172.25.0.3.

Thirst4Knowledge

ASKER

an updated image with SDSL VPN backup
 
I was thinking of just putting a metric ont the VPN interface that is higher then the point to point interface so should one go down it will fall over to the other one... like 2 default flaoting static routes
point-to-point-with-VPN--over-SD.pdf
ASKER CERTIFIED SOLUTION
arnold

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Thirst4Knowledge

ASKER
did not get to the bottom of it
Your help has saved me hundreds of hours of internet surfing.
fblack61