What device can I use to load balance two ISPs?

We currently have a network of about 50 devices. We have a Juniper SSG5 firewall connected to a cable ISP router providing our connection.  We want to introduce another ISP and purchase a Cisco device that will load balance the two connections and provide failover. We also need VPN capabilities.  We can replace the Juniper firewall if need be.  Any suggestions as to what device will fit the bill?
Asked by jp_tech

Justin Ellenbecker (IT Director) commented:
Any Cisco IOS router has load balancing standard.  Here is a document explaining it.  What are you trying to load balance?  Is it for a single web server or your entire network?

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094820.shtml
0
Justin Ellenbecker (IT Director) commented:
Depending on the pipe size and traffic amount I would look at something like a Cisco 2800 series or an ASA if you are going to replace a Juniper firewall.  Here is the Cisco guide for load balancing on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa71/asdm51/selected_procedures/asdm_lb.pdf

And here is the link to the ASA comparison. Again, without knowing your total network size I cannot make a solid recommendation, but the 5520 is a very nice model.

http://www.ciscosystems.ch/en/US/products/ps6120/prod_models_comparison.html

The 5520 doesn't have the Security Plus licensing, so there is no worry about adding it for your VPN capabilities. It will do most of what you need out of the box. SSL VPN still requires additional licensing; they do come with 2 SSL VPN licenses you can use to test it before purchasing more, though.
0

jp_tech (author) commented:
We were looking at an ASA 5510.  We have about 45 workstations, 1 SBS 2008 server which we use as a DC and for mail, no web server and one 2008 app server.  We currently have a cable connection with 30 down and 15 up and want to add Verizon with 50/30.  Each ISP has its own router with an Ethernet handoff. Will the ASA be able to load balance both connections?
0
ks_admin commented:
We use SonicWALL firewall/routers to do this...   they have High Availability / Load Balancing which has worked great for us in the past.  We've been using Pro5060 devices but we're about to go to a newer model, but still retains the same functionality.

It's also hard to go wrong with Cisco equipment..  it's rock solid, but we found them to be too complex for day to day administration without calling Cisco all the time.

0
Justin Ellenbecker (IT Director) commented:
The downside of an ASA is that it technically does not do load balancing for ISP connections; it will do a failover link.  To save costs and not require another router I would use the ASA and set your bigger pipe as the primary.  Then you can set up the SLA failover conditions in the ASA.  Is this something that is acceptable, using the cable connection as a backup link, or do you think you will saturate the Verizon line and need the bandwidth?
0
jp_tech (author) commented:
I personally am leaning towards using the failover links using the ASA but they are asking for a load balancing scenario as well.  What will that scenario look like?
0
Justin Ellenbecker (IT Director) commented:
If a Cisco router has equal-cost routes it will switch every other request.  This can cause unbalanced load balancing since some machines will use more bandwidth.  Then there is per-packet load sharing, which is easily configured; again, this is not perfect either since some packets are larger.  The final option is to create a virtual interface that both connections are in and the router will handle the rest; this also guarantees packet order, which is a must-have for VoIP.
0
jp_tech (author) commented:
In terms of future growth what would be the best option?
0
Justin Ellenbecker (IT Director) commented:
http://www.dslreports.com/faq/cisco/50.5_Load_Balance_2_ISP_with_Cisco  

Failover, in my opinion, is probably a little better way to go; otherwise you have to make sure your outbound traffic is routed properly from things like the mail server.  The link I posted shows how to make sure that certain traffic goes out the way it is supposed to so those services do not get interrupted.
0
jp_tech (author) commented:
Will an older 2600 router be able to handle the 50mbit bandwidth?
0
Justin Ellenbecker (IT Director) commented:
That is a good question. I was actually looking for this the other day since I use a 2621 at home and my cable company is upgrading to 60Mb in a few months.  Here is what I found.

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

That is right from Cisco, showing for example that my 2621 can only do about 12mbps, which sucks since I just moved and got a 25mbps line that will soon be 60mbps down.  For what you need you are looking at something like a 2811, but a 2821 would give you some room without taxing the hardware too much.  If you are still running an original 2621 like I am, you will be doing what I am doing: shopping for a new router.
0
jp_tech (author) commented:
This company will have a 50mbps pipe, which I think is plenty for them, and should not have to worry about load balancing. I think this complicates things.  I would much rather install the ASA with the failover.  I just wanted to be prepared to defend my position when I get the barrage of questions.
0
Justin Ellenbecker (IT Director) commented:
Which you will, and the easiest one I can think of is streaming. If you are sending packets out multiple IPs there is a good chance anything streamed is going to get busted when some of the packets go out the other interface. Given the same position I would also recommend the ASA.
0
jp_tech (author) commented:
Can you think of any other pros about having failover vs load balancing?
0
Justin Ellenbecker (IT Director) commented:
Unless you are running a high bandwidth and really need load balancing you can usually get away with a cheaper failover line since it is for emergency use only.  Also a failover line can in some situations be activated more quickly.  Load balancing can lead to extra management required before you can do maintenance.  We use an active/passive PIX system that is similar: the second PIX is failover only but identically configured, so when I make changes that require a reboot, I just do it.  No having to alert the entire building; most of the time you never even get a dropped page and streaming stays up as the requests rebuild.  Worst case a few people have to refresh their browser.  What I have seen with load balancing is that when the other node comes back up the system tries to balance again, which can cause disconnects and other drops.
0
jp_tech (author) commented:
This has assisted in my decision to go with the fail over as opposed to the load balance scenario.
0