Solved

Cisco 2801 - Verizon WAN HWIC - Routing/Gateway Question

Posted on 2010-11-23
Last Modified: 2012-05-10
Looking for some advice on how this will work for us in a disaster recovery scenario. Right now we are like most businesses on a fiber internet connection, and have fiber between our remote offices. If in a disaster we lost fiber to our headquarters facility, we want to use the Verizon WAN HWIC solution to get us by until fiber service is restored. What would this look like for us when the disaster happens? How would I route us out through Verizon?

Right now we have everyone with a default gateway of our main switch. That main switch has its default gateway as our firewall. When the disaster happens, do I just change the main switch's default gateway to my new router with the Verizon HWIC card in it?

I know this will only allow for outbound traffic to the internet, and nothing inbound, but will that work?

My other, more pressing concern is: will this be safe, since traffic will now be routed through Verizon and a router only, with no firewall?

Any thoughts or suggestions would be appreciated!

Link to the Verizon card
Question by:bschwarting

Expert Comment

by:djcapone
When you refer to the Verizon WAN HWIC solution, are you referring to the WWAN (aka 3G) solution or some other copper/fiber service provided by Verizon?

If each branch office has its own internet connection, you could utilize the fiber connections between offices to reroute traffic out of the branch office connections.

If I am correctly assuming you are referring to using a 3G solution as a backup, I will also assume that the fiber connecting all the branch offices to headquarters means that all internet access to the branch offices is being provided by the fiber connection at the HQ.

Based on these assumptions, you should be able to set an equal cost static route to the next-hop provided by the Verizon WWAN solution to act in a failover capacity. You are correct in assuming that inbound traffic to mail servers, etc. that rely on the IP space from your fiber provider would not work. The security issues regarding bypassing the firewall are varied and would be based upon where NAT/PAT translations are taking place.

If you could provide more information regarding your network topology (with IP numbering, X.X out public IP space), I could assist more.

Author Comment

by:bschwarting
Yeah, 3G, as a backup, and yes the HQ is the source for all internet.  Good assumptions!

From the reading I have done on ECMP routing, they say this is not a solution for failover, which is what we want.

We have 2 remote offices, and HQ, on the same subnet. We have multiple VLANs at the HQ, but left the same subnet to the remote offices to make it easier on configuration.

Everyone has the same gateway, which is our first floor switch. All of our NAT/PAT happens on the firewall, which is the default gateway of our first floor switch.

That is why I was thinking I could manually change the gateway to our Verizon solution if we are down, but I guess I would then have to have at least NAT set up on something.


Accepted Solution

by:
djcapone earned 500 total points
Hi,

To put some IP Numbers into this mix to get a clearer picture and explanation, I am going to assume the following layout:

Fiber Internet  (1.X.X.1)           Verizon WWAN (2.X.X.1)
   |    (1.X.X.2)                                    | (2.X.X.2)
Firewall                                        Cisco 2801          
   |    (10.1.0.1, 10.2.0.1, 10.3.0.1 /24s)     |     (10.1.0.2, 10.2.0.2, 10.3.0.2 /24s)
---------------------Main Switch-------------------------
          |                               |
          |           Various Branch Office Uplinks
   HQ Subnets        (10.3.0.X /24)
(10.1.0.X /24)
(10.2.0.X /24)    


From the diagram you can see that you would simply define all of the VLANs on the Cisco 2801 and give them a layer 3 address in each VLAN. You would also independently configure the Cisco 2801 for NAT. As long as the fiber solution is up, all traffic will be routed out of the firewall and nothing should end up in the router. In the event of a failure of the fiber circuit, there are several options that can be employed depending on the capabilities of the firewall and "main switch".

1. If the switch supports basic static layer 3 routes, I would still define both routes on the device, however, I would not make them equal cost.  Instead I would make the 3G network, say 100 compared to 10 for the fiber circuit.  This will ensure that traffic never "automatically" goes to the 3G circuit.  As mentioned, with static routing failover is not automatic unless the interface goes down.  So in the event the firewall fails and brings the interface down, it would act as an automatic failover.  However, if the circuit goes down and the interface remains up, having the route in place allows you to failover the path much quicker and easier by simply shutting down the interface going to the firewall.  This prevents the need to define a more complex route statement while you are in the middle of an outage.

2. If the main switch supports IP SLAs of some type, you can automate the failover of the static route.

3. If the firewall supports IP SLAs of some type AS WELL AS hairpinning, you may be able to use the firewall to failover to the 3G network if the fiber circuit fails. This would be a bit of a complex configuration.

One additional point I would like to make is that you could further subnet your network and place "important" users into their own VLAN. Since your failover circuit will be a 3G circuit, speeds will not be that stellar and can probably only reliably support maybe 10 simultaneous users at one time. I would consider essentially allowing the network to be down when the fiber circuit is down for everyone except these "VIPs". Otherwise, if internet access is granted company wide over the 3G network, the speeds will be so horrendous that everyone might as well be down.


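A worked IOS configuration for the layout in the accepted solution's diagram, covering the 2801 side (VLAN sub-interfaces, NAT, and an inbound filter so the WWAN path is not a firewall-free hole into the LAN) and the main switch side (options 1 and 2: floating static routes plus IP SLA tracking). This is an added example, not djcapone's or Cisco's own configuration. The diagram's 1.X.X.x and 2.X.X.x placeholders are replaced with constructed RFC 5737 documentation addresses, and the VLAN IDs, interface names, the switch SVI address 10.1.0.254, and the CDMA dialer stanza are assumptions.

```cisco
! ===== Cisco 2801 with the Verizon WWAN HWIC =====
! Constructed stand-ins for the diagram's placeholders (RFC 5737 ranges):
!   fiber ISP gateway 1.X.X.1  -> 203.0.113.1
!   WWAN gateway      2.X.X.1  -> 198.51.100.1
! VLAN IDs 10/20/30, the trunk port, the switch SVI 10.1.0.254 and the
! Cellular0/0/0 dialer stanza are assumptions; carrier parameters vary.
!
! One 802.1Q sub-interface per VLAN, each with a layer 3 address, as the
! answer describes
interface FastEthernet0/0
 description Trunk to main switch
 no ip address
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.0.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.2.0.2 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.3.0.2 255.255.255.0
 ip nat inside
!
! WWAN uplink (CDMA HWIC dialer settings follow Cisco's 3G HWIC guide; assumed)
chat-script cdma "" "ATDT#777" TIMEOUT 30 "CONNECT"
interface Cellular0/0/0
 ip address negotiated
 encapsulation ppp
 dialer in-band
 dialer string cdma
 dialer-group 1
 async mode interactive
 ip nat outside
 ip access-group WWAN-IN in
 ip inspect WWAN-FW out
!
line 0/0/0
 script dialer cdma
 modem InOut
!
dialer-list 1 protocol ip permit
!
! PAT every HQ and branch subnet behind the WWAN address: this is the
! "NAT set up on something" the asker noted would be needed
ip access-list standard NAT-INSIDE
 permit 10.1.0.0 0.0.0.255
 permit 10.2.0.0 0.0.0.255
 permit 10.3.0.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Cellular0/0/0 overload
!
! Stateful return-traffic handling (classic IOS firewall / CBAC, needs the
! security feature set) plus an inbound deny-all, so the WWAN link only
! carries replies to sessions that originated inside while the real
! firewall is bypassed
ip inspect name WWAN-FW tcp
ip inspect name WWAN-FW udp
ip inspect name WWAN-FW icmp
ip access-list extended WWAN-IN
 deny   ip any any log
!
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
!
! ===== Main (layer-3) switch: options 1 and 2 from the answer =====
! Hosts keep the switch as their gateway; the switch chooses the exit path.
interface Vlan10
 ip address 10.1.0.254 255.255.255.0
 ! stops hosts caching an ICMP redirect to 10.1.0.2 during failover
 no ip redirects
!
! Probe the fiber ISP gateway through the firewall every 10 s. The host
! route pins the probe to the firewall path so it cannot succeed over the
! WWAN after failover and flap the default route back.
ip route 203.0.113.1 255.255.255.255 10.1.0.1
ip sla 1
 icmp-echo 203.0.113.1 source-ip 10.1.0.254
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Floating statics: AD 10 via the firewall, AD 100 via the 2801. The fiber
! route is withdrawn when track 1 goes down and reinstalled when it recovers;
! with the "track 1" keyword removed this is option 1, where failover is
! done by hand with "shutdown" on the port facing the firewall.
ip route 0.0.0.0 0.0.0.0 10.1.0.1 10 track 1
ip route 0.0.0.0 0.0.0.0 10.1.0.2 100
```

The firewall must allow and translate the switch's ICMP echo to 203.0.113.1, or the track never comes up; `show track 1` and `show ip route 0.0.0.0` on the switch show which exit is active, and `show ip nat translations` on the 2801 confirms sessions are being PATed once failover occurs. Older Catalyst IOS releases spell the probe commands `rtr` rather than `ip sla`. The `delay down 30 up 60` hold timers keep a single lost probe from flipping the whole site onto the 3G link.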

Author Comment

by:bschwarting
Thanks for all the help! This has pushed me in the direction I need to go!