Solved

ISP Failover using BGP

Posted on 2011-09-06
Last Modified: 2012-06-21
We host applications such as Exchange email for some of our clients. 100% uptime is very crucial for most of these clients. We have two datacenters with a VPN between them. My server guys are working on a VMware High Availability solution between the datacenters. As far as routing is concerned I am a little confused. I'm thinking I will need a BGP solution for this to work from what I'm reading. Let's say mail.domain.com is located in datacenter 1; if the Internet fails or the Exchange servers fail, our plan is for it to fail over to datacenter 2. So right now mail.domain.com in DNS has an IP in the Datacenter 1 IP block. Datacenter 2 has a totally different IP block, so how will mail be routed to Datacenter 2? Each location has a Cisco 2851 as the WAN router along with a Cisco ASA 5520 behind it for firewall and VPN. If anyone can shed some light on this I would greatly appreciate it.
Question by:denver218
14 Comments
 
LVL 25

Accepted Solution

by:
Ken Boone earned 2000 total points
ID: 36489951
So there are two ways that this is typically done.  

#1 is that you have a fat pipe between the two data centers that share the same IP address space and you use vMotion to switch your VMs across. You can advertise the same network out both ISPs, or typically you would advertise only out one ISP unless there is a failure; then you would start advertising your IP block out datacenter 2 and kick in vMotion.

#2 You have duplicate servers with different IPs at each datacenter. You would advertise both IP blocks out both providers. You would use the global load balancers to act as the authoritative name servers and you could either 1) send all DNS requests for your services to the first block unless it fails, or 2) let the load balancers balance traffic between the two data centers. The issue here is that you have to make sure your applications and back-end databases can handle requests coming from two locations. Sometimes this will cause things to get out of sync if the apps and databases don't support it.
 
LVL 4

Author Comment

by:denver218
ID: 36490005
Thanks.  So let's look at option #1.  Each Data Center has a different Internet Service Provider and different IP Block.

DataCenter#1 - 1.1.1.1/24 (IP Block)
DataCenter#2 - 2.2.2.2/24 (IP Block)

When you say fat pipe, do you mean I would have to have a separate Internet connection between the datacenters?
 
LVL 24

Expert Comment

by:rfc1180
ID: 36490028
Option #2 is an option I have seen in most deployments, but is just a sloppy way of implementing data center fail-over in my opinion.

Check out "BGP Conditional Advertisement"
 http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml

Billy
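Added example (written for this edit; it is not from the thread and not the configuration on the Cisco page Billy links): IOS configuration for the two 2851s that implements Ken's option #1 with BGP conditional advertisement. It uses the blocks given later in the thread (1.1.1.0/23 at DC1, 2.2.2.0/22 at DC2); the ASNs (64496 for your own AS, 64497 for XO, 64498 for AT&T), the link addresses 192.0.2.0/30 and 198.51.100.0/30, and the DC2 ASA outside address 2.2.2.10 are documentation placeholders, not real values. One design point the thread does not spell out: DC2 has to originate 1.1.1.0/23 itself in order to be able to advertise it, so it cannot use "is 1.1.1.0/23 in my BGP table" as the condition (its own route is always there). Instead DC1 also announces a more-specific 1.1.1.0/24 as a beacon and DC2 tracks that.

```cisco
! ===== DC1 router (Cisco 2851), eBGP to XO =====
! Assumed addressing: router LAN interface 1.1.1.1/24 facing the DC1 ASA outside,
! so 1.1.1.0/24 is connected; the /23 aggregate is anchored on Null0 so the
! network statement has a matching route in the RIB.
ip route 1.1.1.0 255.255.254.0 Null0
!
router bgp 64496
 bgp log-neighbor-changes
 network 1.1.1.0 mask 255.255.254.0
 ! The /24 is the beacon DC2 watches; it is also a valid more-specific for DC1.
 network 1.1.1.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 description XO (placeholder AS)
 neighbor 192.0.2.1 prefix-list DC1-OUT out
 neighbor 192.0.2.1 prefix-list ANY-IN in
!
ip prefix-list DC1-OUT seq 5 permit 1.1.1.0/23
ip prefix-list DC1-OUT seq 10 permit 1.1.1.0/24
ip prefix-list ANY-IN seq 5 permit 0.0.0.0/0 le 24

! ===== DC2 router (Cisco 2851), eBGP to AT&T =====
! Assumed addressing: router LAN interface 2.2.2.1/24, DC2 ASA outside 2.2.2.10.
ip route 2.2.2.0 255.255.252.0 Null0
ip route 1.1.1.0 255.255.254.0 Null0
! Only the public addresses DC2 is prepared to serve get a host route to the
! DC2 ASA (the ASA then needs its own static NAT for 1.1.1.2; see the NAT
! question later in the thread). Everything else in 1.1.1.0/23 stays on Null0.
ip route 1.1.1.2 255.255.255.255 2.2.2.10
!
router bgp 64496
 bgp log-neighbor-changes
 network 2.2.2.0 mask 255.255.252.0
 network 1.1.1.0 mask 255.255.254.0
 neighbor 198.51.100.1 remote-as 64498
 neighbor 198.51.100.1 description AT&T (placeholder AS)
 ! Both sites share one AS, so DC1's routes arrive with 64496 already in the
 ! AS path; without this DC2 drops them as a loop and never sees the beacon.
 neighbor 198.51.100.1 allowas-in 1
 neighbor 198.51.100.1 prefix-list DC2-OUT out
 neighbor 198.51.100.1 prefix-list DC2-IN in
 ! Advertise 1.1.1.0/23 only while the DC1 beacon is NOT in the BGP table.
 neighbor 198.51.100.1 advertise-map ADV-DC1-BLOCK non-exist-map DC1-BEACON-SEEN
!
ip prefix-list DC2-OUT seq 5 permit 2.2.2.0/22
ip prefix-list DC2-OUT seq 10 permit 1.1.1.0/23
! DC2 must actually receive the beacon from AT&T, so do not take a default-only feed.
ip prefix-list DC2-IN seq 5 permit 0.0.0.0/0 le 24
! Exact-match prefix lists: the non-exist-map must not use ge/le.
ip prefix-list BEACON seq 5 permit 1.1.1.0/24
ip prefix-list DC1-BLOCK seq 5 permit 1.1.1.0/23
!
route-map DC1-BEACON-SEEN permit 10
 match ip address prefix-list BEACON
route-map ADV-DC1-BLOCK permit 10
 match ip address prefix-list DC1-BLOCK
```

Check it with "show ip bgp neighbors 198.51.100.1 | include Condition-map" on the DC2 router: it reports status Withdraw while DC1 is healthy and status Advertise once the beacon is gone; "show ip bgp 1.1.1.0/24" shows whether the beacon is present. Test by shutting the XO session on DC1 ("neighbor 192.0.2.1 shutdown") rather than by pulling cables. Things to line up before relying on it: AT&T has to agree to accept 1.1.1.0/23 from you (normally a letter of authorization plus a change to their inbound prefix filter, since the block is XO's space); the beacon must be in the feed AT&T sends you, so a default-only or partial feed will not do and a full table on a 2851 needs plenty of DRAM; the condition is re-evaluated by the BGP scanner roughly once a minute, so plan for failover in minutes, not seconds; and because the DC2 router always routes 1.1.1.2 to the DC2 ASA, DC2-internal clients that reach DC1 services by public address will land on the DC2 copy even while DC1 is up, so keep inter-datacenter traffic on the VPN and private addressing.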
 
LVL 4

Author Comment

by:denver218
ID: 36490324
Ok, so let's say Data Center 1 is using XO Communications for their ISP and Data Center 2 is using AT&T for their ISP. If I want to use BGP, I know both ISPs will have to work together. What's the best way to get the ball rolling? I know I will have to purchase an AS number. Will I have to purchase an additional IP block?
 
LVL 25

Expert Comment

by:Ken Boone
ID: 36490847
When I say a fat pipe, I just mean a big pipe between the two locations that basically acts as a trunk between the internal and DMZ networks. It would be a layer 2 connection trunking the VLANs between locations.

Well, most likely you will not get your own IP block at this point. With option #2 you actually don't have to use BGP if you don't want to. That is because the routing to the two different IP blocks is up all the time. You are actually controlling where the traffic goes based on the DNS response. So the public address space you have from both providers is advertised over the Internet all the time. You configure the global load balancers to answer with the specific IP address you want based on where you want the traffic to flow. Like I said, you might have everything go to data center #1 unless you need it to fail over. The global load balancers can talk to each other so they know there is a failure and can automatically start answering DNS queries with the IP address from the other location.

You only need an AS # if you will run BGP. Since you will not be advertising the same public IP block out two different providers it is not necessary to run BGP, unless you want to easily be able to stop the advertisement at any one location.
 
LVL 4

Author Comment

by:denver218
ID: 36491020
Ok, I have a 20Mbps Internet connection at Datacenter1 and a 20Mbps Internet connection at Datacenter2. I have a VPN between the datacenters. Could this VPN serve as the pipe between the datacenters or will I have to get another circuit for this?
 
LVL 25

Expert Comment

by:Ken Boone
ID: 36491192
Well, if you are using 2 different IP subnets the VPN service is fine. If you were going to use the same IP addresses at both locations a VPN would not work.
 
LVL 4

Author Comment

by:denver218
ID: 36491318
Each location already has its own Public IP Block.

DataCenter 1 - 1.1.1.0/23
DataCenter 2 - 2.2.2.0/22
 
LVL 25

Expert Comment

by:Ken Boone
ID: 36492436
VPN will be fine for a backend connection between the data centers like you have it.
 
LVL 4

Author Comment

by:denver218
ID: 36494877
Lastly, how do NATs work when failover occurs? Let's say I have the following NAT for my email server on my ASA in Datacenter 1:
static (inside,outside) 1.1.1.2 10.8.0.2 netmask 255.255.255.255
So in DNS 1.1.1.2 is "mail.domain.com"

So what happens when Datacenter 1 fails? My mail server is NAT'ed to an IP in Datacenter 1, but now has to work in Datacenter 2.

Sorry for all the questions I'm just starting to learn BGP.  I'm in the process of reading a book trying to learn more.  Thanks for all your guidance this far.
 
LVL 25

Expert Comment

by:Ken Boone
ID: 36495087
Well you would have an ASA in each datacenter.  The ASAs would NOT be in a failover pair.  So at datacenter 1 you have 1.1.1.2 mapped to the mail server in datacenter 1.  At datacenter 2 you would have 2.2.2.2 mapped to the mail server in datacenter 2.

In the event that datacenter 1 went down, the global load balancers acting as the authoritative name server would then start responding to DNS queries by answering with the 2.2.2.2 address.
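Added example, not from the thread: the ASA side of both designs, in the pre-8.3 syntax the question's static command uses. The DC1 entry is the one from the question; the DC2 mail server's inside address (10.9.0.2), the DC2 ASA outside address (2.2.2.10) and the service ports are assumptions. Mapping (b) goes beyond Ken's answer and covers his option #1, where the DC1 block is re-advertised from DC2 by BGP and the DC2 ASA has to answer for the DC1 public address itself.

```cisco
! ===== DC1 ASA 5520: as in the question, public 1.1.1.2 -> mail server 10.8.0.2 =====
static (inside,outside) 1.1.1.2 10.8.0.2 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.2 eq https
access-group OUTSIDE-IN in interface outside

! ===== DC2 ASA 5520: an independent unit, not a failover pair with DC1 =====
! Assumed: the DC2 copy of the mail server is 10.9.0.2 on this ASA's inside.
! Use (a) OR (b) for a given inside host, not both stacked on the same real address.
!
! (a) Ken's option #2 (DNS-based): DC2's own public address maps to the DC2 server,
!     and the authoritative DNS starts answering 2.2.2.2 when DC1 is down.
static (inside,outside) 2.2.2.2 10.9.0.2 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 2.2.2.2 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 2.2.2.2 eq https
!
! (b) Option #1 with BGP conditional advertisement: DC2 takes over the DC1 block,
!     so this ASA answers for the SAME public address and the DNS record never
!     changes. 1.1.1.2 is not on this ASA's outside subnet; that is fine as long
!     as the DC2 router routes 1.1.1.2 to this ASA's outside address (assumed
!     2.2.2.10). The ASA will not proxy-ARP for an off-subnet mapped address and
!     does not need to, because the traffic is routed to it.
static (inside,outside) 1.1.1.2 10.9.0.2 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.2 eq smtp
access-list OUTSIDE-IN extended permit tcp any host 1.1.1.2 eq https
!
access-group OUTSIDE-IN in interface outside
```

With (a), the failover is only as fast as resolvers honour the TTL on mail.domain.com, so keep that record's TTL short (minutes) and remember that outbound mail from the DC2 server will source from 2.2.2.2, which needs its own reverse DNS and SPF entry. With (b), nothing in DNS changes and outbound mail keeps sourcing from 1.1.1.2, but the cutover waits on BGP convergence and on AT&T accepting the DC1 block from you. In both cases the static also provides the outbound translation for the server, so it does not need a separate nat/global pair.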
 
LVL 4

Author Comment

by:denver218
ID: 36495183
What type of global load balancers do you recommend? Just curious so I can research and learn more about them. Thanks.
 
LVL 25

Assisted Solution

by:Ken Boone
Ken Boone earned 2000 total points
ID: 36495832
You can talk to your cisco rep to get more info, but you can start here:
http://www.cisco.com/en/US/products/hw/contnetw/ps4162/index.html
 
LVL 4

Author Closing Comment

by:denver218
ID: 36497049
Thanks for your input. I appreciate your help.