Two ISP Fail over Internally vs Externally Fail over
-
@DustinB3403 said in Two ISP Fail over Internally vs Externally Fail over:
The goal is to always have your internet and services available should your firewall fail. Just curious how this would be configured internally. If it could at all.
Having a spare firewall is one of the most reliable things that you can do.
-
@DustinB3403 said in Two ISP Fail over Internally vs Externally Fail over:
@Dashrender Why would the services hosted locally matter? It's a question of "how do you make sure that your internet is always available?"
Because you don't care about outgoing traffic in most cases, in that case, you just get two ISPs into one firewall (or clustered firewalls). That equipment handles all the fail over for outbound traffic. Websites will complain, and possibly make you log back in, but otherwise users should barely notice the difference...
But if you are hosting services for the internet, then you have a much harder challenge of keeping sessions active, keeping the IPs the same, etc.
-
isp1 - bgp router1 - fw1 - your switch
isp2 - bgp router2 - fw2 - your switch2
bgp routers have a direct connection as well as your switches.
Not only does that save you when one of the devices (or an ISP) fails, it also allows you to use both internet connections. It's up to you how (or if) you load balance such traffic.
Check http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html for more info.
Use keepalived, etc. for fw fail-over.
-
I was just having a phone conversation with someone about this.
From an IT engineering point of view, we can do lots and lots of things in the UK quite cheaply to mitigate these, often automatically.
What it boils down to is how badly do you want a connection and are you serving resources from on-site as well?
If you plan and do it right, you can easily solve this without spending masses of money.
-
@Kris_K said in Two ISP Fail over Internally vs Externally Fail over:
isp1 - bgp router1 - fw1 - your switch
isp2 - bgp router2 - fw2 - your switch2
bgp routers have a direct connection as well as your switches.
Not only does that save you when one of the devices (or an ISP) fails, it also allows you to use both internet connections. It's up to you how (or if) you load balance such traffic.
Check http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html for more info.
Use keepalived, etc. for fw fail-over.
Why do you need a router? Can't the firewalls do this themselves?
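The firewall fail-over piece of the design quoted above (each firewall keeps its own ISP and BGP router on the outside; keepalived moves the inside gateway address between fw1 and fw2), written out as an added example that is not from the original post. The inside interface eth1, the VIP 192.168.1.1/24, the ISP next hop 203.0.113.1, the check script path and the VRRP password are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: keepalived VRRP active/passive pair for fw1/fw2, where each
# firewall has its own ISP uplink. Not taken from the original thread.
# Assumed: inside interface eth1, VIP 192.168.1.1/24, ISP next hop 203.0.113.1.

# Health check keepalived runs on each node. The node only keeps full priority
# while its own ISP next hop answers. Exit 0 = healthy, non-zero = uplink down.
wan_ok() {
    gw="${1:-203.0.113.1}"   # assumed ISP gateway; pass your own as $1
    ping -c 2 -W 1 "$gw" >/dev/null 2>&1
}

# VRRP priority after keepalived applies the track_script weight: a failed
# check adds the (negative) weight to the base priority. Pure shell so the
# election maths can be tested without a network.
effective_priority() {
    base="$1"; weight="$2"; wan="$3"
    if [ "$wan" = up ]; then echo "$base"; else echo $((base + weight)); fi
}

# Which node ends up holding the inside VIP for a given pair of uplink states
# ("up"/"down" for fw1, then fw2). Highest effective priority wins the election.
# Base priorities and weight match the config emitted below.
pick_master() {
    p1=$(effective_priority 200 -150 "$1")
    p2=$(effective_priority 100 -150 "$2")
    if [ "$p1" -gt "$p2" ]; then echo fw1; else echo fw2; fi
}

# Emit /etc/keepalived/keepalived.conf for one node.
# $1 = initial state (MASTER on fw1, BACKUP on fw2), $2 = base priority.
# weight -150 drops a MASTER whose WAN died to 50, below the BACKUP's 100,
# so fw2 takes the VIP; once fw1's uplink passes "rise" checks it preempts.
keepalived_conf() {
    role="$1"; prio="$2"
    cat <<EOF
vrrp_script chk_wan {
    script "/usr/local/bin/check_wan.sh"   # assumed path; wraps wan_ok above
    interval 5
    fall 3
    rise 2
    weight -150
}

vrrp_instance INSIDE {
    state ${role}
    interface eth1
    virtual_router_id 51
    priority ${prio}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass s3cret   # assumed; VRRP PASS auth is not real security
    }
    virtual_ipaddress {
        192.168.1.1/24
    }
    track_script {
        chk_wan
    }
}
EOF
}

# Small dispatcher so the file is usable as both the check script and a
# config generator; with no arguments it only defines the functions.
case "${1:-}" in
    check) wan_ok "$2" ;;
    conf)  keepalived_conf "$2" "$3" ;;
esac
```

Run `sh thisfile.sh conf MASTER 200 > /etc/keepalived/keepalived.conf` on fw1 and `conf BACKUP 100` on fw2, and install `sh thisfile.sh check 203.0.113.1` as the check script. With `interval 5` and `fall 3`, a dead uplink moves the inside gateway to fw2 in roughly 15 seconds, and the outside addressing is untouched because each firewall already sits behind its own BGP router. The PASS authentication only stops accidental VRRP groups from colliding; anyone on the inside VLAN can still send crafted VRRP advertisements, so treat that segment as trusted or use `unicast_peer` between the two nodes.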
-
I am actually looking at a PEPLINK to do this right now in a colocation facility where we are bringing in an unmetered Internet circuit and the facility is providing a metered circuit as part of the lease. I can use the facility circuit as a fail over only in case our unmetered circuit goes down.
https://forum.peplink.com/t/configuring-1-1-backup-by-high-availability-ha/8045
I'm still waiting for pricing on their boxes. I have a demo unit one of our previous technicians...ummm..."acquired", so I'm hoping pricing isn't too bad for a second box.
-
What does it do that the ER-L doesn't? I know someone else (the guy at SW who swears more than JB) recommended the Peplink to me years ago... but I think the ER-L can do many of the same things now.
-
@jt1001001 I've heard great things about the Peplink.
-
@Dashrender said in Two ISP Fail over Internally vs Externally Fail over:
What does it do that the ER-L doesn't? I know someone else (the guy at SW who swears more than JB) recommended the Peplink to me years ago... but I think the ER-L can do many of the same things now.
Yes @PSX_Defector recommends them.
-
Peplink do real load balancing. It's a decently big deal.
-
@Dashrender said in Two ISP Fail over Internally vs Externally Fail over:
What does it do that the ER-L doesn't? I know someone else (the guy at SW who swears more than JB) recommended the Peplink to me years ago... but I think the ER-L can do many of the same things now.
Much like Tivo and generic DVRs, they function the same, but the actual execution is more refined.
Outbound load balancing has been a feature of many different devices for a while now. I've got an ER-L right now; yeah, it does load balance between the two circuits. But since they are very different speeds, they don't balance as evenly as a Peplink can do it. They also don't offer bonded VPN, and their interface is easy as fuck to deal with.
Yeah, I can buy a TWC DVR, but my Tivo does more.