11-30-2013 07:23 AM - edited 03-04-2019 09:43 PM
There are a lot of ways to do this, but I am looking for ideas on a "best practices" way to accomplish it. Situation: We have approximately 800 users and 50 VPNs that are in use 24x7 and extremely critical (emergency service personnel). We have 2 providers for our Internet, both in the 20 Gb/sec+ fiber area. Currently we have the network configured so that approximately half the users go out one pipe and the other half go out the other.
The entire LAN/MAN sprawls over approximately a 15 sq mile area and all offices are connected by fiber. Latency is not an issue. The bulk of the employees are located in 2 areas and fairly evenly divided between the two, which are connected via fiber, and each of those 2 areas is the demarc for a WAN connection.
I would appreciate any thoughts on this. I do not need a step-by-step guide, just some ideas as to what approach would work best for this scenario. I looked at using Active/Active failover on the ASA, but the VPN warnings I read about threw me off that idea.
We currently load balance about half the users by assigning the default gateway to various VLANs, but I need the ability to send all the traffic out one WAN connection in the event that the other goes out. We live in a hurricane alley, so redundancy is not only critical but has a high probability of actually being used.
Thanks in advance for your input.
12-02-2013 01:51 AM
For me the best practice is an IP SLA pinging a public IP address or the service provider gateway; if it fails, use the backup route.
Kind regards
12-02-2013 07:21 AM
Thanks. I was leaning in that direction but thought I would post this in case someone had found a better way.

12-02-2013 10:02 AM
Joe
Having the picture is helpful. It would be helpful to know if you run a dynamic routing protocol within your network, and also whether you run any dynamic routing protocol with the WAN providers.
I had thought about suggesting configuring HSRP with track for the outbound interface, but with the firewalls that might be difficult to get to work. Though as I think about it, I believe that HSRP would give you a good way to fail over if there is a problem on one of the layer 3 switches. And (assuming that there is no dynamic protocol with the providers) a primary static default route with track/IP SLA and a floating static default route to the other switch might be a way to get what you want.
HTH
Rick
12-02-2013 10:53 PM
Hi Joe,
I would also suggest using IP SLA and track. Configure an IP SLA to ping the PE IP of the service provider and track the same.
Why don't you try load balancing between the ISP links, so that if one link fails the traffic will for sure flow on the other?
If you can provide the details of the layer-3 switch used, I can look for other options.
Regards,
Sathvik K V
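The IP SLA + track + floating static approach that Rick and Sathvik describe, written out as an added IOS configuration example (not from anyone in this thread). It assumes one of the two layer 3 switches: ISP-A's gateway at 203.0.113.1 on Gi0/1, a far-end probe target at 192.0.2.10, and the other switch reachable over the inter-site fiber at 10.0.0.2; all addresses are constructed placeholders.

```cisco
! Probe a far-end public address through ISP-A, not just the directly
! connected gateway, so a failure beyond the first hop is also detected.
ip sla 1
 icmp-echo 192.0.2.10 source-interface GigabitEthernet0/1
 frequency 10
 timeout 2000
 threshold 1500
ip sla schedule 1 life forever start-time now
!
! Pin the probe target to ISP-A. Without this host route the probe would
! follow the floating default to the other switch once the primary route
! is withdrawn, succeed there, and flap the primary route back up.
ip route 192.0.2.10 255.255.255.255 203.0.113.1
!
! Track reachability; the delay dampens short outages so routes do not flap.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Primary default via ISP-A, installed only while track 1 is up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
! Floating default (AD 10) toward the other switch, which fronts ISP-B.
! Mirror this configuration on that switch with the roles swapped.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 10
```

Verify with `show track 1` and `show ip route 0.0.0.0` after shutting the ISP-A side; sessions that were NATed or tunnelled through ISP-A's public address will drop and re-form over the other provider, so expect the 50 VPNs to renegotiate on failover.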