08-25-2006 08:34 AM - edited 03-03-2019 01:46 PM
location1 webservers--PIX firewall---switch---router managed by ISP1
DR servers--Checkpoint firewall---switch---router managed by ISP2
The above 2 locations are at different geographical locations.
The routers at both locations are managed by the ISPs; we don't control them. What we want is: if the Internet link at ISP1 fails, then the Internet traffic for the webservers at location 1 should come via location 2. Location 1 and location 2 are connected with an MPLS private network.
We don't want any config changes at our end. What we think is, if we talk to the ISPs, we can make them agree to allow the communication. The public IP range at location 1 should be available if the link isn't available, and if the link at location 2 goes down then the DR servers should be available at their Internet address via location 1.
How can it be achieved by making the ISPs do that for us? I don't think we need to have our own AS to do that. Can the ISPs help us by making changes at their end?
Rgds
Mun
08-25-2006 09:47 AM
Mun,
Yes, this is possible if your ISPs agree to it. I am listing some of the things that you need for this.
1. Your own AS
2. Enable BGP on the Internet Routers. There are many mechanisms available within BGP to set one as primary and another one as redundant link. Prepending AS path may be an option for you.
3. Both ISPs have to agree to route your IP block.
4. You can configure IGP or reliable static routing to detect primary link failure and failover to ISP2 for outbound traffic.
5. Your firewall policies have to be configured accordingly.
Feel free to ask more questions, if you have any.
Hope that helps!
Regards,
Sundar
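Item 4 above ("reliable static routing") is Cisco's name for a static default route tied to an IP SLA probe. The configuration below is an added example for the location 1 edge router and is not from this thread; it assumes the router is under the customer's control (which Mun says is not the case), and all addresses are placeholders (ISP1 next hop 198.51.100.1 on GigabitEthernet0/0, MPLS next hop toward location 2 at 10.255.0.2).

```cisco
! Added example (not from this thread): reliable static routing on the
! location 1 edge router. Addresses, interface name and timers are
! placeholders chosen for illustration.
!
! Probe ISP1's next hop every 10 seconds, sourced from the uplink interface
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object goes DOWN when the probe stops getting replies; the delay
! values keep a single lost ping from flapping the default route
track 1 ip sla 1 reachability
 delay down 30 up 10
!
! Primary default route is installed only while track 1 is UP; the
! floating static (administrative distance 250) over the MPLS link toward
! location 2 takes over while the tracker is down
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 1
ip route 0.0.0.0 0.0.0.0 10.255.0.2 250
```

Two points when using this: it only moves outbound and return traffic; inbound traffic from the Internet still lands at whichever ISP is announcing the prefix, which is the part that needs the ISPs' cooperation. And probing the directly connected next hop only detects a local link failure; if you probe something further upstream instead, pin a host route for that target via ISP1 so the probe cannot be answered over the backup path and mask the failure.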
08-25-2006 09:53 AM
AFAIK
1) Layer 7 will be interrupted unless you are running some sort of Layer-7 aware device.
2) You may try to have "conditional network advertisement" of your servers' segment from one ISP into the other. But this only works if the servers' segment is managed and/or owned by you and it is not part of a higher delegated class.
If that is not the case, generally speaking, you don't even try it. When you advertise a small segment of a delegation into the global routing table it is usually lost because of route aggregation at the major carriers. (You may have some luck and more chances with a /24.)
Remember that global carriers need to control the amount of memory and minimize the convergence time for their routers. They have many, many peers. If they don't aggregate the BGP routes into something "manageable" it will take too much time to calculate routes.
To my understanding, the approach for what you are looking for is having a Layer-7 aware device which will "route"/distribute the queries/access to the servers wherever they are. In case a failure in one of the sites is detected, it will only send the traffic to the available sites.
If you are still interested in trying it you may search the Cisco site with the keywords: conditional advertisement
-W
08-28-2006 03:01 AM
hi Sundar
Own AS..
Can I eliminate it? I mainly want only 2 or 3 IPs. If the ISP agrees to announce them, why would I need my own AS? Having our own AS is also a process; how do I get it anyway? But we don't want to have our own AS.
2. Enable BGP on the Internet Routers. There are many mechanisms available within BGP to set one as primary and another one as redundant link. Prepending AS path may be an option for you.
We don't manage the Internet routers; they are all ISP-managed. All we want is to make the ISP announce three IPs.
4. You can configure IGP or reliable static routing to detect primary link failure and failover to ISP2 for outbound traffic.
This will be for outbound traffic, but what about traffic from the Internet coming in to our webservers?
thanks
Hi William
If I understand correctly from your email, we don't need an AS and BGP.
I will read about conditional advertisement, but what kind of Layer-7 device? We have these servers hosted by us. Is that what you mean by managing the server segment? We have 255.255.255.128 as the subnet mask but use only 3 of the available IPs for the online servers.
thanks
munaf
08-28-2006 08:06 AM
Okay, as I understand you have a /25, which I can tell you right away: don't even try to make the ISPs advertise those partial routes. You'll have the summarization/aggregation issue I described earlier. (nanog.org is a nice place to follow these types of issues between carriers.)
If you ever get, at least, a /24 then you can try the BGP conditional advertisement. BTW, if you ever need to request an ASN you just have to request it from ARIN (arin.net).
For the load balancing of traffic incoming to your servers there are some nice techniques in BGP using NetFlow as a feedback mechanism. But in your case you will need to be looking into something like a "Content Switching" device.
        [Internet]
        |        \
    [ISP1]      [ISP2]
       |          |
       |          |
       +--[CCS]---+   << The CCSM will do the
       /        \        Layer-7 balancing
      |          \
      |           \
  [Site1]       [Site2]
See:
- Cisco Content Switching Module:
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps780/index.html
- Cisco Content Switching Solutions:
http://www.cisco.com/en/US/netsol/ns340/ns394/ns50/ns254/networking_solutions_package.html
I think one of these content switching solutions will serve your needs.
-W
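To make concrete what Sundar's item 2 (AS path prepending) and William's "conditional advertisement" look like in practice, here is an added example of the BGP configuration on a pair of customer-controlled edge routers. It is not from this thread or from Cisco; it assumes the customer holds its own ASN (placeholder 64500) and a full /24 (documentation prefix 192.0.2.0/24), runs an iBGP session between the two locations over the MPLS link, and that ISP1 advertises a prefix (placeholder 198.51.100.0/24) that is never learned from ISP2. All peer addresses and ISP ASNs are placeholders.

```cisco
! Added example (not from this thread). Customer ASN 64500, ISP1 AS 64501,
! ISP2 AS 64502, prefix 192.0.2.0/24, iBGP over MPLS 10.255.0.1 <-> 10.255.0.2.
! Every number here is a placeholder.
!
! ===== Location 1 router: primary Internet path via ISP1 =====
ip prefix-list OUR-BLOCK seq 5 permit 192.0.2.0/24
! Pull-up route so "network" can originate the /24 regardless of IGP state
ip route 192.0.2.0 255.255.255.0 Null0
!
route-map TO-ISP1 permit 10
 match ip address prefix-list OUR-BLOCK
!
router bgp 64500
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 description ISP1 (primary)
 neighbor 198.51.100.1 route-map TO-ISP1 out
 ! iBGP to location 2 across the MPLS network; next-hop-self keeps routes
 ! learned from ISP1 reachable from location 2
 neighbor 10.255.0.2 remote-as 64500
 neighbor 10.255.0.2 next-hop-self
!
! ===== Location 2 router: backup Internet path via ISP2 =====
ip prefix-list OUR-BLOCK seq 5 permit 192.0.2.0/24
ip route 192.0.2.0 255.255.255.0 Null0
! A prefix only ever learned from ISP1 (assumed: ISP1's own link block).
! While it is present in the BGP table, the ISP1 side is considered alive.
ip prefix-list ISP1-HEARTBEAT seq 5 permit 198.51.100.0/24
!
! Option A (Sundar's item 2): always announce via ISP2 but prepend our ASN,
! so the Internet prefers the shorter AS path through ISP1 while it exists
route-map TO-ISP2-PREPEND permit 10
 match ip address prefix-list OUR-BLOCK
 set as-path prepend 64500 64500 64500
!
! Option B (William's conditional advertisement): announce the /24 to ISP2
! only while the heartbeat prefix is absent from the BGP table
route-map ADV-OUR-BLOCK permit 10
 match ip address prefix-list OUR-BLOCK
route-map ISP1-HEARTBEAT permit 10
 match ip address prefix-list ISP1-HEARTBEAT
!
router bgp 64500
 network 192.0.2.0 mask 255.255.255.0
 neighbor 10.255.0.1 remote-as 64500
 neighbor 10.255.0.1 next-hop-self
 neighbor 203.0.113.1 remote-as 64502
 neighbor 203.0.113.1 description ISP2 (backup)
 ! Apply ONE of the two options for the ISP2 neighbor:
 neighbor 203.0.113.1 route-map TO-ISP2-PREPEND out
 ! neighbor 203.0.113.1 advertise-map ADV-OUR-BLOCK non-exist-map ISP1-HEARTBEAT
```

With Option A the /24 is visible through ISP2 at all times and failover is just normal BGP convergence once ISP1 withdraws the announcement; with Option B the prefix only appears via ISP2 after the heartbeat route is withdrawn across the iBGP session, so the heartbeat must be a route ISP1 really advertises and ISP2 never does, otherwise the condition never triggers. Either way both ISPs must agree in advance to accept and propagate the /24 from your ASN, which is the point William makes about aggregation: anything smaller than a /24 is unlikely to survive in the global table.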
08-29-2006 01:20 AM
Hi William,
We have a content switch to do load balancing.
Let me brief it again:
online servers--load balancers--firewall---location1--isp1--
DR servers--load balancers--firewall---location2--isp2--
We also have a dedicated connection between location 1 and location 2. When an Internet user types our URL it resolves to an IP which will direct him to ISP1 and then to the online servers. If the link on the Internet/ISP1 node fails, then when anybody on the Internet types our URL it should go to ISP2; we will make the necessary firewall changes at location 2 to direct the traffic to location 1 via the dedicated link. What we want is that the traffic should come to location 2 if ISP1 fails. To do that, what do we have to do, in the simplest possible way? If ISP1 and ISP2 agree to do the BGP stuff at their end it can be done, is what I think. We don't want to go into the hassle of getting an AS number, and again we don't manage our ISP router. How can we make it work?
Thanks
08-29-2006 02:11 AM
Hi Guys,
Correction: it's a /24 network and not a /25.
Rgds
Mun