08-08-2019 06:36 AM
Hello
I am trying to see if it is even possible.
I attached a diagram.
There are two locations, A and B.
There is a dedicated connection between those two locations, and OSPF runs within the LAN.
There is a separate internet line at each location, from different providers.
There is one DMZ, at one location.
Location A users access the internet using location A's internet line.
Location B users access the internet using location B's internet line.
Questions
Is it possible to route internet traffic from location A over location B's internet line if location A's internet goes down, and vice versa, automatically?
Is it possible to propagate the DMZ public IP through both location A's internet and location B's internet, so that even if either line (location A's internet or location B's internet) goes down, the DMZ can be accessed through either internet line?
Thanks
08-08-2019 08:21 AM
Hello 100ptcbio,
What you would like to do is possible if you have your own public IP address block for the DMZ in Site A.
If the DMZ public address is assigned by ISP A in site A, it cannot use ISP B in site B unless both ISPs make an agreement on this, allowing ISP B to advertise the DMZ subnet in case of need.
Hope to help
Giuseppe
08-08-2019 09:17 AM
Thanks for the comments.
Do you think it is even possible to do internet failover between two locations?
08-08-2019 10:01 AM
If I understand the original post correctly, there is a dedicated link between the sites. With a dedicated link between the sites it should be possible to do Internet failover between them. To accomplish failover you would take these steps:
- each site establishes a default route to reach the Internet. We do not know at this point whether that would be a static default route or whether there might be a dynamic routing protocol between the site and its provider.
- each site would establish a process to monitor its local default route. If the local default route is a static route the process would probably involve tracking with IP SLA. If there is a dynamic routing protocol then the protocol would monitor the default route and would withdraw the learned default route if there were a problem reaching its ISP.
- each site would configure a routing protocol running over the dedicated link.
- each site would use the routing protocol on the dedicated link and if the local default route is valid it would advertise its default route to the other site using an Administrative Distance or a routing metric which makes the default route learned from the routing protocol less attractive than the local default route.
So what you would wind up with is this: in normal operation each site would have its own preferred default route to its ISP, and would have a default route learned via the site-to-site routing protocol as a backup. If the local default route is withdrawn, then the site would begin using the default route learned from the other site.
We do not know what you are doing for address translation. But I believe that you would need to configure the router connected to each ISP to translate the addresses of both sites in the case of a failover.
HTH
Rick
08-09-2019 06:54 AM
I will do NAT on the firewall, and the switch below the firewall will be the backbone switch, which I guess means I need to set up IP SLA there to monitor the default route.
One thing I am not sure about: if I do IP SLA on the backbone switch, the default route will be the firewall.
Even if the internet goes down, I won't be able to detect it by monitoring the firewall.
Is it possible to monitor the public internet from the backbone switch to detect if the internet goes down?
Thanks for your input.
08-09-2019 08:10 AM
There are some things about your network that we do not know and which might affect the advice that we would give. Do the firewalls learn a default route from the ISPs dynamically and, based on what they have learned from the ISP, advertise a default route into your network? Or do the firewalls just advertise a configured default route? Or is the default route configured on the backbone switch and does it just use the firewall as its next hop?
When you configure IP SLA you can specify what address you want to monitor. Many people set it up to monitor the next hop address. But it is quite possible for you to monitor some address in the ISP. You need to be sure that the address that you are tracking is reached through the local ISP. You do not want the monitor to report that the address is reachable when it is actually being reached via the failover route. The usual solution is a static route for that address which specifies both an exit interface (the interface used to get to the firewall) and a next hop (the address of the firewall).
Address translation on the firewall is fine. My point was that the address translation needs to work with source addresses from the lans on both sites.
HTH
Rick
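Putting Rick's two replies together (tracked local default route, backup default learned over the dedicated link, and a pinned host route so the probe cannot succeed via the failover path), here is one way the Site A backbone switch could be configured. This is an added example, not configuration from the thread or from any poster. The interface names, the 10.1.0.0/30 firewall subnet, the 10.0.0.0/30 inter-site link and the probe target 203.0.113.1 (TEST-NET-3, standing in for an address inside ISP A) are all assumptions; the route-map on `default-information originate` using `match interface` is assumed to be supported on your platform and should be verified in a lab. Site B mirrors this with its own interfaces and its own ISP probe target.

```cisco
! Site A backbone switch (example only; addressing is assumed)
!   Gi1/0/1  10.1.0.2/30 -> Site A firewall inside interface 10.1.0.1 (NAT happens on the firewall)
!   Gi1/0/2  10.0.0.1/30 -> dedicated link to Site B backbone switch 10.0.0.2
!   203.0.113.1           -> assumed address inside ISP A, reachable only via the Site A firewall
!
! 1. Pin the probe target to the local firewall. Without this, once the local default
!    is withdrawn the probe would follow the OSPF default learned from Site B, succeed,
!    and bring the local default straight back (a route that flaps).
ip route 203.0.113.1 255.255.255.255 GigabitEthernet1/0/1 10.1.0.1
!
! 2. ICMP echo probe sourced from the firewall-facing interface.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet1/0/1
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 10 life forever start-time now
!
! 3. Track object; the delay dampens a single lost echo so one dropped packet
!    does not tear down and re-install the default route.
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! 4. Local default route (administrative distance 1) stays in the RIB only while
!    track 10 is up. When it is withdrawn, the OSPF external default from Site B
!    (administrative distance 110) becomes the active default.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 10.1.0.1 track 10
!
! 5. OSPF over the dedicated link. Originate a default into OSPF only while this
!    switch's own firewall-facing default route is installed; when the static is
!    withdrawn the route-map no longer matches and the advertised default is pulled.
router ospf 1
 router-id 10.0.0.1
 passive-interface GigabitEthernet1/0/1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.3 area 0
 default-information originate metric 50 route-map LOCAL-DEFAULT-ONLY
!
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map LOCAL-DEFAULT-ONLY permit 10
 match ip address prefix-list DEFAULT-ONLY
 match interface GigabitEthernet1/0/1
```

Useful checks after applying it: `show track 10` (state should be Up), `show ip sla statistics 10` (return code OK), and `show ip route 0.0.0.0` on both switches; then filter the probe target on the Site A firewall and confirm the default on Site A changes from the static to the OSPF-learned route and that Site B stops seeing Site A's default. Per Rick's last point, the failover only works end to end if the NAT policy on each site's firewall also covers the other site's LAN subnets as inside sources. Nothing here addresses the second question in the thread (reaching the DMZ public IP via either ISP), which depends on owning your own address block or an ISP agreement, as Giuseppe noted.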