10-24-2013 06:34 AM - edited 03-04-2019 09:24 PM
We are looking to obtain Internet redundancy from two or three separate carriers (2 fiber, and a 4G LTE).
My research indicates we would need to apply to ARIN for our own /24 block of IP addresses and then pay for an AS Number. All ISPs we're in talks with support this and BGP. This way if a fiber gets cut or a pole gets hit and both fibers go down, LTE can fail over and our business can still function.
It's important to note here that we host services (web site, mobile web site, e-mail, Lync, third-party VPNs, etc...). Hence the want for BGP so people can still "find us" if a link goes down. I think redundant outbound Internet is simple; it's just allowing the rest of the world to "come in" which adds complexity.
So after reading articles on ARIN, it sounds like the request for a /24 (which is required for ASN and BGP) is pretty strict. They want 50% usage in a year. We don't have that many IPs. Sure, I could stretch it and say some are for research, or make many multiple external IPs, or do 1:1 or 2:1 external IP to internal IP mapping, etc... but I need a simple, workable solution to this problem.
I'm posting here because we're using all Cisco stuff. ASA firewall pair, 2800 series routers, 3750X core switching running ip routing, etc...
Any ideas are appreciated for internal / external redundancy if we cannot get a /24 out of ARIN?
Hosted solutions maybe, where each last-mile ISP connection is on its own Cisco router VPN'd to a 3rd party, and that 3rd party handles it all?
10-24-2013 04:44 PM
You could use an external service to provide global load balancing down both of your internet links, like Akamai. These services run checks to your servers and will forward to either/both public IP addresses of your externally facing resources.
10-25-2013 12:17 AM
Hello.
I guess you could try some sort of external DoS protection service.
They announce the addresses themselves and build GRE to your equipment.
If you buy prefix from the service provider and build 3 tunnels (over primary ISP, over secondary and LTE), I guess you could solve your problem.
10-25-2013 04:11 AM
Yeah, our main ISP who we have today and who we have a few scattered /29s with, said we could bring in other providers and VPN to their data center and they could handle the failover. Here's my concerns:
1. We're still tied to that ISP. Yes we are in a contract, but I just wish we could own our own /24 so we could be free of a single ISP's shackles when that contract expires.
2. For LTE failover, how much monthly bandwidth will it take to maintain that VPN connection? LTE is pay as you go and you have to buy in data buckets. The overage charges are pretty big. I guess we need to know how many GB/s per month it takes to maintain a VPN connection.
10-25-2013 01:19 PM
Keeping the VPN up should not take much bandwidth. To determine how much you would start by determining what will be the lifetime of the Security Association (assuming that it is IPSec). Then in the interval of the lifetime you need 1 packet (perhaps a 100 byte ping) of "interesting" traffic and the number of packets to do the crypto negotiation. That would be a quite small amount of traffic. I would be much more concerned about trying to estimate how often you would need to use this backup and the amount of traffic going over it during that time. This would be the significant part of the expense.
HTH
Rick
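Rick's counting exercise carried through in code, as an added example that is not part of the thread: it totals the packets an idle IPsec tunnel needs per month (DPD probes, IKE and IPsec rekeys, an optional "interesting" ping) and sets that beside the traffic carried during an actual outage. Every interval and packet size below is an assumed round number, not a measurement from anyone's equipment.

```python
# Added example (not from the thread): estimate the data an idle IPsec tunnel
# over LTE consumes just to stay up, then compare it with the traffic that
# flows while the backup link is really in use. All intervals and sizes are
# assumed placeholders; read the real values off your own gear.

SECONDS_PER_MONTH = 30 * 86400


def idle_tunnel_bytes(seconds=SECONDS_PER_MONTH,
                      dpd_interval_s=10, dpd_packet_bytes=120,
                      ike_sa_lifetime_s=86400, ike_rekey_bytes=4000,
                      ipsec_sa_lifetime_s=3600, ipsec_rekey_bytes=1500,
                      ping_interval_s=None, ping_bytes=100):
    """Bytes needed to hold an otherwise idle tunnel up for `seconds`.

    Counts dead-peer-detection probes, one IKE SA rekey per IKE lifetime,
    one IPsec SA rekey per IPsec lifetime and, optionally, the periodic
    "interesting" ping that stops the SA from idling out. Figures are for
    one direction; roughly double them to cover both ends.
    """
    def total(interval, size):
        # No interval means that mechanism is switched off.
        return 0 if not interval else (seconds // interval) * size

    breakdown = {
        "dpd_probes": total(dpd_interval_s, dpd_packet_bytes),
        "ike_rekeys": total(ike_sa_lifetime_s, ike_rekey_bytes),
        "ipsec_rekeys": total(ipsec_sa_lifetime_s, ipsec_rekey_bytes),
        "interesting_ping": total(ping_interval_s, ping_bytes),
    }
    return sum(breakdown.values()), breakdown


def outage_bytes(outage_hours, avg_mbps):
    """Bytes carried while the backup link is actually serving traffic."""
    return outage_hours * 3600 * int(avg_mbps * 1_000_000) // 8


def monthly_plan_gb(outage_hours, avg_mbps, **idle_kwargs):
    """Idle keepalive cost plus one outage of the given length, in GB."""
    idle, _ = idle_tunnel_bytes(**idle_kwargs)
    return (idle + outage_bytes(outage_hours, avg_mbps)) / 1e9


if __name__ == "__main__":
    idle, parts = idle_tunnel_bytes()
    for name, size in parts.items():
        print(f"{name:>16}: {size / 1e6:8.2f} MB/month")
    print(f"{'idle total':>16}: {idle / 1e6:8.2f} MB/month")
    print(f"one 8 h outage at 5 Mbps: {outage_bytes(8, 5) / 1e9:.1f} GB")
    print(f"plan needed: {monthly_plan_gb(8, 5):.2f} GB/month")
```

With the assumed defaults the idle tunnel costs on the order of tens of MB a month, while a single eight-hour failover at 5 Mbps is 18 GB; the outage term is what should size the LTE data bucket.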
10-27-2013 12:38 PM
Why not just look at a dns load balancer?
Sent from Cisco Technical Support iPad App
10-27-2013 10:50 PM
you can find resellers who will sell you /24 net and AS
10-31-2013 11:03 AM
What if we apply two or three IP addresses for each name?
Like if you do an nslookup on google.com, you get 5 different IPv4 addresses back. So say hypothetically we have two providers, one gives us 1.1.1.1 and another gives us 2.2.2.2.
Say today with Provider A, we have a webserver sitting at 1.1.1.1 and DNS lookup reflects that.
What if we put another DNS record and patch provider 2's supplied IP address 2.2.2.2 to that same webserver internally through our ASA 5500 series (I guess that could do it, or a router in front of it)....
Now if you resolve webserver.domain.com it returns 1.1.1.1 and 2.2.2.2. How would the client looking for "webserver.domain.com" connect in? Would it use 1.1.1.1 or 2.2.2.2? What if the physical connection for 1.1.1.1 was down... would the client know to try 2.2.2.2? Or based on its ISP would it just connect to the IP that has the shortest path (most efficient) route?
How about other VPNs, like we have some provider-issued Cisco 2800 series VPNs in our rack to 3rd parties. I would surely communicate to them the new IP addresses, but if 1.1.1.1 dropped would the VPN resume on 2.2.2.2 in this case? I guess I want to see if some kind of DNS round-robin scenario would work and if one link goes down, what is the time to failover (does it look at the TTL, or since there's already multiple IPs returned for that DNS name, does the client know to just try the other IPs returned)?
Would it be advisable to invest in load balancing hardware (not sure if Cisco makes one)... like an F5, Barracuda, Ecessa, etc... ?
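The multi-address question above, shown as an added example that is not part of the thread: a client that is willing to walk the whole DNS answer tries 1.1.1.1, fails, and moves on to 2.2.2.2. The two provider addresses are stand-ins constructed on 127.0.0.1 (a port nothing listens on, and a live listener) so it runs offline. One caveat the constructed setup hides: a cut fiber usually black-holes packets rather than refusing them, so in reality each dead address costs the client a full connect timeout before it moves on.

```python
# Added example (not from the thread): how a fallback-capable TCP client
# behaves when a name resolves to several addresses and the first one is dead.
# Provider A and provider B are constructed stand-ins on 127.0.0.1.
import socket


def connect_first_reachable(record_set, timeout=2.0):
    """Try each (host, port) in record-set order; return (sock, addr, attempts).

    `attempts` records the outcome at every address so the caller can see the
    dead one was tried and skipped. A client that takes only the first A record
    and stops never gets this far; it just waits out the OS connect timeout.
    """
    attempts = []
    for host, port in record_set:
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            attempts.append(((host, port), "ok"))
            return sock, (host, port), attempts
        except OSError as exc:
            # Refused or timed out: move on to the next address, which is what
            # browsers and most multi-address-aware clients do.
            attempts.append(((host, port), exc.__class__.__name__))
    raise OSError(f"no address in record set reachable: {attempts}")


def demo():
    """Build the constructed record set and run the fallback.

    Returns (chosen_addr, live_addr, attempts) so the outcome can be checked.
    """
    # Provider A stand-in: a port nothing listens on. Bind to pick a free
    # port, then release it so connects to it are refused (fast failure;
    # a real dead link would time out instead).
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()

    # Provider B stand-in: a live listener for the same web server.
    live = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    live_addr = ("127.0.0.1", live.getsockname()[1])

    # Ordered like a DNS answer: provider A's address first, then provider B's.
    record_set = [("127.0.0.1", dead_port), live_addr]
    try:
        sock, chosen, attempts = connect_first_reachable(record_set)
        sock.close()
    finally:
        live.close()
    return chosen, live_addr, attempts


if __name__ == "__main__":
    chosen, live_addr, attempts = demo()
    for addr, outcome in attempts:
        print(f"{addr[0]}:{addr[1]} -> {outcome}")
    print("connected via", chosen)
```

Python's own `socket.create_connection` already loops over every address `getaddrinfo` returns for a hostname, so a plain call with the DNS name behaves like the explicit loop above; whether a given browser, mail client or VPN peer does the same is client-specific, and this example does not answer the separate question of whether a third party's IPsec peer would re-establish against the second address.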
10-31-2013 12:05 PM
I found something that sounds really slick called the Peplink
http://www.peplink.com/knowledgebase/understanding-inbound-load-balancing/
I think this may be what I'm looking for. I have an inquiry into them for more information.
01-14-2016 12:45 PM
I have the same problem/need for redundant Internet circuits, but we don't have our own ASN or /24 prefix.
What did you end up doing?
Is there any other way to achieve this?
01-14-2016 02:01 PM
We ended up getting two Ecessa PL600 load balancers in an active/standby failover configuration. Works great! Their support is excellent and I highly recommend them.