WAN failover solutions

Steve Coady
Level 1

Hello

Anyone out there recommend a redundant solution?

Scenario:

I have a remote Data Center on a private 100MM AT&T AVPN link. I have a total of (17) sites including the Data Center on the AVPN cloud.

I am inquiring with other providers (Verizon (FIOS), Comcast, local communications companies) to get a redundant solution in place.

To keep costs down, I would rather not have to bring a second WAN link placed at each of my (17) remote offices.

AT&T offers an ANIRA solution which essentially uses a Comcast or local internet provider to route traffic across a redundant link, which then gets tunneled back into my AT&T AVPN cloud.

My first question is: "How can I use a secondary WAN provider and have them tunnel traffic back into my private network on another service provider?"

POP redundancy is important so they both do not ride the same "last mile".

Anyone out there recommend a redundant solution?

sMc
3 Accepted Solutions
9 Replies

nimely5050
Level 1

Have you considered using site-to-site VPN or maybe DMVPN? Whichever you choose will depend on what fits your architecture. But a Comcast internet is the cheapest when deployed with VPN. I have 21 branch offices using MPLS, and I'm using IPSEC VPN as backup.


Sent from Cisco Technical Support Android App

For redundancy from physical faults you may need to buy secondary WAN links. You should check with the ISP about the WAN services they provide.

Make sure you do not have your Primary and Backup link from the same ISP. Buy your backups from a different one.

Vishesh

Thank you for the reply

Last mile diversification between providers is always a must.

sMc

J

Thank you for the reply

I currently use the AT&T ANIRA, IPSEC VPN, for my remote sites. Comcast provides most of the links. For my Data Center, Comcast would require construction in excess of $50k.

Last mile diversification between providers is always a must.

sMc

Steve,

ANIRA also supports 4G connections if you can get them in your area. I'm not sure if you're using their AVPN solution (MPLS), but they can tie your internal subnets into their MPLS cloud. If you fail over to the Netgate, their network will have a route pointing to your Netgate for internal subnets. Not the fastest solution by far, but it gets you off of a wire...

HTH,
John

*** Please rate all useful posts ***


John

Thanks for the reply.

I employ the Verizon USB551L 4G modem with the ANIRA solution. The 4G is my tertiary link and it has worked well when needed.

sMc

nimely5050
Level 1

While buying another WAN link is another solution, you don't really have to do so if you want to reduce cost. The cheapest, yet effective and worth considering, option is using a VPN as a backup. I'm not just saying it, I'm doing it right now.

Sent from Cisco Technical Support Android App
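The "MPLS primary, IPsec VPN as backup" design that nimely5050 describes in both of these posts, written out as an added example of a branch-router configuration. This is not configuration from anyone in this thread; it is a generic Cisco IOS sketch, and every interface name, address, tunnel number, key placeholder and timer in it is a constructed assumption. It tracks the AVPN path with an IP SLA probe and lets a floating static route over an always-up IPsec VTI take over only when that probe fails:

```cisco
! Branch router (IOS). All names and addresses below are constructed placeholders.
! Primary path : AVPN/MPLS PE next hop 10.1.1.1 on GigabitEthernet0/0
! Backup path  : separate ISP on GigabitEthernet0/1, next hop 203.0.113.1,
!                carrying an IPsec tunnel to a data-center hub at 198.51.100.10
! Data-center server network reachable over either path: 192.168.100.0/24

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.10

crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel

! Route-based VPN (VTI): the tunnel is a plain routed interface, so ordinary
! static routes, not crypto ACLs, decide which prefixes ride the backup path.
crypto ipsec profile BACKUP-PROF
 set transform-set BACKUP-TS

interface Tunnel0
 description IPsec backup to data-center hub over the second ISP
 ip address 172.16.255.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BACKUP-PROF

! Probe the MPLS PE every 10 s, sourced from the MPLS-facing interface so the
! probe can only succeed over the primary path (never leaking via the tunnel).
ip sla 1
 icmp-echo 10.1.1.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now

! Dampening: wait 30 s of failed probes before declaring the primary down, and
! 30 s of good probes before failing back, so a marginal link does not flap.
track 1 ip sla 1 reachability
 delay down 30 up 30

! Primary route via AVPN, withdrawn from the routing table when track 1 is down.
ip route 192.168.100.0 255.255.255.0 10.1.1.1 track 1
! Floating static (AD 250) via the tunnel, installed only while the primary is gone.
ip route 192.168.100.0 255.255.255.0 Tunnel0 250
! The tunnel endpoint must always be reached via the second ISP, never via MPLS.
ip route 198.51.100.10 255.255.255.255 203.0.113.1
```

The hub side needs the mirror image: a matching VTI, and a route for the branch's LAN prefix via that tunnel with a higher administrative distance than its MPLS route, so return traffic also moves to the backup only when the primary is out. Because the tunnel is kept up all the time, failover is just a route change rather than a fresh IKE negotiation. The design only delivers the last-mile diversity discussed later in the thread if GigabitEthernet0/1 really terminates on a different provider and a different physical path than the AVPN circuit.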

J

My goal is to utilize my VPN as a backup as a temporary fix. The ANIRA solution would be my intermediate fix until I can develop a proposal for the full redundancy with VZ or whomever. With that being said, to implement the VPN failover I am somewhat limited by the network at the remote Data Center. Their routing is based on static routes in the firewall.

What I am trying to develop now is a plan to test this failover. Please take a moment to look over this plan and advise.

The goal of this VPN test is to ping an actual server, across VPN tunnel, without the remotest possibility of causing any outage.

I have a L3 3750 switch behind my firewall and the default gateway is the firewall. I want to create a loopback ip address on this device for VPN tunnel test purposes. I then will source a ping from the loopback to the server Ip address at my remote Data Center. My AVPN links do not pass through the firewall.

Per the data center, they have routing set up so that all 192.168.0.0/16 and 10.0.0.0/8 addresses will be routed out their AVPN WAN link. The data center states I need to create a unique IP address to source the pings from so it will go back out their Checkpoint FW and then the tunnel between us.

I think the loopback address could look as follows 100.255.255.1/32

If I ping the server IP address from the L3 switch with the loopback address as source, it will go out my AVPN WAN link because that is how routing is set up.

The question is how can I mask the destination server IP address so that the ping does not take the AVPN path but takes the fw and then the tunnel?

My thought is a 1-1 nat in the firewall for the destination DC server.

    static (inside,outside) (natted server ip) (current server IP) netmask 255.255.255.255

I then add this "natted server ip" to the REMOTE NETWORK in the VPN policy.

The natted IP address would also have to be an IP outside the 192.168.0.0 / 10.0.0.0 scopes.

Could this natted server IP be 100.255.254.1?

I could then ping the natted server IP address from the loopback source.

One question I have is: would the remote data center have to reverse the NAT on their end to allow the ping to reach the correct destination?

sMc

My Topology

sMc