Cisco Support Community

Building ISP Redundancy Between Organizations

Here's the scenario.  Two organizations maintain separate LANs separated by a firewall.  The organizations utilize shared resources that are strictly controlled by this firewall.  Right now, organization A has an ISP connection to the internet.  Organization B uses Organization A's ISP for Internet.  Organization B is planning to purchase services from an ISP.  Org A will primarily use Org A's ISP and Org B will primarily use Org B's ISP.  In the event of a single ISP failure, the other Org will connect to the internet through the other's ISP. 

Since these Orgs are connected by a LAN, the transport to allow for routing between each organization's router is a flat layer 2 VLAN.  Don't read into this. The routers will be doing the routing.  I just need a way to logically connect them so that they can become neighbors.  In the attached diagram, I show a physical cable connecting each organization.  VLAN 10 is trunked over this cable along with all other internal VLANs.  I also show a physical cable that connects the inside switch to the external switch of each organization.  VLAN 10 is configured as access ports on each side of this cable.

My first question is this... Is this a secure way of providing a transport to facilitate ISP sharing given the infrastructure?  In my mind I know that a physical connection between each organization's external switch would be desirable.  What are the security concerns in doing this?  What are some ways that I can mitigate those risks?

My second question is this... Assuming that this "transport" VLAN is secure enough, could I eliminate the need for one or both external switches by running VLAN 10 inside of its own VRF on the inside switch and physically cable to the outside interface of the firewall and the inside interface of the router?  I've shown this in my second attached diagram.

Thanks for all your input in advance.
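As an added illustration of the second design described in the post (it is not part of the original post and does not answer whether the design is secure enough): a Cisco IOS configuration fragment for the inside switch with the VLAN 10 transport held in its own VRF. The VRF name, port numbers, the 10.10.10.0/24 addressing and the allowed-VLAN list are all assumptions.

```cisco
! Constructed example, not from the original post. Names and addresses are assumed.
! Inside switch: VLAN 10 is the ISP-sharing transport, kept out of the
! global routing table by placing its SVI in a dedicated VRF.
vrf definition TRANSPORT
 description ISP-sharing transport, isolated from inside routing
 address-family ipv4
!
vlan 10
 name ISP-TRANSPORT
!
! Only needed if this switch must have an IP presence on VLAN 10
! (e.g. for management or monitoring). Without an SVI the switch simply
! bridges VLAN 10 at layer 2 and the VRF is never consulted.
interface Vlan10
 vrf forwarding TRANSPORT
 ip address 10.10.10.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! Access port toward the firewall OUTSIDE interface (assumed port)
interface GigabitEthernet1/0/1
 description FW-OUTSIDE
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Access port toward the Org A router INSIDE interface (assumed port)
interface GigabitEthernet1/0/2
 description ORG-A-RTR-INSIDE
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to the other organization's switch: carry only the VLANs that
! must cross, and use an otherwise unused VLAN as the native VLAN so
! untagged frames cannot land in VLAN 10.
interface GigabitEthernet1/0/24
 description TRUNK-TO-ORG-B
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! Verification (exec mode):
! show vrf TRANSPORT
! show ip route vrf TRANSPORT
! show interfaces trunk
```

The "show ip route vrf TRANSPORT" output should contain only the VLAN 10 connected route; any inside prefix appearing there means the transport is leaking into the organization's routing.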

