Link failover plan

angrynetguy · ‎11-10-2008

Hello,

My boss wants to do something that I don't think is possible. I'd like some ammunition in saying so. We currently have a Cisco 5510 firewall with two outbound Ethernet links. One of these links goes to a private network, and the other to the public Internet. The way that traffic is currently configured, all Internet traffic is routed through the private network to the data center, using the outbound link there. The public link on the 5510 is in place just in case that private network link fails, so we can preserve at least some connectivity.

My boss feels this link is being wasted. He wants a solution that allows that link to be married to the other Ethernet link into the private network. (Within the private network, we have 2821s with two serial links combined into a multilink PTP connection. I think that's where he got the idea.) Then, and this is the kicker, if and when the device at the far end of that link fails, he wants the two Ethernet connections to recognize that, and automatically switch to start routing traffic across the Internet. With no engineer intervention.

I think he understands that this won't work with a firewall, but he's wondering if there's any hardware we could add to facilitate this. I'm sure there's hardware that can handle this, but that assumes that it's even possible in the first place. And I honestly can't picture how you would set this up with a private network and the Internet.

Any help at all is appreciated. I've been chasing a triple-CCIE for a few weeks now, and my boss is running out of patience.

Edison Ortiz · ‎11-10-2008

I'm a little confused about the task at hand.

Your boss wants to convert the internet link to a private link hence having 2 links between networks but if the private link (I'm assuming both links fail) goes down, the previous internet link goes back to its internet configuration?

I don't think that's possible.

__

Edison.

angrynetguy · ‎11-11-2008

That's exactly what he wants. The idea is that we would have 200Mbps (hypothetically) to the private, and if the far end went down, we'd then have 200Mbps to the Internet.

Edison Ortiz · ‎11-11-2008

It /may/ be accomplished with some provisioning from the ISP. The ISP will be the best candidate to ask this kind of scenario and can be accomplished with some kind of VPN between sites.

If the remote site goes down, the VPN breaks (no longer the connection is private), the use of the internet will remain.

Again, bring the ISP to the table and see what services they can offer.

HTH,

__

Edison.

Giuseppe Larosa · ‎11-11-2008

Hello Terry,

>> I think that's where he got the idea.) Then, and this is the kicker, if and when the device at the far end of that link fails, he wants the two Ethernet connections to recognize that, and automatically switch to start routing traffic across the Internet. With no engineer intervention.

To do this you need to keep a link on the public internet that is the current scenario what is going to move the ethernet links ?

with a router you could:

add a LAN switch where you place the two ethernet links, the private link, the public internet link.

then you use some form of reliable static routing see

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html

To decide when to switch back to public internet.

If this can be done on your firewall I don't know.

The real point here is that to use the backup ethernet for primary link you introduce a single point of failure like the lan switch where all of the links are connected and this no good at all.

From a redundancy point of view your current scenario is more correct and the one commonly used.

Try to use these arguments: the cost of backup link is less important then to achieve the desired/required level of fault tolerance

Hope to help

Giuseppe