We are looking to obtain Internet redundancy from two or three separate carriers (2 fiber, and a 4G LTE).
My research indicates we would need to apply to ARIN for our own /24 block of IP addresses and then pay for an AS Number. All ISPs we're in talks with support this and BGP. This way if a fiber gets cut or a pole gets hit and both fibers go down, LTE can fail over and our business can still function.
It's important to note here that we host services (web site, mobile web site, e-mail, Lync, third-party VPNs, etc...). Hence the want for BGP, so people can still "find us" if a link goes down. I think redundant outbound Internet is simple; it's just allowing the rest of the world to "come in" which adds complexity.
So after reading articles on ARIN, it sounds like the requirements for a /24 (which is required for an ASN and BGP) are pretty strict. They want 50% usage in a year. We don't have that many IPs. Sure, I could stretch it and say some are for research, or make many multiple external IPs, or do 1:1 or 2:1 external IP to internal IP mapping, etc... but I need a simple, workable solution to this problem.
I'm posting here because we're using all Cisco stuff. ASA firewall pair, 2800 series routers, 3750X core switching running ip routing, etc...
Any ideas are appreciated for Internal / External redundancy if we cannot get a /24 out of ARIN?
Hosted solutions maybe, where each last-mile ISP connection is on its own Cisco router VPN'd to a 3rd party, and that 3rd party handles it all?
You could use an external service to provide global load balancing down both of your internet links, like Akamai. These services run checks to your servers and will forward to either/both public IP addresses of your externally facing resources.
I guess you could try some sort of external DoS protection service.
They announce the addresses themselves and build GRE tunnels to your equipment.
If you buy a prefix from the service provider and build 3 tunnels (over the primary ISP, over the secondary, and over LTE), I guess you could solve your problem.
Yeah, our main ISP, who we have today and who we have a few scattered /29's with, said we could bring in other providers and VPN to their data center and they could handle the failover. Here are my concerns:
1. We're still tied to that ISP. Yes, we are in a contract, but I just wish we could own our own /24 so we could be free of a single ISP's shackles when that contract expires.
2. For LTE failover, how much monthly bandwidth will it take to maintain that VPN connection? LTE is pay as you go and you have to buy in data buckets. The overage charges are pretty big. I guess we need to know how many GB/s per month it takes to maintain a VPN connection.
Keeping the VPN up should not take much bandwidth. To determine how much you would start by determining what will be the lifetime of the Security Association (assuming that it is IPSec). Then in the interval of the lifetime you need 1 packet (perhaps a 100 byte ping) of "interesting" traffic and the number of packets to do the crypto negotiation. That would be a quite small amount of traffic. I would be much more concerned about trying to estimate how often you would need to use this backup and the amount of traffic going over it during that time. This would be the significant part of the expense.
What if we apply two or three IP addresses for each name?
Like if you do an nslookup on google.com, you get 5 different IPv4 addresses back. So say hypothetically we have two providers, one gives us 188.8.131.52 and another gives us 184.108.40.206.
Say today with Provider A, we have a webserver sitting at 220.127.116.11 and DNS lookup reflects that.
What if we put another DNS record and patch provider 2's supplied IP address 18.104.22.168 to that same webserver internally through our ASA 5500 series (I guess that could do it, or a router in front of it)....
Now if you resolve webserver.domain.com it returns 22.214.171.124 and 126.96.36.199. How would the client looking for "webserver.domain.com" connect in? Would it use 188.8.131.52 or 184.108.40.206? What if the physical connection for 220.127.116.11 was down... would the client know to try 18.104.22.168? Or, based on its ISP, would it just connect to the IP that has the shortest path (most efficient) route?
How about other VPNs? Like, we have some provider-issued Cisco 2800 series VPNs in our rack to 3rd parties. I would surely communicate to them the new IP addresses, but if 22.214.171.124 dropped, would the VPN resume on 126.96.36.199 in this case? I guess I want to see if some kind of DNS round-robin scenario would work and, if one link goes down, what is the time to failover (does it look at the TTL, or since there are already multiple IPs returned for that DNS name, does the client know to just try the other IPs returned)?
Would it be advisable to invest in load balancing hardware (not sure if Cisco makes one)... like an F5, Barracuda, Ecessa, etc... ?
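The multiple-A-record question above comes down to what the client does after the resolver hands it two addresses: nothing in DNS tells it that one provider's link is dead, so failover only happens if the client itself tries the next address after the first one times out. The script below is an added example, not code from this thread or from any vendor named in it. It stubs the resolver (a real client would call socket.getaddrinfo) and uses constructed addresses: 192.0.2.10, a documentation address that nothing answers on, stands in for the address behind the cut link, and loopback, with a throwaway listener, stands in for the address still reachable through the other provider.

```python
"""Client-side failover across multiple A records (added example, not from the thread)."""
import socket
import threading
from typing import Callable, List, Optional, Tuple

Resolver = Callable[[str], List[str]]

# Constructed addresses standing in for the two providers' assignments.
# 192.0.2.10 is in TEST-NET-1 (RFC 5737), so no host answers on it: it plays
# "provider A's address while A's link is down". Loopback plays the address
# that is still reachable through provider B.
DEAD_ADDR = "192.0.2.10"
LIVE_ADDR = "127.0.0.1"


def start_local_listener() -> Tuple[socket.socket, int]:
    """Throwaway TCP listener on loopback that stands in for the web server.
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def connect_with_fallback(name: str, port: int, resolver: Resolver,
                          timeout: float = 1.5):
    """Resolve name, then try each returned address in order until one completes
    a TCP handshake. Returns (socket or None, address or None, attempts), where
    attempts records (address, outcome) for every address tried."""
    attempts: List[Tuple[str, str]] = []
    for addr in resolver(name):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # A cut fibre answers with silence, not a refusal, so an unbounded
        # connect() would hang; the timeout is what makes fallback possible.
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
        except OSError as exc:  # timeout, unreachable, refused, ...
            s.close()
            attempts.append((addr, type(exc).__name__))
            continue
        s.settimeout(None)
        attempts.append((addr, "connected"))
        return s, addr, attempts
    return None, None, attempts


def demo() -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Run the failover against the stub resolver; returns (address used, attempts)."""
    listener, port = start_local_listener()

    def fake_resolver(_name: str) -> List[str]:
        # Stub for the two A records the thread proposes; order is what a
        # resolver hands back and is not something the client can trust.
        return [DEAD_ADDR, LIVE_ADDR]

    sock, used, attempts = connect_with_fallback("webserver.example.com", port, fake_resolver)
    if sock is not None:
        sock.close()
    listener.close()
    return used, attempts


if __name__ == "__main__":
    used, attempts = demo()
    for addr, outcome in attempts:
        print(f"{addr}: {outcome}")
    print("reached server via", used)
```

Two things to read off the attempts list: the client only reaches the second address after spending the full timeout on the first, so the user-visible delay per request is the per-address timeout multiplied by however many dead addresses come first in the resolver's order, and none of this involves the TTL, which only matters when you change the records rather than when a link dies. Browsers and most HTTP libraries behave roughly like this loop; a client that takes the first address and gives up will not fail over at all.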
I found something that sounds really slick called the Peplink.
I think this may be what I'm looking for. I have an inquiry in to them for more information.
I have the same problem/need for redundant Internet circuits, but we don't have our own ASN or /24 prefix.
What did you end up doing?
Is there any other way to achieve this?
We ended up getting two Ecessa PL600 load balancers in an active/standby failover configuration. Works great! Their support is excellent and I highly recommend them.