[119124] in North American Network Operators' Group


Failover how much complexity will it add?

daemon@ATHENA.MIT.EDU (adel@baklawasecrets.com)
Sun Nov 8 06:52:19 2009

To: <nanog@nanog.org>
Date: Sun, 08 Nov 2009 11:51:37 +0000
From: adel@baklawasecrets.com
Reply-To: adel@baklawasecrets.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi,

I was recently brought onto a project where some failover is desired, but I think that the number of connections provisioned is excessive. I am also hoping to get some guidance on how well I can get the failover to actually work. Currently, 4 x 100 Mb/s Internet connections have been provisioned. One is to be used for general Internet access out of the organisation; it also terminates VPNs from remote sites belonging to the organisation and serves some publicly accessible servers (a routed DMZ and translated IPs). The second Internet connection is to be used for a separate system which has a site-to-site VPN to a third-party support vendor. Internet connections 3 and 4 are currently thought of as providing backups for 1 and 2. Both connections are firewalled by a Juniper SSG of some description.

Now, I couldn't get any good answers as to why Internet connections 1 and 2 need to be separate. I think the idea was to make sure that there was enough bandwidth for the third-party support VPN. I feel that I can consolidate this into one connection and just use rate limiting to reserve some portion of the bandwidth on the connection, and this should be fine. If I were to do this, then I can make a case for having just one backup Internet connection. However, I'm still concerned about failover and reliability issues. So my questions regarding this are:

- Should I make sure that the backup Internet connection is from a separate provider?

- How can I achieve a failover which doesn't require me to change all the remote VPN endpoints in case of a failover? It's possible to configure failover VPNs on the Junipers, which should take care of this, but how do I take care of the DMZ hosts and external translation?

- In fact, I think I'm asking: what are my options with regard to failover between one Internet connection and the other?


I'm hoping to figure out whether adding an extra Internet connection actually gives us that much; in fact, whether it justifies the complexity and spend.

Many thanks for your comments.

Adel
