
    Two ISP Fail over Internally vs Externally Fail over

    IT Discussion
Tags: networking, router, border gateway protocol, isp
• DustinB3403 (last edited by scottalanmiller)

  Ok so this goes along with the VyOS post I made earlier today in which I asked what you would do internally to protect from a failed firewall so services remained functional.

  What I left out was that there are 2 ISPs servicing the site, although I thought it was expressed in the fact that you'd have 2 firewalls on separate hypervisors.

  In a sidebar it was determined that BGP would be used at the ISP level in order to determine if either firewall was offline, and then the ISPs route the traffic in that scenario to the other working firewall.

  So going to a more direct question.

  What do you do to protect from a failed firewall in a 2 ISP situation internally between the 2 local firewalls?

• Dashrender

  What services do you host onsite, if any?

• DustinB3403 @Dashrender

  @Dashrender Why would the services hosted locally matter? It's a question of "how do you make sure that your internet is always available?"

• DustinB3403

  And I mean that in the most honest approach.

  The goal is to always have your internet and services available should your firewall fail. Just curious how this would be configured internally, if it could at all.

• scottalanmiller

  There are so many factors here. Like... is each ISP only going to give you a single connection line? If so, it can only connect to one thing. So if that is the case, you need one router for each line if you don't want a single router to be responsible for both.

• scottalanmiller @DustinB3403

  @DustinB3403 said in Two ISP Fail over Internally vs Externally Fail over:

  The goal is to always have your internet and services available should your firewall fail. Just curious how this would be configured internally, if it could at all.

  Having a spare firewall is one of the most reliable things that you can do.

• Dashrender @DustinB3403

  @DustinB3403 said in Two ISP Fail over Internally vs Externally Fail over:

  @Dashrender Why would the services hosted locally matter? It's a question of "how do you make sure that your internet is always available?"

  Because you don't care about outgoing traffic in most cases. In that case, you just get two ISPs into one firewall (or clustered firewalls). That equipment handles all the failover for outbound traffic. Websites will complain, and possibly make you log back in, but otherwise users should barely notice the difference...

  But if you are hosting services for the internet, then you have a lot harder challenge of having sessions stay active, keeping the IPs the same, etc.

• Kris_K (last edited by Kris_K)

  isp1 - bgp router1 - fw1 - your switch
  isp2 - bgp router2 - fw2 - your switch2
  The bgp routers have a direct connection to each other, as do your switches.
  Not only does that save you when one of the devices (or an ISP) fails, it also allows you to use both internet connections. It's up to you how (or if) to load balance such traffic.
  Check http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html for more info.
  Use keepalived, etc. for fw failover.

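As an added example (not Kris_K's configuration and not from anyone in this thread), this is what the "keepalived for fw failover" piece of that design looks like on the inside of the firewalls, which is the part the original question is about: fw1 and fw2 both run VRRP on their LAN-facing interface and share one gateway address, so hosts behind the switches keep the same default gateway whichever firewall is alive. A tracked health check pings fw1's upstream BGP router, so the gateway also moves to fw2 when fw1 is up but its path out (router1 or isp1) is not. Interface names, addresses, the virtual router id and the upstream router address are all assumptions.

```conf
# /etc/keepalived/keepalived.conf on fw1 (illustrative, not from the thread).
# fw2 runs the same file with router_id fw2, state BACKUP, priority 100,
# unicast_src_ip 10.0.0.3 and 10.0.0.2 as its unicast peer.
# All names and addresses below are assumptions.

global_defs {
    router_id fw1
}

# Health check: is fw1's own upstream (bgp router1, assumed at 192.0.2.1) reachable?
# After 3 consecutive failures the weight is applied, dropping fw1's effective
# priority from 150 to 90, below fw2's 100, so fw2 takes the gateway address.
vrrp_script chk_upstream {
    script "/usr/bin/ping -c 1 -W 1 192.0.2.1"
    interval 2
    timeout 3
    fall 3
    rise 2
    weight -60
}

vrrp_instance LAN_GW {
    state MASTER
    interface eth1            # inside interface facing "your switch" (assumed name)
    virtual_router_id 51      # must match on fw2 and be unique per L2 segment
    priority 150              # fw2 uses 100; higher wins
    advert_int 1              # advertisements every 1 s; peer declared dead after ~3 s

    # Unicast VRRP between the two firewalls only, rather than multicast to the
    # whole segment, so advertisements are not visible to every LAN host.
    unicast_src_ip 10.0.0.2   # fw1's own inside address
    unicast_peer {
        10.0.0.3              # fw2's inside address
    }

    virtual_ipaddress {
        10.0.0.1/24 dev eth1  # the shared default gateway handed to LAN hosts
    }

    track_script {
        chk_upstream
    }
}
```

Two practical notes on this design, which the thread itself only hints at: VRRP authentication is not used above because the PASS mechanism is plaintext and was dropped from VRRPv3, so the protection is keeping the advertisement path to links only the two firewalls can reach; and keepalived moves the address but not the firewall's connection table, so existing sessions through fw1 are cut over and re-established on fw2 unless a state-synchronisation tool such as conntrackd is run alongside it, which is the "sessions stay active" problem Dashrender raises for inbound services.
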
• Deleted74295 (last edited by Deleted74295)

  I was just having a phone conversation with someone about this.

  From an IT engineering point of view, we can do lots and lots of things in the UK quite cheaply to mitigate these, often automatically.

  What it boils down to is how badly do you want a connection, and are you serving resources from on-site as well?

  If you plan and do it right, you can easily solve this without spending masses of money.

• Dashrender @Kris_K

  @Kris_K said in Two ISP Fail over Internally vs Externally Fail over:

  isp1 - bgp router1 - fw1 - your switch
  isp2 - bgp router2 - fw2 - your switch2
  The bgp routers have a direct connection to each other, as do your switches.
  Not only does that save you when one of the devices (or an ISP) fails, it also allows you to use both internet connections. It's up to you how (or if) to load balance such traffic.
  Check http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html for more info.
  Use keepalived, etc. for fw failover.

  Why do you need a router? Can't the firewalls do this themselves?

• jt1001001

  I am actually looking at a PEPLINK to do this right now in a colocation facility where we are bringing in an unmetered Internet circuit and the facility is providing a metered circuit as part of the lease. I can use the facility circuit as a failover only in case our unmetered circuit goes down.
  https://forum.peplink.com/t/configuring-1-1-backup-by-high-availability-ha/8045
  I'm still waiting for pricing on their boxes. I have a demo unit one of our previous technicians...ummm..."acquired", so I'm hoping pricing isn't too bad for a second box.

• Dashrender

  What does it do that the ER-L doesn't? I know someone else (the guy at SW who swears more than JB) recommended the Peplink to me years ago... but I think the ER-L can do many of the same things now.

• StrongBad @jt1001001

  @jt1001001 I've heard great things about the Peplink.

• scottalanmiller @Dashrender

  @Dashrender said in Two ISP Fail over Internally vs Externally Fail over:

  What does it do that the ER-L doesn't? I know someone else (the guy at SW who swears more than JB) recommended the Peplink to me years ago... but I think the ER-L can do many of the same things now.

  Yes, @PSX_Defector recommends them.

• scottalanmiller

  Peplink does real load balancing. It's a decently big deal.

• PSX_Defector @Dashrender

  @Dashrender said in Two ISP Fail over Internally vs Externally Fail over:

  What does it do that the ER-L doesn't? I know someone else (the guy at SW who swears more than JB) recommended the Peplink to me years ago... but I think the ER-L can do many of the same things now.

  Much like Tivo and generic DVRs, they function the same, but the actual execution is more refined.

  Outbound load balance has been a feature for many different devices for a while now. I've got an ER-L right now, and yeah, it does the load balance between the two circuits. But since they are very different speeds, they don't balance as evenly as Peplink can do it. They also don't offer bonded VPN, and their interface is easy as fuck to deal with.

  Yeah, I can buy a TWC DVR, but my Tivo does more.