a...@baklawasecrets.com wrote:
> HI,
> 
> I was recently brought onto a project where some failover is desired, but I 
> think that the number of connections provisioned is excessive.  Also hoping 
> to get some guidance with regards to how well I can get the failover to 
> actually work.  So currently 4 X 100Mb/s Internet connections have been 
> provisioned.  One is to be used for general Internet, out of the 
> organisation, it also terminates VPNs from remote sites belonging to the 
> organisation and some publicly accessible servers -routed DMZ and translated 
> IPs.  Second Internet connection to be used for a separate system which has a 
> site-to-site VPN to a third party support vendor.  Internet connections 3 and 
> 4 are currently thought of as providing backups for one and two.  Both 
> connections firewalled by a Juniper SSG of some description.
> 
> Now I couldn't get any good answers as to why Internet connections 1 and 2 
> need to be separate.  I think the idea was to make sure that there was enough 
> bandwidth for the third party support VPN.  I feel that I can consolidate 
> this into one connection and just use rate limiting to reserve some portion 
> of the bandwidth on the connection and this should be fine.  Now if I was to 
> do this then I can make a case for just having one backup Internet 
> connection.  However I'm still concerned about failover and reliability 
> issues.  So my questions regarding this are:
> 
> - Should I make sure that the backup Internet connection is from a separate 
> provider?
> 
> - How can I achieve a failover which doesn't require me to change all the 
> remote VPN endpoints in case of a failover?  It's possible to configure 
> failover VPNs on the Junipers, which should take care of this, but how do I 
> take care of the DMZ hosts and external translation?
> 
> - In fact I think I'm asking what are my options with regard to failover 
> between one Internet connection and the other?

Forget all of that and just multihome to two separate providers with
BGP. Also make sure that of the providers you choose that one is not a
customer of the other. Instant, painless redundancy. Having multiple
circuits to one provider *will not* back anything up if that provider
has an outage as they are 99.999% likely to be part of the same larger
circuit and certainly share the same infrastructure at the provider.

> 
> I'm hoping to figure out whether adding an extra Internet connection actually 
> gives us that much, in fact whether it justifies the complexity and spend.
> 

Only if you calculate the cost (money, time, angry customers, etc.) of
an outage to be greater than the cost of additional connectivity.


> Many thanks for your comments.
> 


~Seth
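The reply's advice is to multihome to two providers that are not customers of one another. One way a network engineer can sanity-check that before signing contracts is to look at observed BGP AS paths: if every route into provider B passes through provider A, B is behaving like a single-homed customer of A and an outage at A takes both out. The script below is an added example, not part of this thread; all AS numbers are constructed from the private range, and the path list stands in for what you would pull from a looking glass or route collector. It flags a candidate pair as dependent when one is only ever reached via the other, and separately reports any common transit both share as a weaker warning.

```python
"""Assess whether two candidate upstream providers are independent of each
other, using observed BGP AS paths. Hypothetical example: every AS number
below is from the private range (64512-65534) and is constructed."""
from itertools import combinations

# Constructed AS-path observations. Each list runs from the vantage AS
# (first element) toward an origin AS (last element). AS-path prepending
# shows up as the same ASN repeated consecutively.
SAMPLE_PATHS = [
    [65100, 65001, 65002, 65200],
    [65100, 65001, 65002, 65002, 65201],   # 65002 prepended once
    [65100, 65003, 65300],
    [65100, 65004, 65003, 65301],
    [65100, 65001, 65202],
    [65100, 65004, 65001, 65203],
]


def strip_prepends(path):
    """Collapse consecutive duplicate ASNs so prepending is not counted as hops."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def observed_transits(paths, asn):
    """Set of ASes seen immediately upstream of `asn` in the observed paths.

    The vantage AS's own direct adjacency (index 0 -> index 1) is skipped,
    because it reflects the vantage point's peering, not `asn`'s providers.
    """
    transits = set()
    for raw in paths:
        path = strip_prepends(raw)
        for i in range(2, len(path)):
            if path[i] == asn:
                transits.add(path[i - 1])
    return transits


def depends_on(paths, candidate, other):
    """True when every observed route into `candidate` arrives via `other`,
    i.e. `candidate` looks like a single-homed customer of `other`."""
    transits = observed_transits(paths, candidate)
    return bool(transits) and transits == {other}


def assess_pair(paths, a, b):
    """Return (independent, reasons) for upstreams a and b.

    A hard dependency (one only reachable via the other) makes the pair
    unsuitable. A shared transit further upstream is reported but does not
    by itself disqualify the pair; it is a prompt to ask more questions.
    """
    reasons = []
    a_via_b = depends_on(paths, a, b)
    b_via_a = depends_on(paths, b, a)
    if a_via_b:
        reasons.append(f"AS{a} is only reached via AS{b}")
    if b_via_a:
        reasons.append(f"AS{b} is only reached via AS{a}")
    shared = observed_transits(paths, a) & observed_transits(paths, b)
    if shared:
        reasons.append(f"both reached via common transit(s) {sorted(shared)}")
    return (not (a_via_b or b_via_a)), reasons


def independent_pairs(paths, candidates):
    """All candidate pairs with no hard dependency between them."""
    return [
        (a, b)
        for a, b in combinations(sorted(candidates), 2)
        if assess_pair(paths, a, b)[0]
    ]


if __name__ == "__main__":
    candidates = [65001, 65002, 65003]
    for a, b in combinations(sorted(candidates), 2):
        ok, why = assess_pair(SAMPLE_PATHS, a, b)
        verdict = "independent" if ok else "DEPENDENT"
        print(f"AS{a} + AS{b}: {verdict}; " + ("; ".join(why) or "no caveats"))
```

Paths seen from a handful of vantage points only show part of the routing table, so a clean result here is evidence, not proof; it does not replace asking each provider outright who their upstreams are and, as the reply notes, whether your circuits would ride the same larger circuit or shared infrastructure.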