Re: Failover internet connections, and implementation...



Hi Dan,

Here is what I would do in such a case - it requires 2 good and service-minded ISPs.

Get a PI (provider independent) IP range from RIPE. Also apply for an AS number for BGP.

Find 2 service providers where you can set up a router at their premises, and get 1 router for your own location.
The 2 service provider routers must be configurable by you - or they can be their equipment, it doesn't really matter! The important thing is that you can make configuration changes on them in case of DDoS.
What you want is a setup where - even though one service provider is down, your BGP will guide the traffic through the other ISP.
The reason for you to be able to control the router at the ISP is that in case of DDoS - you may want to filter certain traffic types - BEFORE they enter your WAN link. Either that, or the ISP is willing to make changes in the router config within 15 minutes.

We have this setup running at a customer - the failover time is about 2 minutes - then the internet comes in from the other ISP. Works like a charm ;-)

Also configure the ISP routers to only allow 2% ICMP traffic on your WAN links.
Do QoS, prioritize your important traffic - coming from the ISP to you - could be: SMTP, HTTPS, HTTP.
Don't forget to prioritize your BGP routing ;-)

Happy configging!

Best Regards
Ove Dalgård Christensen
Cisco Certified Network Professional (CCNP)
Cisco Certified Security Professional (CCSP)
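Here, as an added illustration and not Ove's own configuration, is what the router sitting at ISP A's premises could look like in Cisco IOS when it is yours to manage: eBGP to ISP A announcing only the PI block, iBGP back to the site router and to its twin at ISP B, ICMP policed on the ISP-facing interface, and QoS on the link towards the site that puts BGP first and SMTP/HTTPS/HTTP ahead of everything else. Every number is an assumption for the example: AS 64496 for the customer, AS 64500 for ISP A, 192.0.2.0/24 as the PI block, 203.0.113.0/30 as the ISP A link, 10.0.0.0/30 as the WAN link to the site, a 10 Mbit/s link, and the names of the interfaces, lists and policies.

```cisco
! Router at ISP A's premises, owned and managed by the customer (example; all addresses/ASNs assumed)
hostname edge-a
!
interface Loopback0
 description iBGP source address, carved from the PI block
 ip address 192.0.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 description Uplink to ISP A (AS 64500)
 ip address 203.0.113.2 255.255.255.252
 service-policy input POLICE-ICMP
!
interface GigabitEthernet0/1
 description WAN link towards the customer site router (192.0.2.1 behind 10.0.0.2)
 ip address 10.0.0.1 255.255.255.252
 service-policy output QOS-TO-SITE
!
! The PI block must exist in the routing table to be originated; a discard route anchors it.
ip route 192.0.2.0 255.255.255.0 Null0 250
! Reachability for the iBGP loopbacks (site router and edge-b at ISP B) via the site router
ip route 192.0.2.1 255.255.255.255 10.0.0.2
ip route 192.0.2.3 255.255.255.255 10.0.0.2
!
router bgp 64496
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 ! eBGP to ISP A: announce only our PI block, accept only a default, prefer this exit
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 description ISP-A
 neighbor 203.0.113.1 password CHANGE-ME-TCP-MD5-SECRET
 neighbor 203.0.113.1 timers 10 30
 neighbor 203.0.113.1 prefix-list PI-ONLY out
 neighbor 203.0.113.1 prefix-list DEFAULT-ONLY in
 neighbor 203.0.113.1 route-map FROM-ISP-A in
 ! iBGP to the site router and to the edge router at ISP B (same AS)
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description site-router
 neighbor 192.0.2.1 update-source Loopback0
 neighbor 192.0.2.1 next-hop-self
 neighbor 192.0.2.3 remote-as 64496
 neighbor 192.0.2.3 description edge-b
 neighbor 192.0.2.3 update-source Loopback0
 neighbor 192.0.2.3 next-hop-self
!
ip prefix-list PI-ONLY seq 5 permit 192.0.2.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map FROM-ISP-A permit 10
 set local-preference 200
!
! Police ICMP arriving from ISP A to 2% of an assumed 10 Mbit/s link (200 kbit/s)
ip access-list extended ICMP-ALL
 permit icmp any any
class-map match-any ICMP
 match access-group name ICMP-ALL
policy-map POLICE-ICMP
 class ICMP
  police 200000 conform-action transmit exceed-action drop
!
! Egress QoS towards the site: BGP sessions first, then mail and web, rest best-effort
ip access-list extended BGP-SESSIONS
 permit tcp any any eq bgp
 permit tcp any eq bgp any
ip access-list extended MAIL-WEB
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit tcp any any eq www
class-map match-any ROUTING
 match access-group name BGP-SESSIONS
class-map match-any MAIL-WEB
 match access-group name MAIL-WEB
policy-map QOS-TO-SITE
 class ROUTING
  priority percent 5
 class MAIL-WEB
  bandwidth percent 60
 class class-default
  fair-queue
```

The twin router at ISP B is the same with its own link addresses, ISP B's AS number and `set local-preference 100`, so the ISP A exit is used while it is healthy and traffic moves to ISP B as soon as the ISP A session drops. How quickly that happens is governed by the BGP hold time: with the IOS default of 180 seconds a silent failure takes up to three minutes to notice, which is where a failover time in the range Ove mentions comes from; the `timers 10 30` above cuts that to 30 seconds at the cost of more sensitivity to link flaps. The TCP MD5 password and the two prefix-lists are the minimum hygiene for a session you answer for under your own AS number: you cannot accidentally leak someone else's routes to the ISP, and the ISP cannot push you more than a default. The ICMP policer only protects the WAN link from the ISP's premises to your site, which is exactly the point of owning that router during a DDoS; the ISP's uplink to the rest of the internet can still be saturated, and that is why Ove wants an ISP that will change filters within minutes.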



"Dan Denton" <ddenton@xxxxxxxxxxxx> 23-10-07 20:18 >>>
I've a question about failover internet connections. I'm interested in knowing what kind of implementations other SMBs use for redundancy, and to switch to in the case of a DoS attack.

Do any of you have redundant high-speed internet connections for your offices (versus those for datacenters)? If so, what kind of setup do you have?

Here's the setups I'm considering...

1. Have a second cable modem/DSL modem active, but not hooked into the network. In the event of a failure, move the connection for perimeter devices over to the standby connection and reconfigure the perimeter device to use a different IP.

2. Have a second set of perimeter devices (firewalls) programmed to use the IPs on the second connection, as a hot standby.

My problem with the first option is the time it would take to reconfigure firewalls and IDSes to use the other ISP's connection. The problem I have with the second is the expense of firewalls and IDSes just sitting there idle.

Any input is greatly appreciated!


Dan


