[c-nsp] Two routers with Single ISP Scenario

Vincent C Jones v.jones at networkingunlimited.com
Tue Apr 20 11:32:01 EDT 2010


On Mon, 2010-04-19 at 14:29 +0200, Peter Rathlev wrote:
> On Mon, 2010-04-19 at 14:11 +0200, shadow floating wrote:
> > I've one of my customers who wants to stick to single ISP but wants to
> > implement the full redundancy (no single point of failure) network
> > scenario, is there a way to connect to 2 routers internet facing with
> > in an active/standby fashion to a single ISP with a single IP range?
> 
> The provider and the customer could both use HSRP (or VRRP or GLBP). It
> needs a L2 connection between the two sites though, and that might not
> be optimal. It can work fine though. We currently use this as a customer
> of AS3308.
> 
>  +----------+           +----------+
>  | ISP PE 1 |--- (?) ---| ISP PE 2 |
>  +----------+           +----------+
>        |                      |
>        |                      |
>     +------+              +------+
>     | CE 1 |--------------| CE 2 |
>     +------+              +------+
> 
> The top link (between ISP PE 1 and PE 2) is not strictly necessary and
> the ISP might prefer not having it.

A much simpler and more robust approach is to get a private ASN from
your ISP and run BGP. This is the scenario private ASNs are intended
for and eliminates many layer 2 dependencies. All you need to do is
accept a default route from the ISP and advertise your prefix to the
ISP. Don't forget to test and verify that the ISP is passing on your
prefixes from your advertisements rather than static routing. You will
regret depending on a link failure being detected by the interfaces on
both ends.

Of course, if you really care about redundancy, you need to make sure
the two paths between your routers and the ISP's routers are physically
diverse so that when one fails, the other has a fighting chance of
staying up. Watch out for common paths not just getting to the ISP but
also from the ISP's points of presence you are using to their upstream
connections. Also consider physical diversity of the routers at each
end; you probably don't want a site problem (e.g. fire or extended power
outage) to take you off the Internet either.

Lots of possibilities; your choices are limited only by your budget.
For example, you may want to extend your routing through your firewalls
to your internal sites so an internal network problem does not isolate
the survivors (yes, you can dynamically route through firewalls without
sacrificing security. But just like it is easy to add redundancy that
sacrifices, rather than improves, availability; it takes care and effort
to route through firewalls without degrading your security). Bottom line
is you can protect against everything except your ISP fat fingering
their routing tables and going completely off the air.

Good luck and have fun!
-- 
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com
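The BGP arrangement described in the reply above, written out as an added example (not configuration posted by anyone in the thread): two customer edge routers in a private ASN, each with an eBGP session to a different ISP PE, accepting only a default route inbound and advertising only the customer's own prefix outbound, with an iBGP session between the CEs so a router that loses its ISP link still has a path via its neighbour. All addresses and ASNs are assumed documentation values (customer prefix 203.0.113.0/24, private AS 65001, ISP AS 64496, /30 link addresses from 192.0.2.0/24, inter-CE link 10.0.0.0/30); substitute your own.

```cisco
! CE1 (preferred path) -- added example, IOS syntax, assumed values
!
! Only our aggregate may ever leave, only a default may ever enter.
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PREFIX
!
route-map FROM-ISP permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
! Discard route so the aggregate is always present for the network statement.
ip route 203.0.113.0 255.255.255.0 Null0 250
!
router bgp 65001
 bgp log-neighbor-changes
 ! Keepalive/holdtime so session loss is noticed even when the
 ! interface stays up (the failure case the reply warns about).
 timers bgp 10 30
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description eBGP to ISP PE1
 neighbor 192.0.2.1 password <assumed-shared-secret>
 neighbor 192.0.2.1 route-map FROM-ISP in
 neighbor 192.0.2.1 route-map TO-ISP out
 neighbor 192.0.2.1 maximum-prefix 10
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 description iBGP to CE2
 neighbor 10.0.0.2 next-hop-self
!
! CE2 (standby) differs only in its peer address, a lower local
! preference for the inbound default, and an AS-path prepend on the
! outbound advertisement:
!
! route-map FROM-ISP permit 10
!  match ip address prefix-list DEFAULT-ONLY
!  set local-preference 100
! route-map TO-ISP permit 10
!  match ip address prefix-list OUR-PREFIX
!  set as-path prepend 65001 65001
! router bgp 65001
!  neighbor 192.0.2.5 remote-as 64496
!  neighbor 10.0.0.1 remote-as 65001
!  neighbor 10.0.0.1 next-hop-self
!
! Verification after bring-up (on each CE):
!  show ip bgp summary
!  show ip bgp neighbors 192.0.2.1 advertised-routes
!  show ip bgp neighbors 192.0.2.1 routes
```

The prepend on CE2 only influences path choice inside the ISP's network; most ISPs strip private ASNs before announcing to their upstreams, so inbound preference beyond the ISP's border has to be agreed with them. The `maximum-prefix` and inbound prefix-list are there so a provider-side mistake cannot push a full table or a leaked more-specific into the CE, and the outbound filter means a misconfigured redistribution on your side cannot leak internal routes to the ISP. The `advertised-routes` output only proves what the CE is sending; to confirm the ISP is actually propagating the prefix rather than relying on a static route, check it from their looking glass or a third-party route server.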
