Re: Dual Internet Connection

  • From: "Jay" <jschwarzkopf@xxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 3 Oct 2001 10:26:02 -0400

I have been discussing this same issue with Cisco (using Cisco 2611), AT&T
(T1 provider) and Speakeasy (DSL provider).

The only way to effectively provide load balance and failover is by using
BGP to have each ISP advertise the other's route as secondary.  If the ISP
manages your routers, they will even configure it for you.  Unfortunately,
most DSL providers (including Speakeasy) do not provide BGP services.

To get some redundancy and load balancing, I have been thinking of
subnetting the DSL network, and then giving a public address to the Sonicwall
firewall behind the 2611 (need to add static routes to 2611), and then
NATing the T1 network to the public address of the ISA.  This would require
subnetting the AT&T managed router and adding static routes to get to our
2611, and then reverse proxy the T1 to the Sonicwall.

It does not provide auto failover or load balance. But we can direct all VPN
connections over the T1; web connections (no round robin) over the DSL; and
set redundant MX records for both, with preference to DSL.  That would
effectively load balance.

As for failover: SMTP would auto failover with the dual MX records; for web we
would need to change the DNS record; and VPN connection users would need to
manually change client-gateway config, while we would manually change
Security Associations in remote Sonicwalls.

I haven't configured it as yet, but if it works I'll let you know.

If anyone has tried this and can lend insight whether I'm wasting my time,
please let me know.


----- Original Message -----
From: "Jim Harrison" <jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, October 03, 2001 10:06 AM
Subject: [isalist] Re: Dual Internet Connection


> http://www.ISAserver.org
>
>
> Inline...
>
> Jim Harrison
> MCP(2K), A+, Network+, PCG
>
> ----- Original Message -----
> From: "Russ Highton Jr." <RussH@xxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, October 03, 2001 6:48 AM
> Subject: [isalist] Dual Internet Connection
>
>
> I know this has been discussed before, but I'm looking into installing a
> redundant internet connection.
>
> My first, and primary connection, is a DSL.
>
> I want to install a Cable connection in addition to that.
>
> Questions:
>
> - Can I have my ISA Server external interface with 2 gateways?
>
> * ISA can only have one external interface; multiple "gateway" functionality
> is totally dependent on the hardware that ISA faces; most are not set up to
> allow "dead gateway detection", which is all multiple gateways is for. The
> short answer; no gain.
>
> - I have a Cisco router that's not doing anything, so I can put the
> cable connection in the same IP subnet if needed.
>
> * Again, no real gain.  You're trying to load-balance using the "add another
> pipe to share the water pressure" theory and that's not how TCP/IP works.
> * Better that you install another ISA (in an array, ideally) and use the
> client settings to share the array.  Bear in mind that secureNAT clients
> won't get any benefit from this arrangement.
>
>
> Thanks for the info.
>
> Russ Highton Jr.
> Systems Engineer
> Broden, Inc.

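Added example, not part of the original thread: a Python simulation of how a sending mail server chooses between the two MX records described in the message above (DSL-side host preferred, T1-side host as backup), including the case where the DSL link is down. The hostnames, the preference values 10 and 20, and the reachability callbacks are assumptions made for illustration; an equal-preference record set is included for comparison.

```python
import random
from collections import Counter

# Constructed MX set: DSL-side host preferred (10), T1-side host as backup (20).
# Hostnames are placeholders, not taken from the thread.
MX_PREFER_DSL = [(20, "mail-t1.example.com"), (10, "mail-dsl.example.com")]
MX_EQUAL = [(10, "mail-t1.example.com"), (10, "mail-dsl.example.com")]

def delivery_order(records, rng):
    """Order hosts the way a sending MTA does (RFC 5321, section 5.1):
    lowest preference value first, random order among equal preferences."""
    groups = {}
    for pref, host in records:
        groups.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(groups):
        hosts = list(groups[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered

def deliver(records, is_up, rng):
    """Return (accepting host or None, hosts tried in order)."""
    tried = []
    for host in delivery_order(records, rng):
        tried.append(host)
        if is_up(host):
            return host, tried
    return None, tried  # nothing reachable: the sender queues and retries

def inbound_share(records, is_up, messages=200, seed=1):
    """Count which host ends up accepting each of `messages` deliveries."""
    rng = random.Random(seed)
    return Counter(deliver(records, is_up, rng)[0] for _ in range(messages))

if __name__ == "__main__":
    all_up = lambda host: True
    dsl_down = lambda host: host != "mail-dsl.example.com"
    print("prefer DSL, both up :", dict(inbound_share(MX_PREFER_DSL, all_up)))
    print("prefer DSL, DSL down:", dict(inbound_share(MX_PREFER_DSL, dsl_down)))
    print("equal preference    :", dict(inbound_share(MX_EQUAL, all_up)))
```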

