Firewall Wizards mailing list archives

Re: router with 2 redundant interfaces


From: "Paul D. Robertson" <paul () compuwar net>
Date: Thu, 17 Apr 2008 15:38:46 -0400 (EDT)

On Sun, 13 Apr 2008, shadow floating wrote:

> Hi guys,
> my company is having 2 leased lines internet connections and they were
> about to buy two routers to make them standby to each other, each with
> one of the internet connections, as they were discussing with some
> network consultant...he convinced them to reduce cost and put 2 wics
> in one router only each connected to each internet connection
> instead of buying 2 routers....is that appropriate??

It's been a while since I did a fully redundant configuration, but the
principal points of failure are normally the same:

1.  Power circuit.
2.  Physical environment.
3.  Backup power.
4.  Path into building.
5.  Carrier/path.
6.  Addressing.

If you're looking for redundancy, then two routers make more sense, but
you're still likely to have single points of failure in most environments,
so likelihood of failure tends to be important.

1.  Are both routers on the same power circuit?  This is an easy thing to 
fix and guards against circuit-level failures.

2.  Is it necessary to guard against local events like fire/water damage
by splitting physical facilities or rooms?

3.  Are you plugging things into a single UPS or generator circuit?  Is 
that appropriate for your environment?

4.  Are you getting all your circuits down one path from the street to 
your facility?  When I've been involved in new building design, we've 
specified dual paths into the building for carrier access, one carrier per 
path so that JBO (Joe Backhoe Operator) can't kill coms with one swoop.  
What sort of service also starts to impact this, though more so on voice
(SONET rings are a good thing, as is foreign exchange fail-over from your
telco.)

5.  Single carriers terminating at single routers in single facilities 
aren't good for redundancy.  Multiple carriers who use the same fiber path 
also aren't.  In the US, it's getting more difficult to get access to 
carriers' fiber maps, so eliminating SPFs isn't always easy, especially if
you're somewhere that has limited long-haul circuits due to terrain or 
cost issues (see Baltimore tunnel fire event a few years back.)

6.  If you want it to be complete, you need to advertise the same address 
space with each carrier.  If you're really paranoid, get addressing from 
each carrier, make them share routing for each other's blocks and 
dual-address or NAT each device.  Easier is split addressing with DNS 
server zones for each address block, but it doesn't fail over, but it's 
interesting load sharing.

If you have local environmental issues (power, cooling, dust, power
spike on line...) that make a router failure more likely, then dual
routers are cheap (depending on pipe size) insurance.

You can save even more money by not having the extra connection- I'm 
guessing that someone's already made that call, so what criteria was it 
made under?  What was the business case, and how does a single router 
impact that case?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
             http://www.fluiditgroup.com/blog/pdr/
           Art: http://PaulDRobertson.imagekind.com/
