Looking for some advice on how this will work for us in a disaster recovery scenario. Right now we are, like most businesses, on a fiber internet connection, and have fiber between our remote offices. If in a disaster we lost fiber to our headquarters facility, we want to use the Verizon WAN HWIC-1T solution to get us by until fiber service is restored. What would this look like for us when the disaster happens? How would I route us out through Verizon?

Right now we have everyone with a default gateway of our main switch. That main switch has its default gateway as our firewall. When the disaster happens, do I just change the main switch's default gateway to my new router with the Verizon HWIC card in it? I know this will only allow for outbound traffic to the internet, and nothing inbound, but will that work?

My other, more pressing concern is: will this be safe, since traffic will now be routed through Verizon and a router only, no firewall?

Any thoughts or suggestions would be appreciated!
To put some IP numbers into this mix to get a clearer picture and explanation, I am going to assume the following layout:

    Fiber Internet (1.X.X.1)                Verizon WWAN (2.X.X.1)
            |                                        |
        (1.X.X.2)                                (2.X.X.2)
        Firewall                                 Cisco 2801
            |                                        |
    (10.1.0.1, 10.2.0.1, 10.3.0.1 /24s)   (10.1.0.2, 10.2.0.2, 10.3.0.2 /24s)
            |                                        |
    ------------------------- Main Switch -------------------------
            |                                        |
        HQ Subnets                      Various Branch Office Uplinks
      (10.1.0.X /24)                             (10.3.0.X /24)
      (10.2.0.X /24)
From the diagram you can see that you would simply define all of the VLANs on the Cisco 2801 and give them a layer 3 address in each VLAN. You would also independently configure the Cisco 2801 for NAT. As long as the fiber solution is up, all traffic will be routed out of the firewall and nothing should end up in the router. In the event of a failure of the fiber circuit, there are several options that can be employed depending on the capabilities of the firewall and "main switch".

1. If the switch supports basic static layer 3 routes, I would still define both routes on the device; however, I would not make them equal cost. Instead I would make the 3G network, say, 100 compared to 10 for the fiber circuit. This will ensure that traffic never "automatically" goes to the 3G circuit. As mentioned, with static routing failover is not automatic unless the interface goes down. So in the event the firewall fails and brings the interface down, it would act as an automatic failover. However, if the circuit goes down and the interface remains up, having the route in place allows you to fail over the path much quicker and easier by simply shutting down the interface going to the firewall. This prevents the need to define a more complex route statement while you are in the middle of an outage.

2. If the main switch supports IP SLAs of some type, you can automate the failover of the static route.

3. If the firewall supports IP SLAs of some type AS WELL AS hairpinning, you may be able to use the firewall to fail over to the 3G network if the fiber circuit fails. This would be a bit of a complex configuration.

One additional point I would like to make is that you can further subnet your network and place "important" users into their own WS-X45-SUP7L-E. Since your failover circuit will be a 3G circuit, speeds will not be that stellar and can probably only reliably support maybe 10 simultaneous users at one time. I would consider essentially allowing the network to be down when the fiber circuit is down for everyone except these "VIPs". Otherwise, if internet access is granted company wide over the 3G network, the speeds will be so horrendous that everyone might as well be down.
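As an added illustration of options 1 and 2 above and of the "only the VIPs" idea (example configuration written for this page, not part of the original answer), here is what the Cisco IOS side could look like on the main switch and on the 2801, using the diagram's addressing. Assumptions: the ISP gateway 1.X.X.1 is stood in by the documentation address 192.0.2.1, the VIP users sit in VLAN 10 (10.1.0.0/24), the HWIC cellular interface is Cellular0/0/0, and the 2801 runs an IOS image with the security feature set (for ip inspect).

```cisco
! ===== Main switch (layer 3): floating static default route (option 1) plus IP SLA tracking (option 2) =====
! Probe a target beyond the firewall (assumed: the ISP gateway 1.X.X.1, written here as 192.0.2.1) every 10 s
ip sla 1
 icmp-echo 192.0.2.1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Pin the probe to the firewall path so that, once the backup route is active, the probe cannot
! succeed via the 3G link and flap the primary route back in
ip route 192.0.2.1 255.255.255.255 10.1.0.1
! Primary default route via the firewall (AD 10), withdrawn automatically when track 1 goes down
ip route 0.0.0.0 0.0.0.0 10.1.0.1 10 track 1
! Backup default route via the Cisco 2801 (AD 100), installed only while the primary is absent
ip route 0.0.0.0 0.0.0.0 10.1.0.2 100
!
! ===== Cisco 2801: NAT only the VIP subnet out of the 3G link and block unsolicited inbound traffic =====
! Stateful inspection (CBAC) dynamically opens return-traffic holes in the inbound ACL below
ip inspect name BACKUP-FW tcp
ip inspect name BACKUP-FW udp
ip inspect name BACKUP-FW icmp
!
ip access-list extended FROM-INTERNET
 remark nothing comes in unless an inside host initiated the session
 deny ip any any
!
! Assumed HWIC cellular interface name; confirm with "show ip interface brief" on the real router
interface Cellular0/0/0
 ip address negotiated
 ip nat outside
 ip inspect BACKUP-FW out
 ip access-group FROM-INTERNET in
!
! Assumed VIP VLAN 10 = 10.1.0.0/24 from the diagram; other VLANs get no translation, so they are effectively down
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.0.2 255.255.255.0
 ip nat inside
!
ip access-list standard NAT-VIPS
 permit 10.1.0.0 0.0.0.255
ip nat inside source list NAT-VIPS interface Cellular0/0/0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
```

The firewall must permit the switch's ICMP probe outbound, otherwise track 1 stays down and the backup route is installed while the fiber is healthy.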