Redundant T1 lines

alocurto

Platinum Member
Nov 4, 1999
2,174
0
76
My friend's company has a T1 line run to his office. The problem is that the T1 is shaky. It often cuts off and on and whatnot. Needless to say this is a real bad thing. He asked me if there was any way to get 2 T1 lines run to his office (2 separate ISPs) and have them work redundantly. If the first one goes out the second one would take over with minimal if any interruption in service. Off the top of my head I said there is probably Cisco equipment that can do it. My concern with the whole thing is the IP address itself. Can you have 2 ISPs register the same IP? I would think not.

So basically the question is: Is there any way to have redundant T1s from 2 companies using the same IP?

If you can get specific as far as hardware names that would be awesome.
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
5,471
2
0
One method, and I believe it's probably the most popular (for straight redundancy) uses Virtual Router Redundancy Protocol (VRRP) or the Cisco flavor, that they call Hot Standby Router Protocol (HSRP).

They are not interoperable. HSRP and VRRP won't work together as a teamed pair.

Both operate basically the same way, and can be used for two OR MORE paths. For the sake of discussion, I'll use a pair:

Each router has its assigned IP address (as it normally would). In addition, each router pair (or more) with VRRP/HSRP enabled presents a "virtual" router (it looks like one router) address (both IP and MAC). Of the pair, one router is "Primary", the other is in "standby." The Primary or Active router is handling all the traffic pointed to the Virtual Router. If that router dies, or the path goes down, the standby router engages and handles all of the traffic.

As far as the clients/hosts on that segment can tell...nothing happened, because their "Default Gateway" address is the Virtual Router's. They may lose the session, but many/most applications/protocols can recover or re-start the session. The key point is that the clients/hosts can continue external connectivity without re-configuration (or new DHCP assignment).

That's the basics. Now it gets interesting (I s'pose).

At this point, many people reach the understanding of "Well, nuts! I'm wasting a whole T1 just sitting there doin' nuthin'." It doesn't have to be that way ..... because of VLANs.

If you have the same router pair, and they both have the same two Dot1q VLANs, you can make Router A the Primary router for VLAN "A," and Router B the Primary Router for VLAN "B" .... and each router becomes the standby router for the other. Now you have (sort of) load balancing to the two T1s, with a redundant path. I say "sort of" load balancing, because it is a manual process .... the amount of traffic will depend on which VLAN you assign to a particular group of hosts.

There are some other methods of getting redundancy, some pretty elegant (policy routing) and some pretty basic (parallel paths, same administrative distance, Cisco load balances). IMHO, the median .... the middle ground between complexity and functionality, is HSRP/VRRP. Recovery is very fast (seconds, at most), it's reliable, you can specifically control the traffic, it's mature, it's supported .... life is good. AND, as I mentioned before, there is NO reconfiguration of the host/client - he always sees the same "Default Gateway."

We used to play with this in the Lab a lot. It's a Good Thing. The only thing I like better is Virtual PVCs in ATM with a ~20msec recovery .... and ATM outside the cloud is (unfortunately) virtually dead.

In the above examples, I called the devices "routers" (because it's easier than saying "Layer Three (L3) device"), we can also be talking about L3 switches (which are really routers). We could also be talking about one L3 switch that's been partitioned into two logical port groups (you lose some of the redundancy - the single switch becomes a single-point-of-failure).

Most, if not all, Cisco and Nortel routers can do HSRP and VRRP (respectively). There may be other "real" router manufacturers (i.e., NOT SOHO) that will do VRRP. I think 3COM used to be VRRP capable before they stopped making "real" routers ... and their L3 Switches probably still support it. I don't know "fer sher."


FWIW / .02

Scott


 

gunrunnerjohn

Golden Member
Nov 2, 2002
1,360
0
0
Personally, I'd try to find out if you could get DSL or cable as a backup, so you'd have different services totally.
 

alocurto

Platinum Member
Nov 4, 1999
2,174
0
76
ScottMac: Thanks for typing all that. I can't say I followed all of it but now I have a better understanding I can use to find out more.

jonmullen: Yes, there are external accesses to the network. PCAnywhere and other connections.

gunrunnerjohn: That is not a bad idea at all, I will tell him that.

Thanks a lot.

Any other opinions are welcomed.

 

Kadarin

Lifer
Nov 23, 2001
44,296
16
81
HSRP and VRRP strike me as being unnecessarily complex in this situation. Wouldn't the purpose be served equally well by configuring one gateway router with two equally weighted default routes, each going out its own T1?
 

alocurto

Platinum Member
Nov 4, 1999
2,174
0
76
Will that allow the lines to share an IP address? The important thing here is to have both lines use the same IP either load balanced or redundant.
 

alocurto

Platinum Member
Nov 4, 1999
2,174
0
76
Wouldn't HSRP focus more on router failure?

In my head I was seeing this:

T1(1)-----------------\
========= Router ===== Switch =Bunch of stuff
T1(2)-----------------/

The router would use one line and if that went down init the other line with the same IP and keep going. Kinda more like a hot-swappable T1 as opposed to hot-swap routers. Am I making sense? Can you correct me on this? Maybe a more basic description?

 

goldboyd

Golden Member
Oct 12, 1999
1,932
0
0
Originally posted by: alocurto
Wouldn't HSRP focus more on router failure?

HSRP can be set up to track an interface and then decrease the standby priority if that interface goes down. Then, the other router will become the active router for that virtual IP, assuming that it was configured with the "preempt" option.

However, since you need inbound redundancy also, you're going to need a more complicated (BGP) setup, unless you get the second circuit from the same ISP.
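
The track/preempt behaviour described in the post above, as a simplified Python model. This is an added example, not code from any poster and not Cisco's implementation; the router names, the 192.0.2.x addresses and the priorities are constructed, and the model assumes HSRP's default priority of 100 and default tracking decrement of 10.

```python
from dataclasses import dataclass

@dataclass
class Router:
    name: str
    ip: str                    # interface address; tie-breaker on equal priority
    priority: int = 100        # configured HSRP priority
    preempt: bool = False      # may take over from a live, lower-priority active
    track_decrement: int = 10  # subtracted while the tracked T1 is down
    t1_up: bool = True         # state of the tracked WAN interface
    alive: bool = True         # router is still sending hellos

    def effective_priority(self):
        return self.priority - (0 if self.t1_up else self.track_decrement)

def _rank(r):
    # Higher effective priority wins; on a tie the higher IP address wins.
    return (r.effective_priority(), tuple(int(o) for o in r.ip.split(".")))

def elect(routers, current_active=None):
    """Return the router that is active after one election round."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    if current_active is not None and current_active.alive:
        # A live active router keeps the role unless a better-ranked
        # router is configured with preempt.
        challengers = [r for r in alive
                       if r.preempt and _rank(r) > _rank(current_active)]
        return max(challengers, key=_rank) if challengers else current_active
    return max(alive, key=_rank)

def scenario(standby_preempt):
    """Walk one group through a T1 failure, recovery, then a router failure."""
    a = Router("A", "192.0.2.2", priority=110, preempt=True, track_decrement=20)
    b = Router("B", "192.0.2.3", preempt=standby_preempt)
    group, history = [a, b], []
    active = elect(group)                      # A wins: 110 > 100
    history.append(active.name)
    a.t1_up = False                            # A's T1 drops: 110 - 20 = 90
    active = elect(group, active)
    history.append(active.name)
    a.t1_up = True                             # T1 returns; A has preempt
    active = elect(group, active)
    history.append(active.name)
    a.alive = False                            # whole router A fails
    active = elect(group, active)
    history.append(active.name)
    return history
```

With preempt on router B the active role follows the healthy T1; without it, B takes over only when router A stops sending hellos altogether, so a dead T1 on a live router A keeps traffic pointed at the failed path.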
 

alocurto

Platinum Member
Nov 4, 1999
2,174
0
76
In the diagram I made above the T1 lines go into the router, the spacing is off for whatever reason.

Can anyone recommend a site where I can go to maybe read up a little more on this task using Cisco?
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
alocurto, the solution to your problem is BGP multi-homing. DO NOT try this if you don't know what you're doing. You can do a LOT of damage using BGP incorrectly.

Another solution (where you could do less damage) would be to get a Nexland or similar "dual router" and set it up to use NAT or PAT over the second line if the first goes down. This can be done on a Cisco, too, but it's a little tricky to set up. The upshot of this approach is that you could use a DSL line as your backup.

I'd also strongly urge you to raise hell and don't back down on the issue of your T1 being flaky. No T1 circuit is 100% reliable, and frankly they're not even five-nines most of the time, but if your line is going down enough for it to be a real problem, that's unacceptable and needs to be fixed. The fix might be as simple as dumping your current ISP and starting over with a better one (who in turn will have a better relationship with your LEC). You get what you pay for - most folks I know who used the bargain basement T1 ISP regretted it.
 

alocurto

Platinum Member
Nov 4, 1999
2,174
0
76
Yeah, that makes sense. Anyone know how to do this that would be interested in helping out remotely? I will talk to my friend; I am sure he will be willing to pay as he usually takes care of me.
 

Kadarin

Lifer
Nov 23, 2001
44,296
16
81
Hypothetical situation... (with made-up IP addresses)

ISP1--------------216.52.128.32/24 (e1) (Cisco box) (e3) 214.86.85.1/24 -------------- (company network)
ISP2--------------152.34.116.15/24 (e2)

The Cisco gateway router has three interfaces configured with public IP addresses. Configure two default routes, equally weighted out e1 and e2.

ip route 0.0.0.0 0.0.0.0 216.52.128.1
ip route 0.0.0.0 0.0.0.0 152.34.116.1

And get each ISP to configure a static route to your 214.86.85.0/24 network (and then have them advertise this route). If they'll do this, then you can put VPN or other publicly accessible servers in 214.86.85.0/24, and they'll have redundant paths to the outside. No need for HSRP or VRRP (which, as previously stated, are designed for router redundancy, not path redundancy, in spite of the track port feature).

Talk to your ISP(s), let them know what you want to do; they should have some solutions for you. Also, as stated, work on the quality of your T1. Good luck!
 

Garion

Platinum Member
Apr 23, 2001
2,329
6
81
All of these solutions are valid, but very complicated. Some notes:

Most ISPs won't let you run BGP with anything less than a /21. If they do, they won't for very long. You probably don't need 2,000 public IPs (or have that many assigned to you!), so it's probably not worth it. Asking two ISPs to distribute the same route could also make some interesting things happen and it would be a real pain to troubleshoot. Exotic is cool, but it's not worth it in the long run if you're not ready to support it.

There are some more simple solutions out there:

Use a hardcore solution, like a Fat Pipe SuperStream box to load balance your traffic. If that's too much dough, look at a Nexland router with dual interfaces that will do the trick. (Although, they have been bought by Symantec and I'm not sure if the products are still available or not). You could even use dual routers with HSRP and some tricks with multiple default routes to make it work, but it'd be better to use a product meant for it like the FatPipe or the Nexland.

The catch with these ideas is that they don't offer INBOUND redundancy. This should only really matter if you're hosting a website or something that is TOTALLY IP-dependent. If you are, you probably shouldn't be anyhow. *grin*.

If all you're doing is mail and inbound VPN/PCAW, there are alternatives for both of these. Mail is easy - Just set up a higher-cost MX record to point to your alternate ISP and make sure the firewall is set up properly. For PCAnywhere/VPN, just give your users two icons and tell them that if one doesn't work, use the other one.

- G
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
Garion, /24 is the longest prefix folks support in my experience, regardless of high octet. I have not yet seen a real ISP filter any of my /24s, both old class Cs and slices out of provider blocks. I believe /21 (actually /20 now) is the longest prefix ARIN will give you for a portable block, but real ISPs can slice you a /24 for multi-homing.

alocurto, Garion raises a good point. If you have critical inbound services and you're having reliability problems, it's going to be more cost effective to colocate them and make reliability someone else's problem. And once you do that, then a solution of multiple PAT down multiple lines (the Nexland router, or for strict failover, a Cisco can do it if carefully configured) becomes totally reasonable.
 