From: 1cmpecho (1cmpecho@hotpop.com)
Date: Thu Jan 15 2004 - 16:23:08 GMT-3

ahh...i see - the source address of the vpn relationship would change on
the second nat (off of the isp devices)...

2 active vpn tunnels (with some concept of floating statics based on a
tunnel would work) i know sonicwall does this, and you could on a cisco
device, be able to reference a tunnel interface as a next_hop interface
(perhaps if you create a gre tunnel) - and if that interface were to fail,
then it would be removed from the routing table....follow? you could
stagger the floating statics and have failover - or likely load balance on
source/destination flows/conversations...

At 08:11 PM 1/14/2004 -0500, asadovnikov wrote:
>This is exactly what I was trying to say. Sorry for not putting a picture
>in.
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>1cmpecho
>Sent: Tuesday, January 13, 2004 8:09 PM
>To: Andrew Moriarty; ccielab@groupstudy.com
>Subject: Re: OT:Fault tolerant CEO's home network setup.
>
>
>you _could_ push the vpn device back inside a little and have it forwarding
>to the 2 internet devices
>
>
>                     /cablemodem
>pc's -----vpn device----tunnel--------------------------vpn headend
>                     \dsl
>
>if the tunnel is established behind the isp's - then it could maintain the
>session theoretically :)
>
>
>
>At 07:41 PM 1/13/2004 -0500, Todd Veillette wrote:
> >Linksys also has one that just came out that does stateful, dhcp, 8
> >port 10/100, etc, etc, and supports 50 IPSEC tunnels.
> >
> >-TV
> >
> >----- Original Message -----
> >From: "Ertai Wizard" <ertai_wizard@hotmail.com>
> >To: <ccielab@groupstudy.com>
> >Sent: Tuesday, January 13, 2004 6:47 PM
> >Subject: FW: OT:Fault tolerant CEO's home network setup.
> >
> >
> > > Try
> > >
> > > Hawking FR24 Dual WAN Broadband Router - US $65.00 retail
> > > Xincom Twin WAN Router (XC-DPG402) - US $200.00 retail
> > > Symantec Firewall/VPN200 (a.k.a. Nexland pro800Turbo) - US $900.00 retail
> > > etc...
> > >
> > > In these routers, they provide NAT (or Stateful inspection in
> > > Symantec kit), DHCP Client IP addressing, Static Addressing, and
> > > DHCP server functionality.
> > >
> > > They provide fault tolerance; and to a limited degree, load
> > > balancing across both WAN connections.
> > >
> > > Anyway, ask the customer does he watch the Red Green show? Does he
> > > need duct tape? Eh? I hear you can duct tape two DSL/Cable modem
> > > routers and create a new fangled contraption that might work.
> > >
> > > :-)
> > >
> > >
> > >
> > >
> > > >From: "Andrew Moriarty" <amgroupstudy@hotmail.com>
> > > >Reply-To: "Andrew Moriarty" <amgroupstudy@hotmail.com>
> > > >To: ccielab@groupstudy.com
> > > >Subject: OT:Fault tolerant CEO's home network setup.
> > > >Date: Wed, 07 Jan 2004 00:53:20 -0500
> > > >
> > > >Ever have the feeling that you are missing something incredibly
> > > >basic that will make you look stupid later? I do right now, and I
> > > >hope someone can help.
> > > >
> > > >The scenario: The customer's CEO often works from home. He accesses
> > > >company servers in California, and he lives in Canada. Because of
> > > >where he lives, all he can get at his house is a relatively basic
> > > >DSL from one provider, and a basic cable modem setup from another.
> > > >Both of these are "Home user" type setups, with addresses assigned
> > > >by DHCP. The DSL provider is frequently down for a day or more.
> > > >Problem is, that's the high speed connection! The cable in this
> > > >area is much slower, and not much more reliable. (Don't ask me to
> > > >explain why this is so - it just is! - and before anyone makes any
> > > >Canada jokes, yes he can get a canoe at the local supermarket, all
> > > >the TV networks carry hockey, and yes, there are wild elk running
> > > >around in the parking lot)
> > > >
> > > >The CEO has a relatively robust home network - a unix based
> > > >firewall, and a half dozen computers behind it.
> > > >
> > > >His goal is to have seamless fail-over, for as cheap as possible.
> > > >He wants to be connected in to a contact management system all day
> > > >long, and not worry about which ISP is up or down. In other words,
> > > >he might buy a router or two, but he won't upgrade his personal
> > > >"Home" service to a business class service. (It's not available in
> > > >that area anyways)
> > > >
> > > >Each ISP provides him with a public IP address. Right now he only
> > > >uses one of them, and uses NAT on his unix firewall to provide
> > > >internet access for his six machines. He wants to add the second
> > > >ISP to the configuration, to provide fault tolerance.
> > > >
> > > >I've suggested buying a router and connecting it to both ISPs, and
> > > >using one interface as the primary and one as the backup, with
> > > >static routes and NAT. Cheap, simple solution. Problem is, if one
> > > >ISP fails, there goes his public address that the NAT is using, and
> > > >he'll have to log out of his contact management software, and
> > > >restart his session, potentially losing data. He does NOT want to
> > > >do that. It's no good flipping over to the second ISP/NAT
> > > >connection, because then his public address will change, and his
> > > >session will be invalid and have to start again.
> > > >
> > > >He doesn't have any public ip addresses inside his house, can't get
> > > >any either with the services on offer in that area. He's not going
> > > >to do anything complex like run BGP etc. The ISPs won't let him
> > > >anyways.
> > > >
> > > >I'm not sure I can solve his problem, but I've got a tickle in the
> > > >back of my mind about something, thinking I saw this somewhere
> > > >before. I even got out my Halabi and Doyle books and re-read some
> > > >stuff.
> > > >
> > > >Does anyone have any suggestions on what to do here? Or even
> > > >something to research.....
> > > >
> > > >am
> > > >
> > > >
> > > >_______________________________________________________________________
> > > >Please help support GroupStudy by purchasing your study materials from:
> > > >http://shop.groupstudy.com
> > > >
> > > >Subscription information may be found at:
> > > >http://www.groupstudy.com/list/CCIELab.html
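
The floating-static behaviour described in the top message, modelled as an added example (not code from the thread or from any vendor): static routes point at tunnel interfaces, a route leaves the table when its tunnel goes down, staggered distances give failover, and equal distances give per-flow load sharing. The class names, the `10.10.0.0/16` prefix and the host addresses in the comments are constructed for illustration.

```python
import zlib
from dataclasses import dataclass

HQ = "10.10.0.0/16"  # constructed prefix behind the VPN headend


@dataclass(frozen=True)
class StaticRoute:
    prefix: str    # destination network
    out_if: str    # tunnel interface referenced as the next hop
    distance: int  # administrative distance; lower is preferred


class Router:
    def __init__(self, routes):
        self.configured = list(routes)
        self.if_up = {r.out_if: True for r in routes}

    def set_interface(self, name, up):
        self.if_up[name] = up

    def active_routes(self, prefix):
        """Routes actually installed: interface up, lowest distance only."""
        usable = [r for r in self.configured
                  if r.prefix == prefix and self.if_up[r.out_if]]
        if not usable:
            return []
        best = min(r.distance for r in usable)
        return sorted((r for r in usable if r.distance == best),
                      key=lambda r: r.out_if)

    def forward(self, prefix, src, dst):
        """Egress tunnel for one flow (e.g. 192.168.1.10 -> 10.10.5.20)."""
        active = self.active_routes(prefix)
        if not active:
            return None  # both tunnels down: no route
        # Per-flow hash: all packets of one src/dst pair use the same tunnel.
        h = zlib.crc32(f"{src}>{dst}".encode())
        return active[h % len(active)].out_if


def failover_router():
    # Staggered distances: Tunnel1 is a floating static, used only as backup.
    return Router([StaticRoute(HQ, "Tunnel0", 1), StaticRoute(HQ, "Tunnel1", 10)])


def balanced_router():
    # Equal distances: both routes are installed and flows are shared.
    return Router([StaticRoute(HQ, "Tunnel0", 1), StaticRoute(HQ, "Tunnel1", 1)])
```

In both variants only the egress tunnel changes on failure; the inner source and destination addresses passed to `forward` stay the same.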
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:44 GMT-3