From: asadovnikov (asadovnikov@comcast.net)
Date: Fri Jan 16 2004 - 00:37:56 GMT-3
The VPN option can actualy be implemented on Cisco platform and not all that
expensive either (as a side not the first option could not).
Let me go into details of VPN option...
\ Internet /
\_______________/
|
| NAT point to Internet
+---------------+
| Reliable site |
| central office|
| |
| cental router|
| router |
/\
/ \
/ \ This is dual VPN connectivity
| | done via Internet to make your CEO
| | home office to look like if it was
| | in you cenral office reliably connected
ISP1 ISP2 to Internet
\ /
\ /
\/
home router
|
---------- You can use enterprise IP address space on private
LAN
private LAN and no NAT is needed here (although still can do it)
Home router and cenral router will establish 2 GRE IPsec protected tunnels
(if security is not a conideration just GRE without IPSec will do). Then
you can run a routing protocol in this GRE tunnels. Static routes pointing
to ISP1 and ISP2 will be needed to make sure each GRE tunnel goes different
interface. All other traffic to be routed via the tunnel. For hardware
2611XM is a good option and 2621XM even better, add Ipsec AIM for
encryption. Router(s) will loadbalance over the tunnels if both available,
but if one ISP is down routeres will learn about it by means of dynamic
routing protocol you run and the remaining tunnel will be used. By
weighting tunnels diferently you can do active/backup versus to
loadbalancing. Do not need floating statics (will not work anyway) and NAT
in home network router.
As I said earlier 3rd party products can provide similar functionality at
smaller cost.
Best regards,
Alexei
-----Original Message-----
From: 1cmpecho [mailto:1cmpecho@hotpop.com]
Sent: Thursday, January 15, 2004 2:23 PM
To: asadovnikov; 'Andrew Moriarty'; ccielab@groupstudy.com
Subject: RE: OT:Fault tolerant CEO's home network setup.
ahh...i see - the source address of the vpn relationship would change on
the second nat (off of the isp devices)...
2 active vpn tunnels (with some concept of floating statics based on a
tunnel would work) i know sonicwall does this, and you could on a cisco
device, be able to reference a tunnel interface as a next_hop interface
(perhaps if you create a gre tunnel) - and if that interface were to fail,
then it would be removed from the routing table....follow? you could
stagger the floating statics and have failover - or likely load balance on
source/destination flows/conversations...
At 08:11 PM 1/14/2004 -0500, asadovnikov wrote:
>This is exactly what I was trying to say. Sorry for not putting a
>picture in.
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>1cmpecho
>Sent: Tuesday, January 13, 2004 8:09 PM
>To: Andrew Moriarty; ccielab@groupstudy.com
>Subject: Re: OT:Fault tolerant CEO's home network setup.
>
>
>you _could_ push the vpn device back inside a little and have it
>forwarding to the 2 internet devices
>
>
> /cablemodem
>pc's -----vpn device----tunnel--------------------------------------vpn
>headend
> \dsl
>
>if the tunnel is established behind the isp's - then it could maintain
>the session theoretically :)
>
>
>
>At 07:41 PM 1/13/2004 -0500, Todd Veillette wrote:
> >Linksys also has one that just came out that does stateful, dhcp, 8
> >port 10/100, etc, etc, and supports 50 IPSEC tunnels.
> >
> >-TV
> >
> >----- Original Message -----
> >From: "Ertai Wizard" <ertai_wizard@hotmail.com>
> >To: <ccielab@groupstudy.com>
> >Sent: Tuesday, January 13, 2004 6:47 PM
> >Subject: FW: OT:Fault tolerant CEO's home network setup.
> >
> >
> > > Try
> > >
> > > Hawking FR24 Dual WAN Broadband Router - US $65.00 retail
> > > Xincom Twin WAN Router (XC-DPG402) - US $200.00 retail
> > > Symantec Firewall/VPN200 (a.k.a. Nexland pro800Turbo) - US
> > > $900.00 retail
> > > etc...
> > >
> > > In these routers, they provide NAT (or Stateful inspection in
> > > Symantec
> >kit),
> > > DHCP Client IP addressing, Static Addressing, and DHCP server
> >functionality.
> > >
> > > They provide fault tolerance; and to a limited degree, load
> > > balancing
> >across
> > > both WAN connections.
> > >
> > > Anyway, ask the customer does he watch the Red Green show? Does
> > > he need duct tape? Eh? I hear you can duct tape two DSL/Cable
> > > modem routers and create a new fangled contraption that might
> > > work.
> > >
> > > :-)
> > >
> > >
> > >
> > >
> > > >From: "Andrew Moriarty" <amgroupstudy@hotmail.com>
> > > >Reply-To: "Andrew Moriarty" <amgroupstudy@hotmail.com>
> > > >To: ccielab@groupstudy.com
> > > >Subject: OT:Fault tolerant CEO's home network setup.
> > > >Date: Wed, 07 Jan 2004 00:53:20 -0500
> > > >
> > > >Ever have the feeling that you are missing something incredibly
> > > >basic
> >that
> > > >will make you look stupid later? I do right now, and I hope
> > > >someone can help.
> > > >
> > > >The scenario: The customers CEO often works from home. He
> > > >accesess
> >company
> > > >servers in california, and he lives in Canada. Because of where
> > > >he
> >lives,
> > > >all he can get at his house is a relatively basic DSL from one
> > > >provider, and a basic cable modem setup from another. Both of
> > > >these are "Home user" type setups, with addresess assigned by
> > > >DHCP. The DSL provider is frequently down for a day or more.
> > > >Problem is, thats the high speed connection! The cable in this
> > > >area is much slower, and not much more reliable. (Don't ask me to
> > > >explain why this so- it just is!- and before anyone makes any
> > > >canada jokes, yes he can get a canoe at the local supermarket,
> > > >all the TV netoworks carry hockey, and yes, there are wild
> >elk
> > > >running around in the parking lot)
> > > >
> > > >The CEO has a relatively robust home network- a unix based
> > > >firewall, and
> >a
> > > >half dozen computers behind it.
> > > >
> > > >His goal is to have seemless fail-over, for as cheap as possilbe.
> > > >He
> >wants
> > > >to be connected in to a contact management system all day long,
> > > >and not worry about which ISP is up or down. In other words, he
> > > >might buy a
> >router
> > > >or two, but he won't upgrade his personal "Home" service to a
> > > >business class service. (its not available in that area anyways)
> > > >
> > > >Each ISP provides him with a public IP address. Right now he only
> > > >uses
> >one
> > > >of them, and uses NAT on his unix firewall to provide internet
> > > >access for his six machines. He wants to add the second ISP to
> > > >the configuration, to povide fault tolerance.
> > > >
> > > >I've suggested buying a router and connecting it to both ISP's,
> > > >and using one interface as the primary and one as the backup,
> > > >with static routes
> >and
> > > >NAT.Cheap, simple solution. Problem is, if one ISP fails, there
> > > >goes his public address that the NAT is using, and he'll have to
> > > >log out of his contact managment software, and restart his
> > > >session, potentially loosing data. He does NOT want to do that.
> > > >Its no good flipping over to the
> >second
> > > >ISP/NAT connection, because then his public address will change,
> > > >and his session will be invalid and have to start again.
> > > >
> > > >He doesn't have any public ip addresses inside his house, can't
> > > >get any either with the services on offer in that area. He's not
> > > >going to do anything complex like run BGP etc. The ISP's won't
> > > >let him anyways.
> > > >
> > > >I'm not sure I can solve his problem, but I've got a tickle in
> > > >the back
> >of
> > > >my mind about something, thinkingI saw this somewhere before. I
> > > >even got out my Halabi and Doyle books and re-read some stuff.
> > > >
> > > >Does anyone have any suggestions on what to do here? Or even
> > > >something to research.....
> > > >
> > > >am
> > > >
> > > >_________________________________________________________________
> > > >The new MSN 8: smart spam protection and 2 months FREE*
> > > >http://join.msn.com/?page=features/junkmail
> > >
> > >http://join.msn.com/?page=dept/bcomm&pgmarket=en-ca&RU=http%3a%2f%2
> > >fj
> > >oin.ms
> >n.com%2f%3fpage%3dmisc%2fspecialoffers%26pgmarket%3den-ca
> > > >
> > > >_________________________________________________________________
> > > >__
> > > >____
> > > >Please help support GroupStudy by purchasing your study materials
from:
> > > >http://shop.groupstudy.com
> > > >
> > > >Subscription information may be found at:
> > > >http://www.groupstudy.com/list/CCIELab.html
> > >
> > > _________________________________________________________________
> > > Rethink your business approach for the new year with the helpful
> > > tips
> >here.
> > > http://special.msn.com/bcentral/prep04.armx
> > >
> > > __________________________________________________________________
> > > __
> > > ___
> > > Please help support GroupStudy by purchasing your study materials
from:
> > > http://shop.groupstudy.com
> > >
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >_____________________________________________________________________
> >__
> >Please help support GroupStudy by purchasing your study materials from:
> >http://shop.groupstudy.com
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:44 GMT-3