How can I failover an intranet connection to the internet

 
 
lenny
      02-05-2005
Hi

I'm a programmer with very limited net design / admin knowledge, so
forgive me if this question sounds naive.

We are a small company (10 people) with 2 T1 connections. One T1 gives
us public internet access through a Cisco 1700 router (there's a
Watchguard Firebox behind the router for security). The second
connection is exclusively for access to special purpose data from a
single data vendor. I believe this line puts us on the vendor's
intranet, or it may be a point to point line. It's not on the public
internet. The connection on this second line is via a Cisco 1600 doing
the job of a boundary router (lan to wan address translation only). Both
T1 connections go onto our company ethernet (one segment for
everyone).

The private data source can give us data over the public internet when
their intranet line fails (which it does occasionally). We fail over to
the data vendor's public internet in a pretty crude way: Each user of
the data vendor's intranet connection has a persistent route to the
intranet set in their (Windows XP) computer. When the intranet goes
down, we have these users run a batch file that executes the Windows
"route" utility and substitutes an ip address of our private data
vendor that's available via the public internet. When the intranet T1
line comes back, the users execute a second batch file that replaces
the persistent route in their computers back to the intranet T1.

I'm wondering whether (and how) I can remove all persistent routes in
the users' computers and substitute some settings in the two Cisco
routers so the failover to the public internet and back to the intranet
happens automagically as the intranet T1 goes down and returns? Is this
a job that's doable by a programmer or should I look for a by-the-hour
comms expert to do it?

Thanks in advance for your advice.

Lenny

 
PES
      02-05-2005
You could remove all persistent routes and add the relevant entries to
whatever the client points to as a default gateway. You would still
have to config change it at failover, but only at one place. To make it
seamlessly fail over would take a lot more discussion about the
scenario, address translation and route population.

Only exception to this working would be if the clients point to a
firewall that will not send and receive the same packet out the same
port (I.E. PIX).

--
-------------------------
Paul Stewart
Lexnet Inc.
Email address is in ROT13
 
merv.hrabi@rogers.com
      02-05-2005
You probably will want to get a qualified Cisco CCIE network engineer
to assist you with this.

You would want to see if you can establish a VPN tunnel from your
Cisco 1700 to the Data Vendor environment. Hopefully this would allow
you to have the same IP address for the data vendor server, regardless
of the transport path (i.e. via the 1700 or 1600).

You would run a dynamic routing protocol between the 1600 and 1700 to
allow you to know when the data vendor server IP address is not
reachable via the 1600, then the 1700 could punt it out on the VPN
tunnel.

You could implement HSRP between the Cisco 1700 and the Cisco 1600, so
that the user's machine would not have to have any routes other than
default to the HSRP address for any destination other than your local

 
merv.hrabi@rogers.com
      02-05-2005
If you wish to discuss further send me private email to
""

 
SysAdm
      02-06-2005

Depending on how "smart" you want this setup, it could either be done with
HSRP and interface tracking (that would give you the failover, but wouldn't
give you dynamic routing), or alternatively combine HSRP and a dynamic
routing protocol to give you full manipulation of your traffic path.

SysAdm


 
Ben
      02-07-2005
One has to ask, is the direct privately addressed connection necessary
at all? There is no real security benefit if data can be routed via the
internet anyway.

Since redundancy appears to be a requirement, perhaps both sites having
a 2nd internet connection would be a cleaner solution. This combined
with an encrypted vpn for secure data transfer would give you the
security and availability required.

If both internet connections terminated on the same router at each end,
failing over if one link died would be trivial to set up. The vpn would
be more complex and require some expertise.

cheers,

Ben


 
lenny
      02-07-2005
Contributors:

Thanks for your replies. I can see from the content of the replies that
it would take me a long time (and as a programmer, time not well
spent) to learn enough to configure a HSRP setup (with or without
dynamic routing).

Looks like my best bet is to use a by-the-hour (or by-the-job)
expert. I'm guessing that someone familiar with this could implement it
in just a couple of hours. These replies give me an idea of what to
ask a prospective consultant.

Do you think it would be best to have someone physically present at our
site, or could this all be done remotely? (I could temporarily wire the
console port of the Cisco 1600 router to a dial modem, for the intranet
router's configuration, if need be).

 
merv.hrabi@rogers.com
      02-07-2005
The design and configuration preparation could be done by someone
offsite.

You also need to have a thorough failure testing plan prepared. That
plan should include the physical failure of each router. This testing
is probably best done on site.

 