How can I failover an intranet connection to the internet

Discussion in 'Cisco' started by lenny, Feb 5, 2005.

  1. lenny

    lenny Guest


    I'm a programmer with very limited net design / admin knowledge, so
    forgive me if this question sounds naive.

    We are a small company (10 people) with 2 T1 connections. One T1 gives
    us public internet access through a Cisco 1700 router (there's a
    Watchguard Firebox behind the router for security). The second
    connection is exclusively for access to special purpose data from a
    single data vendor (I believe this line puts us on the vendor's
    intranet, or it may be a point-to-point line). It's not on the public
    internet. The connection on this second line is via a Cisco 1600 doing
    the job of a boundary router (LAN to WAN address translation only). Both
    T1 connections go onto our company ethernet (one segment for

    The private data source can give us data over the public internet when
    their intranet line fails (which it does occasionally). We fail over to
    the data vendor's public internet in a pretty crude way: each user of
    the data vendor's intranet connection has a persistent route to the
    intranet set in their (Windows XP) computer. When the intranet goes
    down, we have these users run a batch file that executes the Windows
    "route" utility and substitutes an IP address of our private data
    vendor that's available via the public internet. When the intranet T1
    line comes back, the users execute a second batch file that replaces
    the persistent route in their computers back to the intranet T1.

    I'm wondering whether (and how) I can remove all persistent routes in
    the users computers and substitute some settings in the two cisco
    routers so the failover to the public internet and back to the intranet
    happens automagically as the intranet T1 goes down and returns? Is this
    a job that's doable by a programmer or should I look for a by-the-hour
    comms expert to do it?

    Thanks in advance for your advice.

    lenny, Feb 5, 2005

  2. lenny

    PES Guest

    You could remove all persistent routes and add the relevant entries to
    whatever the client points to as a default gateway. You would still
    have to config change it at failover, but only in one place. To make it
    seamlessly fail over would take a lot more discussion about the
    scenario, address translation and route population.

    The only exception to this working would be if the clients point to a
    firewall that will not send and receive the same packet out the same
    port (i.e. PIX).
    PES, Feb 5, 2005

  3. lenny

    merv.hrabi Guest

    You probably will want to get a qualified Cisco CCIE network engineer
    to assist you with this.

    You would want to see if you can establish a VPN tunnel from your
    Cisco 1700 to the data vendor environment. Hopefully this would allow
    you to have the same IP address for the data vendor server regardless
    of the transport path (i.e. via the 1700 or 1600).

    You would run a dynamic routing protocol between the 1600 and 1700 to
    allow you to know when the data vendor server IP address is not
    reachable via the 1600; then the 1700 could punt it out on the VPN.

    You could implement HSRP between the Cisco 1700 and the Cisco 1600, so
    that the users' machines would not have to have any routes other than
    default to the HSRP address for any destination other than your local
    merv.hrabi, Feb 5, 2005
  4. lenny

    merv.hrabi Guest

    If you wish to discuss further send me private email to
    merv.hrabi, Feb 5, 2005
  5. lenny

    SysAdm Guest

    Depending on how "smart" you want this setup, it could either be done with
    HSRP and interface tracking (that would give you the failover, but wouldn't
    give you dynamic routing), or alternatively combine HSRP and a dynamic
    routing protocol to give you full manipulation of your traffic path.

    SysAdm, Feb 6, 2005
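As an added illustration of the HSRP-with-interface-tracking design that SysAdm and merv.hrabi describe (this is example configuration written for this page, not anything posted in the thread; the addresses, interface names and the 172.16.0.0/16 vendor prefix are hypothetical, and it assumes both routers sit directly on the clients' Ethernet segment as the original post says they do): the 1600 owns a shared virtual gateway address while its T1 is up, and its HSRP priority drops below the 1700's as soon as the serial interface goes down, so the 1700 takes the address over and the PCs need no persistent routes at all.

```cisco
! Cisco 1600 (intranet T1 router). Added example with hypothetical addresses.
interface Serial0
 description T1 to data vendor intranet
 ip address 10.200.0.2 255.255.255.252
!
interface Ethernet0
 ip address 192.168.1.2 255.255.255.0
 ! 192.168.1.1 is the virtual gateway the PCs use as their only default gateway
 standby 1 ip 192.168.1.1
 ! 110 beats the 1700's 100, so the 1600 is normally the active router
 standby 1 priority 110
 ! take the address back as soon as the T1 returns
 standby 1 preempt
 ! when Serial0 goes down, priority drops by 20 to 90 and the 1700 wins
 standby 1 track Serial0 20
!
! vendor intranet prefix (assumed 172.16.0.0/16) goes over the T1
ip route 172.16.0.0 255.255.0.0 Serial0
! everything else is handed across the LAN to the 1700
ip route 0.0.0.0 0.0.0.0 192.168.1.3

! Cisco 1700 (internet T1 router). Added example with hypothetical addresses.
interface FastEthernet0
 ip address 192.168.1.3 255.255.255.0
 standby 1 ip 192.168.1.1
 standby 1 priority 100
 ! preempt is needed here too, or the 1700 will not claim the address
 ! when the 1600's priority falls to 90
 standby 1 preempt
!
interface Serial0
 description T1 to ISP
 ip address 203.0.113.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 Serial0
```

Check the state with `show standby brief` on both routers, then test by shutting down Serial0 on the 1600 (or pulling the cable) and watching the 1700 become Active; the priority decrement must be large enough to cross the other router's priority or nothing happens. Note what this does and does not replace from the original post: it removes the route-swapping batch files, but the thread states that the vendor is reached at a different address over the public internet, so while the 1700 is active, traffic for the intranet prefix follows its default route to the internet. Making the vendor reachable at one address on both paths is the address-translation or VPN work that PES and merv.hrabi say needs separate design, and PES's caveat applies if the device on the clients' segment is actually the stateful Firebox rather than the 1700 itself.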
  6. lenny

    Ben Guest

    One has to ask, is the direct privately addressed connection necessary
    at all? There is no real security benefit if data can be routed via the
    internet anyway.

    Since redundancy appears to be a requirement, perhaps both sites having
    a 2nd internet connection would be a cleaner solution. This combined
    with an encrypted vpn for secure data transfer would give you the
    security and availability required.

    If both internet connections terminated on the same router at each end,
    failing over if one link died would be trivial to set up. The vpn would
    be more complex and require some expertise.


    Ben, Feb 7, 2005
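For the "both internet connections terminated on the same router" case Ben calls trivial, the usual mechanism is a floating static route: an added example written for this page, not configuration from the thread, with hypothetical addresses and interface names. The backup default route carries a high administrative distance, so it only enters the routing table when the primary route is withdrawn because Serial0 goes down.

```cisco
! One router with two internet circuits. Added example, hypothetical addresses.
interface Serial0
 description primary internet T1
 ip address 203.0.113.2 255.255.255.252
!
interface Serial1
 description backup internet circuit
 ip address 198.51.100.2 255.255.255.252
!
! primary default route: a static route has administrative distance 1 by default
ip route 0.0.0.0 0.0.0.0 Serial0
! floating static: distance 200 keeps it out of the table while Serial0 is up
ip route 0.0.0.0 0.0.0.0 Serial1 200
```

`show ip route` shows only one default at a time; after `shutdown` on Serial0 the Serial1 entry appears, and it disappears again when Serial0 comes back. Two caveats a practitioner would want: this reacts only to the local interface going down, not to an upstream failure that leaves the link up, and each circuit has its own public address, so NAT and any site-to-site VPN peer address change at failover, which is the part Ben notes needs more expertise than the route itself.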
  7. lenny

    lenny Guest


    Thanks for your replies. I can see from the content of the replies that
    it would take me a long time (and as a programmer, time not well
    spent) to learn enough to configure an HSRP setup (with or without
    dynamic routing).

    Looks like my best bet is to use a by-the-hour (or by- the-job)
    expert. I'm guessing that someone familiar with this could implement it
    in just a couple of hours. These replies give me an idea of what to
    ask a prospective consultant.

    Do you think it would be best to have someone physically present at our
    site, or could this all be done remotely? (I could temporarily wire the
    console port of the Cisco 1600 router to a dial modem, for the intranet
    router's configuration, if need be.)
    lenny, Feb 7, 2005
  8. lenny

    merv.hrabi Guest

    The design and configuration preparation could be done by someone

    You also need to have a thorough failure testing plan prepared. That
    plan should include the physical failure of each router. This testing
    is probably best done on site.
    merv.hrabi, Feb 7, 2005