Networking Guru's (Associate, joined 8 Jul 2004):
Am I barking up the wrong tree?

Let me just draw you a simplistic picture of the current set up.

Site A - Headquarters
Firewall
Core Switch

Site B - Branch Office
Firewall
Core switch

Now Site A and B are connected two ways: one is a 100 MB site-to-site fibre connection that terminates on the core switches, and the other is a site-to-site VPN that terminates at the firewalls. Now obviously the site-to-site 100 MB link is the fastest, and currently it's the default route for traffic intended for each site on the core switches. What I'm trying to do is essentially automate failover.

If the 100 MB site-to-site link fails, I would like the core switches to route the traffic over the VPN without me having to modify the core switch config and manually change the IP routes.

Is RIP the answer I'm looking for here? If I enabled RIP on both the core switches and the firewalls, will this do what I want?

Thanks for your help
 
You haven't given the firewall or switch models,

but couldn't you plug the 100mb fibre into the firewall, and it could monitor if a link is down?

RIP should work (AFAIK), as that's its purpose, but I haven't got enough experience to comment.
 
Ok, just thinking out loud: you could, as said above, run the fibre into the firewall and use NSRP to control the links.

You could use OSPF and use link costs, but this would require some routers or a capable firewall. This would also allow you to load balance.
 
A routing protocol (such as RIP, if you really want to) over the 100MB circuit, and a static route with a higher AD to take over when the main link fails.
 
How are the interfaces and routing managed? Is the site-to-site fibre connection layer 2? What do machines use as their default GW?

Really though, that's probably by the by, and 2 static routes for 0.0.0.0 with a higher metric for the preferred link should sort it. You don't really need to run RIP or OSPF for a point-to-point connection, but I am a little vague on how it's set up. If you do want to run a dynamic protocol (no harm in doing so), I would suggest RIP in your case since it's very easy to set up!
 
Hi Hulkster

The site-to-site fibre connection is indeed layer 2; all machines in the sites use their local core switch as the default gateway.

The core switch then routes internal traffic over the site-to-site link and anything else to the firewall. It's a fairly simple setup.
 
A couple of other things to consider then -

- Does each site have its own Internet connection? Should each site use its own Internet connection?
- Is each site on its own subnet, or have you left it flat layer 2?
- If on its own subnet, how are you routing between the two?

I don't know your switches, but they appear to be layer 3.

Based on this additional info though, and if each site has its own Internet (assumed since you have VPN), my previous post regarding 0.0.0.0 isn't correct, as you will want your default route for Internet traffic; rather, you will probably use a specific route for the other side of the link in the new setup.

If you have 2 Internet connections, you could also redirect Internet traffic over the other site if a local connection fails, if you wanted to.
 
Yes, each site has its own Internet connection.
Each site is on its own subnet.
The core switches are indeed layer 3 and are routing traffic between VLANs.

I think I'm going to change the setup of the network, make the firewalls the default gateways, and use them to control the IP routes.
 
If you are going to be using the NSAs, you can add Network Probes against the static routes, so you could disable the route down the LES/EES circuit if you can't ping overnight. I've never tried that with a VPN fallback though.
 
Could you advertise a less preferred static route to the remote subnet [via the firewall] such that, if the 100Mbps link goes down, this second static route would take preference?
 
I've set it up pretty much as #Chri5# has suggested. The static route is set up to direct traffic intended for the other site over the LES, but I've assigned a network probe to it. If the probe fails, the route is disabled and the firewall should route the traffic over the VPN... in theory.

Will need to run a few tests.
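The design the thread converges on, as an added illustration that is not code from any poster: a primary static route to the remote site that is withdrawn when a reachability probe fails, with a less preferred static route via the local firewall (and hence the VPN) sitting underneath it. "Less preferred" means a higher administrative distance; the lowest AD wins, so the fibre route gets AD 1 and the VPN fallback gets something like 200. The model below is Python, not any vendor's configuration language (on Cisco IOS the equivalent is a static route with the `track` keyword bound to an IP SLA ICMP probe; the firewall product mentioned above does it with a network probe attached to the route). Every address, interface name and probe name is made up. The point it demonstrates beyond the posts is the failure mode a probe protects against on a layer-2 provider circuit such as the LES: the local switch port can stay up while the far end is dead, so a route that depends only on interface state never fails over.

```python
"""Model of floating static failover across a layer-2 site-to-site circuit.

Added illustration, not code from the thread. Site A's routing table is
modelled with made-up addresses: Site A LAN 10.1.0.0/16, Site B LAN
10.2.0.0/16, fibre point-to-point 10.0.0.0/30 (A = .1, B = .2), Site A
firewall inside address 10.1.0.254. Interface and probe names are invented.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

FIBRE_PORT = "Vlan999"         # SVI facing the LES/fibre circuit (assumed name)
LAN_PORT = "Vlan10"            # SVI where the local firewall sits (assumed name)
FIBRE_PROBE = "fibre_far_end"  # ICMP probe to the far-end core switch (assumed name)


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: IPv4Address
    interface: str               # route is only usable while this port is up
    ad: int = 1                  # administrative distance: lower wins, static = 1
    track: Optional[str] = None  # probe that must also pass, or None for none


class Rib:
    """Routing table: longest prefix first, then lowest AD among usable routes."""

    def __init__(self) -> None:
        self.routes: List[Route] = []
        self.link_up: Dict[str, bool] = {}
        self.probe_ok: Dict[str, bool] = {}

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def usable(self, route: Route) -> bool:
        if not self.link_up.get(route.interface, False):
            return False
        if route.track is not None and not self.probe_ok.get(route.track, False):
            return False
        return True

    def lookup(self, dst: str) -> Optional[Route]:
        addr = ip_address(dst)
        candidates = [r for r in self.routes if addr in r.prefix and self.usable(r)]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.ad))


def site_a_rib(tracked: bool) -> Rib:
    """Site A core switch table. tracked=False is the naive 'two static routes' setup."""
    rib = Rib()
    rib.link_up = {FIBRE_PORT: True, LAN_PORT: True}
    rib.probe_ok = {FIBRE_PROBE: True}
    # Primary: Site B via the fibre (AD 1), optionally tied to the probe
    rib.add(Route(ip_network("10.2.0.0/16"), ip_address("10.0.0.2"), FIBRE_PORT, 1,
                  FIBRE_PROBE if tracked else None))
    # Floating static: Site B via the local firewall, which pushes it down the VPN.
    # AD 200 keeps it out of the table while the primary is installed.
    rib.add(Route(ip_network("10.2.0.0/16"), ip_address("10.1.0.254"), LAN_PORT, 200))
    # Everything else (Internet) always goes to the local firewall
    rib.add(Route(ip_network("0.0.0.0/0"), ip_address("10.1.0.254"), LAN_PORT, 1))
    return rib


def choose_next_hop(dst: str, tracked: bool, fibre_port_up: bool = True,
                    far_end_reachable: bool = True) -> Optional[str]:
    """Next hop Site A's switch picks for dst under the given circuit state."""
    rib = site_a_rib(tracked)
    rib.link_up[FIBRE_PORT] = fibre_port_up
    rib.probe_ok[FIBRE_PROBE] = far_end_reachable
    route = rib.lookup(dst)
    return str(route.next_hop) if route else None


if __name__ == "__main__":
    for tracked in (False, True):
        print(f"probe on primary route: {tracked}")
        print("  all good              ->", choose_next_hop("10.2.5.7", tracked))
        print("  local fibre port down ->", choose_next_hop("10.2.5.7", tracked, fibre_port_up=False))
        # Provider L2 circuit: local port stays up while the far end is unreachable
        print("  far end dead, port up ->", choose_next_hop("10.2.5.7", tracked, far_end_reachable=False))
        print("  Internet              ->", choose_next_hop("8.8.8.8", tracked))
```

Two things the model makes visible. With no probe, the "far end dead, port up" row still returns the fibre next hop, which is exactly the stuck state a manual route change used to fix; with the probe, the same row falls through to the firewall. Second, this only covers Site A's direction: Site B's switch needs the mirror-image routes and its own probe, otherwise Site B keeps sending its replies into the dead circuit and traffic is black-holed one way. Probe an address that is only reachable across the circuit (the far-end switch's fibre-facing address), never one the VPN could also reach, or the probe will pass when the fibre is down and the route will never be withdrawn.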
 