For small businesses and home offices, the concept of seamless Internet access backup and failover is a complicated pipe dream. Most small businesses today use a single connection to the Internet over DSL, cable modem or T-1 service, deploy a simple yet effective NAT/router, and assign RFC1918 private IP addresses to users on site.
For businesses looking for more redundancy, adding a second DSL, cable, T-1 or even wireless connection may not be as straightforward as most network administrators think it is. Here are a few popular use cases and how to engineer your way around some of the complications.
#1: Shadow Services from Same Provider
In the days of T-1 lines being the predominant local access technique, many ISPs offered a service called “Shadow T-1” service. The idea is that an ISP would bring two T-1 lines to your office, fed from diverse POPs on the ISP’s side, and in the event one T-1 went down, the other would simply take over the traffic load for your office. The benefits are pure and simple: redundancy for your Internet access, relatively simple to set up and finally, effective. The drawbacks are obvious: no diversity in providers and in the case of T-1, relatively expensive.
#2: Diverse Services from Two Providers and BGP Routing
Another option is to purchase Internet Access from two ISPs and to locally run Border Gateway Protocol (BGP) between the two providers. BGP is the Internet’s routing protocol and is used to exchange information about IP addresses between networks. In this case, you’ll need to run BGP in order to “announce” your IP addresses to both of your ISPs, since you need both ISPs to be aware of the paths to your network. This has many advantages, but also many drawbacks.
The advantages of running BGP routing yourself: it gives you more control over your routes to the Internet and lets you decide which ISP's route to a particular network is the best. The redundancy is excellent and you're not tied to one provider or another. You can easily change ISPs without going down on the other. The flow of inbound and outbound traffic is easy to manage and there's no need for complicated NAT setups.
However, with all of the advantages, the drawbacks can outweigh them. You'll need to hire experienced staff knowledgeable in BGP to operate your local router and network. You'll need to obtain an autonomous system number (ASN) from a Regional Internet Registry (RIR). You'll need to obtain IP address blocks of a /24 or greater, either from an RIR (PI space) or from one of your providers (PA space), in which case you're bound to keeping that provider around (unless you want to renumber your network, again). Lastly, the router you'll need to purchase to fully take advantage of the services will be a significant investment (around $20,000) to handle the multiple full BGP feeds you'll be taking.
Lastly, in the small business space, ISP options in the sub-$100 per month range simply won't offer BGP service to their customers. This makes this option a complex and daunting reality to consider.
#3: Diverse Services from Two Providers and Dynect Failover
A third option, rarely considered, is to obtain Internet Access from two ISPs and to use DNS as a failover mechanism between the two connections. In this case, one connection is marked primary and the second is marked backup. Using a device such as Cisco’s Dual Port WAN router or a Barracuda Link Balancer, you can control which ISP is handling your Internet access connection. This works great for users at your office accessing the Internet, but does nothing for remote users trying to connect externally, which is where Dynect Failover steps in.
In this case, the problem is the WAN IP addresses used to route an external user into your office network are not shared between providers. Each provider gives you one or more of their own unique WAN IP addresses to use. When someone connects to one of those IP addresses (say an address from provider A), they will enter the network via the link from provider A. In the event provider A goes down, using the same IP address will result in a connection failure. Provider B has no way to take an IP address from provider A and make it work. This is usually the point where this strategy fails and option #1 or option #2 listed above are used.
However, by using Dynect Active Failover, and/or Dynamic DNS with Dynect Platform, you can control which IP address remote users connect to and can instruct them to come down the currently available connection to your network. By giving users a DNS hostname to connect to, say “vpn.mycompany.com”, you can control the underlying IP address beneath that hostname. This means on failure, you simply update the DNS entry for “vpn.mycompany.com” in Dynect, and users are back up and connected.
Too complicated, you say? Well, you can use Dynect Active Failover to monitor your two Internet connections, and if (and when) one of them goes down, automatically fail over to the currently available external IP address. This means failover between your two ISP connections is completely automated. Want to use both available connections simultaneously? Use Dynect Load Balancing to balance connections between the two links; in the event of a failure of one, only users on the failed link will need to reconnect via the other link.
Have multiple IP addresses from each provider? Also not a problem: use NAT for the internal network and set up multiple Dynect Active Failover services, one per WAN IP. All failover scenarios can be handled in under 2 minutes by using Dynect Platform, from monitoring to DNS changes to cache propagation.
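The following is an added example, not Dynect's code or API, that models the option #3 control loop in Python: two ISP links with their own WAN addresses, a health probe that is injected so it runs offline (a real deployment would probe from outside the office and push the record through the DNS provider's API), and a placeholder hostname vpn.example.com with documentation-range addresses. It also shows how the detection interval and record TTL combine into the worst-case failover time.

```python
from dataclasses import dataclass, field
from typing import Callable

# Placeholder hostname and documentation-range WAN addresses (constructed for this example).
HOSTNAME = "vpn.example.com"

@dataclass
class Link:
    name: str
    wan_ip: str
    failures: int = 0  # consecutive failed probes

@dataclass
class FailoverController:
    primary: Link
    backup: Link
    probe: Callable[[str], bool]  # injected health check: True if the WAN IP answers
    ttl: int = 60                 # short TTL bounds how long resolvers cache a dead address
    threshold: int = 2            # failed probes in a row before a link is declared down
    active: Link = field(init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def _healthy(self, link: Link) -> bool:
        link.failures = 0 if self.probe(link.wan_ip) else link.failures + 1
        return link.failures < self.threshold

    def tick(self) -> dict:
        """One monitoring cycle; returns the A record that should be published."""
        primary_ok = self._healthy(self.primary)
        backup_ok = self._healthy(self.backup)
        if primary_ok:
            self.active = self.primary  # fail back once the primary answers again
        elif backup_ok:
            self.active = self.backup
        # Both down: keep the last good answer rather than publishing nothing.
        return {"name": HOSTNAME, "type": "A", "ttl": self.ttl, "rdata": self.active.wan_ip}

    def worst_case_failover_seconds(self, interval: int) -> int:
        # Detection time (threshold probes at this interval) plus resolver cache expiry (TTL).
        return self.threshold * interval + self.ttl

if __name__ == "__main__":
    # Constructed probe schedule: provider A drops for three cycles, provider B stays up.
    schedule = {"198.51.100.10": [True, False, False, False, True], "203.0.113.20": [True] * 5}
    ctl = FailoverController(Link("ispA", "198.51.100.10"), Link("ispB", "203.0.113.20"),
                             probe=lambda ip: schedule[ip].pop(0))
    for _ in range(5):
        print(ctl.tick())
    print("worst-case failover with 30s probes:", ctl.worst_case_failover_seconds(30), "s")
```

With 30-second probes, two failed probes and a 60-second TTL, the worst case is 120 seconds, which is the "under 2 minutes" budget the post describes.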
Summary: Diversity is Better!
Each option presented above provides a means to achieve high availability for connectivity to your small business, home office, or branch office. Option #1 is effective, but ties customers into a single ISP. Option #2 gives the flexibility of multiple ISPs, at the cost of expensive router hardware and staff time. Option #3 lays out a simple means to utilize value-priced Internet access and to use DNS as a backup mechanism without lock-in to one ISP or another.