need 24/7 internet - what are my options ?

troyquigley

Guest
We need to have our internet up 24/7 now.

The only option that I know of, is to have a firewall with 2 internet connections with fail over.

Am I missing something ?

We need to have static IPs for both internet connections for the VPNs.
 
Sounds about right. Make sure you have service from two different/types providers. One cable, one DSL/fiber, etc.

And don't mess around with residential service, get business service. I can't tell you how many people I get to support when they have a hardware malfunction, and blow a gasket because we (the manufacturer) can't get them a replacement unit TODAY!!!!! because their business relies on the Internet. With business services, the ISP provides the equipment and is responsible for getting you back up in case of modem failure, etc.

Edit,

Just thought of this - make sure you have UPS's for your networking equipment as well. Nothing worse than a little power blip knocking you offline for who knows how long.
 
Depending on just how much uptime you need, don't forget to have a backup firewall/router device with a tested config ready to go. Be sure to update that config anytime you change something on the primary device. Test by swapping devices every so often. Trying to remember all of the settings on a replacement firewall when the villagers are banging on your door sucks.

You can do a VPN from a dynamic IF you are the initiating end. If you are the receiving end, static is much better.

Also, watch out for hidden single points of failure. Internal switches, a shared power circuit, etc. Unless you have a very rich budget, you can't have spares for everything, but you can have a replacement plan figured out ahead of time.
 
You're really going down a bad rabbit hole. What is your true need for internet that's always up...
 
Funny, I recently tried to do something similar and went and asked Spectrum business for service and quotes. Their prices seemed unbelievably too low for Business class internet. Then I found out the reason why. Their SLA for business class service is the same for residential. The only difference is that if you want a static IP, they can give you one for a price but their bandwidth is so asymmetrical it's ridiculous. 100 dl / 10 ul. I'd be happier with 50 dl and 20 ul. There is also no QOS. You are on a shared block and if someone is really sucking down the bytes, then everybody suffers.

I know it's considered old technology, but depending on your requirements (for work and location), I would look at a T-1. I have T-1s at multiple locations and my SLA on them (ISP equipment) is 4 hours. That or like Dead Parrot said if you have a hefty budget, lay down some fiber and have multiple routers. You can even have them running in hot-standby mode.
 
A T-1 might have a great SLA, but will it provide enough bandwidth to support your needs should your primary connection go down?

I would recommend dedicated internet access via fiber from one provider and another provider's cable modem or LTE for the failover.

DSL may be suitable in your area as well, just make sure it can provide the necessary performance. I guess the same goes for LTE.
 
I'd only worry about having 1 link that is asymmetrical, that has the most bandwidth and QOS. Then go get a shit DSL/Cable link that is the backup link.

EDIT: Fuck T1's, 1.5mb is not enough for anything now unless you are talking about no web traffic going across that link.
 
Geeezus I thought T1s died back in the 2000's. People/companies still use them? WTF

Hell even DS3's are slow by today's standards.
 
And, think about your own AS number, and run ebgp to your providers, that should give you relatively transparent failover. If you're not VERY familiar with bgp, I'd hire a consultant to set up your internet connections. There's nothing worse to troubleshoot than an asymmetrical route.

Oh, while firewalls may be routers with a pretty gui, bgp will suck up your firewall cpu cycles quick. I'd get an ha pair of routers (or one if you are comfortable with a single point of failure), it depends on your risk analysis.
 
Don't know about that. Could depend on the router model, version, known bugs/issues... The only thing taxing my router at the moment is me via SSH! I'm not running the newest router or version with over 400 subnets with no issues.

olympic-pip# sh proc cpu sort 5min
CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 1%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
130 261480 4212431081 0 0.15% 0.16% 0.15% 0 Ethernet Msec Ti
58 1260 878 1435 0.00% 0.04% 0.12% 388 SSH Process
13 111412916 1681459 66260 0.00% 0.13% 0.08% 0 Licensing Auto U
6 100844040 15476014 6516 0.00% 0.10% 0.07% 0 Check heaps
14 94172844 100887368 933 0.55% 0.11% 0.06% 0 Environmental mo

olympic-pip#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.3(3)M3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 28-May-14 05:53 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

olympic-pip uptime is 3 years, 10 weeks, 3 days, 23 hours, 15 minutes

Cisco CISCO2911/K9 (revision 1.0) with 2506752K/114688K bytes of memory.
 
Holy crap, you guys went into the weeds super quick...without even knowing any of the specific requirements. If all the OP needs is the most uptime as possible, then it's simple as this:
 
Three words. Service Level Agreement. You need to be sure to have a good SLA with whatever 2 providers that you decide to go with. The higher the SLA the more expensive the monthly cost.

As others have stated, don't have your gateway being the single point of failure, make sure that you have failover for everything if you desire the unobtainable 100% up-time.

More realistically you should be able to achieve 99.9% up-time. That means that you would have approximately 42 minutes of downtime per month. If you're in a situation where you really need higher up-time than this, you need to get a proper network engineer out to design your systems. The cost for that should be budgeted into the project.
 
Another thing to consider as well since it wasn't mentioned what the OP was doing other than work, is offsite VPS hosting may be the more ideal solution. The provider maintains the power, network, ISP, server, and storage with an SLA and takes the overhead off you and your home network.
 
Nowhere in this thread has anyone asked if the need is inbound services or outbound. If the OP is asking about inbound services, i.e. they are hosting a server internally with external users, then the required solution is going to be completely different than a solution that covers internal users needing external access.

So OP please explain exactly what your need is and then someone can give you a proper answer.
 
Yea you want 24/7 service, good luck. I've seen several outages with Google Apps in the past two weeks. If they can't keep their services online 24/7 with 0 downtime, no one can. (Like Durpity said, you can shoot for 99.9% reasonably, but even to obtain that you might need additional help beyond just putting in a 2nd ISP)

So sure 2 ISPs will provide some additional fault tolerance, but it certainly doesn't mean much in my book as far as getting better uptime. We've had dual ISPs at different sites and depending upon the location both of their fiber is on the exact same pole. The pole that either the truck or the backhoe hits and you're still down waiting the exact same amount of time for someone to fix the break regardless of how much you pay for your SLA or not. Some locations it's simply not set up to where they can reroute the traffic so they can fail over. Other locations once again it won't matter if you have an SLA or not, if they see a bad router the traffic is going to get rerouted if possible either way. The only thing the SLA does for you is give you money back when there is an outage. Maybe other people's experiences are better than ours are but SLA or not it really comes down to how good the company you're buying the service from is about actually fixing issues.

All of that out of the way, Nicklebon is on point. We don't know what you're trying to keep up 24 / 7, nor do we know if it's even worth considering a second ISP. If you don't have an onsite generator, then having dual ISPs will be a moot point. Same goes for redundant firewall, routers, primary switches, and redundant servers.
 
We have locations with diverse physical fiber paths to redundant routers, connected via diverse physical fiber paths into a datacenter with redundant power, redundant UPS on each power circuit, redundant generators powering those UPS's, with main power feed coming in from 4 different substations, that has dual internet connections, meshed over redundant internet routers with BGP and our own ASN. Even that isn't 100%

100% = impossible
 
Yep, as most folks here mentioned, full 24/7 uptime is impossible. If you really are serious about this, you need to figure out your SLA and uptime. Generally this is handled by 9's.. 99%-99.xxxx...%

There are formulas out there for this. But, for starters, be sure all your equipment is dual power supplied with each PS on separate redundant circuits backed by separate generators.
ISP1 -> router1
ISP2 -> router2 and so on in a cross mesh with iBGP between.
Announce your ARIN blocks to each of your ISPs and make sure they are advertising properly via eBGP.
Your routers should go into a pair of outside switches or if you are using something like Nexus 7ks, into an outside VDC... then to a pair of your favorite firewalls and then back into a pair of your inside switching.
To extend your 9's uptime, you will want to have a DR site ready to go... this can be handled via GSLB on a pair of F5s or so and all the same equipment at the DR location.

For the ISPs you choose, try and choose a pair that do not share many initial hops because if an upstream router throws an error and doesn't fail for BGP to take effect, you are out. There are services out there that you can use to try and circumvent this, such as Internap or I believe Equinix Link or whatever it's called, but those I think are only really available in a datacenter.

Anyways, ya man..you are a LONG ways off of full 24/7 uptime when you are thinking 2 ISPs to a firewall.. lol.
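
The "formulas" for counting 9's are the series and parallel availability rules. The sketch below is an added example, not part of the original thread, that applies them to the setups discussed here (two ISPs into one firewall, two ISPs on the same pole, everything paired). The per-component availability figures and the 30-day month are constructed assumptions, and the parallel rule assumes independent failures.

```python
from functools import reduce

MINUTES_PER_MONTH = 30 * 24 * 60  # assumption: 30-day month

def series(*avail):
    """Every component must be up, so availabilities multiply."""
    return reduce(lambda a, b: a * b, avail, 1.0)

def parallel(*avail):
    """Up if at least one redundant component is up (independent failures)."""
    return 1.0 - reduce(lambda a, b: a * b, (1.0 - a for a in avail), 1.0)

def downtime_minutes(avail):
    """Expected downtime per month for a given availability."""
    return (1.0 - avail) * MINUTES_PER_MONTH

# Constructed per-component availabilities, for illustration only.
ISP = 0.999        # one ISP circuit
FIREWALL = 0.9995  # one firewall/router
POWER = 0.999      # site power without a generator
POLE = 0.9998      # pole or conduit shared by both ISP circuits

def single_isp():
    return series(ISP, FIREWALL, POWER)

def dual_isp_one_firewall():
    # Redundant circuits, but the firewall and power are still in series.
    return series(parallel(ISP, ISP), FIREWALL, POWER)

def dual_isp_shared_pole():
    # The shared pole is a hidden series element in front of both circuits.
    return series(POLE, parallel(ISP, ISP), FIREWALL, POWER)

def dual_everything():
    return series(parallel(ISP, ISP), parallel(FIREWALL, FIREWALL),
                  parallel(POWER, POWER))

if __name__ == "__main__":
    for design in (single_isp, dual_isp_one_firewall,
                   dual_isp_shared_pole, dual_everything):
        a = design()
        print(f"{design.__name__:24s} {a:.6f} "
              f"{downtime_minutes(a):8.2f} min/month")
```

The result for any design is capped by its weakest unpaired series element, which is why a second ISP alone moves the number less than the firewall, power and shared-path items raised elsewhere in the thread.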
 
Good info here guys - Thanks! My father is looking to set up a home office and this will help!
 
So a 24/7 requirement also has a budget. Depending on the budget, you can design a solution.

We have two locations that need 24/7 connectivity for work. One is a business that is open 24x7 and uses Internet for cc processing. That solution was provided (forced down our throats) by our franchise agreement. At the second location, we have two different ISPs. It hasn't happened often (maybe twice a year), but the only time we have downtime is when both isps are out. And the nature of our work can tolerate the downtime considering our budget. It's all about how much $$ downtime costs you. If it's $1000/hr you have a higher budget than if it costs you $10/hr.
 