Need 24/7 internet - what are my options?

Discussion in 'Networking & Security' started by troyquigley, Nov 10, 2017.

  1. troyquigley
    We need to have our internet up 24/7 now.

    The only option that I know of is to have a firewall with two internet connections with failover.

    Am I missing something?

    We need to have static IPs for both internet connections for the VPNs.
     
  2. jardows
    Sounds about right. Make sure you have service from two different types of providers. One cable, one DSL/fiber, etc.

    And don't mess around with residential service, get business service. I can't tell you how many people I get to support when they have a hardware malfunction, and blow a gasket because we (the manufacturer) can't get them a replacement unit TODAY!!!!! because their business relies on the Internet. With business services, the ISP provides the equipment and is responsible for getting you back up in case of modem failure, etc.

    Edit,

    Just thought of this - make sure you have UPSes for your networking equipment as well. Nothing worse than a little power blip knocking you offline for who knows how long.
     
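    The "firewall with two internet connections and failover" that the first two posts describe still has to make a decision: when is the primary link really down, and when is it safe to fail back? The following is an added example, not code from the thread or from any firewall vendor. It probes several targets through each link so one dead target is not mistaken for a dead link, requires a run of failed polls before declaring a link down, and a longer run of good polls before trusting it again, so a flapping primary does not bounce traffic (and the VPN peers) between providers every few seconds. The link names, probe targets and probe results are all constructed; the probe function is injected so the logic runs offline.

```python
"""Dual-WAN failover decision logic.

Added example, not code from the thread: it models what a firewall with two
internet connections has to decide (when is the primary really down, and when
is it safe to fail back) with multi-target probing, a failure threshold and a
longer recovery threshold so a flapping link does not bounce traffic between
providers. Link names and probe targets are hypothetical; `probe` is injected so
the logic runs offline on constructed results.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PRIMARY = "wan1"   # hypothetical: fiber, static IP, preferred
BACKUP = "wan2"    # hypothetical: cable, static IP, failover
# Several independent targets (RFC 5737 documentation addresses) so that one
# unreachable target is not mistaken for a dead link.
TARGETS = ["198.51.100.1", "203.0.113.1", "192.0.2.1"]


@dataclass
class LinkState:
    up: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0


@dataclass
class Failover:
    probe: Callable[[str, str], bool]   # probe(link, target) -> reachable?
    fail_threshold: int = 3             # failed polls before a link is declared down
    recover_threshold: int = 5          # good polls before a down link is trusted again
    active: str = PRIMARY
    links: Dict[str, LinkState] = field(
        default_factory=lambda: {PRIMARY: LinkState(), BACKUP: LinkState()})
    transitions: List[str] = field(default_factory=list)

    def poll(self) -> str:
        """Probe every link once, update its state, and return the active link."""
        for name, st in self.links.items():
            reachable = sum(self.probe(name, t) for t in TARGETS)
            healthy = 2 * reachable > len(TARGETS)   # majority of targets answered
            if healthy:
                st.consecutive_successes += 1
                st.consecutive_failures = 0
                if not st.up and st.consecutive_successes >= self.recover_threshold:
                    st.up = True
            else:
                st.consecutive_failures += 1
                st.consecutive_successes = 0
                if st.up and st.consecutive_failures >= self.fail_threshold:
                    st.up = False
        self._select()
        return self.active

    def _select(self) -> None:
        # Prefer the primary whenever it is up, otherwise the backup; if both are
        # down, stay put, since switching gains nothing and adds route churn.
        if self.links[PRIMARY].up:
            want = PRIMARY
        elif self.links[BACKUP].up:
            want = BACKUP
        else:
            want = self.active
        if want != self.active:
            self.transitions.append(f"{self.active}->{want}")
            self.active = want


def simulate(schedule: List[Dict[str, List[bool]]]) -> Tuple[List[str], List[str]]:
    """Drive Failover with a constructed per-poll schedule of probe results.

    Each schedule entry maps link name -> per-target reachability for that poll.
    Returns (active link after each poll, list of transitions).
    """
    current: Dict[str, List[bool]] = {}

    def probe(link: str, target: str) -> bool:
        return current[link][TARGETS.index(target)]

    fo = Failover(probe=probe)
    history: List[str] = []
    for step in schedule:
        current.clear()
        current.update(step)
        history.append(fo.poll())
    return history, fo.transitions


def run_demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: one flaky target, then a real primary outage, then recovery."""
    all_up = [True, True, True]
    all_down = [False, False, False]
    schedule = (
        [{PRIMARY: all_up, BACKUP: all_up}] * 2
        + [{PRIMARY: [True, True, False], BACKUP: all_up}]   # one target down: still healthy
        + [{PRIMARY: all_down, BACKUP: all_up}] * 3          # third failure trips failover
        + [{PRIMARY: all_up, BACKUP: all_up}] * 5            # fifth good poll permits fail-back
    )
    return simulate(schedule)


if __name__ == "__main__":
    history, transitions = run_demo()
    print(history)      # ['wan1', 'wan1', 'wan1', 'wan1', 'wan1', 'wan2', 'wan2', 'wan2', 'wan2', 'wan2', 'wan1']
    print(transitions)  # ['wan1->wan2', 'wan2->wan1']
```

    The asymmetry between the two thresholds is deliberate: failing over fast limits the outage, but failing back slowly avoids tearing down VPN tunnels twice on a link that is still recovering. Whatever real product does this for you, these are the knobs (probe targets, dead count, recovery count) to check before trusting it with a 24/7 requirement.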
  3. Dead Parrot
    Depending on just how much uptime you need, don't forget to have a backup firewall/router device with a tested config ready to go. Be sure to update that config anytime you change something on the primary device. Test by swapping devices every so often. Trying to remember all of the settings on a replacement firewall when the villagers are banging on your door sucks.

    You can do a VPN from a dynamic IP if you are the initiating end. If you are the receiving end, static is much better.

    Also, watch out for hidden single points of failure. Internal switches, a shared power circuit, etc. Unless you have a very rich budget, you can't have spares for everything, but you can have a replacement plan figured out ahead of time.
     
  4. Vengance_01
    You're really going down a bad rabbit hole. What is your true need for internet that's always up...
     
  5. troyquigley
  6. Daedalus0101101
    Funny, I recently tried to do something similar and went and asked Spectrum Business for service and quotes. Their prices seemed unbelievably too low for business-class internet. Then I found out the reason why. Their SLA for business-class service is the same as for residential. The only difference is that if you want a static IP, they can give you one for a price, but their bandwidth is so asymmetrical it's ridiculous: 100 down / 10 up. I'd be happier with 50 down / 20 up. There is also no QoS. You are on a shared block and if someone is really sucking down the bytes, then everybody suffers.

    I know it's considered old technology, but depending on your requirements (for work and location), I would look at a T-1. I have T-1s at multiple locations and my SLA on them (ISP equipment) is 4 hours. That, or like Dead Parrot said, if you have a hefty budget, lay down some fiber and have multiple routers. You can even have them running in hot-standby mode.
     
  7. Ehren8879
    A T-1 might have a great SLA, but will it provide enough bandwidth to support your needs should your primary connection go down?

    I would recommend dedicated internet access via fiber from one provider and another provider's cable modem or LTE for the failover.

    DSL may be suitable in your area as well, just make sure it can provide the necessary performance. I guess the same goes for LTE.
     
  8. thrash408
    I'd only worry about having one link that is asymmetrical, that has the most bandwidth and QoS. Then go get a shit DSL/cable link that is the backup link.

    EDIT: Fuck T1s, 1.5 Mb is not enough for anything now unless you are talking about no web traffic going across that link.
     
  9. Motley
    Geeezus, I thought T1s died back in the 2000s. People/companies still use them? WTF

    Hell, even DS3s are slow by today's standards.
     
  10. pek
    And, think about your own AS number, and run eBGP to your providers; that should give you relatively transparent failover. If you're not VERY familiar with BGP, I'd hire a consultant to set up your internet connections. There's nothing worse to troubleshoot than an asymmetrical route.

    Oh, while firewalls may be routers with a pretty GUI, BGP will suck up your firewall CPU cycles quick. I'd get an HA pair of routers (or one if you are comfortable with a single point of failure); it depends on your risk analysis.
     
  11. Daedalus0101101
    Don't know about that. Could depend on the router model, version, known bugs/issues... The only thing taxing my router at the moment is me via SSH! I'm not running the newest router or version, with over 400 subnets, with no issues.

    olympic-pip# sh proc cpu sort 5min
    CPU utilization for five seconds: 1%/0%; one minute: 1%; five minutes: 1%
    PID  Runtime(ms)  Invoked     uSecs  5Sec   1Min   5Min   TTY  Process
    130  261480       4212431081  0      0.15%  0.16%  0.15%  0    Ethernet Msec Ti
    58   1260         878         1435   0.00%  0.04%  0.12%  388  SSH Process
    13   111412916    1681459     66260  0.00%  0.13%  0.08%  0    Licensing Auto U
    6    100844040    15476014    6516   0.00%  0.10%  0.07%  0    Check heaps
    14   94172844     100887368   933    0.55%  0.11%  0.06%  0    Environmental mo

    olympic-pip# sh ver
    Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.3(3)M3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2014 by Cisco Systems, Inc.
    Compiled Wed 28-May-14 05:53 by prod_rel_team

    ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

    olympic-pip uptime is 3 years, 10 weeks, 3 days, 23 hours, 15 minutes

    Cisco CISCO2911/K9 (revision 1.0) with 2506752K/114688K bytes of memory.
     
  12. Cmustang87
    Holy crap, you guys went into the weeds super quick... without even knowing any of the specific requirements. If all the OP needs is as much uptime as possible, then it's as simple as this:
     
    Last edited: Nov 14, 2017
  13. Durpity
    Three words: Service Level Agreement. You need to be sure to have a good SLA with whatever two providers you decide to go with. The higher the SLA, the more expensive the monthly cost.

    As others have stated, don't let your gateway be the single point of failure; make sure that you have failover for everything if you desire the unobtainable 100% uptime.

    More realistically, you should be able to achieve 99.9% uptime. That means that you would have approximately 42 minutes of downtime per month. If you're in a situation where you really need higher uptime than this, you need to get a proper network engineer out to design your systems. The cost for that should be budgeted into the project.
     
  14. Daedalus0101101
    Another thing to consider as well, since it wasn't mentioned what the OP was doing other than work, is that offsite VPS hosting may be the more ideal solution. The provider maintains the power, network, ISP, server, and storage with an SLA and takes the overhead off you and your home network.
     
  15. Nicklebon
    Nowhere in this thread has anyone asked if the need is inbound services or outbound. If the OP is asking about inbound services, i.e. they are hosting a server internally with external users, then the required solution is going to be completely different than a solution that covers internal users needing external access.

    So OP, please explain exactly what your need is and then someone can give you a proper answer.
     
  16. bman212121
    Yea, you want 24/7 service, good luck. I've seen several outages with Google Apps in the past two weeks. If they can't keep their services online 24/7 with 0 downtime, no one can. (Like Durpity said, you can shoot for 99.9% reasonably, but even to obtain that you might need additional help beyond just putting in a second ISP.)

    So sure, two ISPs will provide some additional fault tolerance, but it certainly doesn't mean much in my book as far as getting better uptime. We've had dual ISPs at different sites and, depending upon the location, both of their fiber is on the exact same pole. The pole that either the truck or the backhoe hits, and you're still down waiting the exact same amount of time for someone to fix the break, regardless of how much you pay for your SLA or not. Some locations are simply not set up to where they can reroute the traffic so they can fail over. Other locations, once again, it won't matter if you have an SLA or not; if they see a bad router the traffic is going to get rerouted if possible either way. The only thing the SLA does for you is give you money back when there is an outage. Maybe other people's experiences are better than ours, but SLA or not, it really comes down to how good the company you're buying the service from is about actually fixing issues.

    All of that out of the way, Nicklebon is on point. We don't know what you're trying to keep up 24/7, nor do we know if it's even worth considering a second ISP. If you don't have an onsite generator, then having dual ISPs will be a moot point. Same goes for redundant firewall, routers, primary switches, and redundant servers.
     
    Last edited: Nov 15, 2017
  17. Eickst
    We have locations with diverse physical fiber paths to redundant routers, connected via diverse physical fiber paths into a datacenter with redundant power, redundant UPS on each power circuit, redundant generators powering those UPSes, with the main power feed coming in from 4 different substations, that has dual internet connections, meshed over redundant internet routers with BGP and our own ASN. Even that isn't 100%.

    100% = impossible
     
  18. Kelter
    Yep, as most folks here mentioned, full 24/7 uptime is impossible. If you really are serious about this, you need to figure out your SLA and uptime. Generally this is handled by 9's: 99%-99.xxxx...%

    There are formulas out there for this. But, for starters, be sure all your equipment is dual power supplied, with each PS on a separate redundant circuit backed by separate generators.
    ISP1 -> router1
    ISP2 -> router2 and so on in a cross mesh with iBGP between.
    Announce your ARIN blocks to each of your ISPs and make sure they are advertising properly via eBGP.
    Your routers should go into a pair of outside switches or, if you are using something like Nexus 7Ks, into an outside VDC... then to a pair of your favorite firewalls and then back into a pair of your inside switching.
    To extend your 9's uptime, you will want to have a DR site ready to go... this can be handled via GSLB on a pair of F5s or so and all the same equipment at the DR location.

    For the ISPs you choose, try and choose a pair that do not share many initial hops because if an upstream router throws an error and doesn't fail for BGP to take effect, you are out. There are services out there that you can use to try and circumvent this, such as Internap or I believe Equinix Link or whatever it's called, but those I think are only really available in a datacenter.

    Anyways, ya man, you are a LONG way off full 24/7 uptime when you are thinking two ISPs to a firewall... lol.
     
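    Three posts above lean on the same arithmetic without showing it: Durpity's "99.9% is about 42 minutes a month", bman212121's point that two ISPs on one pole (or behind one router and one power feed) buy you little, and Kelter's "there are formulas out there for this". The following is an added example, not code from the thread or from any vendor, that makes those formulas concrete: it turns an availability figure into a monthly downtime budget and composes components the way a reliability block diagram does, series for things that must all work and parallel for independent alternatives. Every availability figure in it is a constructed placeholder chosen to illustrate the shape of the result, not a measured or contractual number.

```python
"""Availability arithmetic behind the 'nines' in this thread.

Added example, not from the thread or from any vendor. It turns an availability
figure into a monthly downtime budget and composes components the way a
reliability block diagram does: series for things that must all work, parallel
for independent alternatives. Every availability figure below is a constructed
placeholder, not a measured or contractual number.
"""
from typing import Dict

MINUTES_PER_MONTH = 30 * 24 * 60   # 43,200; a calendar-average month is a bit longer


def downtime_minutes(availability: float, minutes: float = MINUTES_PER_MONTH) -> float:
    """Downtime budget for a given availability over a period (default: 30-day month)."""
    return (1.0 - availability) * minutes


def series(*components: float) -> float:
    """All components must be up (ISP, router, firewall, switch, power): multiply."""
    result = 1.0
    for a in components:
        result *= a
    return result


def parallel(*components: float) -> float:
    """Any one component suffices and failures are independent: 1 - prod(1 - a)."""
    all_down = 1.0
    for a in components:
        all_down *= 1.0 - a
    return 1.0 - all_down


def site_availability(isp1: float, isp2: float, shared_path: float,
                      router: float, firewall: float, power: float) -> float:
    """Two ISPs in parallel, but the pair sits behind everything they share:
    the pole or conduit both fibers ride, one router, one firewall, one power feed."""
    return series(parallel(isp1, isp2), shared_path, router, firewall, power)


def nines_table() -> Dict[str, float]:
    """Monthly downtime budget (minutes) for the usual nines."""
    return {label: downtime_minutes(a) for label, a in
            [("99%", 0.99), ("99.9%", 0.999), ("99.99%", 0.9999), ("99.999%", 0.99999)]}


def compare_designs() -> Dict[str, float]:
    """Constructed figures showing where the second ISP does and does not help."""
    isp1, isp2 = 0.995, 0.99      # fiber and cable, independent failures assumed
    pole = 0.999                  # shared last-mile path (the backhoe)
    good = 0.9999                 # redundant router / firewall / power
    single = 0.999                # a single router, firewall or power feed (no generator)
    return {
        "isp1 alone": isp1,
        "two isps, independent paths": parallel(isp1, isp2),
        "two isps on one pole": series(parallel(isp1, isp2), pole),
        "two isps, single router/fw/power": site_availability(isp1, isp2, pole, single, single, 0.995),
        "two isps, redundant everything": site_availability(isp1, isp2, 0.9999, good, good, good),
    }


if __name__ == "__main__":
    for label, minutes in nines_table().items():
        print(f"{label:>8}: {minutes:8.2f} min/month")
    for label, a in compare_designs().items():
        print(f"{label:<36} {a:.5f}  ({downtime_minutes(a):7.1f} min/month)")
```

    With these placeholder figures the second ISP on an independent path is worth four extra nines on the access side, but once the pair sits behind one pole, one router, one firewall and a UPS with no generator, the site comes out below the first ISP on its own. That is the arithmetic behind "if you don't have an onsite generator, dual ISPs are moot": the series terms you did not make redundant dominate the product, and the SLA on the circuits never enters the formula at all.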