
Topic: Configuration Enquiry


saitir (Rookie, Posts: 2)
Configuration Enquiry
« on: February 11, 2010, 09:52:04 AM »
Hi guys.

So I've reached the end of my somewhat limited network infrastructure knowledge and we need to make some changes to our network here and I hoped you people could offer some suggestions.

We're a small company (20 users or so) and currently we have a very dumb network - Cat5 connected to generic 1 gigabit 24 port routers between machines and servers.  Our internet connection is currently a pair of ADSL connections through a Draytek router for a small amount of load balancing/failover for our e-mail server.  The Draytek just plugs directly into the rest of the network.

We're about to start offering some web services to our clients and I've convinced my boss that that means SDSL in the short term and possibly proper leased lines later on (external hosting solutions are currently out of the question due to his security paranoia regarding some potentially market sensitive data and so on).

So my query is this:

As I understand things, if I just plug the SDSL into our network I can easily configure it to point to our web server and mail server for incoming traffic, and because it's not our default gateway no outgoing traffic from staff will 'litter' the connection at all.  Which is a fine default position.

However, there is the issue of what to do in a network outage situation (I mean our ADSL goes offline).  While we'd continue receiving e-mail on the SDSL we lose our desktop internet connections even though a connection is available.

On the other side there's the issue of the SDSL going down and not being able to collect e-mail using our other connections (although I think that's as simple as keeping the other ADSL IP addresses in the MX list).

Part of me says it's easy enough to just change everyone's default gateway on a need-by-need basis if the event occurs, but that lacks some finesse and is a pig if I'm not in the office.

It feels like some better hardware with some routing rules sitting between all the internet connections and our network is the way to go, but I'm pretty much out of ideas beyond that.

Anyone have any thoughts or ideas?

Many thanks.


Michael McNamara (Administrator, Hero Member, Posts: 2157)
Re: Configuration Enquiry
« Reply #1 on: February 11, 2010, 12:51:10 PM »
Hi saitir and welcome to the forums!

You could certainly proceed as you've outlined below, but I would really re-think the option of hosting your offering with a hosting provider.

In today's day and age almost everyone is moving to a hosting solution. There are so many different options available out there, from shared hosting to virtual private hosting to physical server hosting.

Here are some reasons you might want to ask your boss:
- who's going to back up the server?
- what happens if the power fails where the server is placed?
- how are we going to serve up any decent SLAs over an xDSL line (bandwidth)?
- what if we come under a DoS or hacking attack, who will help us?

You can even contract with hosting providers such that they just provide you a leased physical server and you take responsibility for everything else. You can even encrypt the data if there's that much paranoia. You can also get SSL certificates and utilize SSH so all your communications with the hosted server are encrypted and safe from prying eyes.

Good Luck!
If you've found this site useful and helpful, please help me spread the word. Link to us in your blog or homepage or Tweet about us! - Thanks!

saitir (Rookie, Posts: 2)
Re: Configuration Enquiry
« Reply #2 on: February 13, 2010, 05:30:31 AM »
Hi Michael

Thanks very much for the reply.

Let me begin by saying that I, personally, very much agree with you on this.

My boss, however, has very much the mentality that there's nothing he can't do in house and evidence really doesn't seem to sway him.

Regarding SLAs and such, we're not going to be providing that kind of service.  We manage shareholder information on behalf of listed companies - as part of their corporate governance legal obligations.  Alongside this we manage takeovers and mergers, stock offers and so on.  We receive transactions from the markets and are legally required to process them in a certain amount of time (that side of things is on a private encrypted network and is, in a large way, responsible for my boss's paranoia - if X has to be done on a private network with physical encryption devices, then we're certainly not relying on software only over a public network) and this means we have a backup generator.  The types of services we'd be providing are simply allowing our clients' shareholders to register votes for AGMs online, check stockholdings within this subset of companies and for our clients to manage certain aspects of their data with us.  We know from experience that response rates for these types of actions come in at around 8% and over what timescales, so we have a good handle on our currently required bandwidth.

Phew, all that is to say that right now, in the short term, xDSL will handle the requirements.  However, we've been on a steady growth path for the last few years and I personally don't see it managing for very long.

I had hoped that the prices of fixed lines over 10MB would start to concern him, but alas not so far.

So if I'm going to be doomed in the short term (at least) then I'd like to push for a follow-up question, with specific regard to:

"It feels like some better hardware with some routing rules sitting between all the internet connections and our network is the way to go, but I'm pretty much out of ideas beyond that."

As in, what sort of hardware would I need to be able to set up rules to manage multiple WAN/internet connections on the internal network, with rules only allowing certain devices access and so on?

Michael McNamara (Administrator, Hero Member, Posts: 2157)
Re: Configuration Enquiry
« Reply #3 on: February 13, 2010, 10:27:28 PM »
Thanks for the background...

There are really only two options available that come immediately to mind. These options would allow you to have two Internet connections terminate on the same router/switch yet allow different routing and segmentation based on VLAN and IP address assignment.

- Route maps on Cisco switches/routers with VLANs
- Virtual Routing and Forwarding with VLANs (available on Nortel and Juniper equipment)

I'm not sure if VRF is available on the low end Cisco switches/routers although it's definitely a major part of the Nexus 7000 product. I believe the Juniper switches/routers also support route maps but I could be wrong.

The big problem you have is specifying a different default route for different source VLANs and/or IP networks. This can be done on the Cisco 3800 router and Cisco 6500 switch using route maps. You can also use VRF solutions that essentially virtualize a switch, creating multiple logical switches that utilize the same hardware but operate and are configured completely independently of each other.

With all that said you'll probably need a significant budget to get started. You could purchase an ERS 8606 chassis with a single 8695SF and a single 8648GTRS although that might be overkill if you weren't going to use it for anything but Internet access. You might also want to look at the Juniper SRX product line. It looks like a great product and has a ton of features.

Good Luck!

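As an added illustration of the route-map approach Michael describes (not configuration from the thread or from either poster), here is a Cisco IOS policy-based routing fragment that gives the staff VLAN the ADSL as its default route and the server VLAN the SDSL, each falling back to the other line when its upstream router stops answering pings. The VLAN numbers, addresses and next-hop routers are assumptions.

```cisco
! Added example, not from the thread: Cisco IOS policy-based routing that
! gives the staff VLAN and the server VLAN different default routes and
! falls back to the other line when one goes down. Addresses are invented.
!
! Probe each upstream router every 10 s; a failed probe clears the track.
ip sla 1
 icmp-echo 192.168.1.1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.168.2.1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Only Internet-bound traffic is policy-routed: internal destinations are
! denied here so staff-to-server traffic keeps using the routing table.
ip access-list extended STAFF-TRAFFIC
 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended SERVER-TRAFFIC
 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.20.0 0.0.0.255 any
!
! Staff (VLAN 10): ADSL router first, SDSL router if the ADSL track is down
route-map WAN-SELECT permit 10
 match ip address STAFF-TRAFFIC
 set ip next-hop verify-availability 192.168.1.1 10 track 1
 set ip next-hop verify-availability 192.168.2.1 20 track 2
! Servers (VLAN 20): SDSL first so replies leave on the line the
! web/mail traffic arrived on; ADSL if the SDSL track is down
route-map WAN-SELECT permit 20
 match ip address SERVER-TRAFFIC
 set ip next-hop verify-availability 192.168.2.1 10 track 2
 set ip next-hop verify-availability 192.168.1.1 20 track 1
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map WAN-SELECT
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip policy route-map WAN-SELECT
!
! The normal routing table still needs a default for anything the policy
! does not match (and for traffic the router itself originates).
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

If every next hop in a matching route-map entry is down, the packet falls through to the ordinary routing table rather than being dropped, so the static default route above decides where it goes in that case.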