Cisco IPS 4510 Sensor White Paper
Architecture Overview
August 2012 Series
High Availability Overview
The decision to use a single or dual Internet connection should be based on
your organization’s connection availability requirements. If a loss of Internet
access will cause a business interruption that has a greater cost impact
than the cost of a backup Internet connection, then the Dual ISP design
should be used. A backup Internet connection assures continued Internet
access in the event of a failure of the primary Internet connection, although
some services may experience a temporary outage during the switch to the
backup link. Most outbound services should be available in a few seconds.
The Dual ISP design provides the following:
• Resilient outbound Internet access and inbound email services.
• Additional inbound services that can be provisioned to recover in
the event of a failure, although some services may experience longer
outages.
• Inbound web service that does not have seamless failover protection
and requires user interaction to point the Domain Name System (DNS)
records at the alternate IP address on the secondary ISP. To achieve
higher web-service availability, an organization can host its web service
at a colocation facility or use a fully redundant Border Gateway Protocol
(BGP) design that advertises the same IP address out to different ISPs.
Organizations with services that require a very high level of Internet
availability should consider hosting these services at a provider’s
Internet colocation facility.
Internet Routing
There are a variety of ways to control routing to and from the Internet. BGP
and other dynamic routing options offer various methods to influence
Internet routing. For the majority of organizations with up to 10,000 connected
users, a static default route is adequate to establish access to the
Internet and has the least operational complexity.
Reader Tip
If an organization’s routing requirements exceed what can be
addressed by static routing, refer to the Cisco Enterprise Internet
Edge Design Guide, which covers more complex Internet connectivity
deployments:
Active/Standby vs. Active/Active Internet Connectivity
The Dual ISP design is a resilient design with primary and backup Internet
connections. If Internet access via the primary link is lost, the design will
automatically fail over to the secondary link. These configurations are typically
sufficient for organizations of up to 10,000 connected users that are not
hosting critical content or eCommerce in their DMZ. In the Dual ISP design,
Cisco Adaptive Security Appliance (Cisco ASA) firewalls send Internet Control
Message Protocol (ICMP) probes to an Internet IP address. If the firewall stops
getting responses to the probes, it will fail over to the secondary link. This
resilient design offers a simple but effective solution to maintain the users’
Internet access and email (with an appropriately configured DNS). Further
detail on configuration of this capability will be addressed in the ‘Firewall’ and
‘Intrusion Prevention’ sections of this document.
Reader Tip
The Dual ISP design does not address multi-homed routing
options, e.g., using BGP with multiple Internet connections to
multiple ISPs. For more information on multi-homed Internet
connectivity designs, refer to the Cisco Enterprise Internet Edge
Design Guide in the Cisco Design Zone: