Re: Wan link backup posted 03/02/2004
Thanks for your inputs. Since it's possible that dual DNS servers
(or a single DNS server with 2 NICs) can do the trick, then why are some companies
still using hardware like LinkProof to connect to different ISPs? Anyone?
----- Original Message -----
From: "Jay Hennigan" <jay@xxxxxxxx>
To: "Alex Hsieh" <ccie21@xxxxxxxxxxx>
Cc: "CCIE R&S Mailing list" <ccielab@xxxxxxxxxxxxxx>
Sent: Tuesday, March 02, 2004 12:08 AM
Subject: Re: Wan link backup
> On Mon, 1 Mar 2004, Alex Hsieh wrote:
> > hi Church:
> > Thanks for your input. The ISP is unable to help us.
> Look for another ISP. This should be trivial for them to set up.
> Hint: Most good ISPs don't do a good job of delivering HBO or installing
> pay phones. The reverse is true as well.
> > I've resorted to all resources and still can't get this to work.
> You can make DNS work, but it's less than optimal. Set up a DNS server
> with two IP addresses, one on each network. Use two zone files, the
> main one pointing to the addresses on the DS-3 link and a standby one
> pointing to the DSL.
> They will want to have short TTLs, I'd recommend five minutes. Too long
> and it will take some time for things to switch. Too short and you'll
> wind up with a lot of DNS traffic which will hurt payload throughput on
> the DSL link.
> You'll need a script on the nameserver to detect link failure on the
> DS-3 line and swap zone files, or you can do this manually.
> * Many browsers have their own cache. If someone has viewed the WWW
> page on the main link, they may have to close and restart their web
> browser to see it on the standby link.
> * You'll need to modify your own outbound routing on the fly to get
> packets back out to the net.
> * Determining "failure" of the DS-3 can be tricky depending on the nature
> of the failure. If the link is up but the ISP has a routing problem,
> it gets harder to detect. At a minimum, use the "down-when-looped"
> command on the serial interface so that when (not if) someone at the
> carrier loops the wrong line it will show as down.
> * Not everyone follows standards. Some applications will give up if the
> first nameserver is unreachable.
> * Chuck's secondary MX thing would work well if everyone else followed the
> standards. Everyone doesn't. Spammers especially don't. If you do
> this, expect your "standby" mail server to get a lot of mail most of
> the time, much of it spam.
> * Keep in mind that listed DNS servers are checked more or less randomly,
> so the IP of your nameserver on the standby link will see half of your
> DNS traffic.
> > I think what you're saying is having two different DNS servers valid,
> > each network block. These two are both registered with Network
> > (or whatever they're calling themselves these days). One as a primary,
> > one as a secondary. So if the DS3 goes down, the primary is now
> > and the secondary would become active, giving out addresses valid on the
> > backup link, whereas the primary DNS was giving out addresses valid on
> > DS3 block.
> I like to use a single box dual-homed and swap zone files on-the-fly.
> > The problem would be caching of DNS records. Your TTL for the
> > nameservers would have to be extremely low for this to work, and
> > not a good solution. I'm not sure if NetSol would even accept a TTL of
> > minutes for an NS record.
> Not an issue. Done all the time but the overhead on the DNS box increases
> a bit.
> > The incoming mail problem is easily solved with
> > multiple MX records. For incoming HTTP, you might want to talk to a
> > company that can redirect your WWW records to different hosts. No luck
> > static routes from the ISP?
> I agree that a clueful ISP is by far the best solution here. As a DS-3
> customer, you should be able to lean on them a bit.
> > > What if I set up one DNS server for each link, and register my
> > > DNS record with both of my DNS server addresses? Will it work?
> Yes, but they both will get hit all of the time. You need to change
> entries on-the-fly with short TTL.
> Jay Hennigan - CCIE #7880 - Network Administration - jay@xxxxxxxx
> WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
> NetLojix Communications, Inc. - http://www.netlojix.com/
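As an added example (not code from anyone in this thread), here is one way to script the zone-file swap Jay describes: probe the far end of the DS-3, pick the DS-3 or DSL zone template, bump the SOA serial so secondaries notice, and reload BIND. It assumes BIND with `rndc`, the paths and zone name shown, a TEST-NET probe address, and templates that carry an `@SERIAL@` placeholder in their SOA.

```shell
#!/bin/sh
# Added example (not from the thread): one pass of the zone-swap check Jay
# describes. Paths, zone name, probe address and the @SERIAL@ token are assumed.

PROBE_HOST="${PROBE_HOST:-192.0.2.1}"   # assumed: ISP router at the far end of the DS-3
ZONE_DIR="${ZONE_DIR:-/var/named}"      # assumed: BIND zone directory
ZONE_FILE="example.com.zone"            # assumed: the file named.conf loads

# Return 0 when the DS-3 path actually carries traffic. Probing the far-end
# router (not just interface state) catches the "link up, ISP not routing"
# case; pair it with "down-when-looped" on the serial interface.
ds3_is_up() {
    ping -c 3 "$PROBE_HOST" >/dev/null 2>&1
}

# Print the SOA serial of a zone file, using the "; serial" comment convention.
zone_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# Template for a link state: "up" -> DS-3 addresses, anything else -> DSL.
select_template() {
    case "$1" in
        up) echo "$ZONE_DIR/example.com.ds3" ;;
        *)  echo "$ZONE_DIR/example.com.dsl" ;;
    esac
}

# Install a template as the live zone with the serial bumped by one.
# Without a higher serial, secondaries keep serving the old addresses.
install_zone() {
    tmpl="$1"; live="$2"
    old=$(zone_serial "$live" 2>/dev/null); old=${old:-0}
    new=$((old + 1))
    sed "s/@SERIAL@/$new/" "$tmpl" > "$live.tmp" && mv "$live.tmp" "$live"
    echo "$new"
}

# Run from cron every minute; only swaps and reloads when the probed state
# differs from the one recorded on the previous pass.
failover_once() {
    if ds3_is_up; then state=up; else state=down; fi
    statefile="$ZONE_DIR/.ds3_state"
    if [ "$(cat "$statefile" 2>/dev/null)" = "$state" ]; then return 0; fi
    install_zone "$(select_template "$state")" "$ZONE_DIR/$ZONE_FILE" >/dev/null
    echo "$state" > "$statefile"
    rndc reload example.com    # tell named to load the swapped file
}
if [ "${1:-}" = "run" ]; then failover_once; fi
```

The `$TTL 300` in the templates is Jay's five-minute recommendation; the script does nothing about the browser-cache and outbound-routing points he raises, which still need handling separately.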