Combining Internet Connections
Load Balancing or WAN aggregation is a method of combining multiple internet connections for redundancy, bandwidth, and reliability.
Also see: Internet & Network Bandwidth & Monitoring & QOS for a discussion of maximizing bandwidth
Load Balancer Appliances/Vendors
- F5 BIG-IP
- FatPipe WARP or Extreme
- Barracuda Link Balancer
- Elfiq http://www.elfiq.com/
- Mushroom Networks http://www.mushroomnetworks.com/
- Peplink http://www.peplink.com/
- Radware http://www.radware.com/
- XRoads http://www.xroadsnetworks.com/
- Xtera http://www.xtera.com/
Combining Internet Connections for Robust Redundant Connectivity
One option is to install a FatPipe Extreme to load balance connections from various sources (such as Comcast and AT&T). You will end up with combined connections that load balance and provide redundancy. FatPipe can bind different types of connections for redundancy and is worth looking at. You can use round-robin DNS with your DNS provider (e.g. dnsmadeeasy.com) for your internal website.
Several dual or twin WAN devices exist to combine Internet connections (such as T1, cable, DSL). Managed effectively, they let you load balance between the lines so that "x" percent uses the cable Internet and "y" percent uses a T1. Even in load balancing mode, if one connection should fail, the other picks up the traffic and your users are none the wiser. There are many different devices available: on the more basic, small scale, Xincom; at the enterprise level, Barracuda's Link Balancer.
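The percentage split and failover described above, as an added Python example (not code from any of the devices named on this page): each flow is hashed to one link so a connection stays on one path, and a failed link's share moves to the surviving link. The link names, the 80/20 weights and the sample flows are constructed assumptions.

```python
import hashlib
from collections import Counter

# Assumed weights for illustration: "x" = 80% of flows on cable, "y" = 20% on the T1.
LINKS = {"cable": 80, "t1": 20}


def pick_link(flow, weights, up):
    """Map a flow (src_ip, dst_ip, dst_port) to one healthy WAN link.

    Hashing the flow tuple keeps every packet of a connection on the same
    link, so its NAT source address does not change mid-session.
    Links not listed in `up` get no traffic; their share goes to the rest.
    """
    healthy = {name: w for name, w in weights.items() if name in up and w > 0}
    if not healthy:
        raise RuntimeError("no WAN link is up")
    digest = hashlib.sha256("|".join(map(str, flow)).encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % sum(healthy.values())
    # Walk the weight ranges in a fixed order so the mapping is deterministic.
    for name in sorted(healthy):
        if slot < healthy[name]:
            return name
        slot -= healthy[name]


def distribute(flows, weights, up):
    """Count how many flows land on each link for a given health state."""
    return Counter(pick_link(f, weights, up) for f in flows)


def sample_flows(n):
    """Constructed flows: n distinct internal clients to one HTTPS server."""
    return [(f"10.0.{i // 250}.{i % 250 + 1}", "203.0.113.10", 443)
            for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows(5000)
    print("both links up:", dict(distribute(flows, LINKS, {"cable", "t1"})))
    # Cable fails: every flow now leaves via the T1. Sessions that were on
    # the cable link must reconnect, since their public source IP changes.
    print("cable down:   ", dict(distribute(flows, LINKS, {"t1"})))
```
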
We have two bonded T1s from AT&T, and last year I also had Charter Cable put in a "business cable" circuit. Both cable and the T1s pass through our Fortigate Firewall to provide internet for our campus. Our primary traffic goes out (and comes in) on the T1s, but with load balancing and directing campus DHCP traffic over the cable most of the student internet traffic is directed over the cable (20mbps down and 2mbps up). If the cable drops - which isn't often - it only impacts the students and the business side of things keeps on going. The bonded AT&T has been quite reliable, and of course moving student traffic to the cable circuit reduces the load on our primary circuit. I think we pay about $1,300/month for the bonded T1s (we are way out in the sticks and there aren't many options) and about $250/month for the cable. I have no idea if we are REALLY getting that kind of throughput from the cable circuit, but it seems like we are getting pretty good bang-for-our-buck with the cable backup.
In addition to the bonded T1s, we have a Comcast cable modem for extra downstream bandwidth (between 16Mb and 23Mb extra downstream to be exact!). Behind Paetec's Adtran router, we have a Sonicwall router/firewall that does load balancing between our bonded T1s and the Comcast cable. This gives us the reliability and guaranteed upstream speed of T1s, supplemented by the incredible downstream of cable (for only an extra $100/month, assuming you already have a router that can load-balance two WAN ports). If the cable modem goes down (which it does briefly from time to time), it's no problem... the network keeps moving right along on the T1s without a significant hiccup.
T1 plus Cable Modem
- We've had a T-1 for a number of years, and this year added a Comcast Business Internet connection at 8/1 w/ static IP for our campus of 300+ PCs. The T-1 is used for incoming traffic (intranet stuff) and outgoing email; the Comcast connection is used for just about everything else. We run an ISA Server, which doesn't support multiple gateways, so we route all of this through a pfSense box (www.pfsense.org) I set up in front of the ISA Server. The pfSense box has the two connections in a fail-over pool, so that if the cable modem goes down, traffic will flow over the T1. I can set up rules that route traffic over different interfaces based on protocol, source IP, dest IP, etc. It works very well for us, and has made a dramatic difference in our access speeds. It gives us the reliability/SLA of a T-1 for critical incoming and outgoing services, yet it also gives us the bandwidth to support media-rich sites for less critical activities, all without breaking the bank. Our T-1 costs us about $500 a month after taxes, the Comcast connection is $170, and the pfSense box was around $500 (little 1U server, software is free/open source). All in all, a very cost effective solution. I can't imagine finding something better until business-class FIOS is available in the area. One important note: it was necessary for us to get a static IP on the Comcast connection for our subscription services, so make sure you look into that (it was only $8 a month). I'd be happy to offer any other information you're looking for.
- It seems that Comcast's service depends on your region and the network they have there. We're in an area with a decent network and have two Comcast Workplace Enhanced lines feeding into our Sonicwall 3060. We've had this setup for over a year and have only lost our connection when a squirrel chewed through the rigid line running down our street. There have been some other minor problems but overall we've been very pleased with their service. At about $160 per line per month the price is incredibly cheaper than what we used to pay for our T1s. The Sonicwall 3060 will do failover and allow you to use two connections but it doesn't do true load balancing. The unit will do round robin and percentage-based load sharing but does not actively analyze bandwidth usage and adjust things to balance the load. You should easily be able to combine a T1, Cable connection or DSL together using the Sonicwall. As someone mentioned, you can create routes on it to direct traffic to specific lines. Get Comcast to give you a trial period and try the cable line with your T1 connection and the Sonicwall. You won't need any additional equipment other than the cable modem. It's pretty easy to set up and you'll know what you might be getting into.
- I've set up routes on the Sonicwall to port forward specific apps to the cable modem and other apps to the T1.
Multiple ISP Connections for Back-up Internet
We have three DSL connections servicing our campus. They are configured as follows:
Firewall1 -> 1.5Mbps SDSL. Dedicated for our email and WTS traffic. Vendor: SDSL.NET
Firewall2 -> 2 Verizon ADSL 7.1Mbps/768KB links. They are connected to a Hotbrick load balancing router (http://www.hotbrick.com/produto.asp?tipo=2&codPro=55). The unit supports up to 8 WAN connections.
We also called Time Warner for a cable modem connection to be added to our pool of WAN connections.
You may also want to look at www.peplink.com. Their load balancing firewall/routers are highly rated. If I had to do it again I would have used Peplink. Lastly, configure the gateway addresses on all your campus computers to point to firewall2 first and then firewall1. This allows for the failure of either firewall or one/more DSL connections and still have Internet connectivity. You might think all this is expensive but we only pay about $500/month for all three connections. Another great benefit of this setup is that it allows all user traffic to be routed through the load balancing router while routing mission critical traffic through the SDSL connection.
BGP is a routing and DNS method to allow one internet connection to fail over to a different one without interrupting DNS service.
Comments from ISED-L on various vendors
- Peplink. I run a Balance 380. I love mine. I have been very happy with it. Coming up on a year shortly.
- We just upgraded from a Barracuda Link Balancer 330 to a 430 in order to handle the Comcast "Speed Burst" which pushed the total bandwidth past the maximum 65MB. The new model can handle up to 250MB. We also have three T1's and will be adding a third source (a dedicated 10MB line from Broadview).
- I have been very happy with the Peplink Balance. It is such a great tool to unify ISP connections and it's a remarkable way to be able to transition between connections. I am moving things over to a new main connection and it is great to be able to have the Balance to basically abstract the provider to the rest of the firewalls. It also provides great bandwidth reporting and outbound rules management.