To Dual WAN or not to Dual WAN?

howard_davis
I am trying to figure out for our new building what is best. Small Charter School, approx. 70 computers. Going to have 2 ISPs to separate admin from students (long story, lots of better ways but this is what worked out). Never messed with something like this AT ALL. Assuming I will need two separate networks (at least ADs), but I am trying to figure out foresting. Anyways, do I have to use two separate routers, or can I use a dual port that will separate the traffic, not share but separate. Or should I just share? (One ISP is T1, other is TW Cable 15 down, 2 up)
    robo_dev

    The simplest solution is to physically separate the two networks, the middle solution is to physically separate the two networks with a router/firewall in between the two, and the trickier yet most elegant solution is to create multiple VLANs.

    In general, I do not understand how it makes sense to have two ISPs to keep students apart from teachers; that can be done easily with VLANs, and two ISPs introduce more problems and cost than they cure, in my opinion.

    There are multi-wan routers, which would be the most logical solution for multiple ISP connections, but again, if your goal is to keep students away from teachers, and vice-versa, that's more of a VLAN design issue.

    lyle148806

    The separation of the two internal networks is a separate issue; either physically separate networks or VLANs is the way for this, along with firewalls etc.

    The two ISP links could provide redundant or load-balanced access to the net, but unless you're setting up two physically separate networks, they should not be part of the separation of the students and the teachers.

    howard_davis

    I guess I did not state why the two ISPs. It was not for separating originally. Our current T1 has a 5 year contract (not my choice, signed the month before I started). To increase bandwidth was insane cost. So I added a second line, cable with 15 down 2 up, for increased bandwidth (do not need the up speed). After some investigation, I am going with a Radware load balancer. This comes after the two modems, before the firewall. The firewall will act as DHCP (we only have approx. 80 computers). Thanks for the help. (If my idea is a nightmare, other ideas appreciated)

    -Lukin-

    Use the T1 for backup connectivity and the cable line as your main. Depending on the router you are using this is fairly simple to set up, as the T1 would just be a failover in case of an outage with the cable.

    Just create separate VLANs for students and teachers as was explained earlier, and the rest can be done through AD/Group Policy depending on how you have your AD set up.

    howard_davis

    Why not use the T1 for load balancing? I would like to use all the bandwidth I can. I currently use AD/GP for separating out everything in regards to the admin/student privileges; with our size we really do not need VLANs.

    robo_dev

    First of all, load balancing makes good sense.

    Second, note that the 'advertised' throughput of a cable modem may not be all that consistent, as the CMTS (cable modem transmission system) relies on a shared topology to a set group of homes/businesses, so the fine print that says 'up to' 15 Mbps very much applies.

    T1 service tends to be very consistent, and the bandwidth you pay for is the bandwidth you get. Also, depending on the provider, the availability of the CMTS may be inconsistent. In other words, you get what you pay for...

    howard_davis

    Exactly right on the cable. That is one reason I am keeping the T1. I did find out something. The firewall that I purchased for the new building says it has load balancing. I think I may start with it before purchasing a separate load balancer that costs big $$. The firewall is a SonicWall NSA 240.

    eugene.haney

    Dual WAN with load balancing = great way to aggregate traffic. The firewall should be able to do that depending on licensing/firmware (check). This is a tricky implementation; if you have a lot of experience with the firewall/router manufacturer then go for it.

    Make sure you configure VPN traffic for the dual ISPs for failover.

    I agree with most posters here that regardless of the size of the organization you **should** implement VLANs to separate student/teacher traffic.

    howard_davis

    Going back over our SonicWall, I realized it has simple LB that should work for our school. 80 computers, with a max of 40-50 using the internet at once, should be all that is going out. If it causes too much of a bottleneck, I will look at getting a separate LB.

    robo_dev

    A couple of people doing some torrent downloads could kill that connection.

    A proxy server that does caching can help things tremendously, especially if a whole classroom were going to the same web page, or if a whole bunch of students are looking at online videos.

    howard_davis

    Our filter blocks any torrent downloads or anything like that. At most there are 15-30 students on at a time. I feel our 16+ down will be sufficient; if not, we can up it with TW Cable or our T1 provider if necessary. It will be a **** of a lot better than the current setup (single T1, worst network infrastructure I have ever seen in my life).

    Churdoo

    It's already been pointed out that separating the internet bandwidth and separating LAN functionality are 2 distinct issues, and it sounds like you've figured out your LAN design to some extent, so I'll speak only about your internet circuits.

    You haven't mentioned, but are you hosting your own email on campus? Hosting any of your own websites? Hosting any other inbound services?

    Seems to me that to LB a 15 Mbps connection with a 1.5 Mbps connection is only adding 10% capacity to the cable connection for total aggregate bandwidth. And I understand that the cable spec isn't true sustainable throughput, but even if sustainable is half the spec you're still only adding 20% for total aggregate bandwidth.

    IF you're hosting any inbound services like email, www, etc., consider dedicating the T1 to these hosted services, as the T1 likely carries an SLA more appropriate to hosting such services. In this scenario I would not add the T1 to the aggregate bandwidth pool for all "other" services (outbound browsing, etc.), but I would dedicate it to the inbound hosted services full time and use it as FAILOVER only for general outbound services.
    My two cents even if that's all it's worth.
    --C
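The two designs argued over in this thread, the SonicWall-style "simple LB" that spreads sessions across both links in proportion to their capacity, and Churdoo's dedicate-the-T1-and-failover-only policy, are easy to compare when written out as an egress policy. The Python below is an added example, not code from any poster or from SonicWall or Radware; the link figures (15/2 Mbps cable, 1.5 Mbps T1) come from the posts, while the link names, the Flow model, the health-probe flag and the set of hosted ports (mail and web) are assumptions. It also shows the point behind Churdoo's arithmetic: because a session is pinned to one link, the aggregate figure is a pool for many sessions, and a single download is still capped by the fastest link.

```python
"""Dual-WAN egress policy: ratio load balancing vs dedicate-plus-failover.

Constructed example based on the figures quoted in the thread (15/2 Mbps cable,
1.5 Mbps T1). Link names, the Flow model and HOSTED_PORTS are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WanLink:
    name: str
    down_mbps: float
    up_mbps: float
    healthy: bool = True  # what the firewall's link probe last reported


@dataclass(frozen=True)
class Flow:
    direction: str   # "outbound" (LAN to Internet) or "inbound" (Internet to a hosted service)
    src_ip: str
    dst_ip: str
    dst_port: int


# Assumption: mail and web are hosted on campus and published on the T1's public address.
HOSTED_PORTS = frozenset({25, 80, 443})


def aggregate_down_mbps(links: List[WanLink]) -> float:
    """Capacity of the pool that a per-session balancer spreads traffic across."""
    return sum(l.down_mbps for l in links if l.healthy)


def max_single_flow_mbps(links: List[WanLink]) -> float:
    """A session is pinned to one link, so one download never exceeds the fastest healthy link."""
    return max((l.down_mbps for l in links if l.healthy), default=0.0)


def added_capacity_pct(base_mbps: float, extra_mbps: float, sustainable_fraction: float = 1.0) -> float:
    """What the second link adds relative to the first, after discounting the first
    to the fraction of its advertised rate that is actually sustainable."""
    return 100.0 * extra_mbps / (base_mbps * sustainable_fraction)


def ratio_pick(flow: Flow, links: List[WanLink]) -> Optional[WanLink]:
    """Simple ratio load balancing: hash the flow and map it onto the healthy links in
    proportion to their download capacity. Deterministic, so a session stays on one link."""
    healthy = [l for l in links if l.healthy]
    if not healthy:
        return None
    total = sum(l.down_mbps for l in healthy)
    key = f"{flow.src_ip}|{flow.dst_ip}|{flow.dst_port}".encode()
    h = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    point = (h % 1_000_000) / 1_000_000 * total
    cumulative = 0.0
    for link in healthy:
        cumulative += link.down_mbps
        if point < cumulative:
            return link
    return healthy[-1]


def simulate_ratio_share(links: List[WanLink], link_name: str, n: int = 1000) -> float:
    """Fraction of n constructed outbound sessions that ratio_pick sends to link_name."""
    hits = 0
    for i in range(n):
        flow = Flow("outbound", f"10.0.{i // 256}.{i % 256}", "203.0.113.10", 443)
        chosen = ratio_pick(flow, links)
        if chosen is not None and chosen.name == link_name:
            hits += 1
    return hits / n


class DedicatedWithFailover:
    """Churdoo's alternative: inbound hosted services always use the SLA-backed T1;
    general outbound traffic uses the cable link and falls over to the T1 only when
    the cable link is unhealthy. Hosted services do not fail over to the cable link,
    because public DNS points at the T1 address."""

    def __init__(self, primary: WanLink, dedicated: WanLink, hosted_ports=HOSTED_PORTS):
        self.primary = primary
        self.dedicated = dedicated
        self.hosted_ports = hosted_ports

    def pick(self, flow: Flow) -> Optional[WanLink]:
        if flow.direction == "inbound" and flow.dst_port in self.hosted_ports:
            return self.dedicated if self.dedicated.healthy else None
        if self.primary.healthy:
            return self.primary
        return self.dedicated if self.dedicated.healthy else None


if __name__ == "__main__":
    cable = WanLink("cable", 15.0, 2.0)
    t1 = WanLink("t1", 1.5, 1.5)
    print("aggregate down:", aggregate_down_mbps([cable, t1]), "Mbps")
    print("one download caps at:", max_single_flow_mbps([cable, t1]), "Mbps")
    print("T1 adds", added_capacity_pct(15.0, 1.5), "% at spec,",
          added_capacity_pct(15.0, 1.5, 0.5), "% if cable sustains half of spec")
    print("share of sessions on cable:", simulate_ratio_share([cable, t1], "cable"))
```

Running it with the thread's numbers gives a 16.5 Mbps pool, a 15 Mbps cap per session, and the 10% / 20% figures from Churdoo's post; roughly nine in ten outbound sessions land on the cable link under ratio balancing, and under the dedicated policy the T1 only carries outbound traffic once the cable probe fails.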
