RE: [FW1] Multiple WAN Links.

["iden fw" <iden_fw@FW1-NOSPAMhotmail.com>]

Comments in-line...


> From: "Mark L. Decker" <mdecker@rainfinity.com>
> Reply-To: <mdecker@rainfinity.com>
> To: "'iden fw'" <iden_fw@hotmail.com>, <cryptotech@gmx.de>
> CC: <gmathur@chat4help.com>, <fw-1-mailinglist@lists.us.checkpoint.com>
> Subject: RE: [FW1] Multiple WAN Links.
> Date: Fri, 3 Nov 2000 15:58:52 -0800
>
> iden_fw wrote:
> > Regarding the negatives to BGP:
> > 1. uneven load sharing --  If you have 2 circuits with the
> > same ISP, this is not an issue.  Otherwise, if you have a circuit
> > with 2 ISPs (as the original poster indicated) -- load sharing
> > becomes uneven, and requires a more
> > complex configuration.  And constant tweaking...
>
> True, but if both circuits go to the same ISP, you don't have much
> redundancy.  A problem with the carrier or ISP is likely to simultaneously
> take down both links in that case.  Using different types of links (e.g. a
> T1 and a DSL) to two different providers yields the most fault tolerant
> design.

An organization can work with their ISP to have their T1s terminate on 
different switches, and different routers.  You would be surprised how many 
customers order 2 circuits to their ISP, and then don't know that the T1s 
terminate in the same channelized DS-3 card in the same Cascade 9000/500 
switch, that can ride the same fiber over to the ISPs router.  Or maybe you 
wouldn't be surprised... ;)

Some ISPs even offer the ability to terminate a T1 in another POP.  More $$

Telco could be the problem... if both circuits are ordered from the same 
carrier, and ride common facilities... again, alot of times customers do not 
ask for circuit path diversity.

> > How does Rainfinity load-balance incoming traffic?
>
> For connections initiated from inside, the return traffic is load balanced
> because the source address alternates between the two ISP ranges as it 
> heads
> out.  For connections initiated from outside to a webserver hosted
> internally, RainWall doesn't do any load balancing of the links.  You'd 
> need
> some kind of intelligent DNS to do that, maybe custom scripting or a 
> product
> like 3DNS.

Yet another product to configure, troubleshoot, keep up-to-date on patches, 
purchase, support contracts... ugh.

> > 3. requires AS number and cooperation from both ISPs --
> > Requires little
> > effort, and a little $.  The only cooperation you need from
> > the ISPs is for
> > them to configure a BGP session with you, which any ISP
> > should be able to do
> > in their sleep.  I would not classify this as a negative to a
> > BGP solution.
>
> Sure, if you are a big company with your own Class B (i.e., clout).  If
> you're a smaller company, many major ISPs won't peer with you.  They don't
> want to be bothered advertising your routes unless you have a dozen Class
> C's or more.  Some smaller ISPs may have more lenient BGP peering policies,
> but even they tend to draw the line at a full Class C.  Those using NAT 
> with
> a CIDR block smaller than /24 are typically out of luck.

You don't need to peer with your ISP, and you don't need a Class B.  You 
just need to establish a BGP session.  Any ISP should be able to setup a BGP 
session with a customer.

The /24 is a valid point.  The large ISPs tend to accept route announcements 
less than a /24, but will not advertise those routes to their peers.

> > 4. giant routing tables that eat gobs of router CPU and RAM,
> > etc -- ;)  A
> > full routing table is in the neighborhood of 88000 network
> > entries.  I have
> > recommended, that if you are going to take full feeds from 2
> > providers on
> > one router that the customer have 128 megs on at least a  36XX Cisco.
>
> I agree.  That would be my minimum spec as a BGP router; 128M should be 
> able
> hold the ever-growing routing tables for at least a year or two.  If you
> don't want the router to be a single point of failure, I'd recommend two of
> them with HSRP.

;)  That's exactly what I was referring to...

> > What is the list price of a Rainfinity solution?  What are
> > the maintenance
> > contract costs?
>
> RainWall is US $5,000 for active/standby, or US $12,000 for active/active
> with load balancing.  Standard support is 25% of the software list price 
> for
> a 1-year contract.  For comparison, a pair of Cisco 3640s with 128M DRAM
> running BGP/HSRP will cost over US $24,000, before you even put any LAN or
> WAN modules in them.

So that's $3,000 a year for support...

I think your estimate of $12,000 for an empty 3640 chassis might be a bit 
high.  Maybe not...

> Mark L. Decker
> Rainfinity

Bottom line is that redundancy is a very expensive word.  We haven't even 
discussed redundant power, ethernet switches, redundant switches/routers for 
the inside of the firewall, etc...



-iden_fw
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at 
http://profiles.msn.com.



================================================================================
    To unsubscribe from this mailing list, please see the instructions at
              http://www.checkpoint.com/services/mailing.html
================================================================================