If you want TRUE redundancy, you'll have to consider A LOT more than just another link....

First, you'll need to run BGP between your ISPs and your network. IMHO, this is nothing less than required. This will make your inbound connection redundant and failed-over. However, BGP typically requires a lot of router memory (65+Mb). That limits your choice of routers to a very small number (Cisco 3640, 72xx, etc.), although it can certainly be done with smaller routers if you limit the amount of inbound routes. If you don't implement BGP, you will spend hours/days/months trying to figure out the routing and trying to make one firewall work with different ISPs. For example: which ISP's IP address will you hide behind? How will "the Internet" know which T-1 to use to connect to your network?

Continue reading ONLY if you are, or will, consider BGP.

Second, you'll probably want to make sure that the two ISPs are being carried by two separate Telcos. Otherwise, if the telco has a problem with its network, you'll probably lose BOTH T-1s.

Third, you'll want to consider two of those above routers. What if the router fails?

Fourth, what about redundant firewalls? It'll look real dumb if you have two ISPs, but a power supply/NIC/hard drive/etc. in that unnamed piece of hardware running that unnamed OS fails.

Fifth, what do you *really* want to achieve by having multiple ISPs? I think there are A LOT more points of failure that need to be considered before anyone thinks they are redundant.

We have spent many, many hours and dollars on making them redundant, but we still have failures and downtime. You will NEVER achieve 100% uptime. You are dreaming if that's what you think. In my experience, 90% of the downtimes are caused by software problems, not T-1s/Telcos. I would make sure I have two of everything (router, FW, T-1s, ISPs, Telcos) before I consider it "redundant".

Just my $0.02....

Dave O.
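The dual-ISP BGP setup Dave describes (accept only a default route from each ISP so a small router copes, announce only your own block) as an added Cisco IOS configuration example; it is not from either poster, the AS numbers, neighbor addresses, shared secrets and the 203.0.113.0/24 block are constructed placeholders, and it assumes you hold one address block that both ISPs agree to carry.

```cisco
! Dual-homed edge router (added example, placeholder addresses/ASNs).
! Inbound: take nothing but 0.0.0.0/0 from each ISP, so the table stays tiny.
ip prefix-list ONLY-DEFAULT seq 5 permit 0.0.0.0/0
! Outbound: announce only the block we actually own, never an ISP's routes.
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
!
! Pin the aggregate so BGP keeps originating it while an interior link flaps.
ip route 203.0.113.0 255.255.255.0 Null0 250
!
router bgp 65001
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 !
 ! ISP A session (placeholder peer and ASN)
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description ISP-A
 neighbor 192.0.2.1 password ISP-A-SHARED-SECRET-PLACEHOLDER
 neighbor 192.0.2.1 prefix-list ONLY-DEFAULT in
 neighbor 192.0.2.1 prefix-list OUR-BLOCK out
 neighbor 192.0.2.1 maximum-prefix 10
 !
 ! ISP B session (placeholder peer and ASN)
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 description ISP-B
 neighbor 198.51.100.1 password ISP-B-SHARED-SECRET-PLACEHOLDER
 neighbor 198.51.100.1 prefix-list ONLY-DEFAULT in
 neighbor 198.51.100.1 prefix-list OUR-BLOCK out
 neighbor 198.51.100.1 maximum-prefix 10
```

With both sessions up the router holds two default routes and fails over when one ISP withdraws its default or the session drops; the inbound and outbound prefix-lists plus maximum-prefix keep a misconfigured peer from flooding the router or having your router leak one ISP's routes to the other.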
Hi all,

We have Checkpoint firewall 4.1 set up as shown below:

ISP ----> Router ------> NIC1 (External) ---- NAT -----> NIC2 (Internal)
                                |
                                |
                            NIC3 (DMZ)
                 web & mail servers on static NAT

ISP leased line (HDLC) ---> Router (serial port) --> Router Ethernet ports --> CP 4.1 Ext interface ---> Internal NIC and DMZ NIC (NATted to Private zone & DMZ).

Now I have to add one more leased line to this setup for link redundancy. The second link will be taken from a different ISP, which in turn assigns us a different pool of valid IP addresses.

Could someone who has set up or come across this sort of situation help me with information?

Thanks
Regs
sathish m