
Re: [FW1] Multiple links



David/ Hi all,
 
Thanks a lot for the information.
 
Please tell me if this works.. (+ & - Points) of the following setup and if we have to achieve at least 90% uptime.
 
Setup 1
 
ISP1---->Router1------>NIC1 (External)----------------------------------nat -----> NIC2 (internal)
                                                           |                              |
                                                          |                             |
ISP2---->Router2--------------------->NIC4(External)             NIC3 DMZ
 
with the above setup can I have
 
1. Is it possible to define two NATs to two external NICs (if we take an extra license for the NIC4 Valid IP)?
 
 
Setup 2
 
                                                       Server 1
ISP1---->Router1------>NIC1 (External)----nat -----> NIC2 (internal)
                                                        |
                                                        |
                                                 NIC3 DMZ
                                                 web & mail servers on static nat
 
                                                       Server 2
ISP2---->Router2------>NIC1 (External)----nat -----> NIC2 (internal)
                                                        |
                                                        |
                                                 NIC3 DMZ
                                                 web & mail servers on static nat
If I replicate the setup...
 
1. with this I think I have to use StoneBeat software for load balancing
 
Thanks once again.
 
regs
 
sathish m r
 
 
 
 
 
 
 
 
 
----- Original Message -----
Sent: Monday, February 19, 2001 1:37 PM
Subject: RE: [FW1] Multiple links

if you want TRUE redundancy, you'll have to consider A LOT more than just another link....
 
first, you'll need to run BGP between your ISPs and your network. IMHO, this is nothing less than required. this will make your inbound connection redundant and failed-over. however BGP typically requires a lot of router memory (65+Mb). that limits your choice of routers to a very small number (Cisco 3640, 72xx, etc). although it can certainly be done with smaller routers, if you limit the amount of inbound routes. if you don't implement BGP, you will spend hours/days/months trying to figure out the routing and trying to make one firewall work with different ISPs. for example: which ISP's IP address will you hide behind? how will "the Internet" know which T-1 to use to connect to your network?
 
continue reading ONLY if you are, or will, consider BGP.
 
second, you'll probably want to make sure that the two ISPs are being carried by two separate Telcos. otherwise, if the telco has a problem with its network, you'll probably lose BOTH T-1s.
 
third, you'll want to consider two of those above routers. what if the router fails?
 
fourth, what about redundant firewalls? it'll look real dumb if you have two ISPs, but a power supply/NIC/Hard Drive/etc in that unnamed piece of hardware running that unnamed OS fails.
 
fifth, what do you *really* want to achieve by having multiple ISPs? I think there are A LOT more points of failure that need to be considered before anyone thinks they are redundant.
 
we have spent many many hours and dollars on making them redundant, but we still have failures and downtime. you will NEVER achieve 100% uptime. you are dreaming if that's what you think. in my experience, 90% of the downtimes are caused by software problems, not T-1s/Telcos. I would make sure I have two of everything (router, FW, T-1s, ISPs, Telcos) before I consider it "redundant".
 
Just my $0.02....
 
Dave O.
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, February 19, 2001 1:20 AM
To: [email protected]
Subject: [FW1] Multiple links

Hi all,
 
We have Checkpoint firewall 4.1 setup as shown below
 
 
                            
ISP---->Router------>NIC1 (External)----nat -----> NIC2 (internal)
                                                        |
                                                        |
                                                 NIC3 DMZ
                                                 web & mail servers on static nat
 
 
ISP leased line (HDLC)--->Router (serial port)-->Router Ethernet ports--> CP 4.1 Ext interface --->Internal NIC and DMZ NIC (Natted to Private zone & DMZ).
 
Now I have to add one more leased line to this setup for link redundancy. The second link will be taken from a different ISP, which in turn assigns us a different pool of Valid IP addresses.
 
Could someone who has set up or come across this sort of situation help me with information?
 
Thanks
 
Regs
 
sathish m r


 
   All contents © 2004 Network Presence, LLC. All rights reserved.