RE: [FW1] Multiple links
An easier solution than BGP is to use a product like LinkProof from Radware, but of course you will need two of their systems if you want complete redundancy. I have never tried to get BGP up and running myself, but from people I have talked to who have, the time saved on trying to get BGP working would pay for the additional hardware. They have been the only company I have found with a product that makes implementing multiple ISPs or links a breeze. If anyone knows of another out there, please let me know, because I like to look at all possible solutions.

-----Original Message-----
David/ Hi all,

Thanks a lot for the information. Please tell me if this works.. (+ & - Points) of the following setup and if we have to achieve at least 90% uptime.

Setup 1

ISP1---->Router1------>NIC1 (External)----------------------------------nat -----> NIC2 (internal)

with the above setup can I have

1. Is it possible to define two NATs to two external NICs (if we take extra license for the NIC4 Valid IP)

Server 1
Server 2

1. with this I think I have to use Stonebeat software for load balancing

Thanks once again.

regs
sathish m r

web & mail servers on static nat

----- Original Message -----

if you want TRUE redundancy, you'll have to consider A LOT more than just another link....

first, you'll need to run BGP between your ISPs and your network. IMHO, this is nothing less than required. this will make your inbound connection redundant and failed-over. however, BGP typically requires a lot of router memory (65+Mb). that limits your choice of routers to a very small number (Cisco 3640, 72xx, etc.), although it can certainly be done with smaller routers if you limit the amount of inbound routes. if you don't implement BGP, you will spend hours/days/months trying to figure out the routing and trying to make one firewall work with different ISPs. for example: which ISP's IP address will you hide behind? how will "the Internet" know which T-1 to use to connect to your network?

continue reading ONLY if you are, or will, consider BGP.

second, you'll probably want to make sure that the two ISPs are being carried by two separate Telcos. otherwise, if the telco has a problem with its network, you'll probably lose BOTH T-1s.

third, you'll want to consider two of those above routers. what if the router fails?

fourth, what about redundant firewalls? it'll look real dumb if you have two ISPs, but a power supply/NIC/Hard Drive/etc. in that unnamed piece of hardware running that unnamed OS fails.

fifth, what do you *really* want to achieve by having multiple ISPs?

I think there are A LOT more points of failure that need to be considered before anyone thinks they are redundant. we have spent many many hours and dollars on making them redundant, but we still have failures and downtime. you will NEVER achieve 100% uptime. you are dreaming if that's what you think. in my experience, 90% of the downtimes are caused by software problems, not T-1s/Telcos.

I would make sure I have two of everything (router, FW, T-1s, ISPs, Telcos) before I consider it "redundant".

Just my $0.02....

Dave O.

Hi all,

We have Checkpoint firewall 4.1 set up as shown below:

ISP leased line (HDLC)--->Router (serial port)-->Router Ethernet ports--> CP 4.1 Ext interface --->Internal NIC and DMZ NIC (Natted to Private zone & DMZ).

Now I have to add one more leased line to this setup for link redundancy. The second link will be taken from a different ISP, which in turn assigns us a different pool of valid IP addresses. Could someone who has set up or come across this sort of situation help me with information?

Thanks
Regs
sathish m r