Re: [FW-1] More than One ISP but One Firewall
We also have a number of ISPs running BGP and running iBGP between the edge routers and HSRP tracking upstream interfaces. We then use a route map to assign weights to each BGP route across our providers to try and do rudimentary load sharing across our ISPs, it works(ish). We then have a FW1 HA solution behind this front end.

This solution works very well. Our edge routers are in different buildings using different fibre points of entry from different providers to try and get some physical resilience. Some users may notice some downtime as the BGP is kicking round but that will depend on what ISP they use.

----- Original Message -----
From: "Joe Pampel" <[email protected]>
To: <[email protected]>
Sent: Wednesday, March 13, 2002 4:46 PM
Subject: Re: [FW-1] More than One ISP but One Firewall

I do this. We run edge routers with diverse T1's (different loop providers, different POP's and different carriers) and behind the router is a HA firewall solution. The good part as others have mentioned is that you need only statics on the FW, and failover is very clean. The firewall can just focus on doing FW stuff (not dynamic routing!)

We've had maybe 7 outages in the past year involving at least one of our T's (the worst day we had 5 down!, the longest outage was 9 days when a genius at an associated ISP (not our provider) lost our B8ZS circuit in a shelf full of AMI circuits.. "gee, what's that doing here?" and dumped it. By the time the fingerpointing was over, it had been nearly a week!!! Diversity rules and BGP WILL pay for itself IMHO. Something like this need only happen once, you know?)

Anyhow, not a single user ever noticed. BGP converges for most local stuff in around a minute or 2. I sleep much better than I used to. ;-)

It's worth mentioning that we don't run a site to site VPN, and BGP would not save your VPN session.. but for any "normal" traffic - http, smtp, etc it's great and you could re-establish your VPN after a couple minutes anyhow. Not the end of the world in most cases I'd guess.

We're moving to a setup with redundant edge routers which will complete the project. If I can make it another month or so, it will have been a full year without so much as a second of outage. (oops! now I'm gonna get it..)

- Joe

>>> Russell Washington <[email protected]> 03/12/02 11:17AM >>>

The traditional topology for this is to have a router terminate both ISP connections, and then have your firewall sitting behind the router. This topology assumes that your entire point in having 2 ISP connections is to have a failover option, and while routers generally have the ability to failover via BGP, your firewall almost certainly won't.

I don't quite understand 'protect them with single ISP.' The ISP doesn't protect a thing, the firewall does. Maybe you could clarify.

-----Original Message-----
From: harsh bhasin [mailto:[email protected]]
Sent: Monday, March 11, 2002 9:59 PM
To: [email protected]
Subject: [FW-1] More than One ISP but One Firewall

Hi

Is that possible that I have two internet links from two different ISP's and protect them with single ISP

If yes then what issues are involved
if no then why.

Regards
Harsh Bhasin

__________________________________________________
Do You Yahoo!?
Try FREE Yahoo! Mail - the world's greatest free email!
http://mail.yahoo.com/

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================