Re: [FW-1] More than One ISP but One Firewall
It's not gonna look as nice as Visio, but here goes. ;-)

   ISP#1      ISP#2
     |          |
     |          |
     |          |
     |          |
   EDGE.ROUTER w/RPS unit.
     |          |
  Switch ----- Switch   (linked redundant switches w/RPS unit)
     |          |
     |          |
    FWa   --   FWb=======parallel feed to DMZ (dual switches again..)
     |          |
     |          |
  Switch------Switch + RPS (network core or whatever)
     |
  Core router w/RPS (default gateway for LAN segment)

This is the basic idea. Ideally you want redundant edge & core routers, use iBGP to have the edge talk to the core and figure out the best exit from the network. FWa & FWb share a VIP, so it's just one default route out / in.

hth

Joe

>>> Joe Bloggs <[email protected]> 03/13/02 12:37PM >>>
You won't happen to have a simple diagram of your setup for us to have a look at would you? easy to visualise ...

Thanks!

>From: Joe Pampel <[email protected]>
>Reply-To: Mailing list for discussion of Firewall-1
><[email protected]>
>To: [email protected]
>Subject: Re: [FW-1] More than One ISP but One Firewall
>Date: Wed, 13 Mar 2002 11:46:06 -0500
>
>I do this. We run edge routers with diverse T1's (different loop providers,
>different POP's and different carriers) and behind the router is a HA
>firewall solution. The good part as others have mentioned is that you need
>only statics on the FW, and failover is very clean. The firewall can just
>focus on doing FW stuff (not dynamic routing!) We've had maybe 7 outages in
>the past year involving at least one of our T's (the worst day we had 5
>down!, the longest outage was 9 days when a genius at an associated ISP
>(not our provider) lost our B8ZS circuit in a shelf full of AMI circuits..
>"gee, what's that doing here?" and dumped it. By the time the fingerpointing
>was over, it had been nearly a week!!! Diversity rules and BGP WILL pay for
>itself IMHO. Something like this need only happen once, you know?) Anyhow,
>not a single user ever noticed. BGP converges for most local stuff in
>around a minute or 2. I sleep much better than I used to. ;-) It's worth
>mentioning that we don't run a site to site VPN, and BGP would not save
>your VPN session.. but for
>any "normal" traffic - http, smtp, etc it's great and you could
>re-establish your VPN after a couple minutes anyhow. Not the end of the
>world in most cases I'd guess.
>We're moving to a setup with redundant edge routers which will complete the
>project. If I can make it another month or so, it will have been a full
>year without so much as a second of outage. (oops! now I'm gonna get it..)
>
>- Joe
>
> >>> Russell Washington <[email protected]> 03/12/02 11:17AM >>>
>The traditional topology for this is to have a router terminate both ISP
>connections, and then have your firewall sitting behind the router. This
>topology assumes that your entire point in having 2 ISP connections is to
>have a failover option, and while routers generally have the ability to
>failover via BGP, your firewall almost certainly won't.
>
>I don't quite understand 'protect them with single ISP.' The ISP doesn't
>protect a thing, the firewall does. Maybe you could clarify.
>
>-----Original Message-----
>From: harsh bhasin [mailto:[email protected]]
>Sent: Monday, March 11, 2002 9:59 PM
>To: [email protected]
>Subject: [FW-1] More than One ISP but One Firewall
>
>
>Hi
>
>Is that possible that I have two internet links from
>two different ISP's and protect them with single ISP
>
>If yes then what issues are involved if no then why.
>
>
>Regards
>Harsh Bhasin
>
>__________________________________________________
>Do You Yahoo!?
>Try FREE Yahoo! Mail - the world's greatest free email!
>http://mail.yahoo.com/
>
>=================================================
>To set vacation, Out Of Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com
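
Added example, not part of the original thread or any poster's configuration: a sketch of the edge-router half of the topology discussed above (one router terminating both ISPs with BGP, the firewall pair behind it on statics), written in Cisco IOS syntax as an assumption since the thread names no router vendor. All addresses and AS numbers are constructed documentation values.

```cisco
! Constructed example. Assumed values (documentation ranges, not from the thread):
!   own AS 64496, own public block 203.0.113.0/24
!   ISP#1 = AS 64497 on 192.0.2.0/30, ISP#2 = AS 64498 on 198.51.100.0/30
!   FWa/FWb share VIP 203.0.113.2 on the outside segment 203.0.113.0/29
!
interface Serial0/0
 description T1 to ISP#1
 ip address 192.0.2.2 255.255.255.252
!
interface Serial0/1
 description T1 to ISP#2
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/0
 description Outside segment shared with FWa/FWb
 ip address 203.0.113.1 255.255.255.248
!
! Everything in our block that is not on the outside segment sits behind the
! firewall cluster VIP. This static also puts the exact /24 in the routing
! table, which the BGP "network" statement below requires.
ip route 203.0.113.0 255.255.255.0 203.0.113.2
!
router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 !
 neighbor 192.0.2.1 remote-as 64497
 neighbor 192.0.2.1 description ISP#1
 neighbor 192.0.2.1 prefix-list OUR-BLOCK out
 neighbor 192.0.2.1 filter-list 1 out
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 !
 neighbor 198.51.100.1 remote-as 64498
 neighbor 198.51.100.1 description ISP#2
 neighbor 198.51.100.1 prefix-list OUR-BLOCK out
 neighbor 198.51.100.1 filter-list 1 out
 neighbor 198.51.100.1 prefix-list DEFAULT-ONLY in
!
! Outbound: announce only our own block, and only routes we originate
! (empty AS path), so the site never becomes transit between the two ISPs.
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
ip as-path access-list 1 permit ^$
!
! Inbound: accept just a default route from each ISP. If one session drops,
! its default is withdrawn and traffic exits via the other link.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
```

On the firewall side, under these assumptions, the only routing needed is a static default route pointing at 203.0.113.1, which is why the firewall never has to run a dynamic routing protocol.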