| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FW-1] Nokia & ISP Load Balance
- To: [email protected]
- Subject: Re: [FW-1] Nokia & ISP Load Balance
- From: Steve McNutt <[email protected]>
- Date: Thu, 2 May 2002 10:19:59 -0400
- Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
- Sender: Mailing list for discussion of Firewall-1 <[email protected]>
- Thread-index: AcHxzc7COVaFN6AKQV2REkbr/hhfxgAEg8+A
- Thread-topic: [FW-1] Nokia & ISP Load Balance
1. Load balancing inbound traffic from the Internet from two different
ISPs is tough. You could have an address block advertised to the
Internet by both of your ISPs (getting this kind of address space is
pretty tough these days), but other networks will forward traffic to the
ISP the has the lowest BGP metric. Some traffic will flow in on one
link, some on the other, but you will not really be able to get it
'balanced', other than to ask the ISP that is feeding you the most
traffic to keep prepending to your AS path until more traffic appears on
the other link.
2. Load balancing traffic with nokia boxes using the VRRP solution is
fairly crude, and VRRP is an active/passive solution as opposed to an
active/active one. Basically you use two IP's and make each box primary
for one and backup for the other.
3. With the diagram you have given, if you have common address space
known to and advertised by both ISPs HA will work just fine. If
however you have to use different addressing for each ISP, failover will
not work at all.
4. I recommend that you define exactly what it is you want to do, and
build a solution from there. Introducing multi-homing to your network
takes you into deep waters. Do you really need to be connected to two
ISPs that badly? If so, you should be using routers and not firewalls
at your edge.
5. When I look at what you are trying to do, I'm thinking load balanced
links to a single ISP. If you can get the circuits on separate physical
paths, to different routers at a hardened, multihomed POP, you would be
in pretty good shape, without the multihoming craziness.
HTH,
Steven McNutt, CCIE #6495, CCSE, MCSE
President
LightningCloud Technologies
bus:cel:[email protected]
-----Original Message-----
From: McCracken Peter [mailto:[email protected]]
Sent: Thursday, May 02, 2002 6:49 AM
To: [email protected]
Subject: [FW-1] Nokia & ISP Load Balance
Hi All,
I have a moderate amount of experience with firewalls and have worked
with a number of HA solutions including Nokia setups and Sun coupled
with Stonebeat...
The majority of these solutions use the traditional ISP connection,
router, dual firewall setup.
I want to develop a solution using dual 2mb ISP connections that are
load balanced. From the information I have been able to pull off the net
and also reading through the archives of mailing lists, the normal way
to do this is using two Cisco routers configured with iBGP and eBGP and
dual firewalls. Fair enough.
But I have been looking at the Nokia solutions recently, and I like the
idea of being able to clunk my Firewall directly into the X21 connection
from my leased line modem thus removing the need for the standard
internet router...
What I am wondering is, if it is possible to setup two Nokia 650's each
connected directly to a different 2mb link and provide load balancing
and HA between them for inbound and outbound traffic...
What I need to know is
(a) Is this possible.
(b) Is it a good idea.
(c) Anywhere I might find sample diagrams / configs / information about
doing this....
My attemp at a diagram below will hopefully illustrate what I am talking
about.
2Mb Conneciton 1 2mb Connection 2
! !
! !
! !
****************** ****************
* Nokia 650 * * Nokia 650 *
****************** ****************
! !
! !
! !
====================================
Corporate LAN
====================================
I would be grateful for any pointers or suggestions about how I could
achieve load balancing across the two links.
Best Regards, Peter.
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
|
|
