Re: [FW-1] How to connecto to 2 ISP's?



Radware, a nice solution by the way, and BGP4 both get the job done in vastly different ways. Radware acts as the authoritative DNS server for your domain and will manipulate the DNS responses to place traffic on the link that it determines to be most appropriate.

BGP4 is a routing protocol that allows two provider networks to work together.  From a very high level, some items to remember would be:

BGP4:

* ASN (Autonomous System Number) required.

* Router(s) will need to be beefy enough to handle the extended routes. (Lots of memory)
BGP will route traffic based on the most efficient route when both links are in use, thus they require more than simply a static route to the provider's network peer router. "Full routes" may be selected, but more likely "filtered routes" would be appropriate. Remember, for a tier 1 provider, full routes could be a huge number. Any way you cut it, memory and CPU along with the ability to run BGP on your access router(s) will be required.

* ISPs should both be of the same tier.
As stated above, in the absence of a failure, routes determine the path. There are some tweaks, but for the most part, if one ISP is a tier one, and the other is a tier two, then the tier one link will likely get very high utilization while the tier two will go underutilized.

* Consider convergence time.
The ISPs have to agree to run BGP with you and one another. After all of that, if there is a failure, the remote peers that would be served by the routes from the dead link will be subject to a period of convergence when they may not be able to get to you. These are typically very short, but may be minutes, not seconds.

RADWARE:

* DNS is the key
Everything in this model turns on DNS. Both ISPs provide plain Jane access and network numbers. The Radware boxes exist on both networks. All DNS requests point to the RADWARE boxes and may be primary and secondary or round robin, but they are known by addresses that come out of the two network spaces. When a request comes in for a DNS translation, the RADWARE boxes answer with an IP address associated with the link that it wants to place the traffic on.

* Single point of failure
Radware should always be deployed in pairs as it represents a single point of failure.

* Won't work for static IP assignments
If you have remote hosts or applications that bypass DNS and attempt to connect to native IP addresses, RADWARE will not affect those connections. You would need to endow those hosts/remote apps with the additional addresses on your own. Think about VPN concentrators etc.

BGP is transport related, the RADWARE is more application layer centric. Depends on your application I suppose. BGP4 takes some expertise, RADWARE is a bit more straightforward. Lots more decision points on both, but these are quick thoughts.

-WAM
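
The DNS steering and the static-IP caveat described in the RADWARE section above, as a small simulation. This is an added example, not part of the original thread and not Radware's code; the link names, documentation-range addresses, TTL and load figures are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Link:
    name: str          # hypothetical ISP label
    prefix: str        # address block handed out by that ISP
    up: bool = True
    load: float = 0.0  # fraction of link capacity in use

TTL = 30  # assumed short TTL so resolvers re-ask soon after a failure

# Constructed sample: one public name with one address in each ISP's space.
RECORDS = {"www.example.com": {"isp-a": "192.0.2.10", "isp-b": "198.51.100.10"}}

def make_links():
    return {"isp-a": Link("isp-a", "192.0.2.0/24", load=0.7),
            "isp-b": Link("isp-b", "198.51.100.0/24", load=0.2)}

def pick_link(links):
    """Least-loaded link that is up, or None when every link is down."""
    live = [l for l in links.values() if l.up]
    return min(live, key=lambda l: l.load) if live else None

def answer(qname, links, records=RECORDS):
    """A-record answer the authoritative balancer would return for qname."""
    link = pick_link(links)
    if link is None or qname not in records:
        return None
    addr = records[qname][link.name]
    # The answer must come out of the chosen ISP's address block.
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(link.prefix):
        raise ValueError(f"{addr} is not inside {link.prefix}")
    return {"name": qname, "ttl": TTL, "address": addr, "via": link.name}

def reachable(addr, links):
    """A literal IP only works while the ISP that owns its block is up."""
    ip = ipaddress.ip_address(addr)
    return any(l.up and ip in ipaddress.ip_network(l.prefix)
               for l in links.values())

def demo():
    links = make_links()
    normal = answer("www.example.com", links)["via"]        # lighter link wins
    links["isp-b"].up = False                                # ISP B fails
    failover = answer("www.example.com", links)["address"]  # DNS users move to A
    pinned = reachable("198.51.100.10", links)               # hard-coded peer does not
    return normal, failover, pinned

if __name__ == "__main__":
    print(demo())
```

Clients that resolve the name follow the answer to the surviving link once the TTL expires; a peer configured with the literal ISP B address stays unreachable until that link returns.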



-----Original Message-----
From: Kim Longenbaugh [mailto:[email protected]]
Sent: Monday, June 03, 2002 10:49 AM
To: [email protected]
Subject: Re: [FW-1] How to connecto to 2 ISP's?


There are at least two ways to use two different ISPs.
One method is to use BGP to handle routing issues.  Hopefully some BGP experts can jump in and advise you on the ins and outs of that solution.

Another method is to use a device like Radware's LinkProof (www.radware.com). You connect the LAN side of the routers from your two ISPs to the 'incoming' side of the LinkProof. The 'outgoing' side of the LinkProof connects to the external interface of your FireWall-1. All the NAT and DNS issues are handled by the LinkProof. Turn NAT off on FW-1 and use private addressing on the external interface. The net effect of having two ISPs coming in to the LinkProof is that you get load balancing and redundancy.

There are other similar products to Radware's LinkProof. Fatpipe has something like this.

>>> [email protected] 06/03/02 08:54AM >>>
Howdy,

for a moment we thought our ISP went bankrupt last week. Fortunately this
turned out not to be the case, however this kind of woke up upper management :-).
So I'm now investigating how to use 2 ISPs for our Internet connection.
Anybody any experience with this? Any links to useful info?
Is this something that should be solved on the firewall level or will some
router magic do the trick?

Thanks in advance,

Nico

---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

   All contents © 2004 Network Presence, LLC. All rights reserved.