Re: [FW-1] How to connect to 2 ISP's?



We solved that problem here with BGP. It's not as hard as it seems. You do
need to get IP space allocated to you (/24 minimum) that the various (2 or more) ISPs
will agree to announce. Your existing IP space may be routable/announceable or not, or
if you are NATing you may not have anything like a /24, in which case you should consider
the Radware Linkproof (which is kind of a NAT failover: you use a set of IPs until that carrier
goes down and then it switches you over via DHCP to the backup). There are some other
devices that give similar functionality and also a new software solution from Rainfinity called
Rainconnect.
BGP requires a beefy router, a 3640 minimum if you want to take full routing tables. This means
128MB of RAM. The actual config is not that bad for a basic one. BGP, like most things, has a lot
of subtlety to it. You can get into MEDs, Communities, Confederations etc. etc., but to run it all you
really need is what I have posted below.
This is an offline response I wrote once for someone.
Don't assume it's all 100% or the only way or whatever. :-) It's just my own experience and what
I've gotten from it.

I hope it helps!

- Joe


PS - search the archives of the ISP-routing list and the ISP-BGP lists! Great info.

------------------------------------------------------------------------
How BGP solves the problem:

Nutshell: your border (edge) router takes in the 2 ISP connections and chooses the best routing
paths. You only need ONE firewall in this case and no fancy setups behind it. Use the 2nd FW
to cluster this main FW if you want (recommended!!). Your servers in question will be reachable
via 1 IP address from either ISP. That's the beauty of it. If one circuit goes down, BGP recalculates
the routing table and within 1-5 minutes it is fully normalized again. Over the past year I have never
had a user notice an outage at any of our offices (we've had 9, one of which lasted a week!).
Our BGP tables converge well enough within the first minute
that local reachability is continuous, or at least appears so. This is a good thing.

Detail:
(I don't know what you already know so forgive me if I hit some basics here)
Border Gateway Protocol v4 (BGP to us) is a dynamic routing protocol. It
looks at routing as hops - much like RIP which I believe is where it came from.
A given network is viewed as an "autonomous system" - each network is assigned
a system number - called an ASN. Each ASN is a hop in BGP.
In North America ASN assignment is handled by ARIN, RIPE in the EU.
You apply for an ASN after you:

1: have multiple ISP connections
2: have routable IP space that both ISP's agree to announce

You make your case to ARIN about why you need this (umm, resiliency?) and if they
approve you, you pay $500 and you're nearly done.

The fundamental definition of an ASN is a network with a unique routing policy, one that
varies enough from what it's connected to that it needs to be recognized as a unique entity.
There are only 65,535 ASNs, so they don't give them out for no reason.

Your router will need to run a BGP session with each of the 2 ISPs in this case. I will
assume you're not a transit network here. What happens at the most basic level could
be this:
You take a routing table from ISP A and another from ISP B - their "views" of the internet. Your router
calculates a new table based on ASN hops, finding the "shortest" distance to get anywhere on the net (using ASN
hops only; it does not look at bandwidth unfortunately!). This is the view from where YOU are. In turn, you "announce"
your internal IP space: you tell the world how to get to your net. Every router on the net gets reachability/routing
info from every other router, and they all update each other on an ongoing basis. Kinda like DNS that way, as BGP can
be thought of as a distributed database in a way (although it is really just a flat file). Your announcements propagate to
your peer routers at your ISPs and in turn to their peers etc. etc. You need at least a /24 to announce.
If you have smaller IP space, you can use devices like a Radware Linkproof which handle the NAT
changeover to go from one ISP to the other. BGP is nicer if you can do it because you get to use both circuits
all the time (you pay for them all the time so...). There is also some new software from Rainfinity which is
supposed to handle this sort of thing too, complete with load balancing (which is not straightforward in BGP).

A really basic config is simple. Here's mine (simplified and sanitized)

router bgp 9876
 no synchronization
 bgp log-neighbor-changes
 network X.Y.10.0 netmask 255.255.254.0
 neighbor A.B.C.D remote-as 1234
 neighbor A.B.C.D description T1 #12345678
 neighbor A.B.C.D version 4
 neighbor A.B.C.D filter-list 1 out
 neighbor D.E.F.G remote-as 5678
 neighbor D.E.F.G description T1 # 987654321
 neighbor D.E.F.G version 4
 neighbor D.E.F.G filter-list 1 out

The top part is us, ASN 9876.
"No synchronization" refers to not waiting for other protocols to update BGP (in case we
run OSPF, iBGP, etc. etc.).
I just announce my /23 network in my part of the config.

Next up is our first peer. I force BGP version 4 and use filter list 1 to control what routes
will come and go during this BGP session.

Next is our 2nd peer with ASN # 5678. Same thing again.
In reality there is more to the config, as the two carriers run BGP differently. Maybe carrier one uses 2 PVCs
running off the loopback, carrier 2 uses communities, etc. etc., and we use an ACL to make sure that we only accept
BGP packets from the proper hosts etc. (do a google on "secure IOS and Secure BGP" and you'll see Rob Thomas's excellent site!)
But they will always provide you with the config you need to connect to them. They have to, because there is no way for you to know
what they need otherwise, so don't sweat it. What you have above is enough to work with though. This will work fine to get you started.
Your part of the BGP clause is up to you, as is the filter list if you choose to use one.

! Filter list 1 looks like this:
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*

This says simply "take in everything I'm sent. Send out only what is local". Do a google on "Avi Friedman" to see where I pinched this!
This kind of list is usually referred to as an "Avi style" list. You'll see why. This keeps you from sending the whole routing table
back to your ISP as well as only "advertising" or announcing what you have reachability for: your own nets. In my case I take what's
called a "full table", every route on the net (a bit over 100,000 routes, or ~70MB worth at the moment). You can take just defaults,
or just carrier routes, or other partial tables. Talk to your providers about what they have available. This will, in turn, ease up
on your memory usage.

Your routing table needs this as well (called nailing the routes):
ip route A.B.C.D 255.255.254.0 T.U.V.W
ip route A.B.C.D 255.255.254.0 Null0 254

This is not essential for it to work, but this is good practice and being a good netizen.
A.B.C.D is your /23 net. T.U.V.W is the gateway in this case. The 2nd route is where you add a "backup route" to this net
so that even if the interface goes down, you don't withdraw the route to your net (the null interface is logical and can't go down).
This is to avoid needless BGP table updates propagating across the net.
-----------------------------------------------------------------------------------
hth

Joe


>>> Nico De Ranter <[email protected]> 06/03/02 09:54AM >>>
Howdy,

for a moment we thought our ISP went bankrupt last week. Fortunately this
turned out not to be the case, however this kind of woke up upper management :-).
So I'm now investigating how to use 2 ISPs for our Internet connection.
Does anybody have any experience with this? Any links to useful info?
Is this something that should be solved on the firewall level, or will some
router magic do the trick?

Thanks in advance,

Nico

---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: [email protected]

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
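The mechanics Joe's reply describes (shortest-AS-path selection across two ISP views, the "Avi style" as-path filter that only lets locally originated prefixes out, and the Null0 "nailed" static that keeps the local prefix in the table when a circuit drops) can be modelled in a few dozen lines. The Python below is an added example, not code from the original message or from any vendor; the ASNs and placeholder addresses are taken from the sample config above, the sample ISP tables are constructed, and the tie-breaker (lowest peer ASN) is a deliberate simplification of BGP's real best-path rules.

```python
import re
from dataclasses import dataclass

# ASNs and the /23 come from the sample config in the reply above; the
# letter-form addresses are placeholders exactly as in the original post.
LOCAL_ASN = 9876
LOCAL_PREFIX = "X.Y.10.0/23"
PEERS = {1234: "A.B.C.D", 5678: "D.E.F.G"}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # ASNs nearest-first; an empty tuple means "originated by us"


# Equivalent of:  ip as-path access-list 1 permit ^$ / deny .*
# Ordered entries, first match wins, implicit deny if nothing matches.
ACL_1 = [("permit", r"^$"), ("deny", r".*")]


def as_path_text(path):
    return " ".join(str(asn) for asn in path)


def acl_permits(acl, route):
    """Evaluate an as-path access-list the way IOS does: each entry is a regex
    over the space-separated AS_PATH and the first matching entry decides."""
    text = as_path_text(route.as_path)
    for action, pattern in acl:
        if re.search(pattern, text):
            return action == "permit"
    return False


def select_best(views):
    """Choose one path per prefix from the peers' tables by shortest AS_PATH
    (ASN hops only, as the post says). Ties go to the lowest peer ASN, which is
    a simplification of the real BGP tie-breakers."""
    best = {}
    for peer_asn in sorted(views):
        for route in views[peer_asn]:
            current = best.get(route.prefix)
            if current is None or len(route.as_path) < len(current[1].as_path):
                best[route.prefix] = (peer_asn, route)
    return best


def outbound_updates(local_routes, best, acl):
    """What would be sent to a peer: every route in the table run through the
    outbound filter, with our own ASN prepended on the way out. With ACL_1 only
    the locally originated /23 survives, so the full table is never echoed back."""
    announced = []
    for route in list(local_routes) + [r for _, r in best.values()]:
        if acl_permits(acl, route):
            announced.append(Route(route.prefix, (LOCAL_ASN,) + route.as_path))
    return announced


# "Nailing" the local prefix: a normal static via the gateway (distance 1) and a
# floating static to Null0 (distance 254) that can never go down.
STATIC_ROUTES = [
    {"prefix": LOCAL_PREFIX, "next_hop": "T.U.V.W", "distance": 1},
    {"prefix": LOCAL_PREFIX, "next_hop": "Null0", "distance": 254},
]


def installed_static(routes, interface_up):
    """Return the next hop actually installed for the local prefix. When the
    gateway interface is down only the Null0 entry remains, so the prefix stays
    in the table and the BGP 'network' statement keeps announcing it."""
    usable = [r for r in routes if r["next_hop"] == "Null0" or interface_up]
    return min(usable, key=lambda r: r["distance"])["next_hop"] if usable else None


def demo():
    # Constructed sample tables as received from each ISP; the first ASN in each
    # path is the ISP itself, as it would be in a real update.
    views = {
        1234: [Route("192.0.2.0/24", (1234, 64500, 64501)),
               Route("198.51.100.0/24", (1234, 64502))],
        5678: [Route("192.0.2.0/24", (5678, 64501)),
               Route("198.51.100.0/24", (5678, 64503, 64502))],
    }
    best = select_best(views)
    local = [Route(LOCAL_PREFIX, ())]
    return best, outbound_updates(local, best, ACL_1)


if __name__ == "__main__":
    best, out = demo()
    for prefix, (peer, route) in best.items():
        print(f"{prefix:18} via AS{peer} ({PEERS[peer]}) path [{as_path_text(route.as_path)}]")
    print("announced to peers:", [(r.prefix, as_path_text(r.as_path)) for r in out])
    print("local prefix next hop with circuit down:", installed_static(STATIC_ROUTES, False))
```

Running it shows each prefix picked from whichever ISP offers the fewer AS hops, a single outbound announcement (the /23 with AS 9876 prepended) no matter how many routes were learned, and the Null0 entry holding the local prefix in the table once the gateway interface is marked down.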


