Great Circle Associates Firewalls
(March 1996)

Subject: Re: Redundant Internet Connections
From: Paul Ferguson <pferguso @ cisco . com>
Date: Sat, 23 Mar 1996 16:41:35 -0500
To: Karl Janice <KJanice_+a_NYPP_+lKarl_Janice+r%NYPP @ mcimail . com>
Cc: Firewalls <firewalls @ GreatCircle . COM>

At 12:56 PM 3/21/96 EST, Karl Janice wrote:

>
>     Is it possible to have one domain name, and relate it to multiple
>     internet service providers. Our company would like to have dual
>     internet connections, we're very paranoid. The goal would be to allow
>     web access to come from one ISP, or the other, with the ability to
>     reroute traffic should there be a loss of carrier.
>

Certainly. I would highly recommend that you familiarize yourself with
BGP(4).  :-)



>     Ideally this would be done without the end user having to make any
>     changes in addressing.
>

This depends on your current address allocation and your upstream
providers' policies on routing certain prefixes.


>     Could this be done with address translation, or are we dreaming?
>
>

Not sure how address translation would fit into the equation; this sounds
like a fairly straightforward multihoming issue.

However, please don't confuse redundancy with load-balancing.
If redundancy is what you're after, then it's pretty much a no-brainer. At least
in comparison to 'load-balancing'.

The complexity of 'load-balancing' traffic across dual or multipaths
greatly depends on whether the dual pipes are homed to different ASs
or the same AS. Also, since BGP picks a 'best' route based upon most
specific prefix and shortest AS_PATH, it becomes an exercise for the
reader to figure out how to manually direct specific portions of
internal traffic [prefixes] in a distributed fashion across multiple
external gateways.

However, in both cases [redundancy & multihoming to different ASes],
there is this pesky issue of announcing a more specific component
over an aggregate. It can be a sticky wicket if your addresses were
allocated by one upstream peer, who may be announcing a larger,
aggregated supernet via one path, and another provider who is now
announcing a more specific prefix path. In all instances, the more
specific prefix is a more preferred path over the aggregate, so your
providers will have to play some games with the routing.

Firewalls could, of course, be placed at each demarcation point, and
function as would a singularly homed network.

- paul

--
Paul Ferguson                                           ||        ||
Consulting Engineering                                  ||        ||
Reston, Virginia   USA                                 ||||      ||||
tel: +1.703.716.9538                               ..:||||||:..:||||||:..
e-mail: pferguso @ cisco . com                          c i s c o S y s t e m s

