Re: [fw-wiz] dual ISP connections



I had BGP links at my last job (and will again soon!). Load balancing is
fine for outgoing connections but if you have incoming connections for
services you are hosting, this would be trickier. Mind you, my experience is
from being an ISP/Hosting provider.

James,

How does the DNS handle link failure? Do you run an offsite DNS system that
returns resolutions based on monitoring results? Does every host in your
environment need 2 IP addresses (1 for each link)? How does this cope with
TTL expiry to cut over between failed links? I am not questioning that it can
be done; I am just curious how you would do it.

Brian,

If you are just hosting the odd service for yourself, I believe that the
solution that James mentioned will probably do quite well and with far less
hassle than ASNs and /24s. If you need to run a large hosting environment,
then it may be the path of pain...

My AU$0.02...

M@

-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of James
Paterson
Sent: Wednesday, June 28, 2006 12:12 AM
To: Firewall Wizards Security Mailing List; Firewall Wizards Security
Mailing List
Subject: Re: [fw-wiz] dual ISP connections

We went through this same thing several years back. BGP is a large
hassle that is really not necessary these days; you can get devices made
by several vendors that handle this type of high availability / load
balancing. Radware's LinkProof and F5's Big IP are a couple, and there are
many more. No need for ASNs, no need for a full /24 network; it all
works via DNS.

Cheers
James


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Mathew Want
Sent: Sunday, June 25, 2006 9:34 PM
To: 'Firewall Wizards Security Mailing List'
Subject: Re: [fw-wiz] dual ISP connections

Brian,

If the connections are through 2 separate ISPs then you need to run BGP
for routing. As for IP addresses, you need to apply for an AS number and
a /24 (minimum) from the more helpful of your ISPs or directly from the
designated IP allocator for your geographic region (ARIN, APNIC etc).

You must have /24 as the internet routing tables do not support routes
smaller than this anymore.

M@


-----Original Message-----
From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
Brian Loe
Sent: Friday, June 23, 2006 10:59 AM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] dual ISP connections

What is the standard, these days, for configuring dual ISP connections,
so far as routing and IPs go, when your company doesn't own a public IP
range?

I'll go into the details of how they're doing it here right now, but I'd
rather wait to show my ignorance...
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



