> -----Original Message-----
> From: Alvin Oga [mailto:[EMAIL PROTECTED]]
> Sent: Monday, July 09, 2001 6:06 PM
> To: Ben Nagy
> Cc: 'Alvin Oga'; '[EMAIL PROTECTED]'
> Subject: RE: Multi-homed Internet connection
> 
> 
> 
> hi ben...
> 
> it's a simplified drawing...

Maybe you should have used the complex one. ;)

> am just saying that if someone wants  www.foo.com ( 1.2.3.4 ) to
> be routed via isp#1..... 
> they can not also have www.foo.com routed by isp#2

Not if it's the same IP address, no. There's a large chunk of DNS tricks and
products that exist to provide an answer to the multihoming problem for
inbound traffic. They can be as simple as RR DNS records and they can get
extremely complex (Distributed Director, for example).

> if they want incoming traffic for www.foo.com to arrive from
> either  isp#1 or isp#2... they'd need to be using "autonomous"(?)
> ip# that is routable by BOTH isp

They need a fully fledged AS, yes. The inbound traffic will only ever enter
their AS through one path at a time, though. That's just how BGP works. It
doesn't ever load balance, it installs the best route and sticks to it.

> for outgoing traffic... that's locally handled by ifconfig and metric
> for the route

Not unless you're running some unusually impressive routing on your firewall
it's not. Static routes will not do this - a box with equal metric statics
will normally pick one path and send everything out of it - so load
balancing is probably out of the question. Normally it's quite difficult to
have standby or "floating" backup routes using statics only, as well. Your
behaviour on losing one route will be fairly implementation dependent. I
suspect that in most cases the firewall will never use the higher metric
route - and only ever when layer two goes down on the ethernet (so you'd
need a crossover cable).

The "correct" way to solve this problem, as several other people mentioned,
is to do the multihoming on a router, not the firewall. Interestingly, I
believe that IN THEORY, you can do this Cute Hack:

Get a Cisco router. Turn on netflow. Have two external ISPs, and NAT your
internal space into two pools using route-maps. Load balance the external
routes using EIGRP or OSPF. Netflow's caching mechanism should then send all
packets for a given TCP session via the same path (which solves a problem
that should be obvious if you're even thinking about trying this). YMMV with
non-TCP traffic.

I haven't tried this, though, sorry. [1]

> i combined the "gateway" into the firewall...
>       - one box that converts local internal LAN as a gateway
>       to either isp...
> 
> nothing fancy in this config...

I noticed. That's why I pointed out that it wouldn't work.

> other than the same routable ip#
> by two different ISPs  to get to the same www.foo.com
>       - the two ISPs can figure out amongst themselves who
>       can deliver that traffic at that instant ... I don't know
>       what protocol they use ...

They use BGP. They can't just "work it out" though - your firewall would
need to run BGP and have two eBGP peers, the way you've drawn your diagram.
Part of having a real AS is the responsibility to run BGP.
 
> have fun
> alvin

Cheers,

[1] This scheme courtesy of my friend AndrewR.
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304 
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
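The "Cute Hack" above (two ISPs, two NAT pools, and a flow cache so that every packet of a TCP session leaves by the same path) is easier to reason about with a small simulation. The following is an added example written for this page, not code from the original post or from Cisco; the ISP names, NAT pool addresses (taken from the RFC 5737 documentation ranges), the packet fields and the two sample TCP sessions are all constructed for illustration. It contrasts per-packet equal-cost load sharing, which hands a single session to both NAT pools and so presents two different source addresses to the remote host, with first-packet flow pinning, which keeps each session on one path and one pool.

```python
"""Simulation of per-packet vs. per-flow egress selection with two NAT pools.

Added example for illustration only; addresses, flows and router behaviour are
constructed and do not model any particular vendor's implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical upstreams, each with one provider-assigned NAT pool address.
ISPS: Dict[str, str] = {
    "isp1": "198.51.100.1",  # assumed NAT pool for path 1 (documentation range)
    "isp2": "203.0.113.1",   # assumed NAT pool for path 2 (documentation range)
}

# A flow is identified by the usual 5-tuple. Note the caveat from the post:
# protocols without ports (ICMP, many tunnels) collapse to a weaker key, which
# is why non-TCP traffic is harder to pin reliably.
FlowKey = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def flow_key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


class PerPacketRouter:
    """Equal-cost load sharing decided afresh for every packet (round-robin).

    This is the failure mode the post warns about: successive packets of one
    session alternate between paths, and therefore between NAT pools.
    """

    def __init__(self) -> None:
        self._paths: List[str] = list(ISPS)
        self._next = 0

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        path = self._paths[self._next % len(self._paths)]
        self._next += 1
        return path, ISPS[path]


class FlowCachedRouter:
    """The first packet of a flow picks a path; a cache pins later packets to it.

    This models the role the post assigns to the flow cache: the load sharing
    still happens, but at flow granularity, so each session sees one NAT pool.
    """

    def __init__(self) -> None:
        self._paths: List[str] = list(ISPS)
        self._next = 0
        self._cache: Dict[FlowKey, str] = {}

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        key = pkt.flow_key()
        path = self._cache.get(key)
        if path is None:
            path = self._paths[self._next % len(self._paths)]
            self._next += 1
            self._cache[key] = path
        return path, ISPS[path]


def translated_sources(router, packets: List[Packet]) -> Dict[FlowKey, Set[str]]:
    """Return, per flow, the set of NAT source addresses the remote host sees."""
    seen: Dict[FlowKey, Set[str]] = {}
    for pkt in packets:
        _, nat_src = router.forward(pkt)
        seen.setdefault(pkt.flow_key(), set()).add(nat_src)
    return seen


def sessions_consistent(router, packets: List[Packet]) -> bool:
    """True only if every flow was translated to exactly one source address."""
    return all(len(srcs) == 1 for srcs in translated_sources(router, packets).values())


# Constructed traffic: two TCP sessions of five packets each, sent back to back.
SESSION_A = [Packet("10.0.0.5", "192.0.2.80", 40000, 80) for _ in range(5)]
SESSION_B = [Packet("10.0.0.7", "192.0.2.80", 40001, 80) for _ in range(5)]
TRAFFIC = SESSION_A + SESSION_B

if __name__ == "__main__":
    for name, router in (("per-packet", PerPacketRouter()), ("flow-cached", FlowCachedRouter())):
        print(f"{name}: consistent={sessions_consistent(router, TRAFFIC)}")
        for key, srcs in translated_sources(type(router)(), TRAFFIC).items():
            print(f"  {key[0]}:{key[2]} -> seen from {sorted(srcs)}")
```

Running it shows the per-packet router presenting both pool addresses for each session (a real peer would see packets from two different hosts in one TCP connection and reset it), while the flow-cached router keeps session A on isp1 and session B on isp2. Nothing here changes what BGP does for inbound traffic; it only illustrates the outbound half of the hack.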