[115080] in North American Network Operators' Group
RE: Multi site BGP Routing design
daemon@ATHENA.MIT.EDU (John.Herbert@ins.com)
Fri Jun 5 20:44:49 2009
From: <John.Herbert@ins.com>
To: <steve@ibctech.ca>
Date: Fri, 5 Jun 2009 19:43:59 -0500
In-Reply-To: <4A29BAE3.2050006@ibctech.ca>
Cc: nanog@nanog.org
Steve,
Agreed. I'm not suggesting that a tunnel is the ultimate best solution, but rather just pointing out that if you go with a tunnel, it's worth remembering that it's going unencrypted over a public network rather than site to site over a private link.
j.
________________________________
From: Steve Bertrand [steve@ibctech.ca]
Sent: Friday, June 05, 2009 20:40
To: Herbert, John
Cc: cmadams@hiwaay.net; nanog@nanog.org
Subject: Re: Multi site BGP Routing design
John.Herbert@ins.com wrote:
> Depending on your security policies you may want to encrypt said tunnel also.
>
> Other than that, it all depends on it all depends. For example - if you receive / or have a default route pointing to the ISP, then the fact you have the same AS and won't receive the other site's routes in BGP doesn't matter at all - you'll follow a default from site 1 to the ISP, and the ISP will have a route to site 2 and can pass the traffic in the right direction. If you don't mind your traffic being passed unencrypted over the Internet, that is. You'll obviously need to adapt your firewall policies to allow for that flow as well.
Personally, I don't really like the tunnel idea... I've had to deal with
them for v6 connectivity, and they seem so 'ugly'.
My first thoughts were about de-aggregation, but since he's already
advertising different space out of each site, that became irrelevant.
I was just thinking that two AS numbers would be the cleanest, easiest
to maintain method for him to take.
Certainly tunnelling did go through my mind though to ensure
site-to-site peering over the Internet.
Steve