[119131] in North American Network Operators' Group
Re: Failover how much complexity will it add?
daemon@ATHENA.MIT.EDU (adel@baklawasecrets.com)
Sun Nov 8 12:34:48 2009
To: <nanog@nanog.org>
Date: Sun, 08 Nov 2009 17:34:08 +0000
From: adel@baklawasecrets.com
Reply-To: adel@baklawasecrets.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Thanks for all your comments guys. With regards to bgp I did
think about placing two bgp routers in front of the ssg's. However
my limited understanding makes me think that if I had two bgp
connections from different providers I would still have issues. So
I guess that if my primary Internet goes down I lose connectivity
to all the publicly addressed devices on that connection. Like
dmz hosts and so on. I would be interested to hear how this
can be avoided if at all or do I have to use the same provider.
I should add that we currently have provisioned two ssg in ha
mode. Also is terminating bgp on the ssg also an option? I really
like the flexibility of route based VPN with addressable tun interfaces.
Thanks
adel
On Sun 3:47 PM , "Joe Maimon" jmaimon@ttec.com sent:
>
> adel@baklawasecrets.com wrote:
> > HI,
> >
> >
> > Now I couldn't get any good answers as to why
> > Internet connections 1 and 2 need to be separate. I think the idea was to
> > make sure that there was enough bandwidth for the third party support VPN.
> > I feel that I can consolidate this into one connection and just use rate
> > limiting to reserve some portion of the bandwidth on the connection and
> > this should be fine. Now if I was to do this then I can make a case for
> > just having one backup Internet connection. However I'm still concerned
> > about failover and reliability issues. So my questions regarding this
> > are:
> >
>
> I wouldn't jump to any conclusions that everything will work properly if
> you are terminating multiple connections directly on the SSG, what with
> egress likely being different than the ingress, even if you are using
> the same IP range (BGP) on all the links.
>
> You could really be asking for trouble if you are planning on using a
> different ISP provided IP range on each connection for each purpose.
>
> Front it all with routers that can policy route, whether or not you also
> use BGP.
>
>
> Joe