[119140] in North American Network Operators' Group


Re: Failover how much complexity will it add?

daemon@ATHENA.MIT.EDU (adel@baklawasecrets.com)
Sun Nov 8 16:40:12 2009

To: <nanog@nanog.org>
Date: Sun, 08 Nov 2009 21:39:33 +0000
From: adel@baklawasecrets.com
Reply-To: adel@baklawasecrets.com
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


Hi,

Ok thanks for clearing that up.  I'm getting some good feedback on applying
for PI and ASN through Ripe LIRs over on the UKNOF so I think I have a handle
on this.
With regards to BGP and using separate BGP routers.  I am announcing my PI
space to my upstreams, but I don't need to carry a full Internet routing
table, correct?
So I can get away with some "lightweight" BGP routers not being an ISP if
that makes sense?

Adel



On Sun 9:26 PM, Ken Gilmour <ken.gilmour@gmail.com> wrote:

> Hey,
>
> Yes you apply to RIPE for your allocation. You should ask them for a
> /20 since it's the same price for that as a /24 if you can justify it
> (at least with LACNIC where I now get my allocations)...
>
> You will also need to apply for an ASN
>
> Correct - the block belongs to you and as long as you contact the
> transit provider from the address listed in WHOIS then you should be
> able to set up a new agreement easily.
>
> Yes the block is PI space (provider independent)
>
> It can take up to 1 month to get your assignments.
>
> I would recommend getting some different routers for this. I use
> OpenBSD in some of my locations which is extremely easy to work with.
> I also have some old NS-208 devices running ScreenOS for internal BGP
> in one other location. I would not recommend using any router with
> less than 1GB of RAM for BGP. In HA mode you can connect the two
> tails, one to each SSG (if they are in active-active mode) and
> announce it that way (check out anycast), we also do this :).
>
> The way BGP works is that both connections are active at the same
> time, there is no primary and backup, if one goes down you just have
> one less to receive traffic over and more traffic on the other, but
> unless you stop announcing from one connection traffic will go over
> both.
>
> Regards,
>
> Ken
>
> 2009/11/8 :
> > Don't think I sent the below to the list, so resending:
> >
> > Thanks Seth and James,
> >
> > Things are getting a lot clearer. The BGP multihoming solution
> > sounds like exactly what I want. I have more questions :-)
> >
> > Now I suppose I would get my allocation from RIPE as I am UK based?
> >
> > Do I also need to apply for an AS number?
> >
> > As the IP block is "mine", it is ISP independent, i.e. I can take
> > it with me when I decide to use two completely different ISPs?
> >
> > Is the obtaining of this IP block what is referred to as PI space?
> >
> > Of course internally I split the /24 up however I want - /28 for
> > untrust range and maybe a routed DMZ block etc.?
> >
> > Assuming I apply for IP block and AS number, what's involved and how
> > long does it take to get these babies?
> >
> > I know the SSG550's have BGP capabilities. As I have two of these in
> > HA mode, does it make sense to do the BGP on these, or should I get
> > dedicated BGP routers?
> >
> > Fixing the internal routing policy so traffic is directed at the
> > active BGP connection. What's involved here, preferring one BGP link
> > over the other?
> >
> > Thanks again, I obviously need to do some reading of my own, but
> > all the suggestions so far have been very valuable and definitely
> > seem to be pointing in some fruitful directions.
> >
> > Adel
> >
> >
> >
> >
> > On Sun 6:31 PM, James Hess wrote:
> >
> >> On Sun, Nov 8, 2009 at 11:34 AM,  wrote:
> >> [..]
> >> > connections from different providers I would still have issues. So
> >> > I guess that if my primary Internet goes down I lose connectivity
> >> > to all the publicly addressed devices on that connection. Like
> >> > dmz hosts and so on. =C2=A0I would be interested to hear how this
> >> > can be avoided if at all or do I have to use the same provider.
> >>
> >> You assign multi-homed IP address space to your publicly addressed
> >> devices,
> >> which are not specific to either ISP. You announce to both ISPs, and
> >> you accept some routes from both ISPs.
> >>
> >> You get multi-homed IPs, either by having an existing ARIN allocation,
> >> or getting a /22 from ARIN (special allocation available for
> >> multi-homing), or ask for a /24 from ISP A or ISP B for
> >> multihoming.
> >>
> >> If Link A fails, the BGP session eventually times out and dies: ISP
> >> A's BGP routers withdraw the routes, the IP addresses are then
> >> associated only with provider B.
> >>
> >> And you design your internal routing policy to direct traffic
> >> within your network to the router with an active BGP session.
> >>
> >> Link A's failure is _not_ a total non-event, but a 3-5 minute partial
> >> disruption, while the BGP session times out and updates occur in other
> >> people's routers, is minimal compared to a 3 day outage, if serious
> >> repairs to upstream fiber are required.
> >>
> >> --
> >> -J
> >>
> >>
> >>
> >
> >
>
>
>

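A toy model of the failover timing James describes above (both upstream sessions active, the dead link's routes only withdrawn once its BGP hold timer expires), added here as an illustration and not code from anyone in the thread. It assumes the BGP default hold time of 180 seconds with 60-second keepalives, a single default route accepted from each upstream rather than a full table, and constructed peer names ISP-A and ISP-B.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    """One eBGP session to an upstream; 'up' means its routes are usable."""
    name: str
    last_keepalive: float = 0.0
    up: bool = True
    # Assumption: a small edge site accepts only a default route, not the full table.
    routes: set = field(default_factory=lambda: {"0.0.0.0/0"})

class DualHomedEdge:
    """Edge router with two upstream sessions (the thread's ISP A / ISP B)."""
    def __init__(self, names, hold_time=180):
        self.hold_time = hold_time          # seconds; 180 is the BGP default
        self.sessions = {n: Session(n) for n in names}

    def keepalive(self, name, now):
        s = self.sessions[name]
        s.last_keepalive = now
        s.up = True                         # a fresh keepalive keeps the peer established

    def tick(self, now):
        """Expire any session whose hold timer ran out, then list usable upstreams."""
        for s in self.sessions.values():
            if s.up and now - s.last_keepalive > self.hold_time:
                s.up = False                # hold timer expired: this peer's routes are withdrawn
        return sorted(n for n, s in self.sessions.items() if s.up)

def failover_timeline(link_a_dies_at, end, hold_time=180, keepalive=60, step=30):
    """Return [(t, usable upstreams)] when ISP-A's link silently dies at link_a_dies_at."""
    edge = DualHomedEdge(["ISP-A", "ISP-B"], hold_time)
    timeline = []
    for t in range(0, end + 1, step):
        if t % keepalive == 0:
            if t < link_a_dies_at:          # after this point A's keepalives never arrive
                edge.keepalive("ISP-A", t)
            edge.keepalive("ISP-B", t)
        timeline.append((t, edge.tick(t)))
    return timeline

def blackhole_window(timeline, link_a_dies_at):
    """Seconds during which traffic is still sent toward dead ISP-A before BGP notices."""
    for t, paths in timeline:
        if t >= link_a_dies_at and "ISP-A" not in paths:
            return t - link_a_dies_at
    return None
```

The gap returned by blackhole_window is the partial-disruption window from the thread: the edge still considers ISP-A usable until the hold timer fires, and shorter hold/keepalive timers are what narrow it.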
