[176290] in North American Network Operators' Group
Re: Multi-homing with multiple ASNs
daemon@ATHENA.MIT.EDU (Jason Bothe)
Sun Nov 23 23:04:33 2014
X-Original-To: nanog@nanog.org
In-Reply-To: <CAP-guGXU2iGB-4RzR0hF7tTxPYV4tX+19kxjHZwUcgpHAL_0TA@mail.gmail.com>
From: Jason Bothe <jason@rice.edu>
Date: Sun, 23 Nov 2014 18:11:20 -0600
To: William Herrin <bill@herrin.us>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
Agreed. You could still receive their routes and no/export your AS but I wouldn't go beyond the firewall.
Jason Bothe, Manager of Networking
Rice University
o +1 713 348 5500
m +1 713 703 3552
jason@rice.edu
> On Nov 23, 2014, at 17:57, William Herrin <bill@herrin.us> wrote:
>
> On Fri, Nov 21, 2014 at 9:49 AM, Curtis L. Parish <Curtis.Parish@mtsu.edu> wrote:
>> We advertise our ASN into the state network with more specific routes
>> that we advertise via ISP2 via our ASN. This is done because the
>> state (vendor managed) network runs stateful firewalls and we have
>> to force other multi-home entities on the state network to use our
>> state connection instead of ISP2. Our network has been removed
>> from the state firewall due to previous problems with asymmetric
>> routing with our I2 circuit.
>
> Hi Curtis,
>
> As you've already noted, the presence of a stateful firewall beyond your
> BGP border is inimical to BGP multihoming. Traffic between two multihomed
> networks must never cross a stateful firewall that is outside both
> networks' borders. Practically speaking, there will be asymmetry, path
> flapping, per-packet load balancing and other quirks at locations outside
> your control. The Internet DFZ is a chaotic system. Over time you won't be
> able to make the packets reliably transit the firewall.
>
> It sounds like this is a learning experience for both you and the folks at
> the state network. If you have a friendly relationship with them, now would
> be a good time to visit and talk about what are likely to be significant
> changes to their network architecture to make multihomed users feasible.
> Preferably with the help of a local consultant who has BGP expertise.
>
> If that doesn't sound like it would be a productive conversation then I
> suggest you consider three different options:
>
> 1. Return to the state network alone,
>
> 2. Replace your state network connection with another commercial ISP,
>
> 3. Add an additional commercial ISP for the sake of your Internet access
> needs, drop the BGP advertisements with the state network and then
> implement resources which should only transit the state network using IP
> addresses assigned by the state network rather than your BGP addresses.
>
>> Here is a question. I know that having one network advertised by
>> multiple ASNs is unconventional and thus it will probably be harder
>> to get help troubleshooting routing problems when they arise. Do you
>> see a situation where our network might be caught in a loop or black
>> hole due to asymmetric routing and conflicting advertisements?
>
> Yes. And frequently. You have this thing balanced on the head of a pin.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin ................ herrin@dirtside.com bill@herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
> May I solve your unusual networking challenges?
>
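
An added example, not part of either message in this thread: one way to check border flow records for the condition discussed above, where the two directions of a conversation (or one direction over time) use different upstream links, so a stateful firewall on only one of those links sees an incomplete session. The link labels `state` and `isp2`, the record layout and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records, one per observed packet direction:
# (border link, src IP, dst IP, src port, dst port, protocol)
SAMPLE = [
    # Symmetric: both directions cross the state network link.
    ("state", "192.0.2.10", "198.51.100.7", 40112, 443, "tcp"),
    ("state", "198.51.100.7", "192.0.2.10", 443, 40112, "tcp"),
    # Asymmetric: request leaves via the state network, reply returns via ISP2.
    ("state", "192.0.2.11", "203.0.113.9", 51515, 22, "tcp"),
    ("isp2", "203.0.113.9", "192.0.2.11", 22, 51515, "tcp"),
    # One direction only on one link: nothing to compare, not flagged.
    ("isp2", "192.0.2.12", "203.0.113.20", 33000, 53, "udp"),
]


def flow_key(src, dst, sport, dport, proto):
    """Direction-independent key so both halves of a session match."""
    ends = sorted([(src, sport), (dst, dport)])
    return (proto, ends[0], ends[1])


def asymmetric_flows(records):
    """Return {flow_key: sorted links} for sessions seen on more than one link.

    Covers both a forward/reverse split and a single direction that
    moved between links (path flapping or per-packet load balancing).
    """
    links_by_flow = defaultdict(set)
    for link, src, dst, sport, dport, proto in records:
        links_by_flow[flow_key(src, dst, sport, dport, proto)].add(link)
    return {
        key: sorted(links)
        for key, links in links_by_flow.items()
        if len(links) > 1
    }


if __name__ == "__main__":
    for key, links in asymmetric_flows(SAMPLE).items():
        proto, a, b = key
        print(f"{proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]} seen on {', '.join(links)}")
```
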