Secure multi-homing Internet Access
Martin Picard
mpicard at sinc.ca
Wed Mar 21 02:24:29 UTC 2001
Hi all,

Due to many different factors, including different filtering policies, multi-homing to different providers might not provide the same Internet view, or even reachability.

Default-routing to the upstream ISPs therefore seems not to be the way to go. Instead, full BGP tables can be kept on the enterprise border routers, and default routes can be originated on these border routers and injected into the enterprise IGP.

iBGP is used between the enterprise border routers. From any router in the enterprise network, the IGP metric is used to get to the nearest border router, and then the best BGP route is selected, which could very well be on one of its iBGP peers. Therefore traffic can flow from any router to Border1, then Border2, then the upstream ISP router. (Assuming there is a direct path between Border1 and Border2 (tunnels, MPLS-LSP, etc.).)

Everything's fine (at least I think so) until we throw in some Firewalls!!! They either ought to be on the eBGP path or on the iBGP path. That is, between the enterprise border router and the upstream ISP router, or between the enterprise border router and the enterprise network. Putting the firewall on the iBGP path can lead to routing loops, since the firewall will only have a default route to the local border router. When putting the firewall on the eBGP path, it defaults to its outside interface toward the upstream ISP router and has the enterprise address block on its inside interface. So far so good, but that means that the upstream ISP media type has to be supported by the firewall: OC3, OC12!!!! ;-(

And in any case the firewall has to provide proper throughput!!! ;-(

How are large enterprises implementing secure multi-homed Internet access? And to what type of bandwidth does this scale?

tx
martin
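The routing loop Martin describes (firewall on the iBGP path, holding only a default toward its local border router, while that border router's best BGP path points at the other border via the enterprise IGP) is easy to reproduce with a hop-by-hop forwarding simulation. The block below is an added example, not code from the post or from any vendor; the topology (core router R, firewalls FW1/FW2 inside Border1/Border2, upstreams ISP1/ISP2), the enterprise block 10.0.0.0/8 and the prefix 198.51.100.0/24 "best reached via ISP2" are all constructed assumptions. It traces the same destination twice: once with Border1 resolving its iBGP next hop through the inside network (through FW1), and once with the direct Border1-Border2 path the post says must exist.

```python
"""Forwarding simulation of the two-border, default-route-into-IGP design.

Constructed topology (an assumption, not from the post): core router R,
firewalls FW1/FW2 on the inside of Border1/Border2, upstreams ISP1/ISP2.
Each node has a tiny FIB; trace() walks the FIBs hop by hop with
longest-prefix match and reports a loop as soon as a node repeats.
"""
import ipaddress

ENTERPRISE = "10.0.0.0/8"          # assumed enterprise address block
ISP2_CUSTOMER = "198.51.100.0/24"  # assumed prefix whose best BGP path is via Border2/ISP2
DEFAULT = "0.0.0.0/0"


class Node:
    def __init__(self, name):
        self.name = name
        self.fib = []  # (network, next-hop name); next hop None = deliver locally / sink

    def route(self, prefix, next_hop):
        self.fib.append((ipaddress.ip_network(prefix), next_hop))
        return self

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None if no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.fib:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def trace(nodes, start, dst, max_hops=32):
    """Follow the FIBs from `start` toward `dst`.

    Returns ("delivered" | "loop" | "no_route", path_of_node_names).
    """
    path = [start]
    seen = {start}
    cur = start
    for _ in range(max_hops):
        hit = nodes[cur].lookup(dst)
        if hit is None:
            return "no_route", path
        nh = hit[1]
        if nh is None:
            return "delivered", path
        path.append(nh)
        if nh in seen:          # revisiting a node = forwarding loop
            return "loop", path
        seen.add(nh)
        cur = nh
    return "loop", path


def build(direct_border_link):
    """Firewalls sit on the iBGP (inside) path, each with only a default
    toward its local border router. With direct_border_link=False, Border1
    reaches its iBGP next hop (Border2) through the enterprise IGP, i.e. by
    handing the packet to FW1; with True it uses a direct tunnel/LSP."""
    n = {name: Node(name) for name in
         ("R", "FW1", "FW2", "Border1", "Border2", "ISP1", "ISP2")}
    # Core router: nearest border by IGP metric is Border1, reached via FW1.
    n["R"].route(ENTERPRISE, None).route(DEFAULT, "FW1")
    # Firewalls: enterprise block inside, everything else to the local border.
    n["FW1"].route(ENTERPRISE, "R").route(DEFAULT, "Border1")
    n["FW2"].route(ENTERPRISE, "R").route(DEFAULT, "Border2")
    # Border routers: full table abstracted to "default via own ISP" plus one
    # prefix whose BGP best path is via the other border (learned over iBGP).
    n["Border1"].route(ENTERPRISE, "FW1").route(DEFAULT, "ISP1")
    n["Border1"].route(ISP2_CUSTOMER, "Border2" if direct_border_link else "FW1")
    n["Border2"].route(ENTERPRISE, "FW2").route(DEFAULT, "ISP2")
    n["Border2"].route(ISP2_CUSTOMER, "ISP2")
    # Upstreams are sinks for this simulation.
    n["ISP1"].route(DEFAULT, None)
    n["ISP2"].route(DEFAULT, None)
    return n


if __name__ == "__main__":
    for direct in (False, True):
        status, path = trace(build(direct), "R", "198.51.100.10")
        print(f"direct Border1-Border2 path={direct}: {status}: {' -> '.join(path)}")
```

Without the direct path the packet bounces Border1 -> FW1 -> Border1, because FW1's only route for a non-enterprise destination is its default back to the border router; with the direct path it goes R -> FW1 -> Border1 -> Border2 -> ISP2. The same trace can be re-run for a destination best reached via ISP1 (e.g. 203.0.113.5) to confirm the common case is unaffected either way.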