Failover how much complexity will it add?

Joe Maimon jmaimon at
Sun Nov 8 15:47:35 UTC 2009

adel at wrote:
> HI,
> Now I couldn't get any good answers as to why Internet connections 1 and 2 need to be separate.  I think the idea was to make sure that there was enough bandwidth for the third party support VPN.  I feel that I can consolidate this into one connection and just use rate limiting to reserve some portion of the bandwidth on the connection and this should be fine.  Now if I was to do this then I can make a case for just having one backup Internet connection.  However I'm still concerned about failover and reliability issues.  So my questions regarding this are:

I wouldnt jump to any conclusions that everything will work properly if 
you are terminating multiple connections directly on the SSG, what with 
egress likely being different than the ingress, even if you are using 
the same IP range (BGP) on all the links.

You could really be asking for trouble if you are planning on using a 
different ISP provided IP range on each connection for each purpose.

Front it all with routers that can policy route, whether or not you also 
use BGP.


More information about the NANOG mailing list