Multi-homing with multiple ASNs

• Previous message (by thread): Multi-homing with multiple ASNs
• Next message (by thread): Multi-homing with multiple ASNs
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Nov 21, 2014 at 9:49 AM, Curtis L. Parish <Curtis.Parish at mtsu.edu>
wrote:
> We advertise our ASN into the state network with more specific routes
> that we advertise via ISP2 via our ASN.    This is done because the
> state (vendor managed) network runs stateful firewalls and we have
> to force other multi-home entities on the state network to use our
> state connection instead of ISP2.   Our network has been removed
> from the state firewall due to previous problems with asymmetric
> routing with our I2 circuit.

Hi Curtis,

As you've already noted, the presence of a stateful firewall beyond your
BGP border is inimical to BGP multihoming. Traffic between two multihomed
networks must never cross a stateful firewall that is outside both
networks' borders. Practically speaking, there will asymmetry, path
flapping, per-packet load balancing and other quirks at locations outside
your control. The Internet DFZ is a chaotic system. Over time you won't be
able to make the packets reliably transit the firewall.

It sounds like this is a learning experience for both you and the folks at
the state network. If you have a friendly relationship with them, now would
be a good time to visit and talk about what are likely to be significant
changes to their network architecture to make multihomed users feasible.
Preferably with a the help of a local consultant who has BGP expertise.

If that doesn't sound like it would be a productive conversation then I
suggest you consider three different options:

1. Return to the state network alone,

2. Replace your state network connection with another commercial ISP,

3. Add an additional commercial ISP for the sake of your Internet access
needs, drop the BGP advertisements with the state network and then
implement resources which should only transit the state network using IP
addresses assigned by the state network rather than your BGP addresses.



> Here is a question.   I know that having one network advertised by
multiple ASNs
> is unconventional and thus it will probably be harder to get help
troubleshooting
> routing problems when they arise.    Do you see a situation where our
network
> might be caught in a loop or black hole due to asymmetric routing and
conflicting advertisements?

Yes. And frequently. You have this thing balanced on the head of a pin.

Regards,
Bill Herrin




--
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
May I solve your unusual networking challenges?

• Previous message (by thread): Multi-homing with multiple ASNs
• Next message (by thread): Multi-homing with multiple ASNs
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]