Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Secure multi-homing Internet Access

  • From: Martin Picard
  • Date: Tue Mar 20 22:25:20 2001

Hi all,

  Due to many different factors, including different filtering policies,
  multi-homing to different providers might not provide the same Internet
  view, or even reachability. Default-routing to the upstream ISPs therefore
  seems not to be the way to go. Instead, full BGP tables can be kept on the
  enterprise border routers and default routes can be originated on these
  border routers and injected in the enterprise IGP. iBGP is used between
  the enterprise border routers. From any router in the enterprise network,
  the IGP metric is used to get to the nearest border router, and then the
  best BGP route is selected, which could very well be on one of its iBGP
  peers. Therefore traffic can flow from any router to Border1, then
  Border2, then the upstream ISP router. (Assuming there is a direct path
  between Border1 and Border2 (tunnels, MPLS-LSP, etc)).

  Everything's fine (at least I think so) until we throw in some
  Firewalls !!! They either ought to be on the eBGP path or on the iBGP
  path. That is, between the enterprise border router and the upstream ISP
  router, or between the enterprise border router and the enterprise
  network. Putting the firewall on the iBGP path can lead to routing loops
  since the firewall will only have a default route to the local border
  router. When putting the firewall on the eBGP path, it defaults to its
  outside interface toward the upstream ISP router and has the enterprise
  address block on its inside interface. So far so good, but that means
  that the upstream ISP media type has to be supported by the firewall:
  oc3, oc12 !!!! ;-(
  And in any case the firewall has to provide proper throughput !!! ;-(

  How are large enterprises implementing secure multi-home internet access ?
  And to what type of bandwidth does this scale ?

  tx
  martin
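
The two firewall placements described in the message above, modelled hop by hop as an added example that is not part of the original post. The node names, the prefixes and the assumption that Border1 reaches Border2 through its own firewall when the firewalls sit on the iBGP path are all constructed for illustration.

```python
import ipaddress

DST = "203.0.113.10"   # constructed destination whose best BGP path is via ISP2
ENT = "10.0.0.0/8"     # constructed enterprise address block

def lookup(fib, dst):
    """Longest-prefix match; fib maps prefix string -> next-hop node name."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in fib.items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(fibs, src, dst):
    """Forward hop by hop; revisiting a node means a forwarding loop."""
    path, node = [src], src
    while node in fibs:
        nxt = lookup(fibs[node], dst)
        if nxt is None:
            return path, "no-route"
        path.append(nxt)
        if path.count(nxt) > 1:
            return path, "loop"
        node = nxt
    return path, "delivered"   # left the modelled network (upstream ISP)

# Firewalls between each border router and the enterprise network (iBGP path).
# Forwarding next hops are shown already resolved from the BGP next hop.
IBGP_PATH = {
    "core":    {"0.0.0.0/0": "fw1"},                   # IGP default, nearest border
    "fw1":     {"0.0.0.0/0": "border1", ENT: "core"},  # default route only
    "border1": {"203.0.113.0/24": "fw1", ENT: "fw1"},  # best path via border2, behind fw1
    "fw2":     {"0.0.0.0/0": "border2", ENT: "core"},
    "border2": {"203.0.113.0/24": "isp2", ENT: "fw2"},
}

# Firewalls between each border router and its upstream ISP (eBGP path),
# with a direct Border1-Border2 path as the message assumes.
EBGP_PATH = {
    "core":    {"0.0.0.0/0": "border1"},
    "border1": {"203.0.113.0/24": "border2", ENT: "core"},
    "border2": {"203.0.113.0/24": "fw2", ENT: "core"},
    "fw2":     {"0.0.0.0/0": "isp2", ENT: "border2"},  # default to outside interface
}

if __name__ == "__main__":
    for name, fibs in (("iBGP path", IBGP_PATH), ("eBGP path", EBGP_PATH)):
        print(name, *trace(fibs, "core", DST))
```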






