Agreed. You could still receive their routes and no-export your AS, but I wouldn't go beyond the firewall.

Jason Bothe, Manager of Networking
Rice University
o +1 713 348 5500
m +1 713 703 3552
jason@rice.edu
On Nov 23, 2014, at 17:57, William Herrin <bill@herrin.us> wrote:
On Fri, Nov 21, 2014 at 9:49 AM, Curtis L. Parish <Curtis.Parish@mtsu.edu> wrote:
We advertise our ASN into the state network with more specific routes that we advertise via ISP2 via our ASN. This is done because the state (vendor managed) network runs stateful firewalls and we have to force other multi-home entities on the state network to use our state connection instead of ISP2. Our network has been removed from the state firewall due to previous problems with asymmetric routing with our I2 circuit.
Hi Curtis,
As you've already noted, the presence of a stateful firewall beyond your BGP border is inimical to BGP multihoming. Traffic between two multihomed networks must never cross a stateful firewall that is outside both networks' borders. Practically speaking, there will be asymmetry, path flapping, per-packet load balancing and other quirks at locations outside your control. The Internet DFZ is a chaotic system. Over time you won't be able to make the packets reliably transit the firewall.
It sounds like this is a learning experience for both you and the folks at the state network. If you have a friendly relationship with them, now would be a good time to visit and talk about what are likely to be significant changes to their network architecture to make multihomed users feasible. Preferably with the help of a local consultant who has BGP expertise.
If that doesn't sound like it would be a productive conversation then I suggest you consider three different options:
1. Return to the state network alone,
2. Replace your state network connection with another commercial ISP,
3. Add an additional commercial ISP for the sake of your Internet access needs, drop the BGP advertisements with the state network and then implement resources which should only transit the state network using IP addresses assigned by the state network rather than your BGP addresses.
Here is a question. I know that having one network advertised by multiple ASNs is unconventional and thus it will probably be harder to get help troubleshooting routing problems when they arise. Do you see a situation where our network might be caught in a loop or black hole due to asymmetric routing and conflicting advertisements?
Yes. And frequently. You have this thing balanced on the head of a pin.
Regards, Bill Herrin
--
William Herrin  herrin@dirtside.com  bill@herrin.us
Owner, Dirtside Systems  Web: <http://www.dirtside.com/>
May I solve your unusual networking challenges?
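A toy model of the failure mode Bill describes, added here as an illustration and not something from the thread: a stateful firewall outside both networks' borders only passes a reply if it saw the flow's opening packet, so when the forward path goes out via ISP2 and the return path comes back through the state network, the SYN-ACK arrives at a firewall with no state and is dropped. The network names "A" and "B", the hop label "FW" and the path tables are constructed for the example.

```python
"""Toy model of a TCP handshake between two multihomed networks where
one candidate path crosses a stateful firewall that neither side controls."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool = False  # True only for the flow-opening SYN


class StatefulFirewall:
    """Passes a packet only if it belongs to a flow whose SYN it has seen."""

    def __init__(self):
        self.flows = set()

    def passes(self, pkt):
        flow = frozenset((pkt.src, pkt.dst))  # direction-agnostic flow key
        if pkt.syn:
            self.flows.add(flow)  # create state on the opening packet
            return True
        return flow in self.flows  # reply with no matching state is dropped


def handshake_succeeds(paths, fw):
    """paths maps (src, dst) -> list of hops; the hop 'FW' is the stateful
    firewall. Returns True only if SYN, SYN-ACK and ACK all get through."""

    def deliver(pkt):
        for hop in paths[(pkt.src, pkt.dst)]:
            if hop == "FW" and not fw.passes(pkt):
                return False  # dropped at the firewall
        return True

    return (deliver(Packet("A", "B", syn=True))   # SYN
            and deliver(Packet("B", "A"))         # SYN-ACK
            and deliver(Packet("A", "B")))        # ACK


# Constructed path tables: both directions through the state network's
# firewall, versus the asymmetric case the thread warns about.
SYMMETRIC = {("A", "B"): ["STATE", "FW"], ("B", "A"): ["STATE", "FW"]}
ASYMMETRIC = {("A", "B"): ["ISP2"], ("B", "A"): ["STATE", "FW"]}

if __name__ == "__main__":
    print("both ways via firewall:", handshake_succeeds(SYMMETRIC, StatefulFirewall()))
    print("out via ISP2, back via firewall:", handshake_succeeds(ASYMMETRIC, StatefulFirewall()))
```

Real firewalls also expire state and may check sequence numbers, so the asymmetric case fails in more ways than the one modelled here.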