Steve, Agreed. I'm not suggesting that a tunnel is the ultimate best solution, but rather just pointing out that if you go with a tunnel, it's worth remembering that it's going unencrypted over a public network rather than site to site over a private link. j. ________________________________ From: Steve Bertrand [steve@ibctech.ca] Sent: Friday, June 05, 2009 20:40 To: Herbert, John Cc: cmadams@hiwaay.net; nanog@nanog.org Subject: Re: Multi site BGP Routing design John.Herbert@ins.com wrote:
Depending on your security policies you may want to encrypt said tunnel also.
Other than that, it all depends on it all depends. For example - if you receive / or have a default route pointing to the ISP, then the fact you have the same AS and won't receive the other site's routes in BGP doesn't matter at all - you'll follow a default from site 1 to the ISP, and the ISP will have a route to site 2 and can pass the traffic in the right direction. If you don't mind your traffic being passed unencrypted over the Internet, that is. You'll obviously need to adapt your firewall policies to allow for that flow as well.
Personally, I don't really like the tunnel idea... I've had to deal with them for v6 connectivity, and they seem so 'ugly'. My first thoughts were about de-aggregation, but since he's already advertising different space out of each site, that became irrelevant. I was just thinking that two AS numbers would be the cleanest, easiest to maintain method for him to take. Certainly tunnelling did go through my mind though to ensure site-to-site peering over the Internet. Steve