Hi all,

Due to many different factors, including different filtering policies, multi-homing to different providers might not provide the same Internet view, or even reachability. Default-routing to the upstream ISPs therefore seems not to be the way to go. Instead, full BGP tables can be kept on the enterprise border routers, and default routes can be originated on these border routers and injected into the enterprise IGP. iBGP is used between the enterprise border routers.

From any router in the enterprise network, the IGP metric is used to get to the nearest border router, and then the best BGP route is selected, which could very well be on one of its iBGP peers. Therefore traffic can flow from any router to Border1, then Border2, then the upstream ISP router. (Assuming there is a direct path between Border1 and Border2 (tunnels, MPLS-LSP, etc.)).

Everything's fine (at least I think so) until we throw in some firewalls !!! They either ought to be on the eBGP path or on the iBGP path. That is, between the enterprise border router and the upstream ISP router, or between the enterprise border router and the enterprise network.

Putting the firewall on the iBGP path can lead to routing loops since the firewall will only have a default route to the local border router.

When putting the firewall on the eBGP path, it defaults to its outside interface toward the upstream ISP router and has the enterprise address block on its inside interface. So far so good, but that means that the upstream ISP media type has to be supported by the firewall: OC3, OC12 !!!! ;-( And in any case the firewall has to provide proper throughput !!! ;-(

How are large enterprises implementing secure multi-homed Internet access? And to what type of bandwidth does this scale?

tx
martin
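The routing loop the post describes (firewall on the inside path with only a default route to its local border router, while that border router's best BGP path is via its iBGP peer) can be reproduced with a small forwarding simulation. This is an added example, not part of the original post; the topology, node names, prefixes and the "10.0.0.2" loopback are all constructed assumptions. It shows the same destination traced twice: once with Border1 reaching Border2 across the inside network (through the firewall), and once over a direct tunnel between the border routers.

```python
import ipaddress

# Constructed topology (assumption, not from the post): "Host" is inside the enterprise,
# "FW" is the firewall on the iBGP (inside) side of Border1, Border1 and Border2 peer over
# iBGP, and ISP1/ISP2 are the upstreams. A table maps prefix -> next hop; the next hop is
# a node name, or (for an iBGP-learned route) the BGP next-hop address, which must then be
# resolved recursively through the IGP routes in the same table, as a real router would.
LOOPBACK_B2 = "10.0.0.2"   # Border2's loopback: the iBGP next hop that Border1 sees

def lookup(table, dst):
    """Longest-prefix match of dst against one node's table; None if no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]

def resolve(table, dst, depth=0):
    """Recursive next-hop resolution: an address result is looked up again via the IGP."""
    nh = lookup(table, dst)
    if nh is None or not nh[0].isdigit() or depth > 3:
        return nh
    return resolve(table, nh, depth + 1)

def trace(tables, start, dst):
    """Walk hop by hop; stop at a node with no table (an ISP) or when a node repeats."""
    path, node = [start], start
    while node in tables:
        nh = resolve(tables[node], dst)
        if nh is None:
            return path, False
        path.append(nh)
        if nh in path[:-1]:
            return path, True          # revisited node: forwarding loop
        node = nh
    return path, False

def build(direct_link):
    """Border1's IGP route to Border2's loopback goes via FW unless a direct link exists."""
    return {"Host": {"0.0.0.0/0": "FW"},
            "FW": {"10.1.0.0/16": "Host", "0.0.0.0/0": "Border1"},   # default to local border only
            "Border1": {"0.0.0.0/0": "ISP1",                          # full table / default from ISP1
                        "203.0.113.0/24": LOOPBACK_B2,                # best path learned over iBGP
                        LOOPBACK_B2 + "/32": "Border2" if direct_link else "FW"},
            "Border2": {"0.0.0.0/0": "ISP2", "203.0.113.0/24": "ISP2"}}

def compare(dst="203.0.113.5"):
    """Return (path, looped) for the inside-network case and for the direct-tunnel case."""
    return trace(build(False), "Host", dst), trace(build(True), "Host", dst)

if __name__ == "__main__":
    for label, (path, looped) in zip(("via inside network", "via direct tunnel"), compare()):
        print(f"{label}: {' -> '.join(path)}{'  LOOP' if looped else ''}")
```

Without the direct path Border1 hands the packet back to the firewall, which defaults it straight back to Border1; with the tunnel the packet reaches Border2 and exits via ISP2.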
Participants (1): Martin Picard