Re: Failover how much complexity will it add?
Thanks Seth and James,

Things are getting a lot clearer. The BGP multihoming solution sounds like exactly what I want. I have more questions :-)

Now I suppose I would get my allocation from RIPE as I am UK based?

Do I also need to apply for an AS number?

As the IP block is "mine", it is ISP independent, i.e. I can take it with me when I decide to use two completely different ISPs?

Is obtaining this IP block what is referred to as PI space?

Of course internally I split the /24 up however I want - /28 for untrust range and maybe a routed DMZ block etc.?

Assuming I apply for an IP block and AS number, what's involved and how long does it take to get these babies?

I know the SSG550s have BGP capabilities. As I have two of these in HA mode, does it make sense to do the BGP on these, or should I get dedicated BGP routers?

Fixing the internal routing policy so traffic is directed at the active BGP connection. What's involved here, preferring one BGP link over the other?

Thanks again, I obviously need to do some reading of my own, but all the suggestions so far have been very valuable and definitely seem to be pointing in some fruitful directions.

Adel

On Sun 6:31 PM, "James Hess" <mysidia@gmail.com> sent:

On Sun, Nov 8, 2009 at 11:34 AM, <adel@baklawasecrets.com> wrote:
[..]
> connections from different providers I would still have issues. So
> I guess that if my primary Internet goes down I lose connectivity
> to all the publicly addressed devices on that connection. Like
> dmz hosts and so on. I would be interested to hear how this
> can be avoided if at all or do I have to use the same provider.

You assign multi-homed IP address space to your publicly addressed devices, which are not specific to either ISP. You announce to both ISPs, and you accept some routes from both ISPs.
You get multi-homed IPs, either by having an existing ARIN allocation, or getting a /22 from ARIN (special allocation available for multi-homing), or ask for a /24 from ISP A or ISP B for multihoming.
If Link A fails, the BGP session eventually times out and dies: ISP A's BGP routers withdraw the routes, the IP addresses are then associated only with provider B.
And you design your internal routing policy to direct traffic within your network to the router with an active BGP session.
Link A's failure is _not_ a total non-event, but a 3-5 minute partial disruption, while the BGP session times out and updates occur in other people's routers, is minimal compared to a 3-day outage, if serious repairs to upstream fiber are required.
-- -J
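Adel's two questions above, preferring one BGP link over the other and steering internal traffic at the live session, come down to a small amount of routing policy on the edge router, and James's "announce to both, accept some routes from both" is where the security-relevant filtering lives. The configuration below is an added example written for this page, not something posted by James, Adel or anyone else in the thread. It uses FRR bgpd syntax (the SSG550's ScreenOS syntax differs). Every number is a placeholder: 192.0.2.0/24 stands in for the site's PI block, 203.0.113.1 and 198.51.100.1 for the ISP peering addresses, 64512 for the site's ASN and 64496/64497 for the ISPs' ASNs; a real deployment substitutes the RIPE-assigned block and ASN, the ISPs' real peer details and real session keys.

```frr
! Customer edge router, FRR bgpd syntax. Added example, not from the thread.
! Placeholders: 192.0.2.0/24 = the site's PI block, AS 64512 = the site's ASN,
! ISP A = AS 64496 at 203.0.113.1 (preferred link),
! ISP B = AS 64497 at 198.51.100.1 (backup link).
!
! Anchor the aggregate so the /24 is announced whenever a session is up,
! independent of which internal subnets (/28 untrust, routed DMZ, ...) are
! reachable right now. Distance 254 keeps the blackhole from shadowing the
! real, more specific internal routes.
ip route 192.0.2.0/24 blackhole 254
!
ip prefix-list OWN-PREFIX seq 5 permit 192.0.2.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Inbound: accept only a default route from each ISP (a full table is wasted
! on a firewall platform) and prefer ISP A with the higher local-preference.
! When session A dies, its default is withdrawn and ISP B's default is used.
route-map ISP-A-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
route-map ISP-B-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 100
!
! Outbound: announce nothing but our own /24. The implicit deny at the end
! of each route-map means a mistake elsewhere can never turn this site into
! transit between the two ISPs. Prepend towards ISP B so the rest of the
! Internet prefers the ISP A path to us while that path exists.
route-map ISP-A-OUT permit 10
 match ip address prefix-list OWN-PREFIX
!
route-map ISP-B-OUT permit 10
 match ip address prefix-list OWN-PREFIX
 set as-path prepend 64512 64512
!
router bgp 64512
 bgp router-id 192.0.2.1
 bgp log-neighbor-changes
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 description ISP-A-preferred
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP-B-backup
 ! Session hardening on both peers: TCP MD5 (RFC 2385) and GTSM (RFC 5082,
 ! only a directly connected router can reach the session). Keys are
 ! placeholders to be replaced by values agreed with each ISP.
 neighbor 203.0.113.1 password CHANGE-ME-ISP-A
 neighbor 203.0.113.1 ttl-security hops 1
 neighbor 198.51.100.1 password CHANGE-ME-ISP-B
 neighbor 198.51.100.1 ttl-security hops 1
 ! keepalive 10 s / hold 30 s, agreed with the ISP, shrinks the dead-session
 ! window from the default 180 s hold time to well under a minute.
 neighbor 203.0.113.1 timers 10 30
 neighbor 198.51.100.1 timers 10 30
 !
 address-family ipv4 unicast
  network 192.0.2.0/24
  neighbor 203.0.113.1 route-map ISP-A-IN in
  neighbor 203.0.113.1 route-map ISP-A-OUT out
  neighbor 203.0.113.1 maximum-prefix 10
  neighbor 198.51.100.1 route-map ISP-B-IN in
  neighbor 198.51.100.1 route-map ISP-B-OUT out
  neighbor 198.51.100.1 maximum-prefix 10
 exit-address-family
```

Outbound, the router holds both ISPs' default routes and installs ISP A's because of the higher local-preference; when link A fails and its session times out, that default disappears locally and ISP B's default takes over, which is the internal half of the failover James describes. Inbound, the prepend on the ISP B announcement keeps most of the Internet reaching the /24 via ISP A until ISP A withdraws it. With the SSG550 HA pair acting as one logical edge device, both sessions terminate on the same device and this is all the internal policy needed; with two separate edge routers you would also run iBGP between them so each knows whether the other still has a live upstream. The shorter timers cut the 3-5 minute window James mentions, which comes from the default 180-second hold time, but only if the ISP side agrees to the same values; BFD, where both ends support it, brings detection down further. The out-direction route-maps are the part that matters for everyone else on the Internet: with them, nothing but the site's own /24 can be announced, so the site cannot leak one ISP's routes to the other, and maximum-prefix tears the session down rather than letting an ISP that accidentally sends a full table exhaust the router.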
Hi Adel

There are companies like packet exchange (www.packetexchange.net) (whom I have personally used) who will do all of the legwork for you, such as applying for the ASN, address space, transit agreements, and get the tail connections directly to your building. You just need to pay them and buy the equipment (which they can also provide). Probably easier in the long run.

NOTE: I am not an employee, or paid affiliate of packet exchange... I have used them for services and am promoting them due to my own good experiences with their services.

Regards,

Ken

2009/11/8 <adel@baklawasecrets.com>:
Ken Gilmour wrote:
> Hi Adel
>
> There are companies like packet exchange (www.packetexchange.net) (whom I have personally used) who will do all of the legwork for you, such as applying for the ASN, address space, transit agreements, and get the tail connections directly to your building. You just need to pay them and buy the equipment (which they can also provide). Probably easier in the long run.

Sure, if you want to hand over your entire profit margin to a 3rd party. Do you really want to give away the keys to your business, and rely entirely upon a third party organisation? Better to acquire the skills which are vital to your organisation yourself.

> NOTE: I am not an employee, or paid affiliate of packet exchange... I have used them for services and am promoting them due to my own good experiences with their services.

I used to work for them. Then as now, I honestly can see little purpose in their product set.

adam.
On Mon, 09 Nov 2009 13:39:34 GMT, Adam Armstrong said:
> Sure, if you want to hand over your entire profit margin to a 3rd party. Do you really want to give away the keys to your business, and rely entirely upon a third party organisation? Better to acquire the skills which are vital to your organisation yourself.

Umm.. You did that *anyhow* the instant you paid somebody else to run the cables to your location rather than dig your own ditches. Similarly for electricity and everything else you don't create yourself.

>> NOTE: I am not an employee, or paid affiliate of packet exchange... I have used them for services and am promoting them due to my own good experiences with their services.
>
> I used to work for them. Then as now, I honestly can see little purpose in their product set.

There's little purpose if you're an ISP that's supposed to be good at BGP yourself. If however, your business is running a /24 worth of webservers that sells your company's product, and Best Practices says you should be multi-homed but the in-house skill set runs more to Apache than BGP, a well-designed BGP appliance can be a ghodsend. (I admit I missed the OP's statement of what business line they were in).
participants (4)
- Adam Armstrong
- adel@baklawasecrets.com
- Ken Gilmour
- Valdis.Kletnieks@vt.edu