Bob, do you have your own AS#, and ARIN assigned IP space?  If not, do you
announce a prefix to the 2 providers that you received from one of them?  If
not, then you are correct that all your inbound takes one T1 because you
have a prefix assigned to you by one of the providers which cannot be
announced by the other provider.  If that is the case, there are a few
things you can do.  One would be to get at least a class C address space
from one of the providers that you can announce using an AS# that you get
from ARIN.  You can then manipulate your announcements so that you load
share across the T1's inbound, although there are limitations to that also.
You could also get another firewall and place that on the network with an IP
assigned by the other provider, give half your workstations one firewall as
their gateway and half the other.  If you host mail on your network, you
would do a mapping on each firewall to the IP of the mail server, and in
your dns file specify one as primary and one as secondary.  That way if you
lose one of the providers and the IP from them is not available, you have a
backup.  Unfortunately you cannot do the backup scheme with a web site.
Hope this helps.

-----Original Message-----
From: Bob Timmons [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 23, 2002 2:26 PM
To: [EMAIL PROTECTED]
Subject: Splitting up outbound traffic for BGP [7:32983]


Hey all, got a question, but first, the situation...

We've got 2 T1's in our NYC location that go to 2 different ISPs.  We've
moved these Ts off of their respective Cisco 2500's and onto a single Cisco
7206vxr.  This is now our 'outside internet' router.  The ethernet interface
goes to the Checkpoint unix box and the other side of the unix box goes to
the internal network.  The internal network is using a 10.x.x.x/22 range
(2000 addresses).  We'd like to perform some load-sharing using BGP.  We've
obtained an AS number and are getting full routes from both providers.
Outbound BGP seems to work fine.  Depending on site, it takes different
paths.  Inbound, however, is dominated by one T only.  We're using PAT at
the firewall to perform address translation.  The firewall only has 1 valid
'Internet' IP address.  It's my understanding that this is why all inbound
traffic is using only 1 provider, as opposed to both.  I'd like to either
have 2 valid internet IP addresses at the firewall (which I'm not sure is
even possible) or perform the PAT at the router and maybe use access-lists
to split up the traffic.  I guess the question is, what is the best practice
when doing this?  I'm sure that we're not the only company that wants to do
something like this.  Do either of my solutions sound feasible?

thanks
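Added example, not from either poster: a toy model of the inbound behaviour the reply above describes, showing why a provider-assigned address pulls all inbound traffic over one T1, how an own /24 announced through both providers splits it, and how coarse AS-path prepending is as a lever. The AS numbers, topology and "shortest AS path wins" rule are all constructed assumptions.

```python
"""Toy model of BGP inbound path selection for the multihoming question
above. Constructed for illustration: AS 65000 is the customer, 64501 and
64502 are the two T1 providers, and remote ASes simply prefer the shortest
AS path (ties broken by the lower provider AS number)."""
from collections import deque

CUSTOMER, ISP_A, ISP_B = 65000, 64501, 64502

# Constructed AS-level topology: each AS and its direct peers.
LINKS = {
    CUSTOMER: [ISP_A, ISP_B],
    ISP_A: [CUSTOMER, ISP_B, 64510, 64520],
    ISP_B: [CUSTOMER, ISP_A, 64530, 64540],
    64510: [ISP_A, 64530],
    64520: [ISP_A],
    64530: [ISP_B, 64510],
    64540: [ISP_B],
}
REMOTES = [64510, 64520, 64530, 64540]

def as_hops(src, dst):
    """AS-hop count from src to dst over LINKS (BFS); None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for peer in LINKS.get(node, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append((peer, dist + 1))
    return None

def inbound_t1(announcers):
    """Map each remote AS to the provider whose T1 its traffic enters over.

    announcers maps a provider AS to the AS-path length behind it: 0 when
    the provider originates its own PA block, 1 when the customer AS
    originates its /24, plus any 'set as-path prepend' hops.
    """
    return {remote: min((as_hops(remote, prov) + tail, prov)
                        for prov, tail in announcers.items())[1]
            for remote in REMOTES}

# Case 1: PA address from ISP A only; ISP B cannot announce it.
PA_ONLY = inbound_t1({ISP_A: 0})
# Case 2: own /24 originated by AS 65000 and announced to both providers.
BOTH = inbound_t1({ISP_A: 1, ISP_B: 1})
# Case 3: as case 2, but with two prepends toward ISP A to shift inbound.
PREPEND_A = inbound_t1({ISP_A: 1 + 2, ISP_B: 1})
```

In this topology case 3 moves every remote AS onto ISP B's T1, which is the kind of limitation the reply alludes to: prepending changes whole AS-path lengths, so it shifts load in coarse steps rather than tuning it.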
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=32987&t=32983
