We solved that problem here with BGP. It's not as hard as it seems. You do need to get IP space allocated to you (/24 minimum) that the various (2 or more) ISP's will agree to announce. Your existing IP space may be routable/announceable or not.. or if you are NATing, you may not have anything like a /24, in which case you should consider the Radware Linkproof (which is kind of a NAT failover - you use a set of IP's until that carrier goes down and then it switches you over via DHCP to the backup). There are some other devices that give similar functionality and also a new software solution from Rainfinity called Rainconnect.

BGP requires a beefy router, a 3640 minimum if you want to take full routing tables. This means 128MB of RAM. The actual config is not that bad for a basic one. BGP like most things has a lot of subtlety to it. You can get into MED's, Communities, Confederations etc etc but to run it all you really need is what I have posted below.

This is an offline response I wrote once for someone.. Don't assume it's all 100% or the only way or whatever. :-) It's just my own experience and what I've gotten from it.
I hope it helps!

- Joe

ps - search the archives of the ISP-routing list and the ISP-BGP lists! Great info..

------------------------------------------------------------------------

How BGP solves the problem:

Nutshell: your border (edge) router takes in the 2 ISP connections and chooses the best routing paths. You only need ONE firewall in this case and no fancy setups behind it. Use the 2nd FW to cluster this main FW if you want (recommended!!). Your servers in question will be reachable via 1 IP address from either ISP. That's the beauty of it. If one circuit goes down, BGP recalculates the routing table and within 1-5 minutes it is fully normalized again. Over the past year I have never had a user notice an outage at any of our offices (we've had 9, one which lasted a week!). Our BGP tables converge well enough within the first minute that local reachability is continuous - or at least appears so. This is a good thing.

Detail: (I don't know what you already know so forgive me if I hit some basics here)

Border Gateway Protocol v4 (BGP to us) is a dynamic routing protocol. It looks at routing as hops - much like RIP, which I believe is where it came from. A given network is viewed as an "autonomous system" - each network is assigned a system number, called an ASN. Each ASN is a hop in BGP. In North America ASN assignment is handled by ARIN, RIPE in the EU. You apply for an ASN after you:

1: have multiple ISP connections
2: have routable IP space that both ISP's agree to announce

You make your case to ARIN about why you need this (umm, resiliency?) and if they approve you, you pay $500 and you're nearly done. The fundamental definition for an ASN is a network with a unique routing policy - one that varies enough from what it's connected to that it needs to be recognized as a unique entity. There are only 65,535 ASN's, so they don't give them out for no reason.

Your router will need to run a BGP session with each of the 2 ISP's in this case.
I will assume you're not a transit network here..

What happens at the most basic level could be this: You take a routing table from ISP A and another from ISP B - their "views" of the internet. Your router calculates a new table based on ASN hops - finding the "shortest" distance to get anywhere on the net (using ASN hops only.. it does not look at BW unfortunately!). This is the view from where YOU are. In turn, you "announce" your internal IP space - you tell the world how to get to your net. Every router on the net gets reachability/routing info from every other router, and they all update each other on an ongoing basis. Kinda like DNS that way, as BGP can be thought of as a distributed database in a way (although it is really just a flat file..). Your announcements propagate to your peer routers at your ISP's and in turn to their peers etc etc.

You need at least a /24 to announce. If you have smaller IP space, you can use devices like a Radware Linkproof which handle the NAT changeover to go from one ISP to the other. BGP is nicer if you can do it bc you get to use both circuits all the time. (you pay for them all the time so...) There is also some new software from Rainfinity which is supposed to handle this sort of thing too, complete with load balancing (which is not straightforward in BGP..).

A really basic config is simple. Here's mine (simplified and sanitized):

router bgp 9876
 no synchronization
 bgp log-neighbor-changes
 network X.Y.10.0 mask 255.255.254.0
 neighbor A.B.C.D remote-as 1234
 neighbor A.B.C.D description T1 #12345678
 neighbor A.B.C.D version 4
 neighbor A.B.C.D filter-list 1 out
 neighbor D.E.F.G remote-as 5678
 neighbor D.E.F.G description T1 # 987654321
 neighbor D.E.F.G version 4
 neighbor D.E.F.G filter-list 1 out

The top part is us, ASN 9876. "no synchronization" refers to not waiting for other protocols to update BGP (in case we run OSPF, iBGP, etc etc). I just announce my /23 network in my part of the config. Next up is our first peer.
I force BGP version 4 and use filter list 1 to control what routes will come and go during this BGP session. Next is our 2nd peer with ASN # 5678. Same thing again.

In reality there is more to the config, as the two carriers run BGP differently.. maybe carrier one uses 2 PVC's running off the loopback, carrier 2 uses communities, etc etc. and we use an ACL to make sure that we only accept BGP packets from the proper hosts etc. (do a google on "secure IOS and Secure BGP" and you'll see Rob Thomas's excellent site!) but they will always provide you with the config you need to connect to them. They have to bc there is no way for you to know what they need otherwise.. so don't sweat it. What you have above is enough to work with though. This will work fine to get you started. Your part of the BGP clause is up to you, as is the filter list if you choose to use one.

! Filter list 1 looks like this:
ip as-path access-list 1 permit ^$
ip as-path access-list 1 deny .*

This says simply "take in everything I'm sent. Send out only what is local". Do a google on "Avi Freedman" to see where I pinched this! This kind of list is usually referred to as an "Avi style" list. You'll see why. This keeps you from sending the whole routing table back to your ISP as well as only "advertising" or announcing what you have reachability for - your own nets.

In my case I take what's called a "full table" - every route on the net (a bit over 100,000 routes, or ~70MB worth at the moment). You can take just defaults, or just carrier routes, or other partial tables. Talk to your providers about what they have available. This will, in turn, ease up on your memory usage.

Your routing table needs this as well (called nailing the routes):

ip route A.B.C.D 255.255.254.0 T.U.V.W
ip route A.B.C.D 255.255.254.0 Null0 254

This is not essential for it to work, but this is good practice and being a good netizen. A.B.C.D is your /23 net. T.U.V.W is the gateway in this case.
The 2nd route is where you add a "backup route" to this net so that even if the interface goes down, you don't withdraw the route to your net (null interface is logical and can't go down...). This is to avoid needless BGP table updates propagating across the net.

-----------------------------------------------------------------------------------

hth
Joe

>>> Nico De Ranter <[EMAIL PROTECTED]> 06/03/02 09:54AM >>>
Howdy,

For a moment we thought our ISP went bankrupt last week. Fortunately this turned out not to be the case, however this kind of woke up upper management :-). So I'm now investigating how to use 2 ISP's for our Internet connection. Anybody any experience with this? Any links to useful info? Is this something that should be solved on the firewall level or will some router magic do the trick?

Thanks in advance,

Nico

---------------------------------------------------------
"It has been said that there are only two businesses that refer to customers as users: illegal drug trade and the computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: [EMAIL PROTECTED]

=================================================
To set vacation, Out Of Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept by MIMEsweeper for the presence of computer viruses. www.mimesweeper.com
**********************************************************************
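Added example, not part of Joe's post or of Cisco IOS: a small Python model of the two mechanisms the post relies on, the "Avi style" as-path filter list (permit ^$, deny .*) applied to outbound announcements, and shortest-AS-path selection over the tables learned from two ISPs. The routes, the local /23 (198.51.100.0/23 standing in for X.Y.10.0/23), the peer addresses A.B.C.D and D.E.F.G, and the tie-break rule are all constructed for the example. It also shows what the filter prevents: with a permit-everything list, the full table learned from one ISP would be re-announced to the other, which is exactly the transit leak the post's filter list exists to stop.

```python
"""Model of an IOS-style as-path access-list and shortest-AS-path selection.
Constructed example; it is not Cisco code and does not speak BGP on the wire."""
import ipaddress
import re
from dataclasses import dataclass

LOCAL_ASN = 9876  # our ASN from the post's 'router bgp 9876'


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "203.0.113.0/24"
    as_path: tuple   # ASNs as received, nearest neighbour first; () = locally originated
    next_hop: str    # peer the route was learned from ("local" for our own nets)


# ip as-path access-list 1 permit ^$
# ip as-path access-list 1 deny .*
FILTER_LIST_1 = [("permit", r"^$"), ("deny", r".*")]

# Constructed RIB: our own /23 plus routes learned from ISP A (AS 1234) and ISP B (AS 5678).
RIB = [
    Route("198.51.100.0/23", (), "local"),                      # our /23, like X.Y.10.0/23
    Route("203.0.113.0/24", (1234, 64500), "A.B.C.D"),          # via ISP A, 2 AS hops
    Route("203.0.113.0/24", (5678, 64510, 64500), "D.E.F.G"),   # via ISP B, 3 AS hops
    Route("192.0.2.0/24", (5678, 64520), "D.E.F.G"),            # only reachable via ISP B
    Route("192.0.2.128/25", (1234, 64530), "A.B.C.D"),          # longer than /24
]


def as_path_matches(entries, as_path):
    """Evaluate an IOS-style as-path access-list: the path is rendered as
    space-separated ASNs, entries are tried in order, the first regex match
    decides, and no match means deny (IOS's implicit deny at the end)."""
    text = " ".join(str(asn) for asn in as_path)
    for action, pattern in entries:
        if re.search(pattern, text):
            return action == "permit"
    return False


def announceable(prefix, minimum_len=24):
    """The post says you need at least a /24 to announce; anything longer
    is assumed (for this example) to be dropped by the ISP."""
    return ipaddress.ip_network(prefix, strict=True).prefixlen <= minimum_len


def outbound_updates(rib, entries):
    """Apply 'neighbor ... filter-list 1 out': only routes whose AS path
    passes the list are sent. With FILTER_LIST_1 that is the empty path,
    i.e. our own nets; everything learned from a peer is held back."""
    return [r for r in rib if as_path_matches(entries, r.as_path) and announceable(r.prefix)]


def as_path_seen_by_peer(route, local_asn=LOCAL_ASN):
    """What the neighbour receives: our ASN is prepended, so each AS is one hop."""
    return (local_asn,) + route.as_path


def best_paths(rib):
    """Shortest AS path wins, as the post describes (bandwidth is not
    considered). Ties go to the route received first; that is a constructed
    rule for the example, real BGP applies further tie-breakers."""
    best = {}
    for r in rib:
        cur = best.get(r.prefix)
        if cur is None or len(r.as_path) < len(cur.as_path):
            best[r.prefix] = r
    return best


if __name__ == "__main__":
    for prefix, r in best_paths(RIB).items():
        print(f"{prefix:18} via {r.next_hop:8} path {r.as_path}")
    print("announced with filter-list 1:",
          [r.prefix for r in outbound_updates(RIB, FILTER_LIST_1)])
    print("announced with permit-all (leak):",
          [r.prefix for r in outbound_updates(RIB, [("permit", r".*")])])
```

Running it stand-alone prints the best path per prefix (203.0.113.0/24 goes via A.B.C.D because two AS hops beat three) and then the two outbound lists: the filtered one carries only 198.51.100.0/23, while the permit-all one would hand every learned route back to the peers.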