]>We use non-stateful packet filtering at our border routers because
]>stateful filters won't work there - in & outbound packets might go
]>through different links. I suspect anyone with multiple border routers
]>will have to consider this condition.
]
]Circular routing is always a tough issue to deal with, especially when BGP
]peering with multiple Internet providers. That's why it is best to either
]have all of your Internet circuits connected to the same router (keeping the
]second router as a hot spare) and running "inspection" on that router. As

We use multiple border routers with links through multiple providers in order to maintain a "no single point of failure" policy. Where needed and where it is less critical we also put firewalls in place between this outer shell and some subnets - and we hide critical stuff altogether and/or put it on private networks.

Someday, it would be nice to have some workable protocols for extending inspection across multiple routers - but I can see that's a tough nut to crack. Some day when I have more time I'll see about tackling that one, right after I get done with curing the common cold. %^b

_M