Steve,

Agreed. I'm not suggesting that a tunnel is the ultimate best solution, but 
rather just pointing out that if you go with a tunnel, it's worth remembering 
that it's going unencrypted over a public network rather than site to site over 
a private link.

j.

________________________________
From: Steve Bertrand [st...@ibctech.ca]
Sent: Friday, June 05, 2009 20:40
To: Herbert, John
Cc: cmad...@hiwaay.net; nanog@nanog.org
Subject: Re: Multi site BGP Routing design


john.herb...@ins.com wrote:
> Depending on your security policies you may want to encrypt said tunnel also.
>
> Other than that, it all depends on it all depends. For example - if you 
> receive / or have a default route pointing to the ISP, then the fact you have 
> the same AS and won't receive the other site's routes in BGP doesn't matter 
> at all - you'll follow a default from site 1 to the ISP, and the ISP will 
> have a route to site 2 and can pass the traffic in the right direction. If 
> you don't mind your traffic being passed unencrypted over the Internet, that 
> is. You'll obviously need to adapt your firewall policies to allow for that 
> flow as well.

Personally, I don't really like the tunnel idea... I've had to deal with
them for v6 connectivity, and they seem so 'ugly'.

My first thoughts were about de-aggregation, but since he's already
advertising different space out of each site, that became irrelevant.

I was just thinking that two AS numbers would be the cleanest, easiest
to maintain method for him to take.

Certainly tunnelling did go through my mind though to ensure
site-to-site peering over the Internet.

Steve
