Question

Transition from single home to multihomed solution

Asked by: nabeel92

Hi there,
I've attached my network diagram where I've tried to give the big picture of a 'Dual-homed Single ISP' solution, since their traceroute meets at the same device on the very next hop. How can I make the transition of this network to a multihomed network? I've thought that I can use a router (keeping things simple for now) and have it connected to the internet using another ISP. Connect the inside interface of that router to my DMZ and LAN switches separately? Would that be the correct solution?

Now, secondly (and this is a potential flaw I see), all the major services are hosted on the DMZ; the DMZ has a public subnet. Our ISP (Telstra) is responsible for routing traffic to this DMZ subnet statically (not BGP). Say when I connect the router that I've proposed in the diagram attached to another ISP and connect its inside interface to the DMZ, how is that ISP going to find out how to route to this DMZ subnet? This is obviously assuming a case of failure occurring at the first ISP and we need to use this second ISP. I can route traffic from inside to the internet fine; but how about traffic coming from the outside internet to this DMZ? How is this second provider going to know about this public DMZ subnet? Which things are in our control and which are not in such scenarios is another query.

If I can provide any further info, let me know. Your help will be appreciated -:)


Asked On: 2009-10-22 at 17:55:31 (ID 24836708)
Topics: Network Routers, Network Design & Methodology, Disaster Recovery
Participating Experts: 1 | Points: 500 | Comments: 8


Answers

 

by: harbor235, posted on 2009-10-23 at 06:16:33 (ID: 25644030)


Dual homing utilizing two separate edge devices is the correct way to go; this design eliminates single points of failure. Keep in mind you must configure iBGP between the edge devices, and potentially you should use an IGP like OSPF if you are not already.

I assume your BGP advertisements to your ISPs include the DMZ subnet; it should be part of a supernet. Is it? So either ISP receives your advertisement via the supernet and routes traffic to your edge; once at your edge, traffic will be routed to the DMZ based upon a more specific route found in your routing table via BGP or IGP.

Example:

BGP advertisement to ISP may be 10.10.0.0/16.

However, the DMZ subnet may be 10.10.10.0/24, and this more specific route is in your IGP or BGP tables. Understand?

harbor235 ;}

 

by: nabeel92, posted on 2009-10-23 at 08:06:22 (ID: 25645102)

Ok, I see what you mean. You're saying that we could use BGP attributes like MED and Local_Pref to adjust the priorities from the 2 ISPs to our DMZ subnet, right? But I can't use BGP because at the edge of my network are 2 ASA firewalls that are configured in active/active failover mode. Now, active/active failover strips the ASA of dynamic routing protocol and VPN capabilities, so I can't use BGP.
The ISP at the moment has static routes to our DMZ. First priority is via Link 2 and second priority is via Link 1; there is no BGP.
I mean, I understand that this is a perfect scenario for BGP when we're multihoming and we can use BGP attributes, but we are using a PIX firewall in active/active failover mode that sort of becomes a major barrier in this case (I mean it doesn't even let you implement BGP in active/active failover mode).

 

by: harbor235, posted on 2009-10-23 at 09:38:05 (ID: 25646054)

Not really. Your advertisements are what is entered in your ISPs' routing tables; they tell them how to get to your network(s). This is typically done by a supernet or the exact network match that you want advertised. Once the traffic arrives at your edge, your edge routers will have routes in the routing table for that network; this can be accomplished in several ways: IGP, static routes, or redistributing the routes into BGP. Your advertisements tell the ISP how to route traffic to your edge; once at the edge, a route with the DMZ as a destination will exist with more precise info.

Example: Sending Mail

To route mail to a friend in Baltimore, Maryland, your post office only worries about the zip code; this gets the traffic to the correct city (or edge device). Once at the city post office, a mail carrier looks at the street address (more specific) and delivers the mail. Your post office does not care about where your street address is, just the city destination. Same thing here: you advertise via BGP how traffic gets to the edge; once there, there is a more specific route to the ultimate destination.

You can still use BGP through the firewall, not a problem.

BGP gives you much better control of your traffic, static solutions are not as robust and have several failure potentials.

harbor235 ;}
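To make the supernet-versus-more-specific point in the two answers above concrete, here is an added illustration (constructed for this page, not code from the thread or from any vendor): a longest-prefix-match lookup run over a constructed ISP table, which holds only the advertised 10.10.0.0/16 aggregate, and a constructed customer-edge table, which also holds the 10.10.10.0/24 DMZ route. The table contents and next-hop labels are assumptions; the null0 entry stands in for the aggregate anchor an edge router needs in order to originate the /16.

```python
"""Longest-prefix-match walk-through for the supernet / more-specific
split discussed in the thread. Constructed example: the ISP only ever
sees the /16 the customer advertises; the customer edge decides the
final hop from its own, more specific, routes."""
import ipaddress


def lookup(table, dst):
    """Return (prefix, next_hop) for the longest prefix in `table`
    containing `dst`, or None if nothing matches.
    `table` maps a prefix string to a next-hop label."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


# Constructed ISP view: the aggregate learned from the customer's BGP
# advertisement, plus the ISP's own default toward transit.
ISP_TABLE = {
    "0.0.0.0/0": "upstream-transit",
    "10.10.0.0/16": "customer-edge",
}

# Constructed customer-edge view: the same /16 anchored to null0 so it can
# be originated, and the more specific routes that actually deliver traffic.
EDGE_TABLE = {
    "0.0.0.0/0": "isp-a",
    "10.10.0.0/16": "null0",           # aggregate anchor (assumed)
    "10.10.10.0/24": "dmz-interface",  # DMZ, connected / IGP
    "10.10.20.0/24": "lan-core",       # internal LAN (assumed)
}


def trace(dst):
    """Follow a packet from the ISP to the edge and report which prefix
    each hop matched. Returns a list of (hop, prefix, next_hop)."""
    hops = []
    for name, table in (("isp", ISP_TABLE), ("edge", EDGE_TABLE)):
        match = lookup(table, dst)
        hops.append((name,) + (match if match else (None, None)))
    return hops


if __name__ == "__main__":
    for hop in trace("10.10.10.5"):
        print(hop)
```

Note that an address inside the advertised /16 but outside any more specific route (for example 10.10.99.1) is attracted to the edge and then hits the null0 anchor, which is the expected behaviour of an aggregate and worth remembering when sizing the supernet.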

 

by: nabeel92, posted on 2009-10-23 at 17:01:44 (ID: 25649963)

Thanks for the post harbor235 -:)
But as mentioned, the outside firewall that sits at the edge is configured in multiple contexts. When firewalls are configured in multiple contexts, it strips away the capability of running routing protocols, whether that be any IGP or BGP.
Ref: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#unsupport

At the moment, we are not advertising our DMZ to the ISP. The ISP has just static routes to our DMZ and that's it. We don't advertise anything. So I think they redistribute these static routes into their BGP and then it's known by the rest of the world?

 

by: harbor235, posted on 2009-10-23 at 20:22:13 (ID: 25650591)


I agree, but I am talking about doing BGP through the firewall: one peer is the router on the inside of your firewall and the other peer is the ISP router. The firewall does not participate in BGP at all.

harbor235 ;}

 

by: nabeel92, posted on 2009-10-25 at 15:52:29 (ID: 25658865)

Any traffic coming from the ISP to the DMZ will of course be sent to the PIX firewall (as the DMZ is directly connected to it) and not the router.

   ISP
     |
Switch
     |
PIX -- DMZ
     |
Router (Co-location routers)

Shouldn't the ISP directly send the traffic to the PIX since it's directly connected? I can't understand how BGP will influence the routing to the DMZ in this case, since a firewall sits in between that has a better directly connected route to the DMZ. Why would the ISP even want to come down to the router and from there route to the DMZ? Wouldn't it go straight to the firewall and then route to its DMZ through the directly connected interface?

Sorry but am just a bit confused on this one ...  -:)

 

by: nabeel92, posted on 2009-10-25 at 15:55:04 (ID: 25658877)

"Shouldn't the ISP directly send the traffic to the PIX since it's directly connected" >> Let me rephrase this to eliminate confusion ...

Shouldn't the ISP send the traffic destined for the DMZ to the firewall, since the DMZ is directly connected to the firewall? It won't even need to go to the router.

Thanks

 

by: nabeel92, posted on 2009-10-29 at 19:14:36 (ID: 25699786)

I'll speak to the ISP about it, thanks for your help mate !
