Help Setting up BGP with two ISP providers and 1 Checkpoint Firewall VPN-1 UTM running SPLAT
Posted on 2008-06-24
We have a Checkpoint NGX R65 VPN-1 UTM Firewall running SPLAT. It has three interfaces: one public interface (to our T1 router), one DMZ interface, and one internal LAN interface.
We are wanting to have another ISP for Internet redundancy and wanted to implement BGP. However, I've read conflicting information regarding the physical and logical implementation. Here is my understanding of how we can implement BGP with our current configuration. WE DO NOT have the option of running another firewall.
First some questions to get out of the way:
1. We don't need to do anything with the firewall, correct? BGP is done at the router level and then it just hands the packets to the firewall? So no need to change anything on the Checkpoint firewall?
2. BGP does not load balance, but I can pre-determine which provider to use as the primary, correct?
3. Packets never flow from both routers at the same time in a BGP setup, right? It's either going to be one ISP's router talking at a time, not both?
Regarding the physical implementation:
Assuming I pick up another provider, say XO Communications, for our 2nd provider and they supply us with a BGP-capable router... can I then just unplug the Cat5 connection from our primary router (Verizon) from the public interface on the firewall, introduce a shared hub, then plug both the Verizon and XO routers into the shared hub, then plug the public interface of the firewall into the shared hub so that all 3 devices can see each other, then let BGP do its thing?
Regarding the logical routing:
I assume that I can have one provider be the primary ISP and be used all the time unless it is unavailable. In this situation, I'd like the XO provider to take inbound traffic to the IPs that were originally assigned by our Verizon provider. We'd also like to have all outbound traffic always use XO, as it is likely going to be a fatter pipe.
I'm to understand that, in a nutshell:
1. Apply for an ASN.
2. Set up BGP with each router.
3. Hook up each router to the firewall.
Please advise on the above and any things worth noting that may be an issue from my limited description.
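As an added illustration (not from the post or its replies) of the policy the poster describes, here is an IOS-style BGP configuration for the XO-facing edge router: outbound prefers XO via LOCAL_PREF, inbound prefers Verizon via AS-path prepending toward XO, and only the site's own block is ever announced. AS numbers, addresses and the /24 are constructed placeholders; the Verizon-facing router mirrors this with the prepend removed and the default-route LOCAL_PREF left at 100.

```cisco
! Constructed example, XO-facing edge router. AS 65000 = our ASN (placeholder),
! 65010 = XO (placeholder), 203.0.113.0/24 = the block Verizon assigned us.
! Verizon must agree to let another ISP originate their PA block; XO must be
! told to accept it in their inbound filters, or the backup path never works.
!
ip prefix-list OUR-BLOCK seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
! Outbound policy toward XO: announce only our block, prepended twice so the
! Internet prefers the (shorter) Verizon path until Verizon withdraws it.
route-map TO-XO permit 10
 match ip address prefix-list OUR-BLOCK
 set as-path prepend 65000 65000
!
! Inbound policy from XO: accept only a default route (no full table on a
! T1-class box) and raise LOCAL_PREF above the Verizon router's 100, so both
! routers send all outbound traffic via XO while the XO session is up.
route-map FROM-XO permit 10
 match ip address prefix-list DEFAULT-ONLY
 set local-preference 200
!
router bgp 65000
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 65010
 neighbor 198.51.100.1 description XO
 neighbor 198.51.100.1 password SHARED-SECRET-PLACEHOLDER
 neighbor 198.51.100.1 ttl-security hops 1
 neighbor 198.51.100.1 route-map TO-XO out
 neighbor 198.51.100.1 route-map FROM-XO in
 neighbor 198.51.100.1 maximum-prefix 5
 ! iBGP to the Verizon-facing router so each knows the other's default.
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 description iBGP to Verizon-facing router
 neighbor 10.0.0.2 next-hop-self
!
! Pull-up route: keeps the /24 originated even if the firewall link flaps.
ip route 203.0.113.0 255.255.255.0 Null0 250
!
! Firewall-facing segment: the Checkpoint keeps a single static default
! gateway, so the two routers share it as an HSRP virtual address.
interface FastEthernet0/1
 description Shared segment with firewall and Verizon router
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
```

The firewall itself needs no BGP; it only needs its default route pointed at the HSRP address, and its public-interface anti-spoofing definition must still cover the shared segment.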