nabeel92 asked:
Transition from single home to multihomed solution

Hi there,
I've attached my network diagram where I've tried to give the big picture of a 'Dual-homed Single ISP' solution, since their traceroute meets at the same device on the very next hop. How can I make the transition of this network to a multihomed network? I've thought that I can use a Router (keeping things simple for now) and have it connected to the internet using another ISP. Connect the inside interface of that router to my DMZ and LAN switches separately? Would that be a correct solution?

Now, secondly (and this is a potential flaw I see) all the major services are hosted on the DMZ; the DMZ has a public subnet. Our ISP (Telstra) is responsible for routing traffic to this DMZ subnet statically (not BGP). Say when I connect the router that I've proposed in the diagram attached to another ISP and connect its inside interface to the DMZ, how is that ISP going to find out how to route to this DMZ subnet; this is obviously assuming a case of failure occurring at the first ISP and we need to use this second ISP. I can route traffic from inside --> to internet fine; but how about traffic coming from outside the internet to this DMZ? How is this second provider going to know about this public DMZ subnet? Which things are in our control and which things are not in our control in such scenarios is also another query.

Any further info I can provide, let me know. Your help will be appreciated -:)
multihome.jpg
ASKER CERTIFIED SOLUTION
harbor235
This solution is only available to members.
nabeel92 (ASKER):
Ok, I see what you mean. You're saying that we could use BGP attributes like MED, Local_Pref to adjust the priorities from the 2 ISPs to our DMZ subnet, right? But I can't use BGP because at the edge of my network are 2 ASA firewalls that are configured in active/active failover mode. Now, active/active failover strips the ASA of the capabilities of dynamic routing protocols and VPN, so we can't use BGP.
The ISP at the moment has static routes to our DMZ. First priority is via Link 2 and second priority is via Link 1, there is no BGP.
I mean I understand that this is a perfect scenario for BGP when we're multihoming and we can use BGP attributes, but we are using a PIX firewall in active/active failover mode that sort of becomes a major barrier in this case (I mean it doesn't even let you implement BGP in active/active failover mode).



Not really, your advertisements are what is entered in your ISPs' routing tables; they tell them how to get to your network(s). This is typically done by a supernet or the exact network match that you want advertised. Once the traffic arrives at your edge then your edge routers will have routes in the routing table for that network; this can be accomplished in several ways: IGP, static routes, or redistributing the routes into BGP. Your advertisements tell the ISP how to route traffic to your edge; once at the edge, a route with the DMZ as a destination will exist with more precise info.

Example: Sending Mail

To route mail to a friend in Baltimore, Maryland your post office only worries about the zip code; this gets the traffic to the correct city (or edge device). Once at the city post office a mail carrier looks at the street address (more specific) and delivers the mail. Your post office does not care about where your street address is, just the city destination. Same thing here: you advertise via BGP how traffic gets to the edge; once there, there is a more specific route to the ultimate destination.

You can still use BGP through the firewall, not a problem.

BGP gives you much better control of your traffic, static solutions are not as robust and have several failure potentials.

harbor235 ;}
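The supernet-versus-specific-route behaviour described above, as an added Python example that is not part of the thread: it models longest-prefix-match lookups over a constructed ISP table that holds only the aggregate the customer advertises via BGP, and a constructed edge table where the directly connected DMZ is a more specific route. It also models the failure the asker is worried about, a second ISP that has received no advertisement at all. All prefixes (RFC 5737 documentation ranges), next-hop names and the three-table layout are assumptions.

```python
import ipaddress

# Constructed example routing tables (not from the thread). RFC 5737 documentation
# ranges stand in for the customer's public space; next-hop names are invented.
ISP1_TABLE = {
    "0.0.0.0/0": "isp1-upstream-transit",      # ISP's default toward the rest of the Internet
    "198.51.100.0/22": "customer-edge-link2",   # aggregate the customer advertises via BGP
}

# A second ISP that was never given an advertisement for the customer's space.
ISP2_TABLE_NO_ADVERTISEMENT = {
    "0.0.0.0/0": "isp2-upstream-transit",
}

# The customer's edge: the aggregate is present for BGP to originate (Null0), while the
# DMZ and LAN are known as more specific routes that win the lookup.
EDGE_TABLE = {
    "0.0.0.0/0": "isp-link",
    "198.51.100.0/22": "null0",
    "198.51.100.0/24": "dmz-interface",         # directly connected DMZ
    "198.51.101.0/24": "lan-router",
}


def lookup(table, destination):
    """Longest-prefix match: return (prefix, next_hop) for the most specific route.

    Every router does this, so a /24 from a connected interface beats a /22 learned
    from BGP in the same table, and the /22 beats the 0.0.0.0/0 default.
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    if best_net is None:
        raise LookupError(f"no route to {destination}")
    return str(best_net), best_hop


def trace(isp_table, destination):
    """Follow a packet from the ISP toward the customer: ISP lookup, then edge lookup.

    Returns the list of (prefix, next_hop) decisions made along the way. If the ISP
    has no route pointing at the customer edge, the packet never reaches the edge
    table, which is the state of an ISP that was never given an advertisement.
    """
    hops = [lookup(isp_table, destination)]
    if hops[0][1] == "customer-edge-link2":
        hops.append(lookup(EDGE_TABLE, destination))
    return hops


if __name__ == "__main__":
    for dest in ("198.51.100.5", "198.51.101.7", "192.0.2.1"):
        print(dest, "via ISP1:", trace(ISP1_TABLE, dest))
        print(dest, "via ISP2:", trace(ISP2_TABLE_NO_ADVERTISEMENT, dest))
```

The ISP's lookup never sees the DMZ /24; it only needs the /22 to hand the packet to the customer's edge, where the more specific route takes over. For the second ISP, the missing advertisement means the packet simply follows that ISP's default toward its own transit, so the DMZ is unreachable through it until the prefix is advertised there too. In practice the prefix must also be one the second ISP will accept and propagate (provider-independent space, or the first ISP's consent for its assigned space, and generally nothing longer than a /24).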
Thanks for the post harbor235 -:)
But as mentioned, the outside firewall that sits at the edge is configured in multiple contexts. When firewalls are configured in multiple contexts, it strips away the capability of running routing protocols, whether that be any IGP or BGP.
Ref: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml#unsupport

At the moment, we are not advertising our DMZ to the ISP. The ISP has just static routes to our DMZ and that's it. We don't advertise anything. So I think they redistribute these static routes into their BGP and then it's known by the rest of the world?

I agree, but I am talking about doing BGP through the firewall: one peer is the router on the inside of your firewall and the other peer is the ISP router; the firewall does not participate in BGP at all.

harbor235 ;}
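The "BGP through the firewall" arrangement described above, as an added configuration example that is not from the thread or from Cisco's documentation: an IOS router on the inside of the firewall peers with the ISP router using eBGP multihop, and the firewall only permits the TCP/179 session without running any routing protocol itself. Addresses are RFC 5737 documentation ranges, AS numbers are from the private range, and the interface name, the aggregate prefix, the ACL names and the absence of NAT on the peer addresses are all assumptions.

```cisco
! --- Inside router (behind the firewall); added example with placeholder values ---
router bgp 64512
 bgp log-neighbor-changes
 ! ISP router 203.0.113.1 in AS 64513 is not directly connected (the firewall sits
 ! in between), so allow the session to be up to two hops away.
 neighbor 203.0.113.1 remote-as 64513
 neighbor 203.0.113.1 description ISP2 eBGP peer reached through the firewall
 neighbor 203.0.113.1 ebgp-multihop 2
 neighbor 203.0.113.1 update-source GigabitEthernet0/0
 ! Originate only the aggregate covering DMZ and LAN; the ISP needs nothing more
 ! specific than this to reach the edge.
 network 198.51.100.0 mask 255.255.254.0
!
! Reach the peer via the firewall's inside address (192.0.2.1, assumed), and keep the
! aggregate in the routing table so BGP keeps originating it.
ip route 203.0.113.1 255.255.255.255 192.0.2.1
ip route 198.51.100.0 255.255.254.0 Null0 250
!
! --- ISP router side (mirror image, AS 64513; inside router is 192.0.2.10, assumed) ---
router bgp 64513
 neighbor 192.0.2.10 remote-as 64512
 neighbor 192.0.2.10 ebgp-multihop 2
!
! --- Firewall (ASA/PIX, any mode, no NAT on these addresses) ---
! No routing protocol on the firewall; only the BGP session between the two peers is
! permitted, in both directions.
access-list OUTSIDE_IN extended permit tcp host 203.0.113.1 host 192.0.2.10 eq 179
access-group OUTSIDE_IN in interface outside
access-list INSIDE_IN extended permit tcp host 192.0.2.10 host 203.0.113.1 eq 179
access-group INSIDE_IN in interface inside
```

Because the firewall is only forwarding the session, a multiple-context or active/active configuration does not matter to the peering; what does matter is that the firewall's own static routes still deliver traffic for the DMZ and LAN once the ISP has handed it to the edge.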
Any traffic coming from the ISP to the DMZ will of course be sent to the PIX firewall (as the DMZ is directly connected to it) and not the router.

   ISP
     |
Switch
     |
PIX -- DMZ
     |
Router (Co-location routers)

Shouldn't the ISP directly send the traffic to the PIX since it's directly connected? I can't understand how BGP will influence the routing to the DMZ in this case, since a firewall sits in between that has a better directly connected route to the DMZ; why would the ISP even want to come down to the router and from there route to the DMZ? Wouldn't it go straight to the firewall and then route to its DMZ through the directly connected interface?

Sorry but am just a bit confused on this one ...  -:)
Shouldn't the ISP directly send the traffic to the PIX since it's directly connected >> Let me rephrase this to eliminate confusion ...

Shouldn't the ISP send the traffic destined for the DMZ to the firewall since the DMZ is directly connected to the firewall? It won't even need to go to the router.

Thanks
I'll speak to the ISP about it, thanks for your help mate !