Solved

Questions about Multi-Link Multi-Homing, across multiple locations

Posted on 2010-11-08
588 Views
Last Modified: 2012-05-10
Just in case the subject does not say what I think it says (I'm not very familiar with this particular topic).  Attached is the theoretical physical network topology.

I want to have 3 separate internet connections, one in each of my 3 facilities, all "rolled up" to provide a unified method of accessing web servers on my DMZ(s).

Each facility has a site to site link.

So, to simplify things let's assume I have 3 sites and 3 public IPs:
1.1.1.1 on site 1,
2.2.2.2 on site 2,
3.3.3.3 on site 3.

Let's assume that I have a web server NATed on 1.1.1.1, which I want to be equally available from all 3 sites (obviously preferring the router at 1.1.1.1, which I suspect it will do automagically?).

To avoid the pitfalls of Round-Robin DNS, I have a single A record pointing www.company.com to 1.1.1.1

Now, I suspect that the following methods can be used:
1) BGP
Would likely be the best method in a perfect world, but I haven't got a /24 subnet at my disposal.

2) Static Routes + Metrics on routers
Since the links are very likely all going to be from the same ISP (lack of available alternatives) I could, in theory, just pay them money and ask them to set static routes and metrics to each of my 3 public IPs, such that the alternates (#2 and #3) would be used in the event of saturation or link-down situations.  Guessing this would be incredibly messy?

In short, how can I have a single A record reachable from three public IPs, without using BGP?
Question by:lunanat
LVL 57

Expert Comment

by:giltjr
ID: 34095699
Yes, you can have a single A record with 3 different IP addresses.  However it will NOT accomplish what you want.


1) The DNS server will hand out the IP addresses in round robin fashion.  First query will get 1.1.1.1, second query will get 2.2.2.2, third query will get 3.3.3.3, fourth query will get 1.1.1.1.

2) Desktops on the Internet very seldom actually query your DNS server.  They use either internal resolvers or their ISP's resolvers.  Which means if you have 30 customers that all use the same ISP, the ISP's resolver will do a single query to your DNS server, cache the results and then use that IP address for all queries until the TTL for the host expires.

3) DNS round robin does not detect link status.  If the link to site 1 goes down, the DNS server will still hand out the IP address 1.1.1.1 one out of every three queries.  Anybody that has 1.1.1.1 cached will still try to connect to 1.1.1.1 and fail.

If all 3 links are from the same ISP, you would need to see if they can route 1.1.1.1 through all 3 sites.
LVL 1

Author Comment

by:lunanat
ID: 34095727
Not quite what I was referring to - I'm specifically looking for ways around Round-Robin DNS, not a way to implement it without its pitfalls.

The single A record would be a single IP address.

That being said, at the end of your post you mention routing 1.1.1.1 through all three sites - I had suspected this would be the main method, but I'm not very sure of the topic as I've never actually implemented any routing beyond some vlans on layer 3 switches where the routing basically just took care of itself.

It's doable, if the ISP is willing, to simply tell "the internet" (which really in this case I expect would be the ISP's routers) that there are higher-cost paths available to reach 1.1.1.1 should the lowest cost path be either saturated or down?
LVL 57

Accepted Solution

by:
giltjr earned 500 total points
ID: 34096100
Oops, read through your post a bit quick and answered with things you already knew about.

Now you could have some problems attempting to do what you want.

Your 1.1.1.1 address would need to be on each of your 3 firewalls.

Your ISP will have to configure their network to send traffic to 1.1.1.1 via their routers at each site.

Your firewalls will need to send 1.1.1.1 to the appropriate internal IP address and will more than likely need to NAT the users external address to an internal address.  

The reason for NAT'ing the user's outside address to an internal address is so that your site 2 layer 3 router routes the response back through the link the request came in on.  So all traffic coming from site 1's firewall will have a source address of say 1.1.10.1, all traffic coming from site 2's firewall will have 1.1.20.1, and all traffic from site 3's firewall will have 1.1.30.1.

If you don't do this, then the site 2 L3 router is going to send the response out via its default route, which means you may have a request come in via site 1's link and the reply try to go back out via site 2's.  The problem is that site 2's firewall did not see the inbound request and may think something is wrong and drop the response.
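The asymmetric-return problem giltjr describes, as an added simulation that is not code from this thread: a stateful firewall at each site, one internal L3 router whose default route points at site 2, and the per-site SNAT addresses 1.1.10.1 / 1.1.20.1 / 1.1.30.1 from the answer. The internal server address 10.0.0.80 and the client address 203.0.113.5 are constructed for the example.

```python
import ipaddress

# Constructed topology: 1.1.1.1 is reachable via all three sites, each site
# has its own stateful firewall, and one internal L3 router owns the server
# subnet.  SITES maps site number -> the SNAT address that site's firewall uses.
SITES = {1: "1.1.10.1", 2: "1.1.20.1", 3: "1.1.30.1"}
SERVER = "10.0.0.80"      # internal web server behind the 1.1.1.1 DNAT (constructed)
DEFAULT_SITE = 2          # the L3 router's default route leaves via site 2

# Static routes on the internal L3 router: each firewall's SNAT range goes back
# through that firewall; anything else follows the default route.
ROUTES = {
    ipaddress.ip_network("1.1.10.0/24"): 1,
    ipaddress.ip_network("1.1.20.0/24"): 2,
    ipaddress.ip_network("1.1.30.0/24"): 3,
}


def next_hop(dst):
    """Longest-prefix match on the L3 router, falling back to the default route."""
    matches = [net for net in ROUTES if ipaddress.ip_address(dst) in net]
    if not matches:
        return DEFAULT_SITE
    return ROUTES[max(matches, key=lambda n: n.prefixlen)]


def simulate(client, ingress_site, snat):
    """Return (site the reply leaves through, True if the client receives it).

    Each firewall forwards a reply only for a flow it saw inbound (stateful
    inspection); a reply that exits through a firewall with no state is dropped.
    """
    state = {site: set() for site in SITES}      # per-firewall connection table
    # Inbound: the ingress firewall DNATs 1.1.1.1 -> SERVER and, when snat is
    # on, rewrites the client's source address to its own SNAT address.
    src = SITES[ingress_site] if snat else client
    state[ingress_site].add((src, SERVER))
    # The server answers whatever source it saw; the L3 router picks the egress.
    egress = next_hop(src)
    delivered = (src, SERVER) in state[egress]
    return egress, delivered


if __name__ == "__main__":
    for site in SITES:
        for snat in (False, True):
            egress, ok = simulate("203.0.113.5", site, snat)
            print(f"in via site {site}, SNAT={snat}: reply via site {egress}, "
                  f"{'delivered' if ok else 'DROPPED by stateful firewall'}")
```

Without SNAT only requests that happen to arrive via the default-route site get their replies back; with SNAT every site's replies return through the firewall that holds the connection state.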
LVL 1

Author Comment

by:lunanat
ID: 34096466
Thanks, that's exactly what I was looking to read.