Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] Nokia & ISP Load Balance

To: [email protected]
Subject: Re: [FW-1] Nokia & ISP Load Balance
From: Don <[email protected]>
Date: Thu, 2 May 2002 13:09:32 -0400
In-reply-to: <B10E901D8D1B6347A43851B704852DD35E94@ES01LCTJAX.corp.lightningcloud.net>
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

> 4.  I recommend that you define exactly what it is you want to do, and
> build a solution from there.  Introducing multi-homing to your network
> takes you into deep waters.  Do you really need to be connected to two
> ISPs that badly?  If so, you should be using routers and not firewalls
> at your edge.
Multi-homing with fail-over is not that bad, but multi-homing with load
sharing is nearly impossible. It is hard from a techinical persepctive,
even harder from a "Getting the ISP to understand what you want"
perspective, and finally nearly impossible when it comes to getting the
ISP's to cooperate.

> 5.  When I look at what you are trying to do, I'm thinking load balanced
> links to a single ISP.  If you can get the circuits on separate physical
> paths, to different routers at a hardened, multihomed POP, you would be
> in pretty good shape, without the multihoming craziness.
I would agree here. Load balanced links to a single multihomed and
reliable ISP are a LOT easier to implement, troubleshoot, and require less
powerful hardware.

If you definitely want diverse connectivity, you may also want to consider
something like UUNet's diverse T1 solution. They will run lines to two
different CO's and two different POP's and configure the BGP routing. You
will get two lines that are both active at the same time.

I am sure other ISP's can do similar configurations, I just have not had
much luck finding them :)

You definitely do not want to get the firewalls involved with this
however. Besides the potential security problems with a dynamic routing
protocol, the load that something like BGP can add to your firewall can be
pretty high. Not something you want where performance is a consideration.

The Radware boxes and FatPipe devices do not allow seemless inbound
traffic so they are less valuable as a solution here.

-Don

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

References:
- Re: [FW-1] Nokia & ISP Load Balance
  - From: Steve McNutt <[email protected]>

Prev by Date: Re: [FW-1] Changing HTTP client authentication port
Next by Date: Re: [FW-1] DNS Question
Previous by thread: Re: [FW-1] Nokia & ISP Load Balance
Next by thread: Re: [FW-1] Nokia & ISP Load Balance
Index(es):
- Date
- Thread