[c-nsp] Dual-homing without BGP

Elmar K. Bins elmi at 4ever.de
Thu Feb 16 10:16:01 EST 2006

vincent at dekeyzer.net (Vincent De Keyzer) wrote:

> can you please review the following suggestion?

[Customer has own network block but doesn't want to play full BGP,
 do it via different server IP addresses and outgoing policy based
 (source) routing]

This may work with short DNS TTLs, multiple IP addresses for a
service and/or an IP address change in case of trouble.

Have you considered using something like a stateful packet filter?
My setup would most likely be something along these lines:

- Use a Juniper Netscreen (appropriate size) with BGP enabled as
  the exterior router.

- Advertise the service network (/23) to both transit providers.

- Use one IP address per service (we're playing BGP failover here).

- Give the Netscreen two default routes, one to each transit ISP.

BGP will handle balancing the incoming traffic, and - this is the
best part of it - the Netscreen will push the response packets to
exactly the interface where the request came in. The packet filter
saves the ingress interface in its session table and consults that
table when the response has to be routed outwards.

Btw, this also works (I tested it, and I was quite surprised) if
you omit the default routes, but I'd rather put them there anyway.
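
[Editor's note: the following is an added illustration of the setup
described above; it is not part of the original post and not a
vendor-supplied configuration. The ScreenOS 5.x CLI syntax is from
memory and should be checked against the CLI reference for your
release before use. Lines beginning with # are commentary, not CLI
input. All values are assumptions: AS 65000 for the customer,
64496 and 64497 for the two transit ASes, RFC 5737 addresses on the
transit links, and 10.20.0.0/23 as a placeholder for the customer's
own /23 (substitute the real PI block).]

```text
# Two untrust interfaces, one per transit provider (assumed addressing)
set interface ethernet1 zone Untrust
set interface ethernet1 ip 192.0.2.2/30
set interface ethernet2 zone Untrust
set interface ethernet2 ip 203.0.113.2/30
# Service network behind the firewall (placeholder /23)
set interface ethernet3 zone DMZ
set interface ethernet3 ip 10.20.0.1/23

# One BGP instance, peered with both transits, announcing the /23 to each
set vrouter trust-vr protocol bgp 65000
set vrouter trust-vr protocol bgp neighbor 192.0.2.1 remote-as 64496
set vrouter trust-vr protocol bgp neighbor 192.0.2.1 enable
set vrouter trust-vr protocol bgp neighbor 203.0.113.1 remote-as 64497
set vrouter trust-vr protocol bgp neighbor 203.0.113.1 enable
set vrouter trust-vr protocol bgp network 10.20.0.0/23
set vrouter trust-vr protocol bgp enable
set interface ethernet1 protocol bgp
set interface ethernet2 protocol bgp

# Two default routes, one per transit, as the post suggests.
# They only matter for sessions the firewall originates or sees first
# from the inside; replies to inbound sessions follow the ingress
# interface recorded in the session table, not these routes.
set route 0.0.0.0/0 interface ethernet1 gateway 192.0.2.1 preference 20
set route 0.0.0.0/0 interface ethernet2 gateway 203.0.113.1 preference 20

# Policy: permit only the published services inbound (one IP per
# service, as in the post); reply packets are matched by the session
# table rather than by policy
set address DMZ web-1 10.20.0.10 255.255.255.255
set policy from Untrust to DMZ any web-1 HTTP permit
set policy from Untrust to DMZ any web-1 HTTPS permit
```

Two points to check on the box itself: with equal preference on both
default routes the vrouter must be allowed more than one route per
prefix (the `max-ecmp-routes` vrouter setting, name from memory) or
only one of them is installed; and the reverse-path behaviour the post
relies on, replies leaving on the interface the request arrived on,
can be confirmed by opening a session from each transit and watching
`get session` show the matching ingress and egress interfaces.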

