[c-nsp] two ISPs, two routers, one firewall - bgp question

Ivan Pepelnjak ip at ioshints.info
Mon Apr 6 13:05:55 EDT 2009


Outbound traffic traverses the DMZ segment twice (FW -> R2 -> R1).
Inbound traffic traverses the DMZ segment once (R2 -> FW).

The difference is that FW has no idea where to send the traffic (follows
default route), whereas R2 knows the internal network is reachable through
the FW.

Hope this helps
Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/
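To make the hop count in the reply above concrete, here is an added example that is not part of the thread and not taken from the linked Cisco configuration example. Everything in it is assumed for illustration: FW, R1 and R2 share one DMZ segment, 203.0.113.0/24 stands in for a prefix in AS300, 10.0.0.0/8 for the internal network, and R2 carries an iBGP-learned route for that prefix pointing at R1. It forwards a packet hop by hop with longest-prefix match and counts how often it crosses the DMZ segment. The optional `fw_knows_as300` flag is my own extrapolation from the point that the firewall only follows a default route: it models what changes if the firewall is given a specific route, which the thread itself does not prescribe.

```python
import ipaddress

# All of this is constructed for illustration; none of it comes from the thread.
AS300_PREFIX = "203.0.113.0/24"   # stands in for a prefix in AS300
INSIDE = "10.0.0.0/8"             # stands in for the internal network


def build_tables(fw_knows_as300=False):
    """Routing tables: node -> list of (prefix, next_hop_node, segment crossed).

    FW, R1 and R2 all sit on the "dmz" segment; R1 and R2 each have their own
    upstream link ("wan1" to ISP-A on R1, "wan2" to ISP-B on R2).
    """
    tables = {
        "FW": [("0.0.0.0/0", "R2", "dmz"),        # default route only
               (INSIDE, "LAN", "inside")],
        "R2": [("0.0.0.0/0", "ISP-B", "wan2"),
               (AS300_PREFIX, "R1", "dmz"),       # iBGP says R1 is the best exit
               (INSIDE, "FW", "dmz")],
        "R1": [("0.0.0.0/0", "ISP-A", "wan1"),
               (AS300_PREFIX, "ISP-A", "wan1"),
               (INSIDE, "FW", "dmz")],
    }
    if fw_knows_as300:
        # Hypothetical: the firewall has a specific route pointing at R1.
        tables["FW"].append((AS300_PREFIX, "R1", "dmz"))
    return tables


def forward(tables, start, dst_ip, max_hops=16):
    """Forward hop by hop using longest-prefix match.

    Returns (exit_node, segments): the first node outside the topology (or
    "drop" when no route matches) and the ordered list of segments crossed.
    """
    dst = ipaddress.ip_address(dst_ip)
    node, segments = start, []
    while node in tables:
        candidates = [(ipaddress.ip_network(p), nh, seg)
                      for p, nh, seg in tables[node]
                      if dst in ipaddress.ip_network(p)]
        if not candidates:
            return "drop", segments
        _, next_hop, seg = max(candidates, key=lambda c: c[0].prefixlen)
        segments.append(seg)
        node = next_hop
        if len(segments) > max_hops:
            raise RuntimeError("routing loop detected")
    return node, segments


def dmz_crossings(tables, start, dst_ip):
    """How many times a packet from `start` to `dst_ip` crosses the DMZ segment."""
    exit_node, segments = forward(tables, start, dst_ip)
    return exit_node, segments.count("dmz")


if __name__ == "__main__":
    t = build_tables()
    print("outbound, FW default route only:", dmz_crossings(t, "FW", "203.0.113.10"))
    print("inbound entering at R1:", dmz_crossings(t, "R1", "10.1.2.3"))
    print("inbound entering at R2:", dmz_crossings(t, "R2", "10.1.2.3"))
    t2 = build_tables(fw_knows_as300=True)
    print("outbound, FW has specific route:", dmz_crossings(t2, "FW", "203.0.113.10"))
```

With the default-route-only tables the outbound packet crosses the DMZ segment twice (FW -> R2, then R2 -> R1) and the inbound packet once, whichever border router it enters at, because both routers hold a specific route for the internal network via the FW. In the hypothetical variant the outbound count drops to one. In both variants every path still passes through the FW, so what the extra traversal costs is DMZ segment capacity, not firewall state symmetry.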

> -----Original Message-----
> From: Rossella Mariotti-Jones [mailto:rossella at chemeketa.edu] 
> Sent: Monday, April 06, 2009 6:22 PM
> To: cisco-nsp at puck.nether.net
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] two ISPs, two routers, one firewall - bgp question
> 
> Hello all, I have a question regarding this scenario:
> http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a00800945bf.shtml#conf5
> 
> My R2 link to ISP is 100M
> R1 link to ISP is a DS3
> 
> If my firewall has a default route of 192.168.21.2 and I 
> have a 10M download going with AS300, my firewall is going to 
> send out my traffic through its default gateway which is 
> 192.168.21.2, R2 knows through iBGP that R1 is the best path 
> to AS300, so it sends the traffic to R1, traffic coming back 
> goes through R1, R2, firewall to get to the client, so 
> basically in this case the link between my firewall and R2 is 
> taken up twice. Am I understanding this correctly? Thanks 
> everyone in advance.
> 
> rossella
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
> Sent: Monday, April 06, 2009 8:12 AM
> To: Rick Ernst
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Getting ready to pull the trigger: RSP720/SUP720
> 
> On Mon, 6 Apr 2009, Rick Ernst wrote:
> 
> > I'm planning on collapsing the border/core into a pair of 
> > 7600/Sup720-3BXLs, and it looks like they will be almost idle with this
> > amount of load.
> 
> That really depends on the features you enable.  Try doing 
> full netflow on a sup720 doing a few hundred mbit's of 
> traffic, and they're suddenly not so mighty.
> 
> > The problem I am running into is spec'ing the aggregation layer.
> > Almost all of our traffic is ethernet now, and all the interfaces need 
> > bi-directional rate-limiting/traffic-shaping/policing.  We have a
> > variable bandwidth model and need to cap traffic at 1Mbs 
> > granularity. 1,5, and 10Mbs connections are common, and 20,50,100Mbs 
> > connections exist with a 200Mbs pipe in process.
> 
> We've been using 3550's for years for this, as they have the 
> ability to police in both directions, per port, at whatever 
> granularity you like. 
> The 3560, which was supposed to be an improvement/replacement 
> for the 3550 lost this ability, which really shocked me when 
> I configured my first one.
> It can do per-port output shaping, but the granularity kind of blows. 
> You're limited to 1/N * port rate, where N is an integer from 
> 0 to 65535. 
> This gives plenty (actually a huge waste of range) of 
> granularity at the low end of bandwidth, but at the high end, you're 
> limited to full rate, 50%, 33%, 25%, 20%, etc.  If I'm wrong here, I'd 
> love to hear it and be told how to limit a 100mbit port to 
> say 40mbit/s.
> 
> ----------------------------------------------------------------------
>   Jon Lewis                   |  I route
>   Senior Network Engineer     |  therefore you are
>   Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net 
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> 
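The 1/N granularity described in the quoted message is easy to check numerically. The block below is an added example, not part of the thread and not a statement about any real 3560 behaviour beyond the model as stated there: a shaped rate is the port rate divided by an integer N (N = 0 is skipped here, since it is meaningless as a divisor; the upper bound 65535 is taken from the message). It finds the closest reachable rate to a requested one and reports the relative error, and the demo runs it against the tiers Rick lists on a 100 Mbit port together with the 40 Mbit case Jon raises.

```python
def nearest_shaped_rate(port_mbps, target_mbps, n_max=65535):
    """Closest rate to `target_mbps` reachable as port_mbps / N, 1 <= N <= n_max.

    Returns (N, achieved_rate_mbps, relative_error). The divisor model comes
    from the quoted message; skipping N = 0 is this example's own choice.
    """
    if target_mbps <= 0 or port_mbps <= 0:
        raise ValueError("rates must be positive")
    guess = min(max(round(port_mbps / target_mbps), 1), n_max)
    # The rounded ratio is not always the closest *rate*, so check its neighbours.
    candidates = [n for n in (guess - 1, guess, guess + 1) if 1 <= n <= n_max]
    best = min(candidates, key=lambda n: abs(port_mbps / n - target_mbps))
    achieved = port_mbps / best
    return best, achieved, abs(achieved - target_mbps) / target_mbps


def exact_tiers(port_mbps, tiers_mbps, n_max=65535):
    """Subset of the requested tiers that the 1/N model can hit exactly."""
    return [t for t in tiers_mbps
            if nearest_shaped_rate(port_mbps, t, n_max)[2] == 0.0]


if __name__ == "__main__":
    port = 100
    # Tiers named in the quoted message, all on a 100 Mbit port (constructed demo).
    tiers = [1, 5, 10, 20, 50, 100]
    print("exactly reachable on a 100 Mbit port:", exact_tiers(port, tiers))
    for target in tiers + [40]:
        n, rate, err = nearest_shaped_rate(port, target)
        print(f"want {target:>4} Mbit -> N={n:<4} gives {rate:7.3f} Mbit "
              f"(error {err:.1%})")
```

On a 100 Mbit port every tier Rick names is reachable exactly (N = 100, 20, 10, 5, 2 and 1), while 40 Mbit lands at 33.3 Mbit with N = 3, a shortfall of about 17%. That is the high-end coarseness the quoted message points at: the reachable rates thin out as N gets small.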


