Saturday, January 27, 2018

Trying to figure out a dual-homed BGP setup, getting writer's block

So I'm doing some design work for our updated enterprise... we're going to get a dual-homed (single ISP) setup, where we'll get two circuits, and terminate them to two routers.

I've set something similar to this up at a different job before. It was really simple. We did iBGP between our two edge routers, and on the "primary circuit" we set any route learned from the ISP as a higher local preference, and on the "backup circuit" we set any route we advertised to the ISP to be prepended 4 times.

This led to the primary circuit being the path all ingress and egress traffic took into and out of our network. It also led to the backup circuit being more or less completely unused, but it would kick in and be the best path both into and out of our network if the primary circuit died.
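As an added illustration (not code from the original post), here is a small Python model of the part of the BGP decision process that drives the behaviour just described: highest LOCAL_PREF wins for egress, shortest AS_PATH wins at the ISP for ingress, and iBGP carries LOCAL_PREF between the two edge routers. The AS numbers, prefixes and router-ids are constructed documentation values, not anything from the post; R1 is the "primary circuit" router and R2 the "backup circuit" router.

```python
from dataclasses import dataclass

# Constructed example values (documentation ASNs/prefixes, not from the post).
OUR_AS = 64496
ISP_AS = 64500
OUR_PREFIX = "203.0.113.0/24"
DEFAULT = "0.0.0.0/0"


@dataclass(frozen=True)
class Path:
    prefix: str
    exit_router: str          # which edge router the traffic would actually leave through
    as_path: tuple            # AS_PATH attribute as seen by the receiving router
    local_pref: int = 100     # BGP default LOCAL_PREF
    via: str = "ebgp"         # "ebgp" or "ibgp": how the receiving router learned it
    peer_id: str = "0.0.0.0"  # advertising peer's router-id, last tie-breaker used here


def best_path(paths):
    """Subset of the BGP decision process that matters for this design:
    highest LOCAL_PREF, then shortest AS_PATH, then eBGP over iBGP,
    then lowest peer router-id. Returns None when there is no path at all."""
    if not paths:
        return None
    return min(
        paths,
        key=lambda p: (-p.local_pref, len(p.as_path),
                       0 if p.via == "ebgp" else 1, p.peer_id),
    )


def egress_choices(primary_up=True, backup_up=True):
    """Return {router: exit_router} for the ISP's default route under the
    described policy: R1 sets LOCAL_PREF 200 on routes learned from the ISP,
    R2 leaves them at 100, and R1/R2 exchange their best paths over iBGP."""
    ebgp = {}
    if primary_up:
        ebgp["R1"] = Path(DEFAULT, "R1", (ISP_AS,), local_pref=200, peer_id="192.0.2.1")
    if backup_up:
        ebgp["R2"] = Path(DEFAULT, "R2", (ISP_AS,), local_pref=100, peer_id="192.0.2.2")
    router_ids = {"R1": "10.0.0.1", "R2": "10.0.0.2"}
    result = {}
    for router in ("R1", "R2"):
        candidates = []
        if router in ebgp:
            candidates.append(ebgp[router])
        # iBGP: the other edge router re-advertises its eBGP path, LOCAL_PREF intact.
        other = "R2" if router == "R1" else "R1"
        if other in ebgp:
            p = ebgp[other]
            candidates.append(Path(p.prefix, p.exit_router, p.as_path,
                                   p.local_pref, "ibgp", router_ids[other]))
        best = best_path(candidates)
        result[router] = best.exit_router if best else None
    return result


def ingress_choice(primary_up=True, backup_up=True, prepends=4):
    """Return which edge router the ISP will hand our inbound traffic to.
    R1 advertises OUR_PREFIX plainly; R2 prepends our own AS `prepends` times."""
    seen_by_isp = []
    if primary_up:
        seen_by_isp.append(Path(OUR_PREFIX, "R1", (OUR_AS,), peer_id="198.51.100.1"))
    if backup_up:
        seen_by_isp.append(Path(OUR_PREFIX, "R2", (OUR_AS,) * (1 + prepends),
                                peer_id="198.51.100.2"))
    best = best_path(seen_by_isp)
    return best.exit_router if best else None


if __name__ == "__main__":
    for primary, backup in ((True, True), (False, True), (True, False)):
        print(f"primary_up={primary} backup_up={backup}: "
              f"egress={egress_choices(primary, backup)} "
              f"ingress={ingress_choice(primary, backup)}")
```

Two things the model makes visible. LOCAL_PREF only ever affects our own egress decision and prepending only ever affects what the ISP does with inbound traffic, so the two knobs are independent and the failover on each side is automatic. And because the ISP hands over a single prefix (the default), `egress_choices` makes exactly one AS-wide choice for it; there is no second prefix to give a different LOCAL_PREF to, which is the constraint that makes the "two circuits for two different things" requirement harder than the plain primary/backup design.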

Then LAN side we just did VRRP between the edge routers and had the firewalls point a static route to the VIP.

That was simple, easy to understand, and I could set it up easily today.

There's one small problem. We are kinda wanting to use the two different circuits for two different things.

That would require certain traffic to always go out and come in on "Path B," while the rest of the traffic always goes out and comes in on "Path A."

I'm trying to figure out in this case: do I even do iBGP between the edge routers? After all if I do iBGP between them, and the ISP only advertises a default route, my entire autonomous system will pick only ONE path out of my network. Right? So that throws out the whole "use the two circuits for two different things."

So if I split the edge routers up so they aren't iBGP anymore, then I can do "different things" on both circuits, but then I kinda lose redundancy, right? i.e., if path B fails, how do I make sure that traffic fails over to Path A without anyone having to touch anything? They still very much want this stuff to be able to fail over.

I'm starting to realize this configuration is actually going to be a little more complex than I originally thought it would be. I'm not sure how it will look on the firewalls either.

Anyone got any advice? By all means I'm not asking anyone to hold my hand and configure the whole design for me, maybe just some hints or pointers. Making things a little more difficult is our ISP, which has a very cookie-cutter approach to peering and doesn't set up anything they would deem "custom" for us.
