Thanks to:
Owen Connolly <ojc@dataway.com>
Marco Greene <mgreene@sympatico.ca>
Stefan Jon Silverman <sjs@sjsinc.com>
eric <eric@catastrophe.net>
Jochen Bern <bern@penthesilea.uni-trier.de>
Dan Brown <brown@obscure.org>
Al Hopper <al@logical-approach.com>
Daniel Polombo <daniel.polombo@detexis.thomson-csf.com>
Larry Chin <larry@sprint.ca>
My problem was trying to figure out how to route the following so that
the machines at the ISPs talk to each other via HQ and don't have to
weave through the Internet to talk to each other, unless the lines to HQ
are down for some reason in which case the Internet should be the backup:
       __________________INTERNET____________________
     /                                                \
    AT&T                                            Qwest
     |                                                |
Firewall (Sun Solaris/Checkpoint FW1)          Firewall (same)
     |                                                |
IntelSwitch-----cisco2500-------HQ----cisco2500--IntelSwitch
   /   \                                            /   \
serv1 serv2                                      serv3 serv4
The most difficult but probably the best solution is to use BGP or another
routing protocol that would allow dynamic routing based on distance and
load and such.
The problem with using two default routes seems to be that the machine will
either ignore one or will randomly pick one, which isn't what we want.
There's also the possibility that the machine will try both, which is slow
and redundant.
Of course I'd rather have all our servers centrally located with us, but
there are redundancy issues involved here as well as the fact that we do
not have a proper data center at our HQ location (poor environmental
control, no redundant power, no redundant net connections, etc). Plus, we
get T3s direct at our ISPs for much less than it would cost to have them
run to our HQ.
Another suggestion was that going from AT&T to Qwest and vice versa might
be faster than going via a T1 because of peering and such. We'll have to
explore that possibility, but there are security concerns there as well.
Also, we could have two default routes, but have the metric on one set
higher, which would be the less-preferred-route. This might make sense for
failover, in case the T1 goes down the machine can then use the Internet as
backup.
Still another suggestion was to go with the default route through the
Internet and add a specific route to the HQ from the machines at the ISPs,
or to set the firewalls to do ICMP redirects to send packets from servers
to HQ over to the Cisco routers. We will probably do one of these,
assuming that if the static route fails, it'll default to the default. If
it won't do that, we'll have to do something more complex.
Thanks again for all the replies, and I am continuing to clarify some
advice with specific responders to my initial question.
-Adam
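The static-route options weighed in the summary (a specific route to HQ beside a default via the firewall, or two defaults with different metrics), modelled in an added Python example that is not part of the original post or of any reply; the gateway names and 10.x prefixes are assumed. It also shows the point behind "assuming that if the static route fails, it'll default to the default": the kernel keeps a static route installed while the server's LAN link to the cisco is up, so the route has to be withdrawn before the default takes over.

```python
import ipaddress

# Added model of the route choice weighed in the summary. Gateway names and
# 10.x prefixes are constructed assumptions: "fw-att" is the AT&T-side
# firewall, "cisco-att" the cisco2500 whose T1 leads to HQ and on to Qwest.

class RouteTable:
    def __init__(self):
        self.routes = []          # entries: [network, gateway, metric]
        self.dead_links = set()   # gateways whose far-side link (the T1) is down

    def add(self, prefix, gateway, metric=0):
        self.routes.append([ipaddress.ip_network(prefix), gateway, metric])

    def withdraw(self, gateway):
        """Remove every route via a gateway. Something (an admin, a routing
        daemon) has to do this when the T1 fails: the server's LAN link to
        the cisco stays up, so the kernel keeps the static route installed."""
        self.routes = [r for r in self.routes if r[1] != gateway]

    def lookup(self, dst):
        """Longest-prefix match first, lowest metric as the tie-breaker."""
        addr = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if addr in r[0]]
        if not cands:
            return None
        return max(cands, key=lambda r: (r[0].prefixlen, -r[2]))[1]

    def delivers(self, dst):
        # True only if the chosen next hop can actually forward the packet.
        gw = self.lookup(dst)
        return gw is not None and gw not in self.dead_links

def serv1_table():
    """Static-route variant for serv1: default via the firewall, HQ and
    Qwest-site LANs via the cisco2500, plus a higher-metric backup default."""
    t = RouteTable()
    t.add("0.0.0.0/0", "fw-att")                # Internet via the firewall
    t.add("10.1.0.0/16", "cisco-att")           # HQ LAN over the T1
    t.add("10.2.0.0/16", "cisco-att")           # Qwest-site servers, via HQ
    t.add("0.0.0.0/0", "cisco-att", metric=10)  # less-preferred default
    return t

if __name__ == "__main__":
    t = serv1_table()
    print(t.lookup("10.2.0.4"), t.lookup("198.51.100.9"))  # cisco-att fw-att
    t.dead_links.add("cisco-att")       # T1 goes down, route still installed
    print(t.lookup("10.2.0.4"), t.delivers("10.2.0.4"))    # cisco-att False
    t.withdraw("cisco-att")             # only now does traffic use the default
    print(t.lookup("10.2.0.4"), t.delivers("10.2.0.4"))    # fw-att True
```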
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:31 CDT