Firewall Wizards mailing list archives

Re: dual ISP connections

From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 5 Jul 2006 15:18:51 +0200

Hello!

The outgoing is not so hard with BGP. The incomming traffic is the
interesting thing.


True.

You can pre-pend some AS info to one of your ISPs,
but sometimes the balancing is complete unbalanced. Also you can split
your IP space to try to balance some traffic.


Splitting your IP space into smaller pieces is strongly discouraged.
You are cluttering the default free zone with multiple prefixes
where one would be sufficient and your announcements may even be
filtered and blocked. E.g. in the RIPE area the smallest PA allocation
is a /20. There are ISPs who assume that any longer prefix
out of the RIPE address range is a bogus announcement.

Reasonable upstreams provide community attributes to prepend when
announcing to certain big players. E.g. one of our upstreams:

$ whois -r AS12306
...
remarks:        C o m m u n i t y    D e f i n i t i o n s
remarks:
remarks:        12306:1000   do not announce at the DE-CIX
remarks:        12306:1011   single prepend when announcing at the DE-CIX
remarks:        12306:1012   double prepend when announcing at the DE-CIX
remarks:        12306:1013   triple prepend when announcing at the DE-CIX
remarks:        12306:1014   quad prepend when announcing at the DE-CIX
remarks:
remarks:        12306:3000   do not announce to DTAG AS3320
remarks:        12306:3011   single prepend when announcing to DTAG AS3320
remarks:        12306:3012   double prepend when announcing to DTAG AS3320
remarks:        12306:3013   triple prepend when announcing to DTAG AS3320
remarks:        12306:3014   quad prepend when announcing to DTAG AS3320
remarks:
remarks:        12306:4000   do not announce at the INXS
remarks:        12306:4011   single prepend when announcing at the INXS
remarks:        12306:4012   double prepend when announcing at the INXS
remarks:        12306:4013   triple prepend when announcing at the INXS
remarks:        12306:4014   quad prepend when announcing at the INXS
remarks:
remarks:        12306:9100   do not announce to CW
remarks:        12306:9111   single prepend when announcing to CW
remarks:        12306:9112   double prepend when announcing to CW
remarks:        12306:9113   triple prepend when announcing to CW
remarks:        12306:9114   quad prepend when announcing to CW
remarks:
remarks:        12306:9200   do not announce to ABOVENET AS6461
remarks:        12306:9211   single prepend when announcing to ABOVENET
remarks:        12306:9212   double prepend when announcing to ABOVENET
remarks:        12306:9213   triple prepend when announcing to ABOVENET
remarks:        12306:9214   quad prepend when announcing to ABOVENET
remarks:
...


Regards,

Patrick M. Hausen
Leiter Netzwerke und Sicherheit
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: dual ISP connections Eagle Fire (Jul 05)
- Re: dual ISP connections Patrick M. Hausen (Jul 05)
  - Re: dual ISP connections Eagle Fire (Jul 09)
  - SNMP RW ASA 7.2.1 Pablo Perez (Jul 19)
    - Re: SNMP RW ASA 7.2.1 Victor Williams (Jul 19)
    - Re: SNMP RW ASA 7.2.1 Brian Loe (Jul 19)
    - Re: SNMP RW ASA 7.2.1 Victor Williams (Jul 20)
    - Re: SNMP RW ASA 7.2.1 Pete Capelli (Jul 21)
    - Re: SNMP RW ASA 7.2.1 Pablo Pérez (Jul 21)
    - Re: SNMP RW ASA 7.2.1 R. DuFresne (Jul 21)
    - Re: SNMP RW ASA 7.2.1 R. DuFresne (Jul 21)