Dual ISP - Load sharing/balancing

Unanswered Question
Feb 29th, 2008

My organisation is implementing a secondary ISP link (4Mb) to coexist with our primary ISP link (10Mb).

The powers above would like to make use of the 4Mb link rather than have it sit there purely for redundancy.

We are undergoing the process of requesting our own class C public address space and ASN in order to run BGP between both ISP's.

Our problem lies in the fact that BGP can not load balance between differing AS's as per:


Having out own AS and address range will sort our the issues of incoming traffic for some of the services which we present to the outside world (Citrix, OWA etc).

I am aware that the path taken by BGP can be influenced, as to how effective this would be for us is another issue.

The topology we would be looking at is as follows:

image coming....

Circa 220 users inside

NAT is currently performed by the firewalls, ideally we would like to keep it this way for the sake of logs/ids etc.

They are dual checkpoints in a HA cluster. The checkpoints do have dual ISP capabilities how ever this requires us to run our own external DNS from what we have been advised.

At the end of the day we may have to settle for manually managed load sharing, or a device such as an F5. I how ever thought I would throw up the issue on here to see if anyone else has experience a similar issue.. is there a way of achieving a degree of automated load sharing between the two with failover (not effecting connection based traffic such as SSL which we use for offsite backup transfers).

*3825's have yet to be purchased, they have been chosen to allow for the throughput of the 10Mb link with headroom.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Joseph W. Doherty Fri, 02/29/2008 - 05:42

Without going into all the "how to's", there are various methods of allocating outbound path selection if you have full Internet tables to work with. Usually, route preferences are dynamically modified for outbound destinations. (There's even a "free" Cisco technology within 12.4, OER, and 12.4T, PfR.)

Inbound is a problem if you're working with different ISPs and each has a different public AS. If you have multiple public address spaces, or one large enough to split, you can advertise differently to your providers.

If you work with just one provider with multiple links, they can usually load balance your inbound traffic.


This Discussion