Hi there. I'm trying to figure out how to setup a situation where we have two different internet providers, that provide two different SLA's for availability, uptime, etc. We want to provide access via the primary internet link to our premium customers, and have the standard customers access us via the second internet connection. The problem that I"m running into is that since both sets of customers are coming in from the internet, how do we setup return routing so that the traffic goes back over the link it came in on? It's my understanding that the PIX/ASA does not do Policy Based Routing, which I think is soomething that would help us out in this case. Does anyone have any ideas on how I could set this up? I'm using 4506 switches, PIX 535 firewalls, and CSS 11501 load-balancers.
Traffic coming in will be based on many different things. But you want to specify traffic outbound based on some set of rules?
I am not clear on what you are wanting to accomplish.
Customer A - Premier customer has access to Permier Path
Customer B - Standard customer has access to Standard Path
How do these customers connect to you?
How do you know what Path they take to get to you?
I just need to understand your topology and requirement a little more.
Thanks for your response. You have it pretty correct -- We basically have 2 types of customers -- Premier and Standard. They will both be accessing us from the internet, although they will access different addresses that the providers are assigning to us. How do we know what path they will take to get to us? Well, that's definitely one of the issues. Our main provider connects directly to the outside interface of our firewall. We want to bring the other provider in on our DMZ space. We'd really like all traffic to go through the main (premium) internet connection by default, but if someone comes in via the standard internet they should be routed back the same way.
Thanks again for your help
"How do we know what path they will take to get to us?"
One of the ways you can do this is with BGP.
You specify what route they will take by your announcement.
Rotuer A w/ 2 T-1's
Premier T-1 announces 22.214.171.124/24
Standard T-1 announces 126.96.36.199/24
In these announcements you tell the internet where to find their connection.
You can have failover set-up by having the other announcement advertised with a higher metric and in the event of a line failure or flap your announcement will be more preferred by the internet and injected in the table as the best path. Once the connection comes back up or the issue is resolved the lower weighted route will be injected in the table as the best route. You can do this with AS prepending or weights/metrics.
I'll apologize in advance because my BGP experience was just enough to pass the test -- I've never used it in production. I don't see how BGP would work for us because the last device on our network is the firewall. We connect directly to our provider's internet (not ATT or Verizon or anybody like that). Essentially, we are connecting into their LAN.
I've attached a diagram of how it looks right now: One thing I forgot to add is that the premium internet is coming in on the outside firewall interface, the standard is coming in on the DMZ interface that also connects out to other clients who have direct connectivity to us.
Thanks again for your help on this.
Ok, from your picture your firewall sits right on the internet?
What is between your firewall and the internet?
Where is your provider in all of this?
We receive our premium internet from the facility we colocate with, so we aren't sitting directly on the internet, but we connect into their network before hitting the internet. The same with the other provider although we connect to them through a single DS3. Sorry the picture was not very good.
Same thing applies. They are just providing Ethernet instead of a T-1.
I would recommend putting in a router, asking for 2 links and asking them to run BGP with you. That way you control traffic and ask them to just make sure they pass your advertisement upstream.
I had a connection, much like what you have, at a data center.
We had a 10Mb Ethernet link to their Core, our ISP if you will.
Now this is one pipe. If we wanted to separate by type of connections you may need 2 pipes to specify your routes, for billing purposes or SLA purposes. You will need to have a router in between to control the routing between you and your provider, even at Ethernet level. You should always want to control it, unless it is a managed service. Otherwise you can ask your provider to run this for you.
That's where we are at -- a hosted datacenter. So yes, our "internet" connection is a certain amount of bandwidth provisioned to us from their network. We have a second internet provider who brought in an extension of their network (a single DS3) into the datacenter and we connect into their network much the same way as our datacenter internet. So for this to work with BGP we'd have to have a router on the outside of the firewall to direct traffic one way or the other, is that correct?
What about NAT'ing the incoming traffic from the standard internet provider? I don't think it's an elegant solution, but would that work?
Yes, but you will have no way of shaping your traffic. The only way to do this is via routing. Either you do it or your "ISP"
Since you have two different Providers you would need your own ASN, and I would then recommend your own IP space so you will not have vendor routing issues. I have seen vendors block announcements that belong to another vendor that is not swiped to you.