Having out own AS and address range will sort our the issues of incoming traffic for some of the services which we present to the outside world (Citrix, OWA etc).
I am aware that the path taken by BGP can be influenced, as to how effective this would be for us is another issue.
The topology we would be looking at is as follows:
Circa 220 users inside
NAT is currently performed by the firewalls, ideally we would like to keep it this way for the sake of logs/ids etc.
They are dual checkpoints in a HA cluster. The checkpoints do have dual ISP capabilities how ever this requires us to run our own external DNS from what we have been advised.
At the end of the day we may have to settle for manually managed load sharing, or a device such as an F5. I how ever thought I would throw up the issue on here to see if anyone else has experience a similar issue.. is there a way of achieving a degree of automated load sharing between the two with failover (not effecting connection based traffic such as SSL which we use for offsite backup transfers).
*3825's have yet to be purchased, they have been chosen to allow for the throughput of the 10Mb link with headroom.
Without going into all the "how to's", there are various methods of allocating outbound path selection if you have full Internet tables to work with. Usually, route preferences are dynamically modified for outbound destinations. (There's even a "free" Cisco technology within 12.4, OER, and 12.4T, PfR.)
Inbound is a problem if you're working with different ISPs and each has a different public AS. If you have multiple public address spaces, or one large enough to split, you can advertise differently to your providers.
If you work with just one provider with multiple links, they can usually load balance your inbound traffic.
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...