Agreed. You could still receive their routes and no/export your AS but I wouldn't go beyond the firewall.
Jason Bothe, Manager of Networking
Rice University
o +1 713 348 5500
m +1 713 703 3552
ja...@rice.edu

> On Nov 23, 2014, at 17:57, William Herrin <b...@herrin.us> wrote:
>
> On Fri, Nov 21, 2014 at 9:49 AM, Curtis L. Parish <curtis.par...@mtsu.edu>
> wrote:
>> We advertise our ASN into the state network with more specific routes
>> that we advertise via ISP2 via our ASN. This is done because the
>> state (vendor managed) network runs stateful firewalls and we have
>> to force other multi-home entities on the state network to use our
>> state connection instead of ISP2. Our network has been removed
>> from the state firewall due to previous problems with asymmetric
>> routing with our I2 circuit.
>
> Hi Curtis,
>
> As you've already noted, the presence of a stateful firewall beyond your
> BGP border is inimical to BGP multihoming. Traffic between two multihomed
> networks must never cross a stateful firewall that is outside both
> networks' borders. Practically speaking, there will be asymmetry, path
> flapping, per-packet load balancing and other quirks at locations outside
> your control. The Internet DFZ is a chaotic system. Over time you won't be
> able to make the packets reliably transit the firewall.
>
> It sounds like this is a learning experience for both you and the folks at
> the state network. If you have a friendly relationship with them, now would
> be a good time to visit and talk about what are likely to be significant
> changes to their network architecture to make multihomed users feasible.
> Preferably with the help of a local consultant who has BGP expertise.
>
> If that doesn't sound like it would be a productive conversation then I
> suggest you consider three different options:
>
> 1. Return to the state network alone,
>
> 2. Replace your state network connection with another commercial ISP,
>
> 3. Add an additional commercial ISP for the sake of your Internet access
> needs, drop the BGP advertisements with the state network and then
> implement resources which should only transit the state network using IP
> addresses assigned by the state network rather than your BGP addresses.
>
>> Here is a question. I know that having one network advertised by
>> multiple ASNs is unconventional and thus it will probably be harder
>> to get help troubleshooting routing problems when they arise. Do you
>> see a situation where our network might be caught in a loop or black
>> hole due to asymmetric routing and conflicting advertisements?
>
> Yes. And frequently. You have this thing balanced on the head of a pin.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin ................ her...@dirtside.com b...@herrin.us
> Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
> May I solve your unusual networking challenges?
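
Added example, not part of the original thread: a simplified Python model of the point made in the quoted reply, that a stateful firewall sitting on only one of two paths discards flows whose two directions take different paths. The addresses, class names and function names are constructed for illustration, and the strict three-step TCP tracking is an assumption about how the firewall behaves.

```python
from dataclasses import dataclass, field

# Flag a strict firewall must already have seen before accepting each step.
EXPECTED_PREVIOUS = {"SYN": None, "SYN-ACK": "SYN", "ACK": "SYN-ACK"}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

@dataclass
class StatefulFirewall:
    """Simplified model: per-flow TCP handshake tracking, drop on mismatch."""
    flows: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def forward(self, p: Packet) -> bool:
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})  # direction-agnostic
        if self.flows.get(key) != EXPECTED_PREVIOUS[p.flags]:
            self.dropped.append(p)  # no matching state: packet is discarded
            return False
        self.flows[key] = p.flags
        return True

def handshake(outbound_fw, return_fw) -> bool:
    """Run a TCP handshake; each argument is the firewall on that direction's
    path, or None when that path (e.g. a commercial ISP) has no firewall."""
    a, b = ("198.51.100.10", 40000), ("203.0.113.20", 443)  # constructed hosts
    steps = [
        (Packet(*a, *b, "SYN"), outbound_fw),
        (Packet(*b, *a, "SYN-ACK"), return_fw),
        (Packet(*a, *b, "ACK"), outbound_fw),
    ]
    return all(fw is None or fw.forward(pkt) for pkt, fw in steps)

if __name__ == "__main__":
    fw = StatefulFirewall()
    print("symmetric via firewall:", handshake(fw, fw))
    fw = StatefulFirewall()
    print("out via ISP, back via firewall:", handshake(None, fw), fw.dropped)
```

In the asymmetric case the firewall's `dropped` list holds the first packet it saw without matching state, which is the symptom to look for in firewall logs when routing changes outside either network's control.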