
Re: multi-homed, masquerading

On Sun, Jul 30, 2000 at 07:45:24PM +0300, ksemat at wawa.eahd.or.ug wrote:
> > Do you have a separate IP block from each upstream provider? How many
> > machines are on each block?
> I do not have a separate IP block from each just a couple of IPs from
> each.  I have three from one each going to its own machine and one from
> the other for my BSD machine. I can however get maybe two or three more
> from the second one from which I have one.
...
>       Is it possible to say have an AS number and then cooperate with my
> upstream to talk BGP to higher up routers such that if one of them were to
> go down then the remaining route would be through the other ISP.

Only if you want to pay to join RIPE or ARIN and get your own /20
allocation; and even then there would be complications because it looks like
your upstreams are not currently talking BGP to _their_ upstreams, just
static routes. They would both have to get AS numbers and start using BGP -
or you would have to talk multihop BGP directly to their upstreams (who
would probably be unwilling to do this, since you are not their customer).

Now, what you wanted was:

> o-      To implement multi-homing to ensure stability and availability.
> o-      share load amongst 4 servers in the most optimal way

With two separate sets of IPs from different upstreams, the solutions
available to you are:

1. You can put some of your servers on both subnets simultaneously - i.e.
the server has two IP addresses, one from each ISP.

                  IP1  +--------+  IP2
     ISP A ------------| server |------------- ISP B
                       +--------+

To load share incoming traffic, you can use round-robin DNS (i.e. put two
'A' records into the DNS; you can even shape traffic, e.g. by putting three
A records, two pointing to one address and one pointing to the other).

The slightly tricky part is arranging your _outgoing_ traffic to take the
"correct" path; that is, packets with source address IP1 to go via ISP A,
and with source address IP2 to go via ISP B. There is a patch available for
BSD to do this; or if the upstream path goes via a router, you can use
'policy routing' to implement the appropriate rules.

Problem: it's not very resilient in the case of ISP A or ISP B failing; 50%
of incoming connections will fail. If you use a short DNS TTL, then you can
_remove_ the offending A record for the period while the link is down (which
is practical if the links fail not very often, but for an extended period of
time).

2. You can make use of the inherent resilience of some Internet services: in
particular DNS and mail.

So if you have two DNS authoritative servers, you can put one on ISP A's
address space, and the other on ISP B's address space. When someone from
outside tries to contact your DNS servers, they will automatically try them
in turn.

In the case of mail, you can have two mail servers (or one mail server with
two IP addresses as above), and use MX records to deliver mail:

		IN	MX 10 mail1.example.com.
		IN	MX 20 mail2.example.com.
mail1		IN	A  <ISP A address>
mail2		IN	A  <ISP B address>

In this case, mail will come through ISP A, but if that link is down, mail
will come via ISP B instead. If you put equal priority MX records, then 50%
of mail will come via each link.
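To make the MX behaviour concrete, here is an added example (not part of the original mail) that models how a sending MTA walks the MX list above: lowest preference first, hosts with equal preference in random order, falling through to the next host when a connection fails. The ISP addresses are placeholders and `link_up` stands in for the SMTP connect attempt.

```python
import random

# Constructed MX records mirroring the zone fragment above; the IPs are
# placeholders for the ISP A / ISP B addresses, not real allocations.
MX_RECORDS = [
    (10, "mail1.example.com.", "ISP-A-ADDRESS"),
    (20, "mail2.example.com.", "ISP-B-ADDRESS"),
]


def delivery_order(records, rng=None):
    """Order MX hosts the way a sending MTA does (RFC 5321 section 5.1):
    lowest preference value first; hosts sharing a preference are tried
    in random order, which is what spreads load across equal MX records."""
    if rng is None:
        rng = random.Random()
    by_pref = {}
    for pref, host, ip in records:
        by_pref.setdefault(pref, []).append((host, ip))
    order = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        order.extend(group)
    return order


def deliver(records, link_up, rng=None):
    """Return the host that accepts the message, or None if every MX is
    unreachable. `link_up(ip)` is a constructed stand-in for the SMTP
    connect: True when the ISP link behind that address is up."""
    for host, ip in delivery_order(records, rng):
        if link_up(ip):
            return host
    return None


def share(records, link_up, trials=1000, seed=1):
    """Fraction of messages landing on each host over many deliveries:
    with 10/20 everything goes via ISP A while it is up; with equal
    preferences the split is roughly 50/50, as the mail describes."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        host = deliver(records, link_up, rng)
        counts[host] = counts.get(host, 0) + 1
    return {h: n / trials for h, n in counts.items()}
```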

3. If you have machines with private addresses behind a NAT (masquerading)
box, then it should be possible to arrange that it uses one link or the
other - but you may have to do some scripting if you want it to
automatically change over in the event of a link failure, perhaps by pinging
your upstream's upstream occasionally.
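The "some scripting" in point 3, and the short-TTL A-record withdrawal in point 1, amount to a link monitor. This added example (not from the original mail) sketches one: it feeds probe results per link, only declares a link down after several consecutive failures so a single lost ping does not flap the NAT box between ISPs, and reports which link outgoing traffic should use and which A records to keep published. The addresses and probe targets are placeholders, and `probe` stands in for a real ping.

```python
from dataclasses import dataclass


@dataclass
class Link:
    name: str            # e.g. "ISP A"
    our_ip: str          # our address on this link (placeholder)
    probe_target: str    # the upstream's upstream to ping (placeholder)
    fail_threshold: int = 3   # consecutive failed probes before "down"
    failures: int = 0
    up: bool = True

    def observe(self, probe_ok):
        """Feed one probe result. Any success clears the counter; the link
        is marked down only after `fail_threshold` failures in a row."""
        if probe_ok:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.fail_threshold:
                self.up = False
        return self.up


class LinkMonitor:
    def __init__(self, links, probe):
        self.links = links
        self.probe = probe          # callable(target) -> bool; stand-in for ping
        self.preferred = links[0]   # link used while it is healthy

    def poll(self):
        """Probe every link once, then return the link to route out through."""
        for link in self.links:
            link.observe(self.probe(link.probe_target))
        return self.active_link()

    def active_link(self):
        """Preferred link while up, otherwise the first other link that is
        up; None means both ISPs look dead and there is nowhere to fail to."""
        others = [l for l in self.links if l is not self.preferred]
        for link in [self.preferred] + others:
            if link.up:
                return link
        return None

    def a_records(self, name, ttl=60):
        """A records to publish for a dual-homed server: one per live link,
        so the dead link's address is withdrawn; the short TTL keeps
        resolvers from caching it for long."""
        return [f"{name} {ttl} IN A {l.our_ip}" for l in self.links if l.up]
```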

4. If you have dialin clients, you can put one NAS on ISP A's block, and
another NAS on ISP B's block. In the event of a problem with ISP A or ISP B,
customers can dial a different number to hit the other NAS - or if you have
one big hunt group across both, you can busy out the lines which you don't
want customers to use.

Notice, of course, that machines on ISP A's addresses can reach machines on
ISP B's addresses, but that will end up going through both ISPs unless you
arrange things appropriately.

My suggestion would be to set yourself up as if you were two ISPs which are
peering with each other:

              ISP A                 ISP B
                ^                     ^
                |                     |
             Router --------------- Router
                |                     |
          ------+--              -----+--
        Machines on block 1     Machines on block 2

(Of course, that assumes that you have a whole subnet from each ISP, not
just a handful of individual IPs. In that case, making it work properly
could be very difficult, involving proxyarp and other hacks).

HTH,

Brian.

-----
This is the afnog mailing list, managed by Majordomo 1.94.4