RE: Multi site BGP Routing design

[<John.Herbert () ins com>]

Steve,

Agreed. I'm not suggesting that a tunnel is the ultimate best solution, but rather just pointing out that if you go 
with a tunnel, it's worth remembering that it's going unencrypted over a public network rather than site to site over a 
private link.

j.

________________________________
From: Steve Bertrand [steve () ibctech ca]
Sent: Friday, June 05, 2009 20:40
To: Herbert, John
Cc: cmadams () hiwaay net; nanog () nanog org
Subject: Re: Multi site BGP Routing design


John.Herbert () ins com wrote:
> Depending on your security policies you may want to encrypt said tunnel also.
>
> Other than that, it all depends on it all depends. For example - if you receive / or have a default route pointing to 
> the ISP, then the fact you have the same AS and won't receive the other site's routes in BGP doesn't matter at all - 
> you'll follow a default from site 1 to the ISP, and the ISP will have a route to site 2 and can pass the traffic in 
> the right direction. If you don't mind your traffic being passed unencrypted over the Internet, that is. You'll 
> obviously need to adapt your firewall policies to allow for that flow as well.

Personally, I don't really like the tunnel idea... I've had to deal with
them for v6 connectivity, and they seem so 'ugly'.

My first thoughts were about de-aggregation, but since he's already
advertising different space out of each site, that became irrelevant.

I was just thinking that two AS numbers would be the cleanest, easiest
to maintain method for him to take.

Certainly tunnelling did go through my mind though to ensure
site-to-site peering over the Internet.

Steve