[Dr.WoW] [No.55] Multi-homing Overview

Latest reply: Jan 25, 2016 06:17:35

In "What Are Firewalls" I mentioned that firewalls are mainly deployed at the network border to separate the intranet from external networks. A firewall in that position also interconnects the two, because every packet exchanged between the intranet and the outside must be forwarded through it. In practice, for bandwidth and reliability reasons, an enterprise usually leases links from several ISPs, so the egress firewall is connected to the Internet over multiple links. Choosing a suitable egress link for each flow of user traffic is therefore a problem the enterprise network administrator has to solve.

This post summarizes the common multi-homing methods used when a firewall serves as the enterprise egress gateway with multiple egress links. It is an initial introduction, intended to give a basic understanding of each method before the later posts cover them in detail.

1 Shortest Path Routing

Shortest path routing is a multi-homing method built from a combination of default routes and specific routes. It is relatively simple and also the most commonly used. As shown in Figure 1-1, the default route guarantees that all enterprise user traffic matches some route and is forwarded, while a specific route for a destination inside a given ISP's network sends that traffic out the link connected to that ISP instead of detouring through the other ISP's link; that is what is meant by shortest path routing. However, with so many services on the Internet it is impossible to configure specific routes one by one, so is there a simple way to configure them in bulk? This is where the ISP routing function comes in. The firewall holds each ISP's well-known network segments, and the ISP routing function generates static routes for all of them in a batch once an outbound interface and next hop have been configured for that ISP, greatly reducing the work of configuring specific routes. Note that any destination not covered by an ISP's segment list still follows the default route, so the completeness and freshness of the ISP address data decide how much traffic actually takes the short path.

Figure 1-1 Shortest path routing


Configuring multi-homing as specific routes plus a default route is simple, convenient and practical, and is adequate for a standard enterprise network. However, routing by destination alone cannot give differentiated forwarding to particular users (such as managers) or particular applications (such as P2P downloads), because those are not properties of the destination address. For that, a second multi-homing method is needed: policy-based routing.

2 Policy-based Routing

Policy-based routing is exactly what it sounds like: packets are forwarded according to configured policies. It is therefore a more flexible forwarding mechanism than ordinary static or dynamic routing. Before a routing device looks up the routing table, it filters packets against pre-configured rules; a packet that matches a rule is forwarded according to the fixed action of that rule, and only unmatched packets are routed normally. The rules can be based on the source IP address, the destination IP address, the user, or a particular type of application.

In Figure 1-2, the enterprise intranet carries a high volume of P2P traffic. To guarantee bandwidth for a special user group (the managers), policy-based routing rules send traffic from managers and other special users out the ISP1 link, whose bandwidth is stable, while P2P and other high-volume services are sent out the ISP2 link, whose uplink and downlink bandwidths are very unequal (for example, 50 Mbit/s uplink and 500 Mbit/s downlink).

Figure 1-2 Policy-based routing

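To make the two mechanisms concrete, here is a small forwarding model written for this overview. It is added example code, not part of the Dr.WoW post or of any Huawei product. It builds a routing table from a default route plus the batch of specific routes that the ISP routing function generates from each ISP's segment list (Section 1), then runs the policy-based routing rules of Figure 1-2 ahead of the routing-table lookup (Section 2). The ISP prefixes, interface names, next hops, intranet segments and the `app` field (standing in for application identification) are all constructed assumptions.

```python
"""Forwarding model for the two multi-homing methods in this post (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- Constructed sample topology (assumption, not taken from the post) -------
# Outbound interface and next hop of each ISP link on the egress firewall.
LINKS = {
    "ISP1": ("GE1/0/1", "10.1.1.1"),   # stable, symmetric bandwidth
    "ISP2": ("GE1/0/2", "10.2.2.1"),   # 50 Mbit/s up, 500 Mbit/s down
}

# Each ISP's "well-known network segments", as the ISP routing function would
# read them from an ISP address file. RFC 5737 documentation ranges stand in
# for real allocations; 203.0.113.0/24 is split between the two ISPs on purpose.
ISP_PREFIXES = {
    "ISP1": ["198.51.100.0/24", "203.0.113.0/25"],
    "ISP2": ["192.0.2.0/24", "203.0.113.128/25"],
}

MANAGER_NET = ipaddress.ip_network("10.0.10.0/24")  # assumed intranet segment


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    isp: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    app: str   # "http", "p2p", ...; stands in for application identification


@dataclass(frozen=True)
class PbrRule:
    name: str
    isp: str                                   # egress link to use on a match
    src_net: Optional[ipaddress.IPv4Network] = None
    app: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in self.src_net:
            return False
        if self.app is not None and pkt.app != self.app:
            return False
        return True


def build_routes(default_isp: str, isp_prefixes: Optional[dict] = None) -> list[Route]:
    """Default route plus, when isp_prefixes is given, the batch of specific
    routes the ISP routing function generates from each ISP's segment list."""
    table = [Route(ipaddress.ip_network("0.0.0.0/0"), default_isp)]
    for isp, prefixes in (isp_prefixes or {}).items():
        table.extend(Route(ipaddress.ip_network(p), isp) for p in prefixes)
    return table


def lookup_route(table: list[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route wins, and 0.0.0.0/0 only
    catches destinations that no ISP segment covers."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in table if addr in r.prefix), key=lambda r: r.prefix.prefixlen)


def select_egress(pkt: Packet, pbr_rules: list[PbrRule], table: list[Route]) -> tuple[str, str, str]:
    """Return (decision, isp, interface). PBR rules are checked first and in
    order; the first match decides. Only unmatched packets reach the routing table."""
    for rule in pbr_rules:
        if rule.matches(pkt):
            return ("pbr:" + rule.name, rule.isp, LINKS[rule.isp][0])
    route = lookup_route(table, pkt.dst)
    return ("route:" + str(route.prefix), route.isp, LINKS[route.isp][0])


# Rules of Figure 1-2: managers always leave via ISP1, bulk P2P via ISP2.
PBR_RULES = [
    PbrRule("managers", "ISP1", src_net=MANAGER_NET),
    PbrRule("p2p", "ISP2", app="p2p"),
]
DEFAULT_ONLY = build_routes("ISP1")                    # Figure 1-1 before ISP routing
WITH_ISP_ROUTES = build_routes("ISP1", ISP_PREFIXES)   # Figure 1-1 after ISP routing

if __name__ == "__main__":
    samples = [
        Packet("10.0.20.7", "192.0.2.10", "http"),    # ordinary user, ISP2 address
        Packet("10.0.10.5", "192.0.2.10", "http"),    # manager, same ISP2 address
        Packet("10.0.20.7", "198.51.100.5", "p2p"),   # P2P download from an ISP1 address
        Packet("10.0.20.7", "100.64.1.1", "http"),    # address in no ISP list (assumed)
    ]
    for pkt in samples:
        print(f"{pkt.src:>10} -> {pkt.dst:<14} {pkt.app:<5}"
              f" default-only: {select_egress(pkt, [], DEFAULT_ONLY)[1]}"
              f"  isp-routes+pbr: {select_egress(pkt, PBR_RULES, WITH_ISP_ROUTES)}")
```

Run it and compare the two columns: with only the default route, traffic to an ISP2 address leaves via ISP1 (the circuitous path of Section 1); with the ISP routes installed it leaves via ISP2; and a manager's traffic to the same address is pulled back to ISP1 by the policy-based rule regardless of what the routing table says. Rule order matters because the first matching rule wins: listing the manager rule before the P2P rule means a manager's P2P traffic also stays on ISP1, which is a decision the administrator has to make explicitly.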

Policy-based routing gives enterprise network administrators a more flexible means of controlling traffic: as long as they know in advance the bandwidth characteristics of each egress link, they can steer important users and key services onto the links with stable bandwidth. However, policy-based routing depends on the administrator's manual intervention in traffic routing, and it cannot assign bandwidth to a link (for example, it cannot stipulate that a link's maximum bandwidth is 500 Mbit/s). Neither limitation applies to smart routing, which has "intelligent" decision-making capability: the system itself selects the optimal egress link for intranet user traffic, and a fixed egress bandwidth can be set according to the bandwidth characteristics of each link, so that traffic is forwarded intelligently.

In summary, the two routing methods for multi-homing have their own characteristics and differ in their use scenarios, so administrators should select the appropriate method according to the actual needs of the network. Of course, real networks are complex and user needs are diverse, so a single routing method may not satisfy every requirement; in that case several routing methods should be used together, complementing one another, to complete a complex network plan. In the following sections, the mechanism and application of each multi-homing routing method will be introduced one by one.



user_2790689
Created Jan 25, 2016 05:44:16 Helpful(0) Helpful(0)

Thank you.

user_1787981
Created Jan 25, 2016 06:16:50 Helpful(0) Helpful(0)

Thank you for sharing.

Sherryh
Created Jan 25, 2016 06:17:35 Helpful(0) Helpful(0)

Thank you for sharing.
