Thanks for all your comments guys. With regards to bgp I did
think about placing two bgp routers in front of the ssg's. However
my limited understanding makes me think that if I had two bgp
connections from different providers I would still have issues. So
I guess that if my primary Internet goes down I lose connectivity
to all the publicly addressed devices on that connection. Like
dmz hosts and so on. I would be interested to hear how this
can be avoided if at all or do I have to use the same provider.
I should add that we currently have provisioned two ssg in ha
mode. Also is terminating bgp on the ssg also an option? I really
like the flexibility of route based VPN with addresable tun interfaces.
Thanks for all your comments guys. With regards to bgp I did
think about placing two bgp routers in front of the ssg's. However
my limited understanding makes me think that if I had two bgp
connections from different providers I would still have issues. So
I guess that if my primary Internet goes down I lose connectivity
to all the publicly addressed devices on that connection. Like
dmz hosts and so on. I would be interested to hear how this
can be avoided if at all or do I have to use the same provider.
No, you will announce the same IP addresses (minimum of a /24 which you
can easily obtain from one upstream just by saying "I want to multihome"
if you don't already have a /24) over both. That's the whole point of
multihoming. If cost is an issue you can just use one BGP speaking
router. If you multihome there is no "primary" like you're thinking.