BGP Design question.

Ingo Flaschberger if at xip.at
Wed Jun 22 23:07:54 UTC 2011


Hi Bret,

> To keep this scenario simple, I'm multihoming to one carrier.
> I have two Netiron CERs. Each has an eBGP connection to the same peer.
> The CERs have an iBGP connection to each other.
> That works all fine and dandy. Feel free to comment, however if you think there is a better way to do this.
>
> Here comes the tricky part. I have two firewalls in an Active/Passive setup. When one fails the other is configured exactly the same
> and picks up where the other left off. (Yes, all the sessions etc. are actively mirrored between the devices)
>
> I am using OSPFv2 between the CERs and the Firewalls. Failover works 
> just fine, however when I fail an OSPF link that has the active default 
> route, ingress traffic still routes fine and dandy, but egress traffic 
> doesn't. Both Netirons' OSPF are set up to advertise that they are the 
> default route.

Linux firewall?
disabled rp-filter?

> What I'm wondering is, if OSPF is the right solution for this. How do others solve this problem?

I do something similar with FreeBSD; you always make sure the backbone 
area 0.0.0.0 does not break into 2 parts, perhaps use an extra link 
between the 2 firewalls just because of this.

Kind regards,
 	Ingo Flaschberger




More information about the NANOG mailing list