BGP Design question.

-Hammer- bhmccie at gmail.com
Wed Jun 22 23:11:13 UTC 2011


Another option would be to insert switches between your routers and FWs. 
OSPF from the routers to the switches (yes, switches running L3 OSPF) 
and then HSRP/VRRP/etc. to the FWs. This way routing changes don't 
affect the FWs. The FWs simply have a default route to the 
HSRP/VRRP/etc. VIP. Then the primary switch routes to the routers which 
then route out to their EBGP peers. The only caveat is to make sure you are 
only redistributing the 0/0 into OSPF, not the full route table.

-Hammer-



On 06/22/2011 05:27 PM, Bret Palsson wrote:
> Here is my current setup in ASCII art. (Please view in a fixed width font.) Below the art I'll write out the setup.
>
>
>       +--------+    +--------+
>       | Peer A |    | Peer A |<-Many carriers. Using 1 carrier
>       +---+----+    +----+---+    for this scenario.
>           |eBGP          | eBGP
>           |              |
>       +---+----+iBGP+----+---+
>       | Router +----+ Router |<-Netiron CERs Routers.
>       +-+------+    +------+-+
>         |A   `.P    A.'    |P<-A/P indicates Active/Passive
>         |      `.  .'      |      link.
>         |        ::        |
>       +-+------+'  `+------+-+
>       |Act. FW |    |Pas. FW |<-Firewalls Active/Passive.
>       +--------+    +--------+
>
>
> To keep this scenario simple, I'm multihoming to one carrier.
> I have two Netiron CERs. Each has an eBGP connection to the same peer.
> The CERs have an iBGP connection to each other.
> That works all fine and dandy. Feel free to comment, however, if you think there is a better way to do this.
>
> Here comes the tricky part. I have two firewalls in an Active/Passive setup. When one fails the other is configured exactly the same
> and picks up where the other left off. (Yes, all the sessions etc. are actively mirrored between the devices)
>
> I am using OSPFv2 between the CERs and the Firewalls. Failover works just fine; however, when I fail an OSPF link that has the active default route, ingress traffic still routes fine and dandy, but egress traffic doesn't. Both Netirons' OSPF are set up to advertise that they are the default route.
>
> What I'm wondering is, if OSPF is the right solution for this. How do others solve this problem?
>
>
> Thanks,
>
> Bret
>
>
> Note: Since IPv6 has lately been a hot topic, I'll state that after we get the BGP all figured out and working properly, IPv6 is our next project. :)
>
>
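The design Hammer sketches above (routers run OSPF to a pair of L3 switches, the switches present an HSRP/VRRP VIP to the firewalls, and only 0/0 is redistributed from BGP into OSPF), written out as an added configuration example that is not part of the thread and not the posters' own configuration. IOS-style syntax is assumed for illustration; the NetIron CER CLI differs. The AS number, router IDs, interface names, VLAN and addresses are constructed placeholders.

```cisco
! Added example, not from the thread. IOS-style syntax assumed; AS number,
! addresses and interface names are constructed.

! --- Edge router (repeat on the second CER) ---
! Permit exactly 0.0.0.0/0. Without the route-map a bare "redistribute bgp"
! would push the whole Internet table into OSPF and onto the switches.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list DEFAULT-ONLY
!
route-map BGP-TO-OSPF deny 20
!
router ospf 1
 router-id 192.0.2.1
 network 192.0.2.0 0.0.0.255 area 0
 redistribute bgp 64500 subnets route-map BGP-TO-OSPF
 passive-interface default
 no passive-interface GigabitEthernet0/1

! --- Primary L3 switch: OSPF toward the routers, HSRP toward the firewalls ---
! The FW-facing VLAN is passive, so no OSPF adjacency forms with the firewalls
! and routing changes upstream never reach them.
router ospf 1
 router-id 192.0.2.11
 network 192.0.2.0 0.0.0.255 area 0
 passive-interface Vlan100
!
interface Vlan100
 description Firewall-facing VLAN; the HSRP VIP is the firewalls' next hop
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track GigabitEthernet0/1 20
! The secondary switch carries the same VIP with a lower priority (e.g. 100).

! --- Firewall pair ---
! Both units carry only a static default toward the VIP; OSPF is not run on them.
! Vendor syntax varies; the IOS equivalent would be:
! ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

To confirm the redistribution filter is doing its job, `show ip ospf database external` on the switch should list a single Type-5 LSA for 0.0.0.0/0 from each router and nothing else; if the full table ever leaks in, the external LSA count climbs immediately, so it is worth watching after any BGP policy change. The `track` line drops the HSRP priority when the router-facing uplink fails, so the VIP moves to the other switch and the firewalls' default keeps working without any change on their side.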