TFTP over anycast

William Herrin bill at herrin.us
Tue Feb 27 18:47:23 UTC 2024


On Tue, Feb 27, 2024 at 10:02 AM Javier Gutierrez
<GutierrezJ at westmancom.com> wrote:
> My design is very simplistic, I have 2 sets of firewalls that I
> will have advertising a /32 unicast to the network at each
> location and it will have a TFTP server behind each firewall.

Hi Javier,

That sounds straightforward to me with no major failure modes. I would
make the firewall part of my OSPF network and then add the tftp
servers to OSPF using FRR. Then I'd write a script to monitor the
local tftp server and stop frr if it detects any problems with the
tftp server. The local tftp server will always be closer than the
remote one via OSPF link costs, unless it goes offline. I assume you
also have an encrypted channel between the firewalls to handle traffic
that stays "inside" your security boundary, as tftp generally should.

Where you could get into trouble is if you add a third or additional
sites. If there's ever an equal routing cost from any one site to two
others, there's a non-zero risk of the failover process failing... and
you won't know it until you need it.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
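Added example (not part of Bill's reply, and not FRR's or any TFTP server's own code): a sketch of the monitor script described above. It probes the local TFTP server with a real read request (RFC 1350 RRQ), treats a DATA reply as healthy and a timeout or ERROR reply as unhealthy, debounces the result so one lost datagram does not withdraw the /32 and one lucky reply does not restore it, and then starts or stops the FRR service so OSPF advertises or withdraws the anycast route. The health file name `healthcheck.txt`, the systemd unit name `frr`, the thresholds and the 5 second interval are assumptions, not anything the thread states.

```python
"""Anycast TFTP health check: probe the local server, withdraw the /32 via FRR on failure.

Assumed deployment: a small file (here 'healthcheck.txt') is published by the local
TFTP daemon, and FRR runs as the systemd unit 'frr'. Stopping FRR withdraws the
OSPF-advertised /32; starting it re-advertises the route.
"""
import socket
import struct
import subprocess
import sys
import time
from typing import Optional

# TFTP opcodes from RFC 1350.
OP_RRQ, OP_DATA, OP_ERROR = 1, 3, 5


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Encode a TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def classify_reply(packet: bytes) -> str:
    """Classify the first packet a server returns: 'data', 'error' or 'malformed'."""
    if len(packet) < 4:
        return "malformed"
    opcode, arg = struct.unpack("!HH", packet[:4])
    if opcode == OP_DATA:
        # The first DATA block of a transfer is always block 1.
        return "data" if arg == 1 else "malformed"
    if opcode == OP_ERROR:
        return "error"
    return "malformed"


def probe_tftp(host: str, port: int = 69, filename: str = "healthcheck.txt",
               timeout: float = 2.0) -> bool:
    """Return True only if the daemon answers the RRQ with DATA block 1.

    An ERROR reply (e.g. file not found) means the daemon runs but is misconfigured;
    a timeout or socket error means it is unreachable. Both count as unhealthy.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_rrq(filename), (host, port))
            reply, peer = sock.recvfrom(516)  # 4 byte header + max 512 byte block
            if classify_reply(reply) == "data":
                # Abort the transfer politely so the server does not keep retransmitting
                # block 1 to us; the reply came from the server's new transfer port.
                sock.sendto(struct.pack("!HH", OP_ERROR, 0) + b"health check done\0", peer)
                return True
    except OSError:  # includes socket.timeout and ICMP unreachable errors
        pass
    return False


class Hysteresis:
    """Debounce probe results before flipping the advertised state."""

    def __init__(self, fail_threshold: int = 3, ok_threshold: int = 2, advertised: bool = True):
        self.fail_threshold = fail_threshold
        self.ok_threshold = ok_threshold
        self.advertised = advertised
        self._fails = 0
        self._oks = 0

    def observe(self, ok: bool) -> Optional[bool]:
        """Record one result. Return the new advertised state when it should change, else None."""
        if ok:
            self._oks, self._fails = self._oks + 1, 0
            if not self.advertised and self._oks >= self.ok_threshold:
                self.advertised = True
                return True
        else:
            self._fails, self._oks = self._fails + 1, 0
            if self.advertised and self._fails >= self.fail_threshold:
                self.advertised = False
                return False
        return None


def set_advertised(advertise: bool, unit: str = "frr") -> None:
    """Start FRR to advertise the anycast /32 again, stop it to withdraw the route."""
    subprocess.run(["systemctl", "start" if advertise else "stop", unit], check=True)


def main(host: str = "127.0.0.1", interval: float = 5.0) -> None:
    state = Hysteresis()
    while True:
        change = state.observe(probe_tftp(host))
        if change is not None:
            print("tftp %s: %s anycast route" % (host, "restoring" if change else "withdrawing"))
            set_advertised(change)
        time.sleep(interval)


if __name__ == "__main__":
    main(*sys.argv[1:2])
```

Run it as a long-lived service on each TFTP host (as root, since it drives systemctl). Probing with an actual read request rather than a port check is the point: a daemon that is listening but cannot serve the file is exactly the failure that a reachability check would miss, and the hysteresis keeps a single dropped datagram on a loaded box from pulling the route.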

