BGP Design question.
bhmccie at gmail.com
Wed Jun 22 18:37:21 CDT 2011
Do people really run routing protocols with their public address space
on their FWs? I'm not saying right or wrong. Just curious. Seems like
the last thing I would want to do would be to have my FW participate in
a routing protocol unless it was absolutely necessary. Better to static
the FW with a default route? I'd love to hear arguments for or against....
On 06/22/2011 06:33 PM, PC wrote:
> Who makes the firewall?
> To make this work and be "hitless", your firewall vendor must support
> stateful replication of routing protocol data (including OSPF). For
> example, Cisco didn't support this in their ASA product until version 8.4 of
> Otherwise, a failover requires OSPF to re-converge -- and quite frankly,
> will likely cause some state of confusion on the upstream OSPF peers, loss
> of adjacency, and a loss of routing until this occurs. It's like someone
> just swapped a router with the same IP to the upstream device -- assuming
> your active/standby vendor's implementation only presents itself as one
> However, once this is successful, your current failover topology should work
> fine -- even if it takes some time to failover.
> In my opinion though, unless the firewall is serving as "transit" to
> downstream routers or other layer 3 elements, and you need to run OSPF to it
> (And through it) as a result, it's often just easier to static default route
> out from the firewall(s) and redistribute a static route on the upstream
> routers for the subnets behind the firewalls. It also helps ensure
> symmetrical traffic flows, which is important for stateful firewalls and can
> become moderately confusing when your firewalls start having many interfaces.
> On Wed, Jun 22, 2011 at 4:27 PM, Bret Palsson<bret at getjive.com> wrote:
>> Here is my current setup in ASCII art. (Please view in a fixed width font.)
>> Below the art I'll write out the setup.
>> +--------+           +--------+
>> | Peer A |           | Peer A |<-Many carriers. Using 1 carrier
>> +---+----+           +----+---+  for this scenario.
>>     |eBGP                 | eBGP
>>     |                     |
>> +---+----+           +----+---+
>> | Router +-----------+ Router |<-Netiron CERs Routers.
>> +-+------+           +------+-+
>>   |A `.P                A.' |P<-A/P indicates Active/Passive
>>   |       `.        .'      |   link.
>>   |            ::           |
>> +-+------+'         `+------+-+
>> |Act. FW |           |Pas. FW |<-Firewalls Active/Passive.
>> +--------+           +--------+
>> To keep this scenario simple, I'm multihoming to one carrier.
>> I have two Netiron CERs. Each has an eBGP connection to the same peer.
>> The CERs have an iBGP connection to each other.
>> That works all fine and dandy. Feel free to comment, however if you think
>> there is a better way to do this.
>> Here comes the tricky part. I have two firewalls in an Active/Passive
>> setup. When one fails the other is configured exactly the same
>> and picks up where the other left off. (Yes, all the sessions etc. are
>> actively mirrored between the devices)
>> I am using OSPFv2 between the CERs and the Firewalls. Failover works just
>> fine, however when I fail an OSPF link that has the active default route,
>> ingress traffic still routes fine and dandy, but egress traffic doesn't.
>> Both Netirons' OSPF are set up to advertise that they are the default route.
>> What I'm wondering is if OSPF is the right solution for this. How do
>> others solve this problem?
>> Note: Since lately ipv6 has been a hot topic, I'll state that after we get
>> the BGP all figured out and working properly, ipv6 is our next project. :)
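The "ingress still works, egress doesn't" symptom in Bret's post, and PC's point that a stateful firewall needs both directions of a flow to cross the same unit, can be reproduced in a small forwarding model. The following is an added example written for this thread, not code from the thread or from any vendor named in it; the node names, the documentation-range addresses (203.0.113.0/24 for the peer, 198.51.100.0/24 for the space behind the firewalls) and the route preferences are assumptions. The model treats the firewall as "stale" while it still holds an OSPF default over a link that has already gone down, which is the reconvergence window PC describes.

```python
import ipaddress


class Topology:
    """Nodes hold a prefix -> [next hops in preference order] table; the next hop
    "local" means the prefix is directly attached. links holds every link that is
    up; stale holds nodes that have not yet aged out routes over a dead link."""

    def __init__(self):
        self.firewalls = set()
        self.routes = {}      # node -> {ip_network: [next hops]}
        self.links = set()    # frozenset({a, b}) for every link that is up
        self.stale = set()

    def add_route(self, node, prefix, *next_hops):
        self.routes.setdefault(node, {})[ipaddress.ip_network(prefix)] = list(next_hops)

    def link(self, a, b, up=True):
        (self.links.add if up else self.links.discard)(frozenset((a, b)))

    def link_up(self, a, b):
        return frozenset((a, b)) in self.links

    def next_hop(self, node, dst):
        """Longest-prefix match. A converged node skips next hops behind a down
        link; a stale node keeps its preferred next hop even if the link is dead."""
        best = None
        for prefix, hops in self.routes.get(node, {}).items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, hops)
        if best is None:
            return None, "no route"
        for nh in best[1]:
            if nh == "local" or node in self.stale or self.link_up(node, nh):
                return nh, "ok"
        return None, "no usable next hop"

    def path(self, src, dst, max_hops=8):
        """Forward hop by hop; returns (nodes traversed, outcome string)."""
        dst, cur, hops = ipaddress.ip_address(dst), src, [src]
        for _ in range(max_hops):
            nh, why = self.next_hop(cur, dst)
            if nh is None:
                return hops, f"dropped at {cur}: {why}"
            if nh == "local":
                return hops, "delivered"
            if not self.link_up(cur, nh):
                return hops, f"blackholed at {cur}: link to {nh} is down"
            cur = nh
            hops.append(cur)
        return hops, "loop"

    def firewall_symmetric(self, a_node, a_ip, b_node, b_ip):
        """True when a->b and b->a are both delivered and cross the same firewall(s),
        which a stateful firewall needs in order to match replies to its session table."""
        fwd, out1 = self.path(a_node, b_ip)
        rev, out2 = self.path(b_node, a_ip)
        fw = lambda hops: [h for h in hops if h in self.firewalls]
        return out1 == "delivered" and out2 == "delivered" and fw(fwd) == fw(rev)


def build():
    """The thread's topology with constructed addresses (assumed, not the poster's)."""
    t = Topology()
    t.firewalls.update({"FwAct", "FwPas"})   # FwPas is passive and forwards nothing here
    for a, b in [("PeerA", "RtrA"), ("PeerA", "RtrB"), ("RtrA", "RtrB"),
                 ("RtrA", "FwAct"), ("RtrB", "FwAct"), ("RtrA", "FwPas"),
                 ("RtrB", "FwPas"), ("FwAct", "Inside"), ("FwPas", "Inside")]:
        t.link(a, b)
    t.add_route("PeerA", "203.0.113.0/24", "local")
    t.add_route("PeerA", "198.51.100.0/24", "RtrA", "RtrB")      # eBGP from both CERs
    for r, other in (("RtrA", "RtrB"), ("RtrB", "RtrA")):
        t.add_route(r, "0.0.0.0/0", "PeerA")
        t.add_route(r, "198.51.100.0/24", "FwAct", other)        # OSPF from the FW, iBGP backup
    t.add_route("FwAct", "198.51.100.0/24", "Inside")
    t.add_route("FwAct", "0.0.0.0/0", "RtrA", "RtrB")            # OSPF defaults from both CERs
    t.add_route("Inside", "198.51.100.0/24", "local")
    t.add_route("Inside", "0.0.0.0/0", "FwAct")
    return t


def run_scenarios(peer="203.0.113.1", host="198.51.100.10"):
    """Returns {phase: (egress outcome, ingress outcome, symmetric?)}."""
    t, out = build(), {}

    def snap(phase):
        out[phase] = (t.path("Inside", peer)[1], t.path("PeerA", host)[1],
                      t.firewall_symmetric("Inside", host, "PeerA", peer))

    snap("healthy")
    t.link("RtrA", "FwAct", up=False)   # fail the link that carries the preferred default
    t.stale.add("FwAct")                # firewall still holds the OSPF default via RtrA
    snap("link down, firewall stale")
    t.stale.discard("FwAct")            # dead timer expired: firewall reconverged
    snap("link down, reconverged")
    return out


if __name__ == "__main__":
    for phase, (egress, ingress, sym) in run_scenarios().items():
        print(f"{phase}: egress={egress}; ingress={ingress}; symmetric={sym}")
```

In the "stale" phase the routers have already steered ingress around the failed link (PeerA, RtrA, RtrB, FwAct, Inside) while the firewall still sends egress to RtrA and blackholes it, which is exactly the one-directional failure in the post; once the firewall drops the dead default, both directions flow through FwAct again and the symmetry check passes. The check is what you would want to run, on the real route tables, before trusting an active/passive pair with a stateful session table: a design that delivers both directions but through different firewalls fails it just as surely as a blackhole does.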