BGP Design question.

-Hammer- bhmccie at gmail.com
Wed Jun 22 18:37:21 CDT 2011


Do people really run routing protocols with their public address space 
on their FWs? I'm not saying right or wrong. Just curious. Seems like 
the last thing I would want to do would be to have my FW participate in 
a routing protocol unless is was absolutely necessary. Better to static 
the FW with a default route? I'd love to hear arguments for or against....

-Hammer-



On 06/22/2011 06:33 PM, PC wrote:
> Who makes the firewall?
>
> To make this work and be "hitless", your firewall vendor must support
> stateful replication of routing protocol data (including OSPF).  For
> example, Cisco didn't support this in their ASA product until version 8.4 of
> code.
>
> Otherwise, a failover requires OSPF to re-converge -- and quite frankly,
> will likely cause some state of confusion on the upstream OSPF peers, loss
> of adjacency, and a loss of routing until this occurs.  It's like someone
> just swapped a router with the same IP  to the upstream device -- assuming
> your active/standby vendor's implementation only presents itself as one
> device.
>
> However, once this is succesful your current failover topology should work
> fine -- even if it takes some time to failover.
>
> In my opinion though, unless the firewall is serving as "transit" to
> downstream routers or other layer 3 elements, and you need to run OSPF to it
> (And through it) as a result, it's often just easier to static default route
> out from the firewall(s) and redistribute a static route on the upstream
> routers for the subnets behind the firewalls.  It also helps ensure
> symmetrical traffic flows, which is important for stateful firewalls and can
> become moderatly confusing when your firewalls start having many interfaces.
>
>
>
>
> On Wed, Jun 22, 2011 at 4:27 PM, Bret Palsson<bret at getjive.com>  wrote:
>
>    
>> Here is my current setup in ASCII art. (Please view in a fixed width font.)
>> Below the art I'll write out the setup.
>>
>>
>>      +--------+    +--------+
>>      | Peer A |    | Peer A |<-Many carriers. Using 1 carrier
>>      +---+----+    +----+---+    for this scenario.
>>          |eBGP          | eBGP
>>          |              |
>>      +---+----+iBGP+----+---+
>>      | Router +----+ Router |<-Netiron CERs Routers.
>>      +-+------+    +------+-+
>>        |A   `.P    A.'    |P<-A/P indicates Active/Passive
>>        |      `.  .'      |      link.
>>        |        ::        |
>>      +-+------+'  `+------+-+
>>      |Act. FW |    |Pas. FW |<-Firewalls Active/Passive.
>>      +--------+    +--------+
>>
>>
>> To keep this scenario simple, I'm multihoming to one carrier.
>> I have two Netiron CERs. Each have a eBGP connection to the same peer.
>> The CERs have an iBGP connection to each other.
>> That works all fine and dandy. Feel free to comment, however if you think
>> there is a better way to do this.
>>
>> Here comes the tricky part. I have two firewalls in an Active/Passive
>> setup. When one fails the other is configured exactly the same
>> and picks up where the other left off. (Yes, all the sessions etc. are
>> actively mirrored between the devices)
>>
>> I am using OSPFv2 between the CERs and the Firewalls. Failover works just
>> fine, however when I fail an OSPF link that has the active default route,
>> ingress traffic still routes fine and dandy, but egress traffic doesn't.
>> Both Netiron's OSPF are setup to advertise they are the default route.
>>
>> What I'm wondering is, if OSPF is the right solution for this. How do
>> others solve this problem?
>>
>>
>> Thanks,
>>
>> Bret
>>
>>
>> Note: Since lately ipv6 has been a hot topic, I'll state that after we get
>> the BGP all figured out and working properly, ipv6 is our next project. :)
>>
>>
>>
>>      



More information about the NANOG mailing list