BGP Design question.

William Herrin bill at
Wed Jun 22 23:42:31 UTC 2011

On Wed, Jun 22, 2011 at 6:27 PM, Bret Palsson <bret at> wrote:
> I am using OSPFv2 between the CERs and the Firewalls.
> Failover works just fine, however when I fail an OSPF link
> that has the active default route, ingress traffic still routes
> fine and dandy, but egress traffic doesn't. Both Netirons'
> OSPF are set up to advertise they are the default route.

Hi Bret,

I have a setup that is almost identical except there is a pair of
simple switches between the routers and firewalls interconnecting all
into a LAN and I'm working with Cisco 2811's instead of Netiron CERs.
Can you expand on the interface addressing and what the firewalls see
via OSPF during your failure scenario?

> What I'm wondering is, if OSPF is the right solution for
> this. How do others solve this problem?

My failover firewall also connects to the switches (inside and out)
and turns down ports which connect to the primary firewall. During a
failure, the primary can't be depended on to completely take itself
out of line. If it was in a working state that could be depended on,
it wouldn't have failed.

Bill Herrin

William D. Herrin ................ herrin at  bill at
3005 Crane Dr. ...................... Web: <>
Falls Church, VA 22042-3004
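A constructed model, added here and not written by either poster, of the question Bill raises: what the firewall's OSPF process sees while one of two default-originating routers is failing. Router names, metrics, the 10/40 second hello/dead timers and the assumption that the firewall only notices a dead neighbor via the dead interval when a switch sits in between are all assumptions for illustration, not details from the thread.

```python
"""Toy model of a firewall's OSPF view during a default-route failover.
Constructed example: names, metrics and timers are assumptions."""
from dataclasses import dataclass

HELLO_INTERVAL = 10   # assumed default OSPF broadcast timers
DEAD_INTERVAL = 40


@dataclass(frozen=True)
class DefaultRoute:
    origin: str   # router originating 0.0.0.0/0 into OSPF
    metric: int   # external (E2-style) metric; lower is preferred


@dataclass
class FirewallView:
    """What the firewall holds: which neighbors are adjacent, and which
    default routes are present in its link-state database."""
    adjacent: dict      # neighbor name -> True while the adjacency is up
    defaults: tuple     # DefaultRoute entries learned via OSPF

    def egress_next_hop(self):
        """The default route the firewall would install for egress: only
        routes whose originator is still reachable via an up adjacency
        are usable; lowest metric wins, originator name breaks ties
        (assumed tie-break; real OSPF would ECMP on equal cost)."""
        usable = [d for d in self.defaults if self.adjacent.get(d.origin)]
        if not usable:
            return None
        return min(usable, key=lambda d: (d.metric, d.origin)).origin


def simulate_failure(view, failed, carrier_seen, seconds):
    """Return (t, egress_router) for each second after `failed` stops
    sending hellos. With a direct link the firewall sees carrier drop
    and tears the adjacency down at once; through a switch it keeps the
    adjacency (and the stale default) until DEAD_INTERVAL expires."""
    timeline = []
    for t in range(seconds + 1):
        adjacent = dict(view.adjacent)
        if carrier_seen or t >= DEAD_INTERVAL:
            adjacent[failed] = False
        hop = FirewallView(adjacent, view.defaults).egress_next_hop()
        timeline.append((t, hop))
    return timeline


def blackhole_seconds(timeline, failed):
    """Seconds during which egress still points at the dead router while
    ingress (converged upstream) already arrives via the survivor."""
    return sum(1 for _, hop in timeline if hop == failed)


if __name__ == "__main__":
    view = FirewallView(
        adjacent={"cer1": True, "cer2": True},
        defaults=(DefaultRoute("cer1", 10), DefaultRoute("cer2", 20)),
    )
    for carrier in (False, True):
        tl = simulate_failure(view, "cer1", carrier, 45)
        print("carrier seen" if carrier else "behind a switch",
              "-> egress blackholed for", blackhole_seconds(tl, "cer1"), "s")
```

The model separates two things that get conflated when "failover works" for ingress but not egress: upstream routers converge on their own schedule, while the firewall's egress path only changes once its own adjacency to the failed router is gone. Tuning hello/dead timers, or arranging for the firewall to see the link physically drop, shortens the window the model counts.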
