BGP Design question.

PC paul4004 at gmail.com
Wed Jun 22 23:04:05 CDT 2011


A quick google search says you should be ok with screenos 6.0 or later for
the routing protocol replication.

I'm looking at your diagram again though.  You will want a switch in the
middle of your Firewalls and routers, as the firewalls are in an
active/standby mode and do not independently run OSPF.  And in this case,
throw them all on one vlan, and let them peer with each other (2x1).  This
could actually be your problem.

None the less, I agree, why involve it in OSPF and make it complex if
there's no real need to?  I think your static route idea is the best way to
do, given the FW supports presenting itself as a "single" entity.

On Wed, Jun 22, 2011 at 7:07 PM, Bret Palsson <bret at getjive.com> wrote:

>
>
> On Wed, Jun 22, 2011 at 5:33 PM, PC <paul4004 at gmail.com> wrote:
>
>> Who makes the firewall?
>>
>>
> Juniper SSG. We use NSRP and replicate all the RTOs. We have hitless on the
> Firewalls, have for years. We're now peering with our own carriers vs. using
> our datacenter's mix.
>
> A static route from the junipers to the VIP (VRRP) is probably the way to
> go. I think.
>
> To make this work and be "hitless", your firewall vendor must support
>> stateful replication of routing protocol data (including OSPF).  For
>> example, Cisco didn't support this in their ASA product until version 8.4 of
>> code.
>>
>> Otherwise, a failover requires OSPF to re-converge -- and quite frankly,
>> will likely cause some state of confusion on the upstream OSPF peers, loss
>> of adjacency, and a loss of routing until this occurs.  It's like someone
>> just swapped a router with the same IP  to the upstream device -- assuming
>> your active/standby vendor's implementation only presents itself as one
>> device.
>>
>> However, once this is succesful your current failover topology should work
>> fine -- even if it takes some time to failover.
>>
>> In my opinion though, unless the firewall is serving as "transit" to
>> downstream routers or other layer 3 elements, and you need to run OSPF to it
>> (And through it) as a result, it's often just easier to static default route
>> out from the firewall(s) and redistribute a static route on the upstream
>> routers for the subnets behind the firewalls.  It also helps ensure
>> symmetrical traffic flows, which is important for stateful firewalls and can
>> become moderatly confusing when your firewalls start having many interfaces.
>>
>>
>>
>>
>> On Wed, Jun 22, 2011 at 4:27 PM, Bret Palsson <bret at getjive.com> wrote:
>>
>>> Here is my current setup in ASCII art. (Please view in a fixed width
>>> font.) Below the art I'll write out the setup.
>>>
>>>
>>>     +--------+    +--------+
>>>     | Peer A |    | Peer A |  <-Many carriers. Using 1 carrier
>>>     +---+----+    +----+---+    for this scenario.
>>>         |eBGP          | eBGP
>>>         |              |
>>>     +---+----+iBGP+----+---+
>>>     | Router +----+ Router |  <-Netiron CERs Routers.
>>>     +-+------+    +------+-+
>>>       |A   `.P    A.'    |P   <-A/P indicates Active/Passive
>>>       |      `.  .'      |      link.
>>>       |        ::        |
>>>     +-+------+'  `+------+-+
>>>     |Act. FW |    |Pas. FW |  <-Firewalls Active/Passive.
>>>     +--------+    +--------+
>>>
>>>
>>> To keep this scenario simple, I'm multihoming to one carrier.
>>> I have two Netiron CERs. Each have a eBGP connection to the same peer.
>>> The CERs have an iBGP connection to each other.
>>> That works all fine and dandy. Feel free to comment, however if you think
>>> there is a better way to do this.
>>>
>>> Here comes the tricky part. I have two firewalls in an Active/Passive
>>> setup. When one fails the other is configured exactly the same
>>> and picks up where the other left off. (Yes, all the sessions etc. are
>>> actively mirrored between the devices)
>>>
>>> I am using OSPFv2 between the CERs and the Firewalls. Failover works just
>>> fine, however when I fail an OSPF link that has the active default route,
>>> ingress traffic still routes fine and dandy, but egress traffic doesn't.
>>> Both Netiron's OSPF are setup to advertise they are the default route.
>>>
>>> What I'm wondering is, if OSPF is the right solution for this. How do
>>> others solve this problem?
>>>
>>>
>>> Thanks,
>>>
>>> Bret
>>>
>>>
>>> Note: Since lately ipv6 has been a hot topic, I'll state that after we
>>> get the BGP all figured out and working properly, ipv6 is our next project.
>>> :)
>>>
>>>
>>>
>>
>



More information about the NANOG mailing list