nanog mailing list archives

Re: BGP Design question.


From: -Hammer- <bhmccie () gmail com>
Date: Wed, 22 Jun 2011 18:11:13 -0500

Another option would be to insert switches between your routers and FWs. OSPF from the routers to the switches (yes, switches running L3 OSPF) and then HSRP/VRRP/etc. to the FWs. This way routing changes don't affect the FWs. The FWs simply have a default route to the HSRP/VRRP/etc. VIP. Then the primary switch routes to the routers, which then route out to their eBGP peers. The only caveat is to make sure you are only redistributing the 0/0 into OSPF, not the full route table.

-Hammer-



On 06/22/2011 05:27 PM, Bret Palsson wrote:
Here is my current setup in ASCII art. (Please view in a fixed width font.) Below the art I'll write out the setup.


      +--------+    +--------+
      | Peer A |    | Peer A |<-Many carriers. Using 1 carrier
      +---+----+    +----+---+    for this scenario.
          |eBGP          | eBGP
          |              |
      +---+----+iBGP+----+---+
      | Router +----+ Router |<-Netiron CERs Routers.
      +-+------+    +------+-+
        |A   `.P    A.'    |P<-A/P indicates Active/Passive
        |      `.  .'      |      link.
        |        ::        |
      +-+------+'  `+------+-+
      |Act. FW |    |Pas. FW |<-Firewalls Active/Passive.
      +--------+    +--------+


To keep this scenario simple, I'm multihoming to one carrier.
I have two Netiron CERs. Each has an eBGP connection to the same peer.
The CERs have an iBGP connection to each other.
That works all fine and dandy. Feel free to comment, however, if you think there is a better way to do this.

Here comes the tricky part. I have two firewalls in an Active/Passive setup. When one fails, the other is configured exactly the same and picks up where the other left off. (Yes, all the sessions etc. are actively mirrored between the devices.)

I am using OSPFv2 between the CERs and the firewalls. Failover works just fine; however, when I fail an OSPF link that has the active default route, ingress traffic still routes fine and dandy, but egress traffic doesn't. Both Netirons' OSPF are set up to advertise that they are the default route.

What I'm wondering is if OSPF is the right solution for this. How do others solve this problem?


Thanks,

Bret


Note: Since lately IPv6 has been a hot topic, I'll state that after we get the BGP all figured out and working properly, IPv6 is our next project. :)
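The switch-in-the-middle design -Hammer- proposes above, written out as an added configuration sketch. This is not configuration from the thread or from either poster; Cisco IOS-style syntax is assumed for the switches and routers (the Netiron CLI differs), the firewall line is ASA-style, and every address, VLAN number, AS number and process ID is a constructed placeholder. The point it makes concrete is the caveat in the reply: the routers hand the switch layer only a default via `default-information originate`, and the full BGP table is never redistributed into OSPF, while the firewalls see a single HSRP VIP and run no routing protocol at all.

```text
! Added illustration of the switch/HSRP design described in the reply.
! IOS-style syntax assumed; addresses and IDs are placeholders.

! ---- L3 switch SW1 (SW2 is the mirror image with a lower HSRP priority) ----
! Uplink toward Router 1: this is the only place OSPF actually runs adjacencies
interface GigabitEthernet1/0/1
 description Uplink to Router1
 ip address 192.0.2.1 255.255.255.252
 ip ospf network point-to-point
!
! Firewall-facing VLAN: both FWs point at one HSRP virtual IP, no OSPF hellos
interface Vlan10
 description Firewall outside segment
 ip address 198.51.100.2 255.255.255.248
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
 ! if the router uplink goes down, drop priority by 20 so SW2 takes the VIP
 standby 1 track GigabitEthernet1/0/1 20
!
router ospf 1
 passive-interface Vlan10
 network 192.0.2.0 0.0.0.3 area 0
 network 198.51.100.0 0.0.0.7 area 0
 ! What NOT to do on the switch or the routers:
 ! redistribute bgp 64500 subnets   <- would push the full table toward the FWs

! ---- Router 1 (Router 2 identical toward SW2) ----
router ospf 1
 network 192.0.2.0 0.0.0.3 area 0
 ! originate only 0/0 into OSPF; withdrawn automatically if this router
 ! loses its own default (add "always" only if you want it unconditional)
 default-information originate
!
router bgp 64500
 ! eBGP to the carrier and iBGP to the other CER stay here; nothing from
 ! this table is redistributed into OSPF

! ---- Firewall (ASA-style), identical on the active and passive unit ----
! One static default to the HSRP VIP; the FW never learns routes dynamically
route outside 0.0.0.0 0.0.0.0 198.51.100.1
```

Two design notes: `default-information originate` without `always` only advertises the default while the router holds one itself (for example learned from the eBGP peer), so losing upstream on one router withdraws that router's default from OSPF instead of black-holing egress. The HSRP interface tracking does the equivalent on the switch side: when SW1's router uplink fails, the VIP moves to SW2 and the firewalls' static default keeps working unchanged.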



