Re: BGP Design question.

[Bret Palsson <bret () getjive com>]

On Wed, Jun 22, 2011 at 5:22 PM, William Cooper <wcooper02 () gmail com> wrote:

> Couple of questions for clarification (inline):
>
> On Wed, Jun 22, 2011 at 6:27 PM, Bret Palsson <bret () getjive com> wrote:
> > Here is my current setup in ASCII art. (Please view in a fixed width
> font.) Below the art I'll write out the setup.
> >     +--------+    +--------+
> >     | Peer A |    | Peer A |  <-Many carriers. Using 1 carrier
> >     +---+----+    +----+---+    for this scenario.
> >         |eBGP          | eBGP
> >         |              |
> >     +---+----+iBGP+----+---+
> >     | Router +----+ Router |  <-Netiron CERs Routers.
> >     +-+------+    +------+-+
> >       |A   `.P    A.'    |P   <-A/P indicates Active/Passive
> >       |      `.  .'      |      link.
> >       |        ::        |
> >     +-+------+'  `+------+-+
> >     |Act. FW |    |Pas. FW |  <-Firewalls Active/Passive.
> >     +--------+    +--------+
>
> (Tony) What's behind this point?
We have a few gigs of voice (RTP) traffic at any given time of the day. We
want/need hitless failover. Currently we provide this, but we use our
providers BGP mix. We will be peering with many carriers directly now and
are changing our topology to do so. Before we had a HSRP L3 hand-off to two
switches in the same vlan. On our juniper SSGs we bonded ports and we use
the NSRP for all the RTOs. Which provided hitless fail-over.

> > To keep this scenario simple, I'm multihoming to one carrier.
> > I have two Netiron CERs. Each have a eBGP connection to the same peer.
> > The CERs have an iBGP connection to each other.
> > That works all fine and dandy. Feel free to comment, however if you think
> there is a better way to do this.
> > Here comes the tricky part. I have two firewalls in an Active/Passive
> setup. When one fails the other is configured exactly the same
> > and picks up where the other left off. (Yes, all the sessions etc. are
> actively mirrored between the devices)
> > I am using OSPFv2 between the CERs and the Firewalls. Failover works just
> fine, however when I fail an OSPF link that has the active default route,
> ingress traffic still routes fine and dandy, but egress traffic doesn't.
> Both Netiron's OSPF are setup to advertise they are the default route.
> >
>
> (Tony) (Apologies for the seemingly dumb question) but by egress, do
> you mean from behind the FW towards your carrier?
Yes.

> > What I'm wondering is, if OSPF is the right solution for this. How do
> others solve this problem?
> > Thanks,
> >
> > Bret
> >
> >
> > Note: Since lately ipv6 has been a hot topic, I'll state that after we
> get the BGP all figured out and working properly, ipv6 is our next project.
> :)
> >