nanog mailing list archives
Re: TFTP over anycast
From: William Herrin <bill () herrin us>
Date: Tue, 27 Feb 2024 10:47:23 -0800
On Tue, Feb 27, 2024 at 10:02 AM Javier Gutierrez <GutierrezJ () westmancom com> wrote:
My design is very simplistic, I have 2 sets of firewalls that I will have advertising a /32 unicast to the network at each location and it will have a TFTP server behind each firewall.
Hi Javier,

That sounds straightforward to me with no major failure modes. I would make the firewall part of my OSPF network and then add the tftp servers to OSPF using FRR. Then I'd write a script to monitor the local tftp server and stop frr if it detects any problems with the tftp server. The local tftp server will always be closer than the remote one via OSPF link costs, unless it goes offline.

I assume you also have an encrypted channel between the firewalls to handle traffic that stays "inside" your security boundary, as tftp generally should.

Where you could get into trouble is if you add a third or additional sites. If there's ever an equal routing cost from any one site to two others, there's a non-zero risk of the failover process failing... and you won't know it until you need it.

Regards,
Bill Herrin

--
William Herrin
bill () herrin us
https://bill.herrin.us/
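The monitoring script described in the message above (probe the local tftp server, stop FRR when it fails), as an added example that is not part of the original post. The loopback address, port 69, the canary file name `healthcheck.txt`, the three-consecutive-failure threshold and `systemctl stop frr` as the stop action are assumptions.

```python
import socket
import struct
import subprocess
import time

OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4  # TFTP opcodes (RFC 1350)

def tftp_probe(host, port, filename, timeout=2.0):
    """True only if the server answers a read request with DATA block 1."""
    rrq = struct.pack("!H", OP_RRQ) + filename.encode() + b"\0octet\0"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(rrq, (host, port))
            pkt, peer = s.recvfrom(516)  # 4-byte header + up to 512 data bytes
        except OSError:  # timeout, ICMP unreachable, no route
            return False
        if len(pkt) < 4 or struct.unpack("!HH", pkt[:4]) != (OP_DATA, 1):
            return False  # an ERROR packet or garbage counts as unhealthy
        # The canary file is assumed to be under 512 bytes, so block 1 is
        # also the last block and this ACK completes the transfer.
        s.sendto(struct.pack("!HH", OP_ACK, 1), peer)
        return True

def monitor(probe, withdraw, max_failures=3, interval=5.0, sleep=time.sleep):
    """Probe until max_failures consecutive misses, then withdraw the route.

    Returns the number of probes sent before withdrawing."""
    failures = probes = 0
    while failures < max_failures:
        probes += 1
        failures = 0 if probe() else failures + 1
        if failures < max_failures:
            sleep(interval)
    withdraw()
    return probes

def stop_frr():
    # With FRR stopped, this host no longer advertises the /32 into OSPF.
    subprocess.run(["systemctl", "stop", "frr"], check=True)

if __name__ == "__main__":
    # Assumed values: server on loopback port 69, canary "healthcheck.txt".
    monitor(lambda: tftp_probe("127.0.0.1", 69, "healthcheck.txt"), stop_frr)
```

Requiring several consecutive misses keeps one lost UDP datagram from withdrawing the route; restarting FRR after the server recovers is left to the operator.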