nanog mailing list archives

Re: TFTP over anycast


From: William Herrin <bill () herrin us>
Date: Tue, 27 Feb 2024 10:47:23 -0800

On Tue, Feb 27, 2024 at 10:02 AM Javier Gutierrez
<GutierrezJ () westmancom com> wrote:
> My design is very simplistic, I have 2 sets of firewalls that I
> will have advertising a /32 unicast to the network at each
> location and it will have a TFTP server behind each firewall.

Hi Javier,

That sounds straightforward to me with no major failure modes. I would
make the firewall part of my OSPF network and then add the tftp
servers to OSPF using FRR. Then I'd write a script to monitor the
local tftp server and stop frr if it detects any problems with the
tftp server. The local tftp server will always be closer than the
remote one via OSPF link costs, unless it goes offline. I assume you
also have an encrypted channel between the firewalls to handle traffic
that stays "inside" your security boundary, as tftp generally should.

Where you could get into trouble is if you add a third or additional
sites. If there's ever an equal routing cost from any one site to two
others, there's a non-zero risk of the failover process failing... and
you won't know it until you need it.

Regards,
Bill Herrin


-- 
William Herrin
bill () herrin us
https://bill.herrin.us/

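The health-check script Bill describes (probe the local tftp server, stop FRR when it fails so the /32 is withdrawn from OSPF and traffic follows link costs to the other site) could look like the following. This is an added example, not Bill Herrin's or Javier's code: it assumes the anycast /32 sits on a loopback that FRR's OSPF advertises, that FRR runs as the systemd unit `frr`, that the tftp daemon publishes a small probe file (name assumed as `healthcheck.txt`), and that a failure counter is kept in an assumed path under `/run`. It would be run from cron or a systemd timer with the `--check` argument.

```shell
#!/bin/sh
# Added example (not from the thread): withdraw the anycast /32 by stopping
# FRR when the local TFTP server stops answering, restore it when it recovers.
# Hostnames, file names, paths and thresholds below are assumptions.

TFTP_HOST="${TFTP_HOST:-127.0.0.1}"                 # assumed: tftpd on this host
PROBE_FILE="${PROBE_FILE:-healthcheck.txt}"         # assumed: small file published for probing
FAIL_LIMIT="${FAIL_LIMIT:-3}"                       # consecutive failures before withdrawing
STATE_FILE="${STATE_FILE:-/run/tftp-anycast.fail}"  # assumed: failure counter location
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print actions instead of running them

# Probe the local TFTP server; curl speaks tftp:// when built with TFTP support.
# Returns 0 if the probe file was fetched, non-zero otherwise.
probe_tftp() {
    curl --silent --max-time 5 --output /dev/null "tftp://$TFTP_HOST/$PROBE_FILE" 2>/dev/null
}

# Pure decision logic, kept separate from side effects so it can be tested offline.
# args: probe_status (0 = healthy), current_fail_count, fail_limit
# prints: "<new_fail_count> <action>" where action is keep | withdraw | restore
decide() {
    probe_status=$1; fails=$2; limit=$3
    if [ "$probe_status" -eq 0 ]; then
        # Healthy again: if we had crossed the limit, FRR was stopped; start it.
        if [ "$fails" -ge "$limit" ]; then echo "0 restore"; else echo "0 keep"; fi
    else
        fails=$((fails + 1))
        if [ "$fails" -ge "$limit" ]; then echo "$fails withdraw"; else echo "$fails keep"; fi
    fi
}

# Run a privileged action, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

# Stopping FRR withdraws every route this host advertises, including the /32;
# starting it re-advertises once adjacencies come back up.
apply_action() {
    case "$1" in
        withdraw) run systemctl stop frr ;;
        restore)  run systemctl start frr ;;
        keep)     ;;
    esac
}

main() {
    fails=0
    [ -f "$STATE_FILE" ] && fails=$(cat "$STATE_FILE")
    probe_tftp; status=$?
    set -- $(decide "$status" "$fails" "$FAIL_LIMIT")
    echo "$1" > "$STATE_FILE"
    apply_action "$2"
}

# Only perform the check when invoked with --check, so the file can be sourced
# for testing without touching FRR.
if [ "${1:-}" = "--check" ]; then
    main
fi
```

The failure counter is what keeps a single dropped UDP datagram from flapping the route: FRR is only stopped after `FAIL_LIMIT` consecutive probe failures, and the counter resets to zero on the first success. Because the decision is made from the probe's exit status alone, the same script works for any tftp client you prefer over curl.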