Re: BGP Design question.

[Matt Hite <lists () beatmixed com>]

Sure. Sometimes it's nice/convenient to let firewalls advertise the
external blocks they use for NAT translations, etc. Otherwise you need
to statically route them to the firewall and redistribute the statics
from said routers into your IGP.

Also, in some cases, people want to do network-based load balancing
(ECMP) to clusters of firewalls. So routing protocols obviously come
in handy with that.

Additionally, some people just want to avoid layer 2 clustering/HA
technologies whenever possible and prefer layer 3 HA solutions.

-M

On Wed, Jun 22, 2011 at 4:37 PM, -Hammer- <bhmccie () gmail com> wrote:
> Do people really run routing protocols with their public address space on
> their FWs? I'm not saying right or wrong. Just curious. Seems like the last
> thing I would want to do would be to have my FW participate in a routing
> protocol unless is was absolutely necessary. Better to static the FW with a
> default route? I'd love to hear arguments for or against....
>
> -Hammer-
>
>
>
> On 06/22/2011 06:33 PM, PC wrote:
> > Who makes the firewall?
> >
> > To make this work and be "hitless", your firewall vendor must support
> > stateful replication of routing protocol data (including OSPF).  For
> > example, Cisco didn't support this in their ASA product until version 8.4
> > of
> > code.
> >
> > Otherwise, a failover requires OSPF to re-converge -- and quite frankly,
> > will likely cause some state of confusion on the upstream OSPF peers, loss
> > of adjacency, and a loss of routing until this occurs.  It's like someone
> > just swapped a router with the same IP  to the upstream device -- assuming
> > your active/standby vendor's implementation only presents itself as one
> > device.
> >
> > However, once this is succesful your current failover topology should work
> > fine -- even if it takes some time to failover.
> >
> > In my opinion though, unless the firewall is serving as "transit" to
> > downstream routers or other layer 3 elements, and you need to run OSPF to
> > it
> > (And through it) as a result, it's often just easier to static default
> > route
> > out from the firewall(s) and redistribute a static route on the upstream
> > routers for the subnets behind the firewalls.  It also helps ensure
> > symmetrical traffic flows, which is important for stateful firewalls and
> > can
> > become moderatly confusing when your firewalls start having many
> > interfaces.
> >
> >
> >
> >
> > On Wed, Jun 22, 2011 at 4:27 PM, Bret Palsson<bret () getjive com>  wrote:
> >
> >
> > > Here is my current setup in ASCII art. (Please view in a fixed width
> > > font.)
> > > Below the art I'll write out the setup.
> > >
> > >
> > >     +--------+    +--------+
> > >     | Peer A |    | Peer A |<-Many carriers. Using 1 carrier
> > >     +---+----+    +----+---+    for this scenario.
> > >         |eBGP          | eBGP
> > >         |              |
> > >     +---+----+iBGP+----+---+
> > >     | Router +----+ Router |<-Netiron CERs Routers.
> > >     +-+------+    +------+-+
> > >       |A   `.P    A.'    |P<-A/P indicates Active/Passive
> > >       |      `.  .'      |      link.
> > >       |        ::        |
> > >     +-+------+'  `+------+-+
> > >     |Act. FW |    |Pas. FW |<-Firewalls Active/Passive.
> > >     +--------+    +--------+
> > >
> > >
> > > To keep this scenario simple, I'm multihoming to one carrier.
> > > I have two Netiron CERs. Each have a eBGP connection to the same peer.
> > > The CERs have an iBGP connection to each other.
> > > That works all fine and dandy. Feel free to comment, however if you think
> > > there is a better way to do this.
> > >
> > > Here comes the tricky part. I have two firewalls in an Active/Passive
> > > setup. When one fails the other is configured exactly the same
> > > and picks up where the other left off. (Yes, all the sessions etc. are
> > > actively mirrored between the devices)
> > >
> > > I am using OSPFv2 between the CERs and the Firewalls. Failover works just
> > > fine, however when I fail an OSPF link that has the active default route,
> > > ingress traffic still routes fine and dandy, but egress traffic doesn't.
> > > Both Netiron's OSPF are setup to advertise they are the default route.
> > >
> > > What I'm wondering is, if OSPF is the right solution for this. How do
> > > others solve this problem?
> > >
> > >
> > > Thanks,
> > >
> > > Bret
> > >
> > >
> > > Note: Since lately ipv6 has been a hot topic, I'll state that after we
> > > get
> > > the BGP all figured out and working properly, ipv6 is our next project.
> > > :)