BGP Design question.
daemon@ATHENA.MIT.EDU (Bret Palsson)
Wed Jun 22 18:28:18 2011
From: Bret Palsson <bret@getjive.com>
Date: Wed, 22 Jun 2011 16:27:26 -0600
To: NANOG <nanog@nanog.org>
Here is my current setup in ASCII art. (Please view in a fixed width font.) Below the art I'll write out the setup.
+--------+       +--------+
| Peer A |       | Peer A | <-Many carriers. Using 1 carrier
+---+----+       +----+---+   for this scenario.
    |eBGP             | eBGP
    |                 |
+---+----+iBGP   +----+---+
| Router +-------+ Router | <-Netiron CERs Routers.
+-+------+       +------+-+
  |A `.P            A.' |P  <-A/P indicates Active/Passive
  |   `.          .'   |      link.
  |         ::         |
+-+------+'     `+------+-+
|Act. FW |       |Pas. FW | <-Firewalls Active/Passive.
+--------+       +--------+
To keep this scenario simple, I'm multihoming to one carrier.
I have two Netiron CERs. Each has an eBGP connection to the same peer.
The CERs have an iBGP connection to each other.
That works all fine and dandy. Feel free to comment, however, if you think there is a better way to do this.
Here comes the tricky part. I have two firewalls in an Active/Passive setup. When one fails, the other is configured exactly the same and picks up where the other left off. (Yes, all the sessions etc. are actively mirrored between the devices.)
I am using OSPFv2 between the CERs and the firewalls. Failover works just fine; however, when I fail an OSPF link that has the active default route, ingress traffic still routes fine and dandy, but egress traffic doesn't. Both Netirons' OSPF instances are set up to advertise that they are the default route.
What I'm wondering is if OSPF is the right solution for this. How do others solve this problem?
Thanks,
Bret
Note: Since IPv6 has lately been a hot topic, I'll state that after we get the BGP all figured out and working properly, IPv6 is our next project. :)