[142338] in North American Network Operators' Group


Re: BGP Design question.

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jun 22 18:47:54 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <3A9F8592-5F60-42B9-AC3F-8A6EFDB7E294@getjive.com>
Date: Wed, 22 Jun 2011 15:44:01 -0700
To: Bret Palsson <bret@getjive.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

I would suggest running VRRP on the routers towards the firewalls and only using OSPF
to advertise the ingress routes. Statically route default to the VRRP group.


Implemented as follows:


[RA]------[switch]-----[switch]------[RB]
             |             |
           [AFW]         [PFW]

Make sense?

AFW/PFW advertise OSPF for the interior routes so that RA/RB know how to reach
them, but, RA/RB don't have to advertise anything and AFW/PFW have static
default routes to a VRRP group address shared between RA/RB.

If you want to make OSPF work, then, try making sure you have
default-information originate always
on both RA and RB.

Owen

On Jun 22, 2011, at 3:27 PM, Bret Palsson wrote:

> Here is my current setup in ASCII art. (Please view in a fixed width font.) Below the art I'll write out the setup.
>
>
>     +--------+    +--------+
>     | Peer A |    | Peer A |  <-Many carriers. Using 1 carrier
>     +---+----+    +----+---+    for this scenario.
>         |eBGP          | eBGP
>         |              |
>     +---+----+iBGP+----+---+
>     | Router +----+ Router |  <-Netiron CERs Routers.
>     +-+------+    +------+-+
>       |A   `.P    A.'    |P   <-A/P indicates Active/Passive
>       |      `.  .'      |      link.
>       |        ::        |
>     +-+------+'  `+------+-+
>     |Act. FW |    |Pas. FW |  <-Firewalls Active/Passive.
>     +--------+    +--------+
>
>
> To keep this scenario simple, I'm multihoming to one carrier.
> I have two Netiron CERs. Each has an eBGP connection to the same peer.
> The CERs have an iBGP connection to each other.
> That works all fine and dandy. Feel free to comment, however, if you think there is a better way to do this.
>
> Here comes the tricky part. I have two firewalls in an Active/Passive setup. When one fails the other is configured exactly the same
> and picks up where the other left off. (Yes, all the sessions etc. are actively mirrored between the devices)
>
> I am using OSPFv2 between the CERs and the Firewalls. Failover works just fine, however when I fail an OSPF link that has the active default route, ingress traffic still routes fine and dandy, but egress traffic doesn't. Both Netirons' OSPF are set up to advertise they are the default route.
>
> What I'm wondering is, if OSPF is the right solution for this. How do others solve this problem?
>
>
> Thanks,
>
> Bret
>
>
> Note: Since lately ipv6 has been a hot topic, I'll state that after we get the BGP all figured out and working properly, ipv6 is our next project. :)
>

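The design Owen sketches above, written out as an added configuration example (not from either poster): RA/RB run VRRP on the firewall-facing segment and learn interior prefixes via OSPF without originating anything, while AFW/PFW advertise their interior networks into OSPF and carry a plain static default to the VRRP address. The syntax is Cisco IOS-style and the addresses are constructed for illustration; the NetIron CER keywords differ, and the device names come from Owen's diagram.

```text
! --- RA (RB is the same apart from its own address and a lower VRRP priority) ---
! IOS-style syntax, constructed for illustration; not NetIron CLI.
interface GigabitEthernet0/1
 description firewall segment (via switch)
 ip address 192.0.2.2 255.255.255.0
 vrrp 1 ip 192.0.2.1          ! shared group address; the firewalls default here
 vrrp 1 priority 110          ! RB keeps the default priority of 100
 vrrp 1 preempt               ! RA takes the address back once it returns
!
router ospf 1
 router-id 192.0.2.2
 network 192.0.2.0 0.0.0.255 area 0
 ! No default-information originate and no redistribution: RA only learns
 ! the interior prefixes AFW/PFW advertise and forwards toward them.
!
! --- AFW (PFW is identical except for its own interface address) ---
interface outside
 ip address 192.0.2.11 255.255.255.0
!
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.255.255 area 0   ! constructed interior range RA/RB must reach
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1     ! static default to the VRRP group address
!
! --- Alternative Owen mentions if the default must stay in OSPF instead ---
router ospf 1
 default-information originate always  ! on BOTH RA and RB
```

With the VRRP variant, a failed router-to-switch link moves the group address to the surviving router, so the firewalls' egress path never depends on which router currently holds an OSPF-learned default.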
