[142343] in North American Network Operators' Group


Re: BGP Design question.

daemon@ATHENA.MIT.EDU (Ingo Flaschberger)
Wed Jun 22 19:12:17 2011

Date: Thu, 23 Jun 2011 01:07:54 +0200 (CEST)
From: Ingo Flaschberger <if@xip.at>
To: Bret Palsson <bret@getjive.com>
In-Reply-To: <3A9F8592-5F60-42B9-AC3F-8A6EFDB7E294@getjive.com>
Cc: NANOG <nanog@nanog.org>

Hi Bret,

> To keep this scenario simple, I'm multihoming to one carrier.
> I have two Netiron CERs. Each has an eBGP connection to the same peer.
> The CERs have an iBGP connection to each other.
> That works all fine and dandy. Feel free to comment, however, if you think there is a better way to do this.
>
> Here comes the tricky part. I have two firewalls in an Active/Passive setup. When one fails, the other is configured exactly the same
> and picks up where the other left off. (Yes, all the sessions etc. are actively mirrored between the devices.)
>
> I am using OSPFv2 between the CERs and the firewalls. Failover works 
> just fine; however, when I fail an OSPF link that has the active default 
> route, ingress traffic still routes fine and dandy, but egress traffic 
> doesn't. Both Netirons' OSPF are set up to advertise they are the default 
> route.

Linux firewall?
disabled rp-filter?

> What I'm wondering is, if OSPF is the right solution for this. How do others solve this problem?

I do something similar with FreeBSD; you always make sure the backbone 
area 0.0.0.0 does not break into 2 parts, perhaps use an extra link 
between the 2 firewalls just because of this.

Kind regards,
 	Ingo Flaschberger
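The "rp-filter" Ingo asks about is the Linux reverse-path filter, net.ipv4.conf.<if>.rp_filter. In strict mode (1) the kernel drops a packet unless the route back to its source leaves via the interface it arrived on, so an asymmetric path such as ingress via one CER and egress via the other after an OSPF failover is dropped silently; loose mode (2) only requires that the source be reachable via some interface, and 0 disables the check. The script below is an added example, not code from the thread or from either poster: it audits the sysctl output for interfaces whose effective rp_filter is strict and prints the sysctl commands that would loosen them. The sysctl sample embedded in it is constructed for illustration; on a live firewall you would pipe `sysctl net.ipv4.conf` into the same functions.

```shell
#!/bin/sh
# Added example (not part of the original post): audit Linux reverse-path
# filtering (the "rp-filter" Ingo asks about) from `sysctl net.ipv4.conf`
# style output, one "key = value" per line.
#
# rp_filter values: 0 = off, 1 = strict (drop unless the return route to
# the source uses the ingress interface), 2 = loose (source reachable via
# any interface). The kernel applies max(conf.all.rp_filter,
# conf.<if>.rp_filter) to each interface, so "all = 1" makes every
# interface strict regardless of its own setting.

# Constructed sample sysctl output (assumption: not from a real box).
# eth0/eth1 are strict, eth2 is loose, lo is off; "all" is 0.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.eth2.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# Read sysctl lines on stdin; print, sorted, every interface whose
# effective rp_filter (max of its own value and conf.all) is strict (1).
# "default" only seeds new interfaces, so it is reported but not applied.
strict_rp_filter_ifaces() {
    awk -F' = ' '
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ {
            split($1, p, ".")          # p[4] is the interface name
            v[p[4]] = $2 + 0
        }
        END {
            all = ("all" in v) ? v["all"] : 0
            for (i in v) {
                if (i == "all" || i == "default") continue
                eff = (v[i] > all) ? v[i] : all
                if (eff == 1) print i
            }
        }' | sort
}

# Read sysctl lines on stdin; print the sysctl commands that move each
# strict interface to loose mode. Because the kernel takes the max, setting
# the per-interface value to 2 is enough even when conf.all is 1.
loosen_rp_filter_cmds() {
    strict_rp_filter_ifaces |
        awk '{ printf "sysctl -w net.ipv4.conf.%s.rp_filter=2\n", $1 }'
}

# Usage on the constructed sample. Live use on a Linux firewall:
#   sysctl net.ipv4.conf | strict_rp_filter_ifaces
#   sysctl net.ipv4.conf | loosen_rp_filter_cmds | sh
echo "Interfaces with strict reverse-path filtering:"
printf '%s\n' "$SAMPLE_SYSCTL" | strict_rp_filter_ifaces
echo "Commands to switch them to loose mode:"
printf '%s\n' "$SAMPLE_SYSCTL" | loosen_rp_filter_cmds
```

Loose mode still rejects packets from sources with no route at all (spoofed addresses from bogon space, say), so on a multihomed firewall it is the usual compromise between keeping some anti-spoofing and surviving asymmetric routing; setting 0 gives up the check entirely.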

