[142346] in North American Network Operators' Group

Re: BGP Design question.

daemon@ATHENA.MIT.EDU (William Cooper)
Wed Jun 22 19:22:31 2011

In-Reply-To: <3A9F8592-5F60-42B9-AC3F-8A6EFDB7E294@getjive.com>
Date: Wed, 22 Jun 2011 19:22:23 -0400
From: William Cooper <wcooper02@gmail.com>
To: Bret Palsson <bret@getjive.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Couple of questions for clarification (inline):

On Wed, Jun 22, 2011 at 6:27 PM, Bret Palsson <bret@getjive.com> wrote:
> Here is my current setup in ASCII art. (Please view in a fixed width font.) Below the art I'll write out the setup.
>
>
>     +--------+    +--------+
>     | Peer A |    | Peer A |  <-Many carriers. Using 1 carrier
>     +---+----+    +----+---+    for this scenario.
>         |eBGP          | eBGP
>         |              |
>     +---+----+iBGP+----+---+
>     | Router +----+ Router |  <-Netiron CERs Routers.
>     +-+------+    +------+-+
>       |A   `.P    A.'    |P   <-A/P indicates Active/Passive
>       |      `.  .'      |      link.
>       |        ::        |
>     +-+------+'  `+------+-+
>     |Act. FW |    |Pas. FW |  <-Firewalls Active/Passive.
>     +--------+    +--------+

(Tony) What's behind this point?

>
>
> To keep this scenario simple, I'm multihoming to one carrier.
> I have two Netiron CERs. Each has an eBGP connection to the same peer.
> The CERs have an iBGP connection to each other.
> That works all fine and dandy. Feel free to comment, however, if you think there is a better way to do this.
>
> Here comes the tricky part. I have two firewalls in an Active/Passive setup. When one fails the other is configured exactly the same
> and picks up where the other left off. (Yes, all the sessions etc. are actively mirrored between the devices)
>
> I am using OSPFv2 between the CERs and the Firewalls. Failover works just fine, however when I fail an OSPF link that has the active default route, ingress traffic still routes fine and dandy, but egress traffic doesn't. Both Netiron's OSPF are set up to advertise they are the default route.
>

(Tony) (Apologies for the seemingly dumb question) but by egress, do
you mean from behind the FW towards your carrier?

> What I'm wondering is, if OSPF is the right solution for this. How do others solve this problem?
>
>
> Thanks,
>
> Bret
>
>
> Note: Since lately ipv6 has been a hot topic, I'll state that after we get the BGP all figured out and working properly, ipv6 is our next project. :)
>
>
>

