[177782] in North American Network Operators' Group


Re: Dynamic routing on firewalls.

daemon@ATHENA.MIT.EDU (santiago martinez)
Thu Feb 5 12:52:42 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <CALgc3C6DTzJFwOUtLMfdtS---qzA4bPRYYLrQqktWG8F+dbzzw@mail.gmail.com>
Date: Thu, 5 Feb 2015 15:06:00 +0000
From: santiago martinez <santiago.martinez.uk@gmail.com>
To: Eugeniu Patrascu <eugen@imacandi.net>
Cc: David Jansen <david@nines.nl>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi,

We are running Juniper SRX5000 family with around 40ish routing-instances,
most of them using OSPFv2 without any issues. The RIBs are not too big,
just a couple of them with thousands of routes. I know that some guys are
testing a similar environment on Fortigates and I'm not aware of any issues
with routing so far.

We also have SRX's running BGP+BFD (srx240) and again no issues at all.

As Eugeniu mentioned, just be careful with the asymmetric routing, then it's
straightforward.

Hope it helps.

Santiago

On Thu, Feb 5, 2015 at 2:42 PM, Eugeniu Patrascu <eugen@imacandi.net> wrote:

> On Thu, Feb 5, 2015 at 4:10 PM, David Jansen <david@nines.nl> wrote:
>
> > Hi,
> >
> > We have used dynamic routing on firewalls in the old days. We did
> > experience several severe outages due to this setup (OSPF and Cisco). As
> > you will understand I'm not eager to go back to this solution but I am
> > curious about your points of view.
> >
> > Is it advisable to do so these days?
> >
> >
> Any specific firewall in mind? As this depends from vendor to vendor.
>
> I've had some issues with OSPF and CheckPoint firewalls when the firewalls
> would be overloaded and started dropping packets at the interface level
> causing adjacencies to go down, but I solved this by using BGP instead and
> the routing issues went away.
>
> On Juniper things tend to work OK.
>
> Other than this, make sure you don't run into asymmetric routing as
> connections might get dropped because the firewall does not know about
> them or packets arrive out of order and the firewall cannot reassemble all
> of them.
>
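
The asymmetric-routing failure Eugeniu describes above, as an added toy model (not code from the thread or from any vendor): two stateful firewalls on parallel paths each keep a session table keyed on the 5-tuple, a session is only created when the SYN is seen, and a reply that a dynamic routing change steers through the other firewall is dropped for lack of state. The `shared_state` switch models firewalls that synchronise their session tables (as a cluster would) and is an assumption of the example, not something the thread states. Addresses, ports and firewall names are constructed.

```python
"""Toy model of why asymmetric routing breaks stateful firewalls (constructed
example, not from the NANOG thread). FW-A and FW-B sit on parallel paths
between an inside and an outside network and each keeps its own session
table. A reply that reaches a firewall which never saw the SYN is dropped."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


def flow_key(p: Packet):
    """Direction-independent key so a reply matches the session its SYN created."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


@dataclass
class StatefulFirewall:
    name: str
    sessions: set = field(default_factory=set)

    def forward(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        key = flow_key(p)
        if p.syn:
            self.sessions.add(key)  # new session is created on the SYN
            return True
        return key in self.sessions  # non-SYN packets must match existing state


def run_scenario(symmetric: bool, shared_state: bool = False) -> dict:
    """Send a SYN out through FW-A and the SYN/ACK back through FW-A
    (symmetric) or FW-B (asymmetric). shared_state=True is an assumption:
    both firewalls consult one synchronised session table."""
    fw_a = StatefulFirewall("FW-A")
    fw_b = StatefulFirewall("FW-B", sessions=fw_a.sessions if shared_state else set())
    # Constructed sample flow: inside client to an outside HTTPS server.
    syn = Packet("10.0.0.5", 40000, "192.0.2.10", 443, syn=True)
    synack = Packet("192.0.2.10", 443, "10.0.0.5", 40000)
    out_ok = fw_a.forward(syn)
    return_fw = fw_a if symmetric else fw_b
    back_ok = return_fw.forward(synack)
    return {"outbound_via": fw_a.name, "return_via": return_fw.name,
            "syn_forwarded": out_ok, "reply_forwarded": back_ok}


if __name__ == "__main__":
    for sym, shared in ((True, False), (False, False), (False, True)):
        r = run_scenario(sym, shared)
        verdict = "forwarded" if r["reply_forwarded"] else "DROPPED (no session)"
        print(f"out via {r['outbound_via']}, back via {r['return_via']}, "
              f"shared state={shared}: reply {verdict}")
```

The point of the `shared_state` case is that the fix is either to keep both directions of a flow on the same firewall (symmetric routing, which is what the thread advises) or to make the firewalls share session state; a bare stateful firewall pair with independent tables will drop the return traffic exactly as the model shows.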
