Gert and Lee, you're picking up what I'm putting down. Two geographically dispersed exit points with multiple internal dispersed sites, each with a /48. My overall is a /44. So from a BGP standpoint I'm announcing half my sites out one exit site and the other half out the other, with iBGP announcing out the other. Since the firewalls are not synced in any way, and since I'm only leaking BGP default routes to the firewalls that are leaking them internally, I end up with two default routes internally in my routing protocol. This way if I lose an ISP / router / firewall all my internal traffic goes out the one that is still up.
The problem, as Lee and Gert point out, is you must have the traffic return to the same firewall (stateful) to get the traffic back into the network. Lee, I like the idea of putting a proxy at each exit point, but I'm using a cloud proxy solution (bound by contract). I was thinking if I leaked all the IPv6 networks internally that would get the traffic going the correct direction, but there is still a possibility of asymmetric routing on the internet. For this reason, NAT sure does help, but I don't want to NAT IPv6, yet I do need a solution to provide redundancy. Any other ideas?

TIA
Scott

On Tue, Aug 23, 2016 at 5:21 AM, Gert Doering <g...@greenie.muc.de> wrote:
> Hi,
>
> On Mon, Aug 22, 2016 at 10:54:04PM +0100, Tom Hill wrote:
> > On 22/08/16 22:34, Gert Doering wrote:
> > > Not if you NAT the IPv4 - the NAT part enforces symmetry.
> > >
> > > Not that I'm a big fan of NAT, but it has its uses :-)
> >
> > FHRPs aren't just for 'inside' interfaces. You do have to be sure to
> > adjust the priorities of 'inside' and 'outside' interfaces together to
> > maintain your symmetry, but that's not difficult. FHRP also takes care
> > of ARP delays during failover.
>
> So how do you FHRP one firewall(cluster) in the US with one firewall(cluster)
> in Europe, ensuring symmetric traffic?
>
> > Assuming there's state synchronisation in all cases, of course.
>
> Think larger networks :-)
>
> In the "I have two firewalls that are connected to the same inside and
> outside LANs" case, everything is mostly trivial.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //  www.muc.de/~gert/
> Gert Doering - Munich, Germany  g...@greenie.muc.de
> fax: +49-89-35655025  g...@net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
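A small model of the return-path problem discussed in this thread, added here as an illustration and not code from any poster: two exits with independent stateful firewalls, a /44 split into /48 sites, and the Internet choosing the return exit by longest-prefix match. The topology, the documentation prefix 2001:db8:10::/44, the exit names A and B, and the "internet_pref" tie-break list are all constructed assumptions; the model shows that announcing only the aggregate leaves the return exit to the remote network's preference (and the un-synced firewall drops the reply), while announcing each site's /48 from its own exit keeps the flow symmetric and still fails over to the aggregate when an exit is down.

```python
import ipaddress

# Constructed topology, not taken from the thread: one /44 (documentation prefix
# as a placeholder), four /48 sites, two exits A and B, each behind its own
# un-synchronised stateful firewall. SITES maps each /48 to the exit that its
# internal default route normally uses.
SITES = {
    ipaddress.ip_network("2001:db8:10::/48"): "A",
    ipaddress.ip_network("2001:db8:11::/48"): "A",
    ipaddress.ip_network("2001:db8:12::/48"): "B",
    ipaddress.ip_network("2001:db8:13::/48"): "B",
}
AGGREGATE = ipaddress.ip_network("2001:db8:10::/44")

def announcements(live_exits, more_specifics):
    """What the Internet sees: every live exit announces the /44; with
    more_specifics=True each live exit also announces the /48s that default-route
    through it, so a site's return traffic is pulled to its own exit."""
    adverts = [(AGGREGATE, e) for e in live_exits]
    if more_specifics:
        adverts += [(p, e) for p, e in SITES.items() if e in live_exits]
    return adverts

def return_exit(dst, adverts, internet_pref):
    """Longest-prefix match; equal-length prefixes are broken by the remote
    network's own preference (AS path, local-pref, ...), modelled as a list."""
    matches = [(p, e) for p, e in adverts if dst in p]
    longest = max(p.prefixlen for p, _ in matches)
    candidates = {e for p, e in matches if p.prefixlen == longest}
    return next(e for e in internet_pref if e in candidates)

def egress_exit(src, live_exits):
    """Internal routing: the site's preferred exit, or the survivor on failure."""
    preferred = next(e for p, e in SITES.items() if src in p)
    return preferred if preferred in live_exits else next(iter(live_exits))

def reply_accepted(src, live_exits, more_specifics, internet_pref):
    """True when the reply arrives at the firewall that holds the session state."""
    src = ipaddress.ip_address(src)
    out = egress_exit(src, live_exits)
    state = {out: {src}}  # only the egress firewall ever records this session
    back = return_exit(src, announcements(live_exits, more_specifics), internet_pref)
    return src in state.get(back, set())

if __name__ == "__main__":
    host = "2001:db8:10::beef"  # constructed host in an exit-A site
    print(reply_accepted(host, {"A", "B"}, False, ["B", "A"]))  # aggregate only: False
    print(reply_accepted(host, {"A", "B"}, True, ["B", "A"]))   # /48s announced: True
    print(reply_accepted(host, {"B"}, True, ["B", "A"]))        # exit A down: True
```

The third case also shows the limit of the design: existing sessions that were pinned to exit A's firewall die with it, and only new flows come up symmetrically through B.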