* Paolo Supino <[EMAIL PROTECTED]> [2006-02-16 19:54]:
> I started working for a company whose production site is running 2
> PIX firewalls with no VRRP (to save cost on licensing, duh). I offered
> and they approved to replace them with 2 OpenBSD and CARP. In front of
> the FW there is a Cisco 7200 router doing BGP. I offered to remove the
> router and use OpenBGP on the OpenBSD firewalls instead, thus achieving
> failover on BGP too. But I don't know whether this is a good idea or
> should I add 2 more OpenBSD systems specifically for BGP?
In principle, using bgpd on the same machines is fine. You should take care that the CARP master also is the one that announces the best route to you so that you don't get too asymmetric traffic flows. Otherwise you'll see performance issues and some packet loss, likely. With separate machines for bgpd and stateless filtering that is not an issue at all.

I always wanted to add something so that you can make a prepend-self 1 depending on carp state... maybe I should revive that idea

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
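An added configuration example, not from this thread and not the reply author's code, showing one way to keep the BGP session tied to the CARP master so that the box holding the shared address is also the box the upstream sends traffic to. It relies on the `depend on` neighbor option that OpenBGPD's bgpd.conf(5) gained after this 2006 post (check the man page of the release in use); the ASNs, addresses, prefix and interface name are placeholders.

```conf
# /etc/bgpd.conf, identical on both firewalls (constructed example;
# all numbers below are placeholders, not taken from the thread)
AS 65001                        # placeholder private ASN for the firewall pair
router-id 192.0.2.2             # must differ per box: use 192.0.2.3 on the other one
network 203.0.113.0/24          # placeholder: the prefix the site originates

neighbor 192.0.2.1 {
        descr         "upstream"
        remote-as     65000     # placeholder upstream ASN
        local-address 192.0.2.10  # the shared CARP address on carp0
        depend on     carp0     # session stays idle unless carp0 is MASTER
}

# Only originate our own prefix; accept whatever the upstream sends.
deny from any
deny to any
allow to 192.0.2.1 prefix 203.0.113.0/24
allow from 192.0.2.1
```

Because the upstream peers with the CARP address and the session is only established on the current master, inbound and outbound traffic both land on the same firewall, which avoids the asymmetric flows the reply warns about. The trade-off is that after a CARP failover the new master has to bring the BGP session up before the prefix is announced again; the prepend-self idea in the reply would instead keep both sessions up and let the backup announce a less attractive path.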