Hi Henning
Thanks for the reply :-)
How do I make sure that the master is the one that advertises the routes
to avoid asymmetry and packet loss?
Since these FW systems will also act as IPsec peers (2 permanent and
a couple of concurrent road warriors), what would you estimate to be
good enough hardware that will keep up with the load (ballpark numbers
will do ;-))?
TIA
Paolo
Henning Brauer wrote:
* Paolo Supino <[EMAIL PROTECTED]> [2006-02-16 19:54]:
I started working for a company whose production site is running 2
PIX firewalls with no VRRP (to save cost on licensing, duh). I offered,
and they approved, to replace them with 2 OpenBSD and CARP. In front of
the FW there is a Cisco 7200 router doing BGP. I offered to remove the
router and use OpenBGP on the OpenBSD firewalls instead, thus achieving
failover on BGP too. But I don't know whether this is a good idea or
whether I should add 2 more OpenBSD systems specifically for BGP?
in principle, using bgpd on the same machines is fine. you should take
care that the carp master also is the one that announces the best route
to you so that you don't get too asymmetric traffic flows. otherwise
you'll see performance issues and some packet loss, likely.
with separate machines for bgpd and stateless filtering that is not an
issue at all.
I always wanted to add something so that you can make a prepend-self 1
depending on carp state... maybe i should revive that idea
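
An added example (not part of the original thread and not OpenBSD project code) of the idea in the last quoted paragraph: derive the AS-path prepend from the local CARP state, so that only the firewall that is master on every carp interface announces the short path. The prefix, the prepend counts and the function names are assumptions for illustration, as is applying the result with "bgpctl network add ... prepend-self"; the script only builds the command and does not run it.

```shell
#!/bin/sh
# Added example: choose an AS-path prepend from the local CARP state.
# PREFIX and the prepend counts are placeholders, not values from the thread.
PREFIX="192.0.2.0/24"     # constructed documentation prefix
MASTER_PREPEND=0          # master announces the shortest path
BACKUP_PREPEND=2          # non-master looks worse to upstream peers

# Read ifconfig output for one or more carp interfaces on stdin.
# Prints MASTER only if every "carp:" line says MASTER, BACKUP if at least
# one does not (split state would pull traffic to a box that cannot pass
# it on every side), UNKNOWN if no carp line was seen at all.
carp_state() {
    awk '$1 == "carp:" { n++; if ($2 == "MASTER") m++ }
         END { if (n == 0) print "UNKNOWN"
               else if (m == n) print "MASTER"
               else print "BACKUP" }'
}

# Map the state to a prepend count. Anything that is not a confirmed
# MASTER gets the backup prepend, so INIT or a parse failure fails safe.
prepend_for_state() {
    case "$1" in
        MASTER) echo "$MASTER_PREPEND" ;;
        *)      echo "$BACKUP_PREPEND" ;;
    esac
}

# Build (do not run) the command that re-announces PREFIX.
announce_cmd() {
    n=$(prepend_for_state "$1")
    if [ "$n" -gt 0 ]; then
        echo "bgpctl network add $PREFIX prepend-self $n"
    else
        echo "bgpctl network add $PREFIX"
    fi
}

# Constructed sample: outside interface is master, inside one is backup.
SAMPLE_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em1 vhid 2 advbase 1 advskew 0'

state=$(printf '%s\n' "$SAMPLE_SPLIT" | carp_state)
echo "carp state $state -> $(announce_cmd "$state")"
```

On a real pair this would be driven by something that reacts to CARP transitions, such as ifstated, feeding live ifconfig output to carp_state.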