Any recommendations on running BGP on redundant firewalls to multiple
providers advertising the same network through both links, and talking iBGP
with the other firewall? Just asking because I ran into a problem with this
scenario when traffic would enter one host, traverse the iBGP crossover link
and then exit the second host, and return traffic would come back in through the
first host. There was a mismatch of the states that seemed to cause my
problems. Here's how I was set up.

Problem Scenario:

          box-a -----> Provider-A
        /   |
carp0       |
        \   |
          box-b -----> Provider-B


Solution:
   Box-A & Box-B are my redundant firewalls running pfsync over the
dedicated link. Box-C & Box-D are just T1 routers running BGP. The routers
route to carp1 on the firewalls and the firewalls route to carp0 on the
routers. Box-C and Box-D run iBGP over their dedicated link to share
routes to external networks. The multiple providers are for both redundancy
and aggregate bandwidth. Running BGP in an active/backup scenario based on
who has the carp0 interface isn't an option because of the necessity of the
aggregate bandwidth. This solution works fine for us but we really wanted to
run on two boxes. I believe the only problem we have now is with BGP
convergence. If anyone has any tips on how to minimize this when I reboot
box-c or box-d, that would be great. If anyone has comments,
recommendations, adjustments, tips on our setup please do share.

          box-a --------switch--------box-c -----> Provider-A
        /   |      \       |       /    |
carp0       |    carp1     |    carp0   |
        \   |      /       |       \    |
          box-b --------switch--------box-d -----> Provider-B
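The following configuration sketch is an added illustration of the four-box layout above; it is not the poster's own configuration. It assumes OpenBSD on all four boxes, OpenBGPD on box-c/box-d, and placeholder interface names (em0/em1/em2), addresses, AS numbers and CARP passwords. The firewall pair shares state over pfsync on the crossover and carries the CARP addresses; each router peers with its own provider and with the other router over iBGP, and sends traffic for the advertised prefix to the firewalls' carp1 address.

```conf
######## box-a (firewall; box-b is identical except for the real addresses
######## and a higher advskew so box-a is the preferred CARP master)

# /etc/hostname.em0      LAN side, shared address lives on carp0
inet 10.10.0.2 255.255.255.0
# /etc/hostname.carp0
inet 10.10.0.1 255.255.255.0 10.10.0.255 vhid 1 pass CARP_PASSWORD advskew 0

# /etc/hostname.em1      router-facing side, shared address lives on carp1
inet 10.20.0.2 255.255.255.0
# /etc/hostname.carp1
inet 10.20.0.1 255.255.255.0 10.20.0.255 vhid 2 pass CARP_PASSWORD advskew 0

# /etc/hostname.em2      dedicated crossover to box-b, pfsync only
inet 10.30.0.1 255.255.255.252
# /etc/hostname.pfsync0  state table synchronisation with the peer
up syncdev em2 syncpeer 10.30.0.2

# /etc/mygate            default route goes to the routers' carp0 address
10.20.0.254

# /etc/pf.conf (excerpt)
lan  = "em0"
wan  = "em1"
sync = "em2"
set skip on { lo0 }
# CARP advertisements stay local to each box: do not sync their states
pass quick on { $lan $wan } proto carp keep state (no-sync)
# pfsync traffic is only ever expected on the crossover
pass quick on $sync proto pfsync
block in on $sync
# ... ordinary filter policy for LAN <-> WAN traffic follows here ...

######## box-c (router; box-d mirrors this with its own provider and
######## the other side of the crossover)

# /etc/hostname.em0      firewall-facing side, shared address lives on carp0
inet 10.20.0.253 255.255.255.0
# route the advertised prefix toward the firewalls' carp1 address
!route add 203.0.113.0/24 10.20.0.1
# /etc/hostname.carp0
inet 10.20.0.254 255.255.255.0 10.20.0.255 vhid 3 pass CARP_PASSWORD advskew 0

# /etc/hostname.em2      dedicated crossover to box-d, iBGP only
inet 10.40.0.1 255.255.255.252

# /etc/bgpd.conf
AS 65000
router-id 192.0.2.1
# the one prefix announced through both providers
network 203.0.113.0/24

group "upstream" {
    neighbor 198.51.100.1 {
        remote-as 65001
        descr "Provider-A"
    }
}

group "ibgp" {
    remote-as 65000
    neighbor 10.40.0.2 {
        descr "box-d over the crossover"
    }
}
```

Keeping BGP on box-c/box-d and only CARP/pfsync on box-a/box-b is what avoids the state mismatch from the first diagram: a flow that enters via box-c and leaves via box-d still passes through whichever firewall is CARP master, so its pf state is created and returned on the same box. If asymmetric flows must still cross the pfsync link, newer OpenBSD releases offer `ifconfig pfsync0 defer`, which holds the first packet of a new state until the peer has acknowledged it; whether that option exists on the poster's release is not something this post establishes.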
