Re: [LARTC] Dead Gateway Detection & BGP
(Before anyone questions why I withheld information and went down the road that I did, I'd like to say that I had fully intended to respond with more detail; however, other things going on both at work and home prevented me from doing so before now. I also sort of paused because of the discussion that arose out of the road that I did go down.)

On 8/26/2007 12:29 PM, Rangi Biddle wrote:
>          +-----------------+
>          | Uplink Provider |
>          +--------+--------+
>                   |
>          +--------+--------+
>          |                 |
>  +-------+------+  +-------+------+
>  | Cisco Router |  | Cisco Router |
>  +-------+------+  +-------+------+
>          |                 |
>  +-------+------+  +-------+------+
>  | Firewall # 1 |  | Firewall # 2 |
>  +--------------+  +--------------+
>
> Initially, the first task I was designated was to set up BGP routing on 2 firewalls. Each firewall is connected to its own Cisco router provided by the uplink provider and the uplink provider is only providing a default gateway/router to each of the firewalls. Now, having had minimal experience with BGP (minimal in terms of the broadness of what is possible with BGP) and using the information provided by the uplink provider I have set up BGP.

Questions:
- Are there multiple providers in this situation, or one single provider that has chosen to do this type of setup?
- If there are multiple providers, are they in any sort of peering relationship between them?
- Is there supposed to be any sort of redundancy amongst the two Cisco routers, or are they to be two purely independent, non-redundant connections?
- What type of connections are there in to the two Cisco routers?
- Are the Cisco routers actually routing, or just bridging between two layer 1 technologies?
- Is Ethernet being used between the Cisco routers and the Debian firewalls?
- What type of (if any) IP address range overlap are we looking at?

Answers to each of these questions will most likely beget more questions until finally a much clearer picture of what ultimately is being done emerges.
This is also part of why I was wanting to do this off mailing list, as some of these answers are not appropriate for a public forum that is archived and searchable.

> What I have been recently informed of is that the 2 firewalls must do some sort of failover between them when either of the default gateways are no longer responsive. I had initially looked into using heartbeat (which I am still considering) to do the failover or possibly using vrrpd (Virtual Router Redundancy Protocol Daemon). This however isn't what I am contacting this list about. What I need to do at minimal, is at least for the failover, is to detect when the default gateway of (say) firewall 1 is no longer available and perform failover to firewall 2 and vice versa. As far as I am aware the only DGD support available is still through the patches that Julian Anastasov wrote for the 2.4 kernel series or by writing a script that uses arping to determine the last hop available.

Hum. I'm not entirely sure what is supposed to be redundant here: the Cisco routers, the Debian firewalls, a logical router (or routers) that is presented to your systems behind the firewalls, what? Will you please clarify?

> What other options are there?

More than you might initially think.

> I have done a fair amount of searching the internet only to come back to these 2 possibilities. Surely there must be something else ….

Well, in my opinion, what you have proposed is a couple of different solutions to the same piece of the puzzle. Presuming that you are dealing with T-1s from your provider(s), let's start with a modified version of your above network layout.
[Grant's modified network diagram is garbled and truncated in the archive. What survives of it: the Uplink Provider feeds two Atlas 550 units that are linked to each other; each Atlas 550 is connected both straight and cross-wise (an X) to two Cisco Routers, which are likewise linked to each other and cross-connected to the layer below them; the message is cut off at that point.]
Re: [LARTC] Dead Gateway Detection & BGP
On 8/29/2007 8:50 PM, Rangi Biddle wrote:
> Firstly I can appreciate where Grant is coming from. There are a number of things that aren't so commonly done with Linux that the community currently doesn't provide answers for and obviously there are people out there that know how to do things that the community cannot answer. The issue I have with what Grant wants to provide (re: $1/min rate via email) is that I have no control over the amount of time that is spent writing an email or seeking answers to my questions, meaning I could spend $100's if not $1,000's of dollars getting a partial answer (not implying that that would be the case), but it is a point of concern.
>
> I myself have been an active supporter of OSS and have contributed code and answers to not so common questions or have gone out of my way to assist others. Unfortunately, in this instance, it is I that am seeking help and am now being asked to pay for an answer to my question. Sounds somewhat like visiting a shrink.
>
> In some instances, it doesn't quite surprise me that Linux isn't more mainstream, and this being a primary example of it. If more of us knew how to do I believe Linux would become more mainstream because there are more of us available to actively support Linux systems which, as most of us are aware of, is the primary concern of most that purchase a Linux solution: "Who is going to look after it if you're not here or available?".

With regards to the amount of time spent on the email(s), I had indicated that I expected to spend between 30 minutes and 180 minutes total helping. Usually it takes me about 15 minutes or so to draft a detailed email and re-read / edit it before I send it. Indeed there are a lot of short one-liners that take all of 30 seconds to send too. So, I don't think that there is concern with spending anywhere near $1,000's of dollars.
Even after all was said and done, I would probably negotiate with you to make sure that what I initially proposed to you (or anyone else for that matter) was mutually fair, if anything erring on the low side to make sure that things were fair.

I'm sorry for even remotely making you feel as if you have to pay for an answer to your question(s); I was not trying to imply that at all. At the time that I had written that, I was dealing with a particularly difficult problem on which I had just spent numerous hours of my personal / company time (distinctions are *VERY* gray seeing as how my job is the same thing as my hobby). I would have happily paid what I considered to be a nominal rate to be able to talk with someone about what I was wanting to accomplish rather than working all those hours.

Look for a follow up email to your original post with more of an answer to your question shortly. At least it will contain what I would use to achieve what you are wanting to do, in so far as the logical blocks to your problem, not specific configuration instructions, which I leave as an exercise for an educated person (being anyone that can read readme files, think logically about networking and run a compiler). By contrast, if I was doing this for a client as I had initially offered, I would most likely end up giving much closer to step by step instructions, including how to configure what interface and what MAC address to put where, rather than leaving it up to said educated individual.

> Bottom line is this, my boss refuses to pay someone that neither he nor I know. Primarily because this same person wants to provide a solution to us for an indeterminate price and if there is an issue at any point we are left with no way of knowing how to fix the issue and again be left with paying an indeterminate price for further support. What my boss is more happy to do is pay for a commercial solution regardless of price.
> It is mainly because he is aware of what he must pay before he purchases the solution and also because he knows that it will do what he wants, including support if we have an issue. Obviously this would mean scrapping Linux out of the picture even with the amount of high regard I give to it.

Ah, I think there is some more ambiguity showing through there. I can completely understand you and your boss's lack of willingness to blindly enter into a business arrangement. First keep in mind that what was originally discussed / proposed is not a contractual agreement, simply an invitation to discuss things further to see if each party would be interested in doing business. More of a "Hey, here is what I can do, call me if you would like more details." type thing. With regards to the indeterminate amount, to me that is not as much of an issue as some might think at present, because I do not know the true nature of what you are trying to accomplish nor have you heard my follow up responses that may provide a much better overall solution. Once we had spoken and discussed such things there would be a muc
RE: [LARTC] Dead Gateway Detection & BGP
Hi Guys,

Well here's my two cents worth regarding this whole thing.

Firstly I can appreciate where Grant is coming from. There are a number of things that aren't so commonly done with Linux that the community currently doesn't provide answers for and obviously there are people out there that know how to do things that the community cannot answer. The issue I have with what Grant wants to provide (re: $1/min rate via email) is that I have no control over the amount of time that is spent writing an email or seeking answers to my questions, meaning I could spend $100's if not $1,000's of dollars getting a partial answer (not implying that that would be the case), but it is a point of concern.

I myself have been an active supporter of OSS and have contributed code and answers to not so common questions or have gone out of my way to assist others. Unfortunately, in this instance, it is I that am seeking help and am now being asked to pay for an answer to my question. Sounds somewhat like visiting a shrink.

In some instances, it doesn't quite surprise me that Linux isn't more mainstream, and this being a primary example of it. If more of us knew how to do I believe Linux would become more mainstream because there are more of us available to actively support Linux systems which, as most of us are aware of, is the primary concern of most that purchase a Linux solution: "Who is going to look after it if you're not here or available?".

Bottom line is this, my boss refuses to pay someone that neither he nor I know. Primarily because this same person wants to provide a solution to us for an indeterminate price and if there is an issue at any point we are left with no way of knowing how to fix the issue and again be left with paying an indeterminate price for further support. What my boss is more happy to do is pay for a commercial solution regardless of price.
It is mainly because he is aware of what he must pay before he purchases the solution and also because he knows that it will do what he wants, including support if we have an issue. Obviously this would mean scrapping Linux out of the picture even with the amount of high regard I give to it.

So Grant, I'll put the ball back in your court.

Regards,
Rangi

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grant Taylor
Sent: Wednesday, August 29, 2007 5:40 PM
To: Mail List - Linux Advanced Routing and Traffic Control
Subject: Re: [LARTC] Dead Gateway Detection & BGP

On 8/27/2007 9:49 PM, Mohan Sundaram wrote:
> Such a service is a much needed complement to forums to aid adoption of FOSS. I was doing this for a fairly long while as a knowhow provider.

*nod*

> There is a very thin line one needs to walk. Forums being used to vend services is frowned upon, rightly so. It is the concept of free sharing that gets violated. Even when I was a consultant, I used to offer complete advice to forums simply because it gave me satisfaction. I'd learnt a lot from the forums and this was my way of returning the coin.

Agreed. Normally I do tend to offer up the complete solution, especially if said solution or one very similar can be found elsewhere on the net with a bit of Googling. However, when the solution in question is something that was not readily available on the net and one where we spent a lot of time putting the puzzle pieces together, we tend to hold on to some of it.

> There is a definite need and opportunity. Reasonable is dependent on a lot of factors and the same service yields different values to different customers.

Indeed.

> My philosophy: I think it is definitely possible to differentiate between personal time and company time. It is like social work. If you do something on your personal time that does not eat into your co's biz, I believe it is good to do so free.
> Even if you did do it such, so long as you do not charge for it, I believe it is not unethical.

I'm not sure what you are trying to get at there. I think you are saying that if you do it as personal time, then you probably should find some other sort of personal gratification. If you do it as company time then it is more understandable if it is charged for. Am I anywhere close?

I can see how trolling a forum / news group looking for people asking questions and posting multiple follow up posts only saying "the company that I work for can provide you with a solution for X $s" is not so good. However, if you are an active member of a forum / news group and offer advice and pointers in the right direction to the solution of the question and state that "the company I work for can probably help provide a more complete solution, contact me if you are interested", is that a bit different? I'm not trying to argue anything here, jus
Re: [LARTC] Dead Gateway Detection & BGP
On 8/27/2007 9:49 PM, Mohan Sundaram wrote:
> Such a service is a much needed complement to forums to aid adoption of FOSS. I was doing this for a fairly long while as a knowhow provider.

*nod*

> There is a very thin line one needs to walk. Forums being used to vend services is frowned upon, rightly so. It is the concept of free sharing that gets violated. Even when I was a consultant, I used to offer complete advice to forums simply because it gave me satisfaction. I'd learnt a lot from the forums and this was my way of returning the coin.

Agreed. Normally I do tend to offer up the complete solution, especially if said solution or one very similar can be found elsewhere on the net with a bit of Googling. However, when the solution in question is something that was not readily available on the net and one where we spent a lot of time putting the puzzle pieces together, we tend to hold on to some of it.

> There is a definite need and opportunity. Reasonable is dependent on a lot of factors and the same service yields different values to different customers.

Indeed.

> My philosophy: I think it is definitely possible to differentiate between personal time and company time. It is like social work. If you do something on your personal time that does not eat into your co's biz, I believe it is good to do so free. Even if you did do it such, so long as you do not charge for it, I believe it is not unethical.

I'm not sure what you are trying to get at there. I think you are saying that if you do it as personal time, then you probably should find some other sort of personal gratification. If you do it as company time then it is more understandable if it is charged for. Am I anywhere close?

I can see how trolling a forum / news group looking for people asking questions and posting multiple follow up posts only saying "the company that I work for can provide you with a solution for X $s" is not so good.
However, if you are an active member of a forum / news group and offer advice and pointers in the right direction to the solution of the question and state that "the company I work for can probably help provide a more complete solution, contact me if you are interested", is that a bit different? I'm not trying to argue anything here, just completely understand what you are saying and making sure that you understand what I'm saying (making sure that communication is happening both ways) while discussing this.

Thank you for taking time to reply to my post.

Grant. . . .

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
Re: [LARTC] Dead Gateway Detection & BGP
On 8/27/2007 12:21 PM, Peter Rabbitson wrote:
> It is OK to charge for any provided service, good or bad. It is not OK to label this as "giving back as much as was offered".

I'm not sure that I completely understand what you are trying to get at, therefore I can not comment correctly. However, I was trying to imply that my company has spent time and money to develop a configuration (what) including the order in which things are configured in (how). With the order of configuration (how) being more of our information that we are not eager to give up. We are more than willing to list out the components (what) that were used and possibly even some of an order, but not all of the order. With that being said, I think offering up the what for free without the how (below) is fairly good while still protecting our time and money investment.

The "what" would consist of the following:
- Large overall block diagram.
- List of modules used for each block.
- List of optional modules used for each block.
- Explanation of what each module does to fulfill the block.
- Possibly some how, or an indication to follow Read-Me(s).

The "how" would consist of the following:
- How to configure each module to achieve the desired result.

The "how" is where our company has spent the most time and money to get things to work and achieve much larger projects.

Grant. . . .
Re: [LARTC] Dead Gateway Detection & BGP
Grant Taylor wrote:
> I myself and the company that I work for want to offer as much back to the community as it has offered to us.
> My company has invested time and money
> I am curious what the community's reaction is to this and ask for and encourage responses with regards to when is it appropriate for individuals / companies to move from "free to the public" support to "reasonable rate commercial support".

I for one can not speak for the community, but the three points highlighted above do not add up. Here is the scoring:

                        Community   Your Company
Cost of help offered    free        paid
Time/money investment   large       large
                        2 : 1

It is OK to charge for any provided service, good or bad. It is not OK to label this as "giving back as much as was offered".

Regards
Peter
Re: [LARTC] Dead Gateway Detection & BGP
After talking with a colleague on the ethics of this message I (/ we) decided that I needed to make the same offer to everyone on this mailing list that I privately made to Rangi Biddle.

The company that I work for is in business to do many different things, included in which is helping with specialized configurations like I believe that Rangi Biddle is needing. As such I offered to consult with Rangi Biddle for $1/min on what my company has done in the past to generate complete solutions, not just pieces of the puzzle leaving Rangi Biddle to put them together on his own.

I myself and the company that I work for want to offer as much back to the community as it has offered to us. As such I / we are willing to help point people in the right direction and show them some of the pieces to the puzzle. However, business being what it is, I am not allowed to always provide the entire step by step how-to guide for many different things.

My company has invested time and money into being able to provide solutions using open source products for such things as load balancing a medium size network across multiple cable modems, redundant fail over routing for globally routable addresses, down to segmenting a multi-tenant building so that tenants can not cross-infect each other while sharing one single IP subnet.

I am curious what the community's reaction is to this and ask for and encourage responses with regards to when it is appropriate for individuals / companies to move from "free to the public" support to "reasonable rate commercial support".

I apologize if my actions offended anyone. However, if they did, please contact me either on or off list as I would like to know why they did.

Thank you and have a nice day,

Grant Taylor
Systems Administrator
Riverview Technologies Inc.
2311 East Walnut
Columbia MO 65201
United States of America
Phone: +1 (573) 442-7151
Fax: +1 (573) 442-3062
eMail: gtaylor (at) riverviewtech (dot) net
Re: [LARTC] Dead Gateway Detection & BGP
On 08/26/07 12:29, Rangi Biddle wrote:
> Greetings to all,
>
> To start I'll firstly lay down the foundation to what I have done so far and if those of you on the list can provide further insight, tips, links etc. This scenario consists of 2 firewalls (both running Debian "etch"), 2 Cisco routers (unsure of model numbers) connected together like so in the diagram below.
>
>          +-----------------+
>          | Uplink Provider |
>          +--------+--------+
>                   |
>          +--------+--------+
>          |                 |
>  +-------+------+  +-------+------+
>  | Cisco Router |  | Cisco Router |
>  +-------+------+  +-------+------+
>          |                 |
>  +-------+------+  +-------+------+
>  | Firewall # 1 |  | Firewall # 2 |
>  +--------------+  +--------------+
>
> Initially, the first task I was designated was to set up BGP routing on 2 firewalls. Each firewall is connected to its own Cisco router provided by the uplink provider and the uplink provider is only providing a default gateway/router to each of the firewalls. Now, having had minimal experience with BGP (minimal in terms of the broadness of what is possible with BGP) and using the information provided by the uplink provider I have set up BGP.
>
> What I have been recently informed of is that the 2 firewalls must do some sort of failover between them when either of the default gateways are no longer responsive. I had initially looked into using heartbeat (which I am still considering) to do the failover or possibly using vrrpd (Virtual Router Redundancy Protocol Daemon). This however isn't what I am contacting this list about. What I need to do at minimal, is at least for the failover, is to detect when the default gateway of (say) firewall 1 is no longer available and perform failover to firewall 2 and vice versa. As far as I am aware the only DGD support available is still through the patches that Julian Anastasov wrote for the 2.4 kernel series or by writing a script that uses arping to determine the last hop available.

In my experience, Julian's DGD patch(es) are very good but not needed for your scenario. I have achieved a very similar scenario with a stock kernel.
The main thing(s) that Julian's patches do is provide Dead Gateway Detection for (this is the key point) "non-default" routes, while the kernel itself is capable of providing this for default routes.

> What other options are there?

Add two equal metric default routes in reverse priority. (It is my experience that the route command populates the routing table by pushing new routes on to the top to be read before other existing routes.)

> I have done a fair amount of searching the internet only to come back to these 2 possibilities. Surely there must be something else ….

Well, you are touching on some key points to what needs to be done, but there are still other things to be considered for a truly redundant scenario.

> Thanks in advance to anyone that replies as I know that this topic seems to be coming up more and more frequently on the lists and must be getting somewhat tedious for most.

You are welcome.

Grant. . . .
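As an added example that is not part of the thread (my own sketch, not Grant's or Rangi's code), here is a small POSIX shell script for the arping-based dead gateway check Rangi mentions, with the default route moved to whichever candidate gateway still answers. It assumes iputils-arping (whose summary line reads "Received N response(s)"), eth0 as the upstream interface, and the documentation addresses 192.0.2.1 / 192.0.2.2 as the two gateways in preference order; all three are placeholders to replace with the real values. The embedded arping output is constructed so the parsing and selection logic can be exercised without touching the routing table.

```shell
#!/bin/sh
# Added example, not code from the thread: probe each candidate default
# gateway with arping and move the default route to the first one that
# still answers on the link.
#
# Assumptions (placeholders, not from the original posts):
#   - iputils-arping, whose summary line reads "Received N response(s)"
#   - eth0 as the upstream interface and RFC 5737 documentation addresses
#     192.0.2.1 / 192.0.2.2 as the two gateways, preferred-first

IFACE="${IFACE:-eth0}"
GATEWAYS="${GATEWAYS:-192.0.2.1 192.0.2.2}"
PROBES=3

# Extract the reply count from captured arping output; 0 if the summary line
# is absent (arping not installed, killed before it printed, etc.).
count_arp_replies() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Received \([0-9]*\) response(s).*/\1/p')
    printf '%s\n' "${n:-0}"
}

# Probe one gateway at the link layer. ARP rather than ICMP deliberately: it
# tells you the next hop is alive, not that traffic gets through beyond it,
# so this is only the first of the checks a truly redundant setup needs.
probe_gateway() {
    out=$(arping -c "$PROBES" -w 5 -I "$IFACE" "$1" 2>/dev/null) || true
    count_arp_replies "$out"
}

# Pick the first gateway in preference order with a non-zero reply count.
# Input: lines of "<gateway> <replies>". Prints the gateway, or nothing.
select_gateway() {
    printf '%s\n' "$1" | while read -r gw replies; do
        [ -n "$gw" ] || continue
        if [ "${replies:-0}" -gt 0 ]; then
            printf '%s\n' "$gw"
            break
        fi
    done
}

# Gateway currently installed as the default route, if any.
current_gateway() {
    ip route show default 2>/dev/null | sed -n 's/.*via \([^ ]*\).*/\1/p' | head -n 1
}

# Install the chosen gateway. "replace" is idempotent, so this is safe to run
# from cron every minute without piling up duplicate routes.
apply_default_route() {
    ip route replace default via "$1" dev "$IFACE"
}

# Constructed sample of iputils-arping output for a gateway that answered
# two of three probes; used to exercise the parser offline.
SAMPLE_ARPING_OUTPUT='ARPING 192.0.2.1 from 192.0.2.10 eth0
Unicast reply from 192.0.2.1 [00:00:5E:00:53:01]  0.812ms
Unicast reply from 192.0.2.1 [00:00:5E:00:53:01]  0.790ms
Sent 3 probes (1 broadcast(s))
Received 2 response(s)'

# Dry run over constructed probe results: primary dead, secondary alive.
demo_selection() {
    select_gateway "192.0.2.1 0
192.0.2.2 $(count_arp_replies "$SAMPLE_ARPING_OUTPUT")
"
}

main() {
    results=""
    for gw in $GATEWAYS; do
        results="${results}${gw} $(probe_gateway "$gw")
"
    done
    chosen=$(select_gateway "$results")
    if [ -z "$chosen" ]; then
        echo "no candidate gateway answers ARP on $IFACE; leaving routes alone" >&2
        return 1
    fi
    if [ "$(current_gateway)" != "$chosen" ]; then
        echo "switching default gateway to $chosen" >&2
        apply_default_route "$chosen"
    fi
}

# Only act on the routing table when invoked with "run"; sourcing the file
# or running it bare just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Invoked as `sh gwcheck.sh run` from cron, the script logs a switch to stderr (which cron mails or journals) and otherwise leaves the table alone. It keeps a single default route and swaps it, which is the scripted counterpart of Grant's "two equal metric default routes" approach rather than that approach itself; and because it trusts an ARP reply, a gateway whose own upstream is down still looks healthy, which is the kind of extra consideration Grant says a truly redundant scenario still needs.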