Re: BGP Design question.

2011-07-14 Thread Matt Hite
Sure. Sometimes it's nice/convenient to let firewalls advertise the external blocks they use for NAT translations, etc. Otherwise you need to statically route them to the firewall and redistribute the statics from said routers into your IGP. Also, in some cases, people want to do network-based loa

Re: BGP Design question.

2011-06-23 Thread Jason Roysdon
The config I propose is really not complicated beyond BGP and HSRP/VRRP. It doesn't take a CCIE for this, and the documentation isn't that hard to set up and maintain. It's just a procedural thing that any config change automatically requires a document review/update. You should have as-builts d

Re: BGP Design question.

2011-06-23 Thread Owen DeLong
On Jun 23, 2011, at 6:59 AM, valdis.kletni...@vt.edu wrote: > On Thu, 23 Jun 2011 07:44:33 CDT, -Hammer- said: >> Agreed. At an enterprise level, there is no need to risk extended >> downtime to save a buck or two. Redundant hardware is always a good way >> to keep Murphy out of the equation. A

Re: BGP Design question.

2011-06-23 Thread -Hammer-
True True. I've seen that before as well. Actually I've seen it more with various vendors implementations of VRRP than I have with Cisco HSRP or Juniper NSRP. But it seems to me more or less that most issues we deal with these days are software related bugs as opposed to hardware related issues

Re: BGP Design question.

2011-06-23 Thread Owen DeLong
Except in those (becoming less rare than hardware failure) instances where the software controlling the failover process is the actual cause of the outage. Owen On Jun 23, 2011, at 5:44 AM, -Hammer- wrote: > Agreed. At an enterprise level, there is no need to risk extended downtime to > save a

RE: BGP Design question.

2011-06-23 Thread George Bonser
> I am using OSPFv2 between the CERs and the Firewalls. Failover works > just fine, however when I fail an OSPF link that has the active default > route, ingress traffic still routes fine and dandy, but egress traffic > doesn't. Both Netiron's OSPF are setup to advertise they are the > default rout

Re: BGP Design question.

2011-06-23 Thread -Hammer-
HaHa! I agree with keeping it simple. I keep my routers simple. I keep my switches simple. Sometimes it's not as easy on a Layer 7 FW or a load balancer. So plan accordingly. :) -Hammer- On 06/23/2011 08:59 AM, valdis.kletni...@vt.edu wrote: On Thu, 23 Jun 2011 07:44:33 CDT, -Hammer- said

Re: BGP Design question.

2011-06-23 Thread Valdis . Kletnieks
On Thu, 23 Jun 2011 07:44:33 CDT, -Hammer- said: > Agreed. At an enterprise level, there is no need to risk extended > downtime to save a buck or two. Redundant hardware is always a good way > to keep Murphy out of the equation. And as far as hardware failures go, > it's not that common. Nowaday

Re: BGP Design question.

2011-06-23 Thread -Hammer-
Agreed. At an enterprise level, there is no need to risk extended downtime to save a buck or two. Redundant hardware is always a good way to keep Murphy out of the equation. And as far as hardware failures go, it's not that common. Nowadays it's the bugs in overly complicated code on your gear

Re: BGP Design question.

2011-06-22 Thread Bret Palsson
That's fine if you are running a website. When it comes to telecommunications, a 15 minute outage is pretty huge. Especially with certain types of customers: emergency services for example. -Bret On Jun 23, 2011, at 12:02 AM, Hank Nussbacher wrote: > At 20:42 22/06/2011 -0700, Jason Roysdon wr

Re: BGP Design question.

2011-06-22 Thread Hank Nussbacher
At 20:42 22/06/2011 -0700, Jason Roysdon wrote: Let me be a bit of a heretic here. How often does your router fail? Or your firewall? In the 25 years I have gone into customers I have found when they did a cross setup as proposed below by Bret and Jason, only one person truly knew the compl

Re: BGP Design question.

2011-06-22 Thread PC
A quick google search says you should be ok with screenos 6.0 or later for the routing protocol replication. I'm looking at your diagram again though. You will want a switch in the middle of your Firewalls and routers, as the firewalls are in an active/standby mode and do not independently run OS

Re: BGP Design question.

2011-06-22 Thread Jason Roysdon
I second the static routes, especially from a simplicity standpoint. Add in a pair of layer two switches to simplify further: ++++ | Peer A || Peer A | <-Many carriers. Using 1 carrier +---++++---+for this scenario. |eBGP |

Re: BGP Design question.

2011-06-22 Thread Bret Palsson
On Wed, Jun 22, 2011 at 5:33 PM, PC wrote: > Who makes the firewall? > > Juniper SSG. We use NSRP and replicate all the RTOs. We have hitless on the Firewalls, have for years. We're now peering with our own carriers vs. using our datacenter's mix. A static route from the junipers to the VIP (VRR

Re: BGP Design question.

2011-06-22 Thread Bret Palsson
On Wed, Jun 22, 2011 at 5:22 PM, William Cooper wrote: > Couple of questions for clarification (inline): > > On Wed, Jun 22, 2011 at 6:27 PM, Bret Palsson wrote: > > Here is my current setup in ASCII art. (Please view in a fixed width > font.) Below the art I'll write out the setup. > > > > > >

Re: BGP Design question.

2011-06-22 Thread William Herrin
On Wed, Jun 22, 2011 at 6:27 PM, Bret Palsson wrote: > I am using OSPFv2 between the CERs and the Firewalls. >Failover works just fine, however when I fail an OSPF link >that has the active default route, ingress traffic still routes >fine and dandy, but egress traffic doesn't. Both Netiron's >OSP

Re: BGP Design question.

2011-06-22 Thread -Hammer-
Do people really run routing protocols with their public address space on their FWs? I'm not saying right or wrong. Just curious. Seems like the last thing I would want to do would be to have my FW participate in a routing protocol unless it was absolutely necessary. Better to static the FW wit

Re: BGP Design question.

2011-06-22 Thread PC
Who makes the firewall? To make this work and be "hitless", your firewall vendor must support stateful replication of routing protocol data (including OSPF). For example, Cisco didn't support this in their ASA product until version 8.4 of code. Otherwise, a failover requires OSPF to re-converge

Re: BGP Design question.

2011-06-22 Thread William Cooper
Couple of questions for clarification (inline): On Wed, Jun 22, 2011 at 6:27 PM, Bret Palsson wrote: > Here is my current setup in ASCII art. (Please view in a fixed width font.) > Below the art I'll write out the setup. > > >     ++    ++ >     | Peer A |    | Peer A |  <-Many c

Re: BGP Design question.

2011-06-22 Thread -Hammer-
Another option would be to insert switches between your routers and FWs. OSPF from the routers to the switches (yes, switches running L3 OSPF) and then HSRP/VRRP/etc. to the FWs. This way routing changes don't affect the FWs. The FWs simply have a default route to the HSRP/VRRP/etc. VIP. Then t

Re: BGP Design question.

2011-06-22 Thread Ingo Flaschberger
Hi Bret, To keep this scenario simple, I'm multihoming to one carrier. I have two Netiron CERs. Each have a eBGP connection to the same peer. The CERs have an iBGP connection to each other. That works all fine and dandy. Feel free to comment, however if you think there is a better way to do thi

Re: BGP Design question.

2011-06-22 Thread Randy Bush
vrrp?

Re: BGP Design question.

2011-06-22 Thread Owen DeLong
I would suggest running VRRP on the routers towards the firewalls and only use OSPF to advertise the ingress routes. Statically route default to the VRRP group. Implemented as follows: [RA]--[switch]-[switch]--[RB] | | [AFW] [PFW] Make s
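Added illustration of the design -Hammer- and Owen sketch above (routers carry eBGP/iBGP, a VRRP VIP faces the firewalls, the firewalls just static-default to the VIP, OSPF only carries the ingress prefix from the firewall to the routers). This is not configuration posted by anyone in the thread and it is not NetIron or SSG syntax from the original setup: the router side is written in Cisco IOS style, the firewall line in ScreenOS style, and every address, AS number and interface name is made up (RFC 5737 documentation ranges, AS 64500/64501).

```cisco
! === Router RA (RB is the same apart from its own addresses and a lower priority) ===
! Carrier-facing link: the only place this router learns an upstream path.
interface GigabitEthernet0/0
 description eBGP to Peer A
 ip address 203.0.113.2 255.255.255.252
!
! Firewall-facing VLAN, shared with RB through the pair of L2 switches.
! The firewalls only ever talk to the VRRP VIP 192.0.2.1, so a router
! failure or a routing change on the routers never touches firewall config.
interface GigabitEthernet0/1
 description Towards firewall pair via switches
 ip address 192.0.2.2 255.255.255.0
 vrrp 1 ip 192.0.2.1
 vrrp 1 priority 110
 vrrp 1 preempt delay minimum 60
 vrrp 1 track 10 decrement 20
!
! RB runs priority 100, so RA is master while healthy. Track something that
! only this router's own upstream provides, not a default route that could
! also be learned over iBGP from RB. If Gi0/0 drops, priority falls to 90,
! RB takes the VIP, and egress keeps flowing via RB's own eBGP path. This is
! the case the original question describes: active default holder fails,
! ingress still works, egress must follow.
track 10 interface GigabitEthernet0/0 line-protocol
!
! OSPF only on the firewall VLAN, only to learn the ingress prefix
! (NAT pool / public block) the firewall advertises. No default is
! originated into OSPF; the firewall never learns its egress path from OSPF.
router ospf 1
 router-id 192.0.2.2
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 192.0.2.0 0.0.0.255 area 0
!
! If you would rather keep the firewall out of OSPF entirely (-Hammer-'s
! preference), replace the OSPF stanza with a static to the firewall's
! shared interface address and let BGP pick it up the same way:
! ip route 198.51.100.0 255.255.255.0 192.0.2.10
!
router bgp 64500
 neighbor 203.0.113.1 remote-as 64501
 neighbor 192.0.2.3 remote-as 64500
 ! The network statement only fires when a matching route is in the RIB;
 ! the OSPF route from the firewall (or the static above) supplies it.
 network 198.51.100.0 mask 255.255.255.0
!
! === Active/standby firewall (ScreenOS style, illustration only) ===
! Egress is one static default to the VIP. Nothing about the routers'
! state has to be replicated to the standby unit for egress to survive
! a firewall or router failover.
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.0.2.1
```

Two caveats a practitioner would check before copying this. First, tracking line-protocol only catches a dead link; an eBGP session that dies while the link stays up leaves RA as VRRP master with no upstream, so either track a route that only that eBGP session can supply or make the iBGP-learned default from RB preferred over nothing at all. Second, the preempt delay is there so that a flapping carrier link does not bounce the VIP every few seconds; size it to your convergence time.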

Re: BGP Design question.

2011-06-22 Thread Brant I. Stevens
On 6/22/11 6:27 PM, "Bret Palsson" wrote: >Here is my current setup in ASCII art. (Please view in a fixed width >font.) Below the art I'll write out the setup. > > > ++++ > | Peer A || Peer A | <-Many carriers. Using 1 carrier > +---++++---+f

BGP Design question.

2011-06-22 Thread Bret Palsson
Here is my current setup in ASCII art. (Please view in a fixed width font.) Below the art I'll write out the setup. ++++ | Peer A || Peer A | <-Many carriers. Using 1 carrier +---++++---+for this scenario. |eBGP | eBGP

IGP/BGP design question

2009-06-17 Thread ML
We have three main cities wherein eyeballs live. Currently we have San Jose and San Francisco traffic egressing in SF, and Los Angeles egressing in LA. There is one private 2x1gig long haul linking SJC to LA and a 1x 10gig linking SJC to SF. i.e SF <-10gig-> SJC <-2gig-> LA Each area is a se