X Y wrote:
I have two routers, two independent BGP connections, and a block of
provider independent address space. The routers are arranged in a
redundant pair. The public network and some private subnets have
gateway addresses provided with CARP. The two routers use pfsync.
The BGP connections are actually completely independent (I'll be
adding two more in due course for a total of four). They have
different network addresses, cables and route to the rest of the
world. The cables are plugged directly into the routers, and there's
no CARP on those interfaces. Packets will arrive via either of those
routes.
I have got a basic configuration working. This maintains the BGP
sessions, packets go in and out, and the firewalls will fail over as
they should. I use depend on carp0 ... carp3 on the master router
(chosen via advskew) to drop that session if it fails, and demote on
the backup to make sure it doesn't like being master if it doesn't
have a BGP session.
Our ISPs have recommended that I also advertise routes between the
routers, so that if one router's BGP session fails, it can route
packets to the other for a cleaner failover. I have not managed to get
this configuration working.
Yes, you should; this is called iBGP. All of your BGP routers should have
an iBGP session with all of the others, in a full mesh (unless you are
using a route reflector).
In your design, you will then get the best routes on each of your border
routers.
Some configuration information, with the real details removed to
protect the guilty.
AS: 99999
PI subnet: A.A.A.0/23
PI gateway: A.A.A.1
Master: A.A.A.2
Backup: A.A.A.3
BGP connection 1: X.X.X.4 -> X.X.X.200 on X.X.X.0/24, AS 88888
BGP connection 2: Y.Y.Y.4 -> Y.Y.Y.200 on Y.Y.Y.0/24, AS 88888
(Y.Y.Y != X.X.X)
[...]
neighbor A.A.A.3 {
        remote-as 99999
        descr "backup"
        local-address A.A.A.2
        announce all
        tcp md5sig password PASSWORD2
        set nexthop A.A.A.3 # A.A.A.2 didn't help
        set localpref -10
}
You shouldn't need a nexthop here.
In iBGP sessions, you should set the neighbor address to be the loopback
address of your other border router.
Your router-id parameter should also be the IP address of your local
loopback interface.
Your loopback interfaces should have a /32 IP address set.
Regards,
--
Ronnie Garcia <r.garcia at ovea dot com>
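As an added example that is not part of this thread (neither the question's
nor Ronnie's configuration), here is how the master router's files could look
once the iBGP session follows the advice above: loopback-to-loopback neighbor
addresses, router-id set to the local loopback, /32 loopbacks, and no "set
nexthop" on the iBGP session. The loopback addresses 10.255.0.2 and 10.255.0.3,
the interface name lo1, the "upstream-1" description and the PASSWORD1
placeholder are assumptions; the AS numbers, PI block, peer addresses and
"depend on carpN" usage are the ones described in the question. The eBGP
neighbor block is reconstructed from the question's description, since the
original mail elided it.

```conf
# /etc/hostname.lo1 on the master (the backup uses 10.255.0.3 instead).
# Assumed addresses: 10.255.0.0/24 does not appear in the thread.
inet 10.255.0.2 255.255.255.255
# Host route to the backup's loopback over the shared A.A.A.0/23 link,
# so the iBGP TCP session can be established between the two /32s.
!route add -host 10.255.0.3 A.A.A.3

# --- /etc/bgpd.conf on the master (A.A.A.2) ---
AS 99999
# router-id is the local /32 loopback, not a CARP or link address,
# so it stays stable across CARP failovers.
router-id 10.255.0.2

network A.A.A.0/23

# eBGP upstream (reconstructed from the question): tied to the CARP
# interface because only the CARP master should hold this session.
neighbor X.X.X.200 {
        remote-as 88888
        descr "upstream-1"
        local-address X.X.X.4
        announce all
        tcp md5sig password PASSWORD1
        depend on carp0
}

# iBGP to the backup router: same AS, loopback to loopback,
# no "depend on" and no "set nexthop"; this session must stay up
# regardless of which router is CARP master.
neighbor 10.255.0.3 {
        remote-as 99999
        descr "backup"
        local-address 10.255.0.2
        announce all
        tcp md5sig password PASSWORD2
}
```

The backup router mirrors this with the two loopback addresses swapped, and
with four routers each one needs three such iBGP neighbor blocks to keep the
full mesh. One caveat to check on the backup: iBGP preserves the next hop of
routes learned from an eBGP peer, so a route learned by the master from
X.X.X.200 arrives on the backup with next hop X.X.X.200, which the backup can
only resolve if it has a route towards X.X.X.0/24 (for example via the
master); verify this with bgpctl show rib before relying on the failover.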