Henning,

You mentioned you are running redundant firewalls running BGP to multiple
providers. My question is: are you taking incoming traffic on both links, or
is your BGP configured in an active failover scenario? And do you use iBGP
between the firewalls to control outgoing traffic up thru both links?
Thanks.

On 5/8/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
>
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-05-08 01:24]:
> > On 5/5/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> > >
> > > * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-05-03 20:58]:
> > > > Any recommendations on running BGP on redundant firewalls to multiple
> > > > providers advertising the same network thru both links, and talking iBGP
> > > > with the other firewall?
> > >
> > > that is what I am doing here as well as at multiple customer sites.
> > >
> > > > Just asking because I ran into a problem with this
> > > > scenario when traffic would enter 1 host, traverse the iBGP crossover
> > > > link and then exit the 2nd host, and return traffic would come back in
> > > > thru the 1st host. There was a mismatch of the states that seemed to
> > > > cause my problems.
> > >
> > > not seen that.
> > > you could suffer from the carp route screwup issue I just committed a
> > > > fix for in -current. I'll attach it, it'll apply for 4.1 too.
> > > in general, "bgpctl sh nexthop" is your friend to debug this.
> >
> >
> > can you elaborate a little more on the "carp route" issue. i had been
> > working with the 2 firewall/2 provider/ibgp/pf/pfsync setup about 3 months
> > ago and hit a wall when traffic flowed a certain direction - so i moved to
> > the 2 router + 2 firewall setup that cleared it up, so my memory's a little
> > foggy about the exact issue. but I'm willing to try the 2 firewall setup
> > again as this will cost us so much less when we clone this configuration
> > from our office to our data center. thanks.
>
> well, carp was playing fast and loose with routes, without messages on
> the routing socket. i included the diff, what else would I say?
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
