Tom Bombadil wrote:
Greetings...
We are trying to use a couple of routers with CARP and uplinks to 2
different providers. One router as master and another one as slave. The
slave getting all the routes from the master using IBGP.
The problem is that when I bring the interface of the master down to test
if the failover works, the slave deletes all the routes it got from the
master.
Is there any way of retaining those IBGP routes for some time after the
TCP connection is severed, or until the slave server (now master) can
connect to the external peers and get the routes from them?
Or... if anybody has any other hint for a more resilient setup, I'd be
glad to hear.
Thanks a bunch,
g.
Several days ago I wrote something on the topic, but I'm not sure if it made
it to the list:
Carl Roberso wrote:
NetOne - Doichin Dokov wrote:
The BGP problem is solved by doing this:
Thank you very much Doichin for pointing this out: all of you were so
helpful!
Best wishes!
You're more than welcome!
In fact, we also use a bit more complicated BGP setup. Don't know if it
would be of any help for you, but I'll describe it here just for the
thread to be complete in case anyone starts digging :)
The configuration I described in my previous post (3 IPs per upstream
provider, 2 dedicated, 1 CARP-shared) works flawlessly, BUT traffic goes
only through one of the routers at a time. As we were not just routing,
but also doing a lot of shaping, we wanted to loadbalance things and
make both of the systems do some job when they are both up.
So, the scheme grew from 3 to 4 IPs per upstream provider - 2 dedicated
IPs for each firewall, and 2 CARP-shared IPs. Firewall #1 was default
master for shared IP one, Firewall #2 was default master for shared IP two.
Let's say the IPs are:
Firewall #1
========
172.16.0.1 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default master
172.16.0.4 - CARP shared, default slave
Firewall #2
========
172.16.0.2 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default slave
172.16.0.4 - CARP shared, default master
Then, we told our provider to set nexthop to 172.16.0.3 for networks we
sent to them with a community COMM1, and having nexthop set to
172.16.0.4 for networks we sent to them with a community COMM2.
Then, in our BGP setup (equal on both firewalls, apart from the IP address
/ router ID), all we had to do was mark half of the networks, which we
wanted to go through Firewall #1 by default, with community COMM1, and
the others to go to Firewall #2 by default, with community COMM2.
Of course, you have to have a similar setup (though probably without
BGP) on the internal side of the firewalls for things to work properly,
again 2 CARP ifs and traffic originating from the networks routed to
Firewall #1 and Firewall #2 sent to the very same machine, otherwise you
run into state problems, shaping problems (if you do that on the
machines, we do), and maybe something else I could not come up with now :)
By the way, a nice new IP loadbalance option was recently added to CARP,
which might obsolete the setup I describe, but I've not played with that
yet.
Whatever you choose to do, you could always come back for help in case
you need it.
Regards,
Doichin
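As an added illustration, not taken from the thread, here is how the community marking Doichin describes could be written in OpenBGPD's bgpd.conf on Firewall #1, together with the nexthop rewrite the provider would apply on its side. The AS numbers, the prefixes, the community values (65001:1 standing in for COMM1 and 65001:2 for COMM2) and the upstream peer address 172.16.0.254 are assumptions.

```conf
# Firewall #1 -- bgpd.conf fragment (added example; AS numbers, prefixes,
# community values and the upstream address 172.16.0.254 are assumptions)
AS 65001
router-id 172.16.0.1

# Half of the announced networks carry COMM1 (65001:1 here), the other
# half COMM2 (65001:2). Firewall #2 gets the same lines; only router-id
# and local-address differ, so the announcements are identical from both.
network 203.0.113.0/25   set community 65001:1
network 203.0.113.128/25 set community 65001:2

# BGP session runs from the static, non-CARP address, as in the thread
neighbor 172.16.0.254 {
	remote-as 65000
	descr "upstream"
	local-address 172.16.0.1
}

# What the provider applies on its side (assumes it also runs OpenBGPD):
# rewrite the nexthop of our prefixes according to the community, so
# COMM1 traffic arrives via CARP address .3 and COMM2 traffic via .4.
# match from 172.16.0.1 community 65001:1 set nexthop 172.16.0.3
# match from 172.16.0.1 community 65001:2 set nexthop 172.16.0.4
```

When one firewall fails, CARP moves its shared address to the survivor, so the provider's nexthop rules need no change for failover to work.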