I would suggest running VRRP on the routers towards the firewalls and only use
OSPF to advertise the ingress routes. Statically route default to the VRRP group.
Implemented as follows:
[RA]------[switch]-----[switch]------[RB]
              |            |
            [AFW]        [PFW]
Make sense?
AFW/PFW advertise OSPF for the interior routes so that RA/RB know how to reach
them, but RA/RB don't have to advertise anything, and AFW/PFW have static
default routes to a VRRP group address shared between RA/RB.
If you want to make OSPF work, then try making sure you have
default-information originate always
on both RA and RB.
Owen
On Jun 22, 2011, at 3:27 PM, Bret Palsson wrote:
> Here is my current setup in ASCII art. (Please view in a fixed width font.)
> Below the art I'll write out the setup.
>
>
> +--------+    +--------+
> | Peer A |    | Peer A |  <-Many carriers. Using 1 carrier
> +---+----+    +----+---+    for this scenario.
>     |eBGP          | eBGP
>     |              |
> +---+----+iBGP+----+---+
> | Router +----+ Router |  <-Netiron CERs Routers.
> +-+------+    +------+-+
>   |A `.P         A.' |P    <-A/P indicates Active/Passive
>   |    `.      .'    |      link.
>   |       ::         |
> +-+------+'  `+------+-+
> |Act. FW |    |Pas. FW |  <-Firewalls Active/Passive.
> +--------+    +--------+
>
>
> To keep this scenario simple, I'm multihoming to one carrier.
> I have two Netiron CERs. Each has an eBGP connection to the same peer.
> The CERs have an iBGP connection to each other.
> That works all fine and dandy. Feel free to comment, however if you think
> there is a better way to do this.
>
> Here comes the tricky part. I have two firewalls in an Active/Passive setup.
> When one fails, the other, which is configured exactly the same,
> picks up where it left off. (Yes, all the sessions etc. are
> actively mirrored between the devices.)
>
> I am using OSPFv2 between the CERs and the Firewalls. Failover works just
> fine; however, when I fail an OSPF link that has the active default route,
> ingress traffic still routes fine and dandy, but egress traffic doesn't. Both
> Netirons' OSPF are set up to advertise that they are the default route.
>
> What I'm wondering is, if OSPF is the right solution for this. How do others
> solve this problem?
>
>
> Thanks,
>
> Bret
>
>
> Note: Since IPv6 has lately been a hot topic, I'll state that after we get
> the BGP all figured out and working properly, IPv6 is our next project. :)
>
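The VRRP-plus-static-default design Owen describes above, written out as an added configuration example. This is not configuration from either poster, and it is not NetIron CLI: it uses Cisco IOS-style syntax because that is what I can state reliably (on the CERs I believe VRRP is configured under `router vrrp` with `ip vrrp vrid` on the interface, and the OSPF command is spelled `default-information-originate`; check both against the CER documentation). The interface names, the 192.0.2.0/29 transit VLAN, the 203.0.113.0/24 interior block, the peer link address, the key strings and the firewall's syntax are all assumptions. The OSPF-only alternative Owen mentions (originate the default on both routers) is at the end.

```text
! ---- RA (IOS-style syntax, assumed; NetIron CLI differs) ----
! The upstream eBGP link is tracked so RA gives up the VRRP master role when
! its carrier-facing link drops, instead of holding the firewalls' gateway
! address with no working exit behind it.
track 10 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/0
 description eBGP to Peer A (address assumed)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description transit VLAN to AFW/PFW: dedicated, routers and firewalls only
 ip address 192.0.2.2 255.255.255.248
 ! OSPF here only carries the interior prefixes up from the firewalls
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-ASSUMED
 ! Shared gateway for the firewalls; RA is preferred (110 beats RB's 100)
 vrrp 1 ip 192.0.2.1
 vrrp 1 priority 110
 vrrp 1 preempt
 vrrp 1 authentication md5 key-string VRRP-KEY-ASSUMED
 vrrp 1 track 10 decrement 20      ! 110-20 = 90 < 100, so RB takes over
!
router ospf 1
 router-id 192.0.2.2
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 192.0.2.0 0.0.0.7 area 0
 ! Deliberately no default-information originate: the firewalls never learn
 ! a default via OSPF, so losing an adjacency cannot take their egress away.
!
! ---- RB: identical apart from its own addresses and a lower priority ----
track 10 interface GigabitEthernet0/0 line-protocol
interface GigabitEthernet0/1
 ip address 192.0.2.3 255.255.255.248
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-ASSUMED
 vrrp 1 ip 192.0.2.1
 vrrp 1 priority 100
 vrrp 1 preempt
 vrrp 1 authentication md5 key-string VRRP-KEY-ASSUMED
 vrrp 1 track 10 decrement 20
router ospf 1
 router-id 192.0.2.3
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 192.0.2.0 0.0.0.7 area 0
!
! ---- AFW/PFW (one config, mirrored to the passive unit; vendor-neutral) ----
! The outside address 192.0.2.4 is shared by the active/passive pair, so the
! routers' OSPF adjacency and the firewalls' next hop survive a FW failover.
interface outside
 ip address 192.0.2.4 255.255.255.248
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-ASSUMED
!
router ospf 1
 router-id 192.0.2.4
 passive-interface default
 no passive-interface outside
 network 192.0.2.0 0.0.0.7 area 0
 ! interior block (assumed) advertised to RA/RB, which already carry it to
 ! the eBGP peers per the original post
 network 203.0.113.0 0.0.0.255 area 0
 ! Belt and braces: refuse any default that shows up via OSPF, so the static
 ! below stays the only egress path even if a router is misconfigured later.
 distribute-list 10 in
!
access-list 10 deny   0.0.0.0
access-list 10 permit any
!
! Egress: a static default to the VRRP address, not to either router.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ---- Alternative Owen mentions: keep the OSPF default but originate it on
! BOTH RA and RB. "always" matters because a router carrying full BGP tables
! usually has no 0.0.0.0/0 in its own RIB to condition the origination on.
! The firewalls then hold two equal-cost E2 defaults and drop the one whose
! adjacency dies. Caveat: "always" keeps advertising a default even while that
! router's eBGP session is down, so pair it with upstream-link tracking or
! accept that egress can black-hole during a carrier-link failure.
router ospf 1
 default-information originate always metric 10 metric-type 2
```

To check it, `show vrrp brief` on RA should read Master and on RB Backup; `show ip ospf neighbor` on each router should list the active firewall's 192.0.2.4 (only the active unit speaks); and on the firewall the 0.0.0.0/0 entry must be the static via 192.0.2.1, never an OSPF route. Then repeat Bret's test: shut RA's firewall-facing interface and confirm the firewall's next hop is unchanged, RB now answers for the VIP, and both directions still flow; shut RA's upstream interface and confirm the track object drops RA to priority 90 and RB takes over.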