From: "Rangi Biddle"
Date: Sun, 26 Aug 2007 17:29:28 +0000
Subject: [LARTC] Dead Gateway Detection & BGP
Message-Id: <00a101c7e806$adc89500$0959bf00$@net.nz>
To: lartc@vger.kernel.org

Greetings to all,

To start I’ll firstly lay down the foundation of what I have done so far, and if those of you on the list can provide further insight, tips, links etc.

This scenario consists of 2 firewalls (both running Debian “etch”) and 2 Cisco routers (unsure of model numbers) connected together like so in the diagram below.

                  -----------------------
                  |   Uplink Provider   |
                  -----------------------
                             |
                             |
                  -----------------------
                  |                     |
        -------------------     --------------------
        |  Cisco Router   |     |  Cisco Router    |
        -------------------     --------------------
                 |                       |
                 |                       |
        -------------------     --------------------
        |   Firewall 1    |     |   Firewall 2     |
        -------------------     --------------------

Initially, the first task I was designated was to set up BGP routing on 2 firewalls. Each firewall is connected to its own Cisco router provided by the uplink provider, and the uplink provider is only providing a default gateway/router to each of the firewalls. Now, having had minimal experience with BGP (minimal in terms of the broadness of what is possible with BGP) and using the information provided by the uplink provider, I have set up BGP.

What I have been recently informed of is that the 2 firewalls must do some sort of failover between them when either of the default gateways is no longer responsive. I had initially looked into using heartbeat (which I am still considering) to do the failover, or possibly using vrrpd (Virtual Router Redundancy Protocol Daemon). This however isn’t what I am contacting this list about. What I need to do, at minimum, at least for the failover, is to detect when the default gateway of (say) firewall 1 is no longer available and perform failover to firewall 2, and vice versa. As far as I am aware the only DGD support available is still through the patches that Julian Anastasov wrote for the 2.4 kernel series, or by writing a script that uses arping to determine the last hop available.

What other options are there?

I have done a fair amount of searching the internet only to come back to these 2 possibilities. Surely there must be something else ….

Thanks in advance to anyone that replies, as I know that this topic seems to be coming up more and more frequently on the lists and must be getting somewhat tedious for most.

Regards,

Rangi

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
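The second option the post names, a script that uses arping to check the last hop, worked out as an added example; this is not code from the original post or from any LARTC project. It assumes iputils-style arping flags (-c, -w, -I), iproute2 for the route change, and root privileges; the gateway address 192.0.2.1, interface eth0, the backup next hop 10.0.0.2 (the other firewall on an internal link) and the route-switch hook are hypothetical placeholders to be replaced with the real values. ARP is probed rather than ICMP because the question here is whether the next-hop router itself is alive, and a consecutive-miss threshold keeps one dropped reply from flapping the default route.

```shell
#!/bin/sh
# Dead-gateway watchdog for a Linux firewall: ARP-probe the default gateway,
# declare it DOWN after FAIL_THRESHOLD consecutive misses, and run a hook on
# every state change. Added example, not code from the original post.
# Addresses, interface and the hook action are hypothetical placeholders.

GW="${GW:-192.0.2.1}"                  # provider's default gateway (placeholder)
IFACE="${IFACE:-eth0}"                 # interface facing the Cisco router (placeholder)
BACKUP_GW="${BACKUP_GW:-10.0.0.2}"     # other firewall on the internal link (placeholder)
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"  # consecutive misses before declaring DOWN
INTERVAL="${INTERVAL:-2}"              # seconds between probes
PROBE_CMD="${PROBE_CMD:-probe_gateway}"        # overridable for testing
HOOK_CMD="${HOOK_CMD:-switch_default_route}"   # overridable for testing

# One ARP probe of the gateway (iputils arping: -c count, -w deadline in
# seconds, -I interface, -q quiet). Exit status 0 means the router answered.
probe_gateway() {
    arping -q -c 1 -w 1 -I "$IFACE" "$GW" >/dev/null 2>&1
}

# next_state FAILS PROBE_RC THRESHOLD
# Prints "<new-fail-count> <verdict>" with verdict UP, PENDING or DOWN.
# A single answer resets the counter; DOWN needs THRESHOLD misses in a row.
next_state() {
    fails=$1; rc=$2; thr=$3
    if [ "$rc" -eq 0 ]; then
        echo "0 UP"
        return 0
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$thr" ]; then
        echo "$fails DOWN"
    else
        echo "$fails PENDING"
    fi
}

# Default hook (hypothetical action): repoint the default route at the other
# firewall while the provider router is dead, restore it when it answers again.
switch_default_route() {
    case "$1" in
        DOWN) ip route replace default via "$BACKUP_GW" ;;
        UP)   ip route replace default via "$GW" dev "$IFACE" ;;
    esac
}

# monitor_loop [MAX_CYCLES]
# Probes every INTERVAL seconds; MAX_CYCLES (0 = forever) bounds the run for
# testing and skips the sleep. Prints one line per state transition.
monitor_loop() {
    max=${1:-0}; cycles=0; fails=0; state=UP
    while [ "$max" -eq 0 ] || [ "$cycles" -lt "$max" ]; do
        cycles=$((cycles + 1))
        if "$PROBE_CMD"; then rc=0; else rc=1; fi
        set -- $(next_state "$fails" "$rc" "$FAIL_THRESHOLD")
        fails=$1; verdict=$2
        if [ "$verdict" != PENDING ] && [ "$verdict" != "$state" ]; then
            echo "gateway $GW $state -> $verdict"
            "$HOOK_CMD" "$verdict"
            state=$verdict
        fi
        if [ "$max" -eq 0 ]; then sleep "$INTERVAL"; fi
    done
}

# Run as a daemon with:  sh dgd.sh run   (needs root for arping and ip route)
if [ "${1:-}" = "run" ]; then
    monitor_loop
fi
```

The state machine is deliberately separate from the probe and the hook, so it can be exercised with a fake probe before it is trusted with the real default route; in production the hook is where a heartbeat or vrrpd hand-off would be triggered instead of a plain route replace.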