Re: [LARTC] Dead Gateway Detection & BGP

From: Grant Taylor <gtaylor@riverviewtech.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Dead Gateway Detection & BGP
Date: Mon, 27 Aug 2007 14:42:50 +0000	[thread overview]
Message-ID: <46D2E2EA.3010803@riverviewtech.net> (raw)
In-Reply-To: <00a101c7e806$adc89500$0959bf00$@net.nz>

On 08/26/07 12:29, Rangi Biddle wrote:
> Greetings to all,
> 
> To start I’ll firstly lay down the foundation to what I have done so 
> far and if those of you on the list can provide further insight, 
> tips, links etc.
> 
> This scenario consists of 2 firewalls (both running Debian “etch”), 2 
> Cisco routers (unsure of model numbers) connected together like so in 
> the diagram below.
> 
>          +-----------------+
>          | Uplink Provider |
>          +--------+--------+
>                   |
>         +---------+---------+
>         |                   |
> +-------+-------+   +-------+-------+
> | Cisco  Router |   | Cisco  Router |
> +-------+-------+   +-------+-------+
>         |                   |
> +-------+-------+   +-------+-------+
> | Firewall # 1  |   | Firewall # 2  |
> +---------------+   +-------+-------+
> 
> Initially, the first task I was designated was to setup BGP routing 
> on 2 firewalls.  Each firewall is connected to its own Cisco router 
> provided by the uplink provider and the uplink provider is only 
> providing a default gateway/router to each of the firewalls.  Now, 
> having had minimal experience with BGP (minimal in terms of the 
> broadness of what is possible with BGP) and using the information 
> provided by the uplink provider I have setup BGP.
> 
> What I have been recently informed of is that the 2 firewalls must do 
> some sort of failover between them when either of the default 
> gateway’s are no longer responsive.  I had initially looked into 
> using heartbeat (which I am still considering) to do the failover or 
> possibly using vrrpd (Virtual Router Redundancy Protocol Daemon). 
> This however isn’t what I am contacting this list about.  What I need 
> to do at minimal, is at least for the failover, is to detect when the 
> default gateway of (say) firewall 1 is no longer available and 
> perform failover to firewall 2 and vice versa.  As far as  I am aware 
> the only DGD support available is still through the patches that 
> Julian Anastasov wrote for the 2.4 kernel series or by writing a 
> script that uses arping to determine the last hop available.

In my experience, Julian's DGD patch(s) are very good but not needed for 
your scenario.  I have achieved a very similar scenario with a stock 
kernel.  The main thing(s) that Julian's patches do is provide Dead 
Gateway Detection for (this is the key point) "non-default" routes while 
the kernel its self is capable to providing this for default routes.

> What other options are there?

Add two equal metric default routes in reverse priority.  (It is my 
experience that the route command populates the routing table by pushing 
new routes on to the top to be read before other existing routes.)

> I have done a fair amount of searching the internet only to come back 
> to these 2 possibilities.  Surely there must be something else ….

Well, you are touching on some key points to what needs to be done, but 
there are still other things to be considered for a truly redundant 
scenario.

> Thanks in advance to anyone that replies as I know that this topic 
> seems to be coming up more and more frequently on the lists and must 
> be getting somewhat tedious for most.

You are welcome.

Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc