From: Grant Taylor
Date: Mon, 27 Aug 2007 14:42:50 +0000
Subject: Re: [LARTC] Dead Gateway Detection & BGP
Message-Id: <46D2E2EA.3010803@riverviewtech.net>
References: <00a101c7e806$adc89500$0959bf00$@net.nz>
In-Reply-To: <00a101c7e806$adc89500$0959bf00$@net.nz>
To: lartc@vger.kernel.org

On 08/26/07 12:29, Rangi Biddle wrote:
> Greetings to all,
>
> To start, I'll first lay down the foundation of what I have done so
> far, and perhaps those of you on the list can provide further insight,
> tips, links etc.
>
> This scenario consists of 2 firewalls (both running Debian "etch") and
> 2 Cisco routers (unsure of model numbers), connected together as shown
> in the diagram below.
>
>                  +-----------------+
>                  | Uplink Provider |
>                  +--------+--------+
>                           |
>                 +---------+---------+
>                 |                   |
>         +-------+-------+   +-------+-------+
>         | Cisco Router  |   | Cisco Router  |
>         +-------+-------+   +-------+-------+
>                 |                   |
>         +-------+-------+   +-------+-------+
>         | Firewall # 1  |   | Firewall # 2  |
>         +---------------+   +-------+-------+
>
> Initially, the first task I was designated was to set up BGP routing
> on the 2 firewalls. Each firewall is connected to its own Cisco router
> provided by the uplink provider, and the uplink provider is only
> providing a default gateway/router to each of the firewalls. Now,
> having had minimal experience with BGP (minimal in terms of the
> broadness of what is possible with BGP) and using the information
> provided by the uplink provider, I have set up BGP.
>
> What I have recently been informed of is that the 2 firewalls must do
> some sort of failover between them when either of the default
> gateways is no longer responsive.
> I had initially looked into using heartbeat (which I am still
> considering) to do the failover, or possibly using vrrpd (Virtual
> Router Redundancy Protocol Daemon). This, however, isn't what I am
> contacting this list about. What I need to do, at a minimum, at least
> for the failover, is to detect when the default gateway of (say)
> firewall 1 is no longer available and perform failover to firewall 2,
> and vice versa. As far as I am aware, the only DGD support available
> is still through the patches that Julian Anastasov wrote for the 2.4
> kernel series, or by writing a script that uses arping to determine
> the last hop available.

In my experience, Julian's DGD patch(es) are very good but not needed for
your scenario. I have achieved a very similar scenario with a stock
kernel. The main thing(s) that Julian's patches do is provide Dead
Gateway Detection for (this is the key point) "non-default" routes, while
the kernel itself is capable of providing this for default routes.

> What other options are there?

Add two equal metric default routes in reverse priority. (It is my
experience that the route command populates the routing table by pushing
new routes on to the top, to be read before other existing routes.)

> I have done a fair amount of searching the internet, only to come back
> to these 2 possibilities. Surely there must be something else...

Well, you are touching on some key points to what needs to be done, but
there are still other things to be considered for a truly redundant
scenario.

> Thanks in advance to anyone that replies, as I know that this topic
> seems to be coming up more and more frequently on the lists and must
> be getting somewhat tedious for most.

You are welcome.

Grant. . . .
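The two-equal-metric-default-routes setup Grant suggests, combined with the arping-based probe Rangi mentions, written out as an added example (not code from either poster). The gateway addresses, interface names and metric are placeholder assumptions; running the ip commands needs root.

```sh
#!/bin/sh
# Added example, not from the thread. Installs two default routes with the
# same metric, then probes each gateway with arping; a gateway that stops
# answering has its default route withdrawn, and it is re-added when the
# gateway answers again. Placeholder addresses (TEST-NET ranges):
GW1=${GW1:-192.0.2.1};     DEV1=${DEV1:-eth0}
GW2=${GW2:-198.51.100.1};  DEV2=${DEV2:-eth1}
METRIC=${METRIC:-100}
RUN=${RUN:-sh}      # RUN=cat prints the ip commands instead of executing them

# "ip route append" is used because "ip route add" refuses a second default
# route with the same metric ("RTNETLINK answers: File exists").
add_cmd() { printf 'ip route append default via %s dev %s metric %s\n' "$1" "$2" "$METRIC"; }
del_cmd() { printf 'ip route del default via %s dev %s metric %s\n' "$1" "$2" "$METRIC"; }

# Print the command that changes the table for one gateway, or nothing when
# its state did not change. $1 gateway, $2 device, $3 previous state
# (up/down), $4 probe result (up/down).
transition() {
    case "$3:$4" in
        up:down) del_cmd "$1" "$2" ;;
        down:up) add_cmd "$1" "$2" ;;
        *) : ;;
    esac
}

# One ARP request with a 2 s deadline (iputils arping); prints up or down.
probe() {
    if arping -q -c 1 -w 2 -I "$2" "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

monitor() {
    { add_cmd "$GW1" "$DEV1"; add_cmd "$GW2" "$DEV2"; } | $RUN
    s1=up; s2=up
    while :; do
        r1=$(probe "$GW1" "$DEV1"); transition "$GW1" "$DEV1" "$s1" "$r1" | $RUN; s1=$r1
        r2=$(probe "$GW2" "$DEV2"); transition "$GW2" "$DEV2" "$s2" "$r2" | $RUN; s2=$r2
        sleep 5
    done
}

if [ "${1:-}" = monitor ]; then monitor; fi
```

Run it as `RUN=cat sh dgd.sh monitor` first to see the commands it would issue without touching the routing table.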