From: Grant Taylor
Date: Thu, 30 Aug 2007 03:58:46 +0000
Subject: Re: [LARTC] Dead Gateway Detection & BGP
To: lartc@vger.kernel.org

(Before anyone questions why I withheld information and went down the
road that I did, I'd like to say that I had fully intended to respond
with more detail, however other things going on both at work and home
prevented me from doing so before now. I also sort of paused because of
the discussion that arose out of the road that I did go down.)

On 8/26/2007 12:29 PM, Rangi Biddle wrote:
>          +-----------------+
>          | Uplink Provider |
>          +--------+--------+
>                   |
>         +---------+---------+
>         |                   |
> +-------+-------+   +-------+-------+
> | Cisco Router  |   | Cisco Router  |
> +-------+-------+   +-------+-------+
>         |                   |
> +-------+-------+   +-------+-------+
> | Firewall # 1  |   | Firewall # 2  |
> +---------------+   +-------+-------+
>
> Initially, the first task I was designated was to setup BGP routing
> on 2 firewalls. Each firewall is connected to its own Cisco router
> provided by the uplink provider and the uplink provider is only
> providing a default gateway/router to each of the firewalls. Now,
> having had minimal experience with BGP (minimal in terms of the
> broadness of what is possible with BGP) and using the information
> provided by the uplink provider I have setup BGP.

Questions:

- Are there multiple providers in this situation or one single
  provider that has chosen to do this type of setup?
- If there are multiple providers, are they in any sort of peering
  relationship between them?
- Is there supposed to be any sort of redundancy amongst the two Cisco
  routers or are they to be two purely independent non-redundant
  connections?
- What type of connections are there in to the two Cisco routers?
- Are the Cisco routers actually routing, or just bridging between two
  layer 1 technologies?
- Is ethernet being used between the Cisco routers and the Debian
  firewalls?
- What type of (if any) IP address range overlap are we looking at?

Answers to each of these questions will most likely beget more questions
until finally a much clearer picture of what ultimately is being done
emerges. This is also part of why I was wanting to do this off mailing
list as some of these answers are not appropriate for a public forum that
is archived and searchable.

> What I have been recently informed of is that the 2 firewalls must do
> some sort of failover between them when either of the default
> gateways are no longer responsive. I had initially looked into
> using heartbeat (which I am still considering) to do the failover or
> possibly using vrrpd (Virtual Router Redundancy Protocol Daemon).
> This however isn't what I am contacting this list about. What I need
> to do at minimum, at least for the failover, is to detect when the
> default gateway of (say) firewall 1 is no longer available and
> perform failover to firewall 2 and vice versa. As far as I am aware
> the only DGD support available is still through the patches that
> Julian Anastasov wrote for the 2.4 kernel series or by writing a
> script that uses arping to determine the last hop available.

Hum. I'm not entirely sure what is supposed to be redundant here, the
Cisco routers, the Debian firewalls, a logical router (or routers) that
are presented to your systems behind the firewalls, what. Will you
please clarify?

> What other options are there?

More than you might initially think.

> I have done a fair amount of searching the internet only to come back
> to these 2 possibilities. Surely there must be something else ...

Well, in my opinion, what you have proposed is a couple of different
solutions to the same piece of the puzzle.

Presuming that you are dealing with T-1s from your provider(s), let's
start with a modified version of your above network layout.

         +-----------------+
         | Uplink Provider |
         +--------+--------+
                  |
        +---------+---------+
        |                   |
+-------+---+---+   +---+---+-------+
| Atlas 550     +---+     Atlas 550 |
+-------+---+---+   +---+---+-------+
        |   |           |   |
        |    \         /    |
        |     \       /     |
        |      \     /      |
        |       \   /       |
        |        \ /        |
        |         X         |
        |        / \        |
        |       /   \       |
        |      /     \      |
        |     /       \     |
        |    /         \    |
        |   |           |   |
+-------+---+---+   +---+---+-------+
| Cisco Router  +---+  Cisco Router |
+-------+---+---+   +---+---+-------+
        |   |           |   |
        |    \         /    |
        |     \       /     |
        |      \     /      |
        |       \   /       |
        |        \ /        |
        |         X         |
        |        / \        |
        |       /   \       |
        |      /     \      |
        |     /       \     |
        |    /         \    |
        |   |           |   |
+-------+---+---+   +---+---+-------+
| Switch        +---+        Switch |
+-------+---+---+   +---+---+-------+
        |   |           |   |
        |    \         /    |
        |     \       /     |
        |      \     /      |
        |       \   /       |
        |        \ /        |
        |         X         |
        |        / \        |
        |       /   \       |
        |      /     \      |
        |     /       \     |
        |    /         \    |
        |   |           |   |
+-------+---+---+   +---+---+-------+
| Firewall # 1  +---+  Firewall # 2 |
+-------+---+---+   +---+---+-------+
        |   |           |   |
        |    \         /    |
        |     \       /     |
        |      \     /      |
        |       \   /       |
        |        \ /        |
        |         X         |
        |        / \        |
        |       /   \       |
        |      /     \      |
        |     /       \     |
        |    /         \    |
        |   |           |   |
+-------+---+---+   +---+---+-------+
| Switch        +---+        Switch |
+-------+-------+   +-------+-------+
        |                   |
   ...--+--...--(LAN)--...--+--...

Now that the ASCII art is out of the way, let's have some explanation as
to what each piece of the puzzle is for.

Physical Layer
--------------

The "Atlas 550"s are devices to switch / route T-1 on a phone company /
circuit level. In other words they can take a T-1 in and give a T-1 out
based on different conditions within the circuit on a given interface.
In short the Atlas 550 will allow you to route an inbound T-1 out the
primary interface if the equipment that the primary interface is
connected to is up and handling traffic. If the equipment that the
primary interface is connected to is not up and handling traffic, route
the T-1 out the secondary interface. If for some reason the equipment
that the secondary interface is connected to is not handling traffic,
route the T-1 out the tertiary interface to the backup Atlas in hopes
that the cabling between the original Atlas and the primary and
secondary equipment is down and that the backup Atlas has functioning
cable.

The Cisco routers are similarly configured with two T-1 WICs each so
that each can connect to both Atlas 550s. Also there is a similar setup
between the Cisco routers and the ethernet switches and each other.

Likewise the switches have a similar setup to connect to the firewall
boxen as well as the firewall boxen do to the internal LAN switch(es).

Data Layer
----------

Each Atlas 550 can redundantly route its inbound T-1 to two different
routers configured redundantly for each other or to the other Atlas 550.

Each Cisco router can redundantly route its inbound T-1s to two
different switches configured redundantly for each other or to the other
router.

Each switch can redundantly switch its inbound network segments to two
different firewalls configured redundantly for each other or to the
other switch.

Each firewall can redundantly filter its inbound network segments to
two different switches configured redundantly for each other or to the
other firewall.

Each switch can redundantly switch its inbound network segment to the
internal LAN or to the other switch.

Network Layer
-------------

Each Atlas 550 would be configured to be able to handle the other's T-1
in the event that the other is unable to reach its desired router.

Each Cisco router would be configured to be able to handle the other
router's circuit in addition to its own circuit, thus you could have a
Cisco router die without adversely affecting your network. If I could,
I would probably use HSRP or VRRP between the Cisco routers so that they
could be redundant for each other.

Each switch is used for basic network connectivity allowing for more
intermediary equipment. If this is the only equipment you are going to
have you could take the core switches out of the mix and go from the
Cisco routers straight in to the firewalls. However these switches will
allow for more future expansion and other options down the road. For
example, either of the switches, if managed, would allow you to mirror
traffic from one port to another for sniffing.

Each firewall would be able to filter traffic for its primary circuit as
well as backup filter for the other firewall's backup circuit. I would
use VRRP to allow multiple physical firewalls to be redundant for each
other's IP address. For example, make firewall A be primary for IP 1 and
secondary for IP 2 while making firewall B be primary for IP 2 and
secondary for IP 1. Thus each firewall is redundant on its WAN facing
side. Do something similar for the LAN facing side. If you decide that
one connection from your provider is primary and the other is backup,
you could route inbound traffic through one firewall while routing
outbound traffic through the other firewall for load balancing /
distribution reasons. If you have the ethernet switches in place you
could even insert a third firewall as an inactive backup system to be
used if either of the primary systems goes down. I would recommend that
you use conntrackd to synchronize the firewall state between the two (or
more) firewalls.

Each switch is used to allow connectivity between the two (or more)
firewalls with the internal LAN.

As you can see there really is not a single point of failure between
where the provider leaves off and the workstations pick up.

> Thanks in advance to anyone that replies as I know that this topic
> seems to be coming up more and more frequently on the lists and must
> be getting somewhat tedious for most.

*nod*

> Regards,

*nod*

Chew on this and let me know what you think.

Grant. . . .

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
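As an added example (not from this thread, nor from either poster), here is the kind of arping-based dead gateway detection script Rangi mentions, written for a Debian firewall: it ARP-probes the primary next hop, fails the default route over to a backup next hop after several consecutive misses, and fails back only after a run of successes so a flapping router does not flip the route on every probe. The gateway addresses (RFC 5737 documentation range), the WAN interface name, the thresholds and the iputils arping flags are assumptions.

```shell
#!/bin/sh
# Added example: ARP-based dead gateway detection with failover to a backup
# next hop. Addresses (RFC 5737 range), interface and thresholds are assumed.
PRIMARY_GW="${PRIMARY_GW:-192.0.2.1}"
BACKUP_GW="${BACKUP_GW:-192.0.2.2}"
WAN_IF="${WAN_IF:-eth0}"
FAIL_LIMIT=3   # consecutive unanswered probes before failing over
OK_LIMIT=5     # consecutive answered probes before failing back (hysteresis)
# probe GW: ARP-probe one next hop on the WAN interface (iputils arping flags
# assumed); prints 1 if it answered, else 0. Tests the router on the LAN only.
probe() {
    if arping -q -c 1 -w 1 -I "$WAN_IF" "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}
# decide CUR FAILS OKS PRIMARY_UP: pure state machine (no side effects) that
# prints "NEXT FAILS OKS". CUR is primary|backup; PRIMARY_UP is the last probe.
decide() {
    cur=$1; fails=$2; oks=$3; up=$4
    if [ "$cur" = primary ]; then
        if [ "$up" -eq 1 ]; then
            fails=0
        else
            fails=$((fails + 1))
            if [ "$fails" -ge "$FAIL_LIMIT" ]; then cur=backup; oks=0; fi
        fi
    elif [ "$up" -eq 1 ]; then
        oks=$((oks + 1))
        if [ "$oks" -ge "$OK_LIMIT" ]; then cur=primary; fails=0; fi
    else
        oks=0
    fi
    echo "$cur $fails $oks"
}
# set_default primary|backup: install the matching default route (needs root).
set_default() {
    gw=$PRIMARY_GW; [ "$1" = backup ] && gw=$BACKUP_GW
    ip route replace default via "$gw" dev "$WAN_IF" && logger -t dgd "default via $gw"
}
# monitor: poll the primary next hop; touch the route table only on a change.
monitor() {
    state=primary; fails=0; oks=0
    while :; do
        set -- $(decide "$state" "$fails" "$oks" "$(probe "$PRIMARY_GW")")
        [ "$1" != "$state" ] && set_default "$1"
        state=$1; fails=$2; oks=$3
        sleep 2
    done
}
if [ "${1:-}" = run ]; then monitor; fi
```

Because ARP only proves the Cisco router is alive on the Ethernet segment, this catches a dead router or cable but not a dead T-1 behind it; that gap is why the layered design above pushes redundancy back to the circuit level as well.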