On Tue, Feb 27, 2024 at 10:02 AM Javier Gutierrez <GutierrezJ@westmancom.com> wrote:
> My design is very simplistic, I have 2 sets of firewalls that I will have advertising a /32 unicast to the network at each location and it will have a TFTP server behind each firewall.
Hi Javier,

That sounds straightforward to me with no major failure modes. I would make the firewall part of my OSPF network and then add the tftp servers to OSPF using FRR. Then I'd write a script to monitor the local tftp server and stop frr if it detects any problems with the tftp server. The local tftp server will always be closer than the remote one via OSPF link costs, unless it goes offline.

I assume you also have an encrypted channel between the firewalls to handle traffic that stays "inside" your security boundary, as tftp generally should.

Where you could get into trouble is if you add a third or additional sites. If there's ever an equal routing cost from any one site to two others, there's a non-zero risk of the failover process failing... and you won't know it until you need it.

Regards,
Bill Herrin

-- 
William Herrin
bill@herrin.us
https://bill.herrin.us/
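The monitor script Bill sketches above, written out as an added example (this is not code from the thread or from either poster). It assumes the tftp host runs FRR under systemd as the unit "frr", that curl on the host is built with TFTP support, and that the local tftp daemon serves a small canary file named "anycast-canary"; those names, the probe host 127.0.0.1 and the failure/recovery thresholds are assumptions, not anything stated in the thread.

```bash
#!/usr/bin/env bash
# Anycast TFTP health monitor (added example, not from the thread).
# Assumed environment: FRR managed by systemd as "frr", curl with TFTP
# support, and a canary file served by the local tftp daemon.
set -u

TFTP_HOST="${TFTP_HOST:-127.0.0.1}"       # assumed: probe the local daemon
CANARY="${CANARY:-anycast-canary}"        # assumed canary file name
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"     # consecutive failed probes before withdrawing
OK_THRESHOLD="${OK_THRESHOLD:-2}"         # consecutive good probes before re-advertising
INTERVAL="${INTERVAL:-5}"                 # seconds between probes

# Probe the tftp daemon end to end by actually fetching the canary file.
# Returns 0 on success, non-zero on timeout or transfer error.
tftp_probe() {
    curl --silent --max-time 3 --output /dev/null \
        "tftp://${TFTP_HOST}/${CANARY}" 2>/dev/null
}

# Pure decision logic, separated so it can be exercised without a tftp
# server or FRR. Args: current state (advertised|withdrawn), consecutive
# failure count, consecutive success count. Prints the next state.
# The two thresholds give hysteresis so one lost probe does not flap the /32.
next_state() {
    local state="$1" fails="$2" oks="$3"
    case "$state" in
        advertised)
            if [ "$fails" -ge "$FAIL_THRESHOLD" ]; then echo withdrawn; else echo advertised; fi ;;
        withdrawn)
            if [ "$oks" -ge "$OK_THRESHOLD" ]; then echo advertised; else echo withdrawn; fi ;;
        *)
            echo "$state" ;;
    esac
}

# Withdraw or restore the anycast /32 by stopping or starting FRR, as the
# reply suggests. Stopping FRR drops every route this host advertises.
apply_state() {
    case "$1" in
        withdrawn)
            logger -t tftp-anycast "tftp unhealthy; stopping frr to withdraw the /32"
            systemctl stop frr ;;
        advertised)
            logger -t tftp-anycast "tftp healthy again; starting frr to re-advertise the /32"
            systemctl start frr ;;
    esac
}

# Main loop: assumes FRR is running (route advertised) when the monitor starts.
monitor_loop() {
    local state=advertised fails=0 oks=0 next
    while :; do
        if tftp_probe; then
            fails=0; oks=$((oks + 1))
        else
            oks=0; fails=$((fails + 1))
        fi
        next=$(next_state "$state" "$fails" "$oks")
        if [ "$next" != "$state" ]; then
            apply_state "$next"
            state="$next"
        fi
        sleep "$INTERVAL"
    done
}

# Only enter the loop when invoked as "tftp-monitor.sh run", so the file can
# also be sourced to reuse the functions.
if [ "${1:-}" = "run" ]; then
    monitor_loop
fi
```

Run it as a systemd service with `run` as the argument on a box dedicated to tftp; because it stops FRR outright, the host should not be carrying any other route you want to keep. The probe fetches a real file rather than checking that the daemon process exists, so a daemon that is up but unable to read its root directory is still detected.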