I would suggest running VRRP on the routers towards the firewalls and only use OSPF to advertise the ingress routes. Statically route default to the VRRP group. Implemented as follows:

[RA]------[switch]-----[switch]------[RB]
              |             |
            [AFW]         [PFW]

Make sense? AFW/PFW advertise OSPF for the interior routes so that RA/RB know how to reach them, but RA/RB don't have to advertise anything, and AFW/PFW have static default routes to a VRRP group address shared between RA/RB.

If you want to make OSPF work, then try making sure you have default-information originate always on both RA and RB.

Owen

On Jun 22, 2011, at 3:27 PM, Bret Palsson wrote:
Here is my current setup in ASCII art. (Please view in a fixed width font.) Below the art I'll write out the setup.
+--------+        +--------+
| Peer A |        | Peer A |  <-Many carriers. Using 1 carrier
+---+----+        +----+---+    for this scenario.
    |eBGP              | eBGP
    |                  |
+---+----+iBGP    +----+---+
| Router +--------+ Router |  <-Netiron CERs Routers.
+-+------+        +------+-+
  |A    `.P      A.'     |P    <-A/P indicates Active/Passive
  |       `.    .'       |       link.
  |         ::           |
+-+------+'      `+------+-+
|Act. FW |        |Pas. FW |  <-Firewalls Active/Passive.
+--------+        +--------+
To keep this scenario simple, I'm multihoming to one carrier. I have two Netiron CERs. Each has an eBGP connection to the same peer. The CERs have an iBGP connection to each other. That works all fine and dandy. Feel free to comment, however, if you think there is a better way to do this.
Here comes the tricky part. I have two firewalls in an Active/Passive setup. When one fails the other is configured exactly the same and picks up where the other left off. (Yes, all the sessions etc. are actively mirrored between the devices)
I am using OSPFv2 between the CERs and the Firewalls. Failover works just fine; however, when I fail an OSPF link that has the active default route, ingress traffic still routes fine and dandy, but egress traffic doesn't. Both Netirons' OSPF are set up to advertise that they are the default route.
What I'm wondering is if OSPF is the right solution for this. How do others solve this problem?
Thanks,
Bret
Note: Since lately IPv6 has been a hot topic, I'll state that after we get the BGP all figured out and working properly, IPv6 is our next project. :)
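Owen's design above (firewalls with a static default to a VRRP address shared by RA/RB, OSPF used only for the interior routes, with "default-information originate always" on both routers as the alternative), written out as an added configuration sketch that is not part of either message. Cisco IOS-style syntax, the interface names, the uplink tracking and the 192.0.2.0/24 and 10.0.0.0/8 addresses are assumptions; the NetIron CLI differs.

```cisco
! ---- RA (RB is identical except for its own address and a lower priority) ----
! Addresses in 192.0.2.0/24 and 10.0.0.0/8 are constructed for this example.
interface GigabitEthernet0/1
 description towards the firewall pair
 ip address 192.0.2.2 255.255.255.0
 ! 192.0.2.1 is the shared address the firewalls point their default route at
 vrrp 1 ip 192.0.2.1
 ! RB uses priority 100, so RA holds the address while it is healthy
 vrrp 1 priority 110
 vrrp 1 preempt
 ! Assumption beyond Owen's text: give up the address if the eBGP uplink
 ! goes down, so the firewalls' default does not land on a router with no exit
 vrrp 1 track 10 decrement 20
!
track 10 interface GigabitEthernet0/0 line-protocol
!
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
 ! Option 1 (Owen's suggestion): advertise nothing from RA/RB. The firewalls
 ! reach the Internet via the static default to 192.0.2.1; RA/RB learn the
 ! interior prefixes the firewalls advertise.
 ! Option 2 (if the default must come from OSPF): enable on BOTH routers
 ! default-information originate always
!
! ---- Active/Passive firewall pair (both configured identically) ----
! Static default to the VRRP address, never to an individual router.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
router ospf 1
 ! Advertise only the interior routes so RA/RB know how to reach them
 network 10.0.0.0 0.255.255.255 area 0
```

With option 1, a failed RA link no longer changes the firewalls' default at all; the VRRP address simply moves to RB, which is what removes the egress blackhole Bret describes.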