08-07-2008 08:44 PM - edited 03-06-2019 12:40 AM
Hi guys
I am trying to figure out if there are any drawbacks to peering (BGP) 6509 switches with a downstream VRRP address of a firewall cluster. If the VRRP active member failed and the standby became active, what would be the BGP convergence issues to be aware of?
08-07-2008 11:41 PM
Hi,
This subject came up a while ago also.
Basically, you can create the peering between the BGP host and the VRRP firewall, assuming the firewall supports BGP, but if the VRRP states switch across from one firewall to the other, i.e. the standby becomes active, then the BGP session will be torn down and will need to be re-established.
Depending on what event caused the active firewall to go down, you could expect up to 180 seconds before the BGP peering is torn down due to missed keepalives, using the default 60 hello/180 dead timers for BGP. You would then have a delay of X before the new session was brought up and the tables exchanged.
You may want to look at peering with each firewall using its real address, and also tweaking the timers to suit your environment.
HTH
LR
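As an added illustration of the two choices above (not a configuration from either poster, nor from the original thread), here is what each looks like on the 6509 side in Cisco IOS. The AS numbers, neighbor addresses and descriptions are placeholders; the `neighbor ... timers` command is the standard IOS knob for the keepalive/hold values mentioned above.

```cisco
! Option A: a single session to the firewall cluster's VRRP address.
! Simplest to configure, but the TCP session belongs to whichever
! member is VRRP master, so a failover tears it down and the new
! master has to re-establish it and re-exchange tables.
router bgp 65001
 neighbor 192.0.2.1 remote-as 65002
 neighbor 192.0.2.1 description FW-cluster-VRRP-VIP
 ! keepalive 10s / hold 30s instead of the default 60/180,
 ! so a dead master is detected in ~30s rather than ~180s
 neighbor 192.0.2.1 timers 10 30

! Option B: one session per cluster member, using its real address.
! A VRRP failover only costs the session to the failed member;
! the session to the surviving member stays up.
router bgp 65001
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 description FW-member-1
 neighbor 192.0.2.2 timers 10 30
 neighbor 192.0.2.3 remote-as 65002
 neighbor 192.0.2.3 description FW-member-2
 neighbor 192.0.2.3 timers 10 30
```

Two things to keep in mind when tuning: BGP negotiates the hold time down to the smaller of the two peers' values, so the firewall side must be set as well for the shorter timer to take effect, and very aggressive timers trade faster failure detection for a higher risk of the session flapping when a peer is briefly busy. `show ip bgp neighbors 192.0.2.1` shows the negotiated hold time and the current session state for checking the result.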
08-10-2008 03:51 PM
Hi Lee,
Thanks for that. In relation to your suggestion of setting up the peering relationship to the real address, these firewalls are a Nokia cluster running virtual firewalls, so they don't have real addresses per se but a virtual IP sitting on top of the cluster.
Which timers would you recommend tweaking to speed up the convergence times?
Thanks
Kevin..
08-10-2008 05:38 PM
What version of IPSO is running on the Nokia firewalls? I also assume that you're running Checkpoint firewall on the Nokia IPSO system as well?
The answer depends on the version of IPSO. On newer versions of IPSO, when you set up BGP in IPSO, there is a button that will let you set up BGP on the cluster VRRP IP address. Once you do that, the other side will not know anything about the physical IP addresses of the Nokia; it just knows the cluster IP address. Regardless of which firewall is Active, your BGP will not go down because of VRRP.
To my knowledge, IPSO 3.7.1 or older does not have this feature. This feature is available in IPSO 3.9 and higher.
08-11-2008 12:01 AM
Hi cisco 24x7,
Funny talking about a Nokia issue on a Cisco site, but anyway. So the VRRP will monitor the BGP, and when the standby member becomes active the BGP peering does not fail. That would be perfect if that was the case. It will be IPSO version 5 or 6 to my knowledge.
Thanks
Kevin..