We have this kind of setup with two firewalls in an active/passive cluster:
FWs are connected to a L2 DC switch so the clustering would work correctly. There are multiple VRFs on the routers.
From routers I can do a static route towards the virtual IP on the firewall, but how about the other direction? I was thinking of doing two BGP sessions to the routers so I could easily take one router down for maintenance and traffic would flow through the other one. Or if some linke went down, BGP would advertise the routes from the second router.
Do you see any problems with this kind of setup? Or should I do VRRP on the routers instead? I'm not big fan of it though... I'm afraid I'll end up in a situation where the link towards the core network is down but VRRP virtual IP still stays on the router and traffic from FW gets blackholed.
Thanks!
No comments:
Post a Comment