Hi - please see the diagram:
We currently have two ISP connections terminating to a single switch which is doing BGP, and which also has connections to both our active and standby firewalls. Whichever firewall is active will communicate with the inside interface of that switch. The ISP advertises a default route on both connections, but applies a higher local preference on connection A. The firewalls have a static default route to the switch inside interface IP, and the switch has static routes for all our public IP ranges pointing to the firewall's WAN interface IP.
Failover between the ISP connections works very well, as the switch has both default routes in its routing table and will immediately start forwarding over connection B if connection A goes down. Both ISP connections are also available to both firewalls.
Obviously if that switch fails we will have no WAN connection at all, and we can't reboot it to update the firmware without an outage, so we would like to improve this and have two separate routers as shown in the 'proposed' diagram.
The intention is that whichever firewall is active will communicate with the VRRP address.
Traffic should always go via connection A if it's available, so if the standby firewall becomes active but R1 and Conn A are still up, traffic should flow across the link between R1 and R2 to reach the internet.
The standby firewall should still be able to communicate with the VRRP address when R1 is the VRRP master, as all the interfaces for the connections shown in green will be in the same VLAN.
I'm not sure what the best way to configure the communication between R1 and R2 is.
Option 1 - Just use VRRP to control failover. Each router has a BGP peering with the ISP, but only knows about its own default route. If R1 loses its connection to the ISP it can decrement its VRRP priority via object tracking, and R2 becomes VRRP master. If R1 goes down R2 also becomes master, and traffic flows to connection B.
Option 2 - Run BGP between R1 and R2. Both routers will know about both routes to the internet, but connection A is preferred because of the higher local preference. If R1 loses its connection to the ISP, it will have an alternative route in its route table via R2. This has the advantage that we could adjust BGP at a later date to make connection B the preferred route for certain networks and load balance across the two connections. In this scenario R1 can stay as the VRRP master even if it loses its connection to the ISP, so no object tracking needs to be configured.
Option 3 - Something else?
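Option 2 written out as a constructed Cisco IOS-style configuration (an added illustration, not taken from the original post or the poster's equipment; the VLAN, interface names, AS numbers and addresses are assumed placeholders from the RFC 5737 / RFC 5398 reserved ranges):

```cisco
! R1 (VRRP master, eBGP to ISP over connection A, iBGP to R2)
! Constructed example: addresses are RFC 5737 placeholders, AS numbers are
! RFC 5398 placeholders. Replace with the real values.
interface GigabitEthernet0/0
 description Connection A to ISP
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Inside VLAN shared with R2 and both firewalls
 ip address 198.51.100.2 255.255.255.0
 vrrp 1 ip 198.51.100.1
 vrrp 1 priority 120
 vrrp 1 preempt
!
! Public range reaches the active firewall via its WAN address on this VLAN
ip route 192.0.2.0 255.255.255.0 198.51.100.10
!
router bgp 65000
 network 192.0.2.0 mask 255.255.255.0
 ! eBGP to the ISP: stamp the default learned here with a high local
 ! preference so both routers prefer connection A while it is up
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 route-map LP-CONN-A in
 ! iBGP to R2: next-hop-self so R2 forwards to R1's inside address, which
 ! is directly reachable on the shared VLAN
 neighbor 198.51.100.3 remote-as 65000
 neighbor 198.51.100.3 next-hop-self
!
route-map LP-CONN-A permit 10
 set local-preference 200
!
! R2 differs only in the lines below: lower VRRP priority, connection B
! addressing, and the default from connection B left at the default
! local preference of 100, so it is used only when R1's route is withdrawn
interface GigabitEthernet0/0
 description Connection B to ISP
 ip address 203.0.113.6 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 198.51.100.3 255.255.255.0
 vrrp 1 ip 198.51.100.1
 vrrp 1 priority 100
!
router bgp 65000
 network 192.0.2.0 mask 255.255.255.0
 neighbor 203.0.113.5 remote-as 64496
 neighbor 198.51.100.2 remote-as 65000
 neighbor 198.51.100.2 next-hop-self
```

One caveat to expect when checking this: while connection A is up, R2's best path for the default is the iBGP one from R1, and iBGP-learned routes are not re-advertised to iBGP peers, so R1 will not show a backup default via R2 until it withdraws its own; failover from A to B therefore takes one BGP convergence step rather than being pre-installed.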