Tuesday, October 20, 2020

Multihomed Edge Design

Hello. Last year we moved to a multihomed BGP solution for our internet, utilizing our own ASN and /24. This was the first time I had implemented a BGP solution, and although the solution seems to work well, I feel it can be better and more efficiently designed.

Currently we have two Juniper SRX340 devices in an Active/Passive HA pair. Both ISPs are plugged into the “single” SRX340 stack. We advertise eBGP to the providers, of course, and the SRX340 devices connect to two Palo Alto firewalls, also configured as an Active/Passive HA pair. The Palo Alto firewall (9.9.9.2) has a static route pointing to the SRX340 (9.9.9.1).

Reading a few deployment guides, I’ve seen designs that break out the edge routers, with one going to ISP1 and the other going to ISP2. They use iBGP between the two routers, and OSPF is used from the edge routers to the firewalls. Is this the better design? It seems like a no-brainer, but I wanted to get other opinions. I know separating the edge routers will give two separate control planes, which prevents a single control-plane error from taking down the WAN.

For simplicity’s sake I have the HA pairs shown as a single device on the diagrams, since they are Active/Passive. There are two physical links from each ISP going to both devices in the HA pair, even though they are not shown. There is also a network switch (not shown) that breaks out the single ISP Ethernet handoff into two, so the new design will eliminate the need for that as well.
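To make the proposed design concrete, here is what edge1 could look like in Junos set-style configuration. This is an added example, not configuration from this post or from Juniper or Palo Alto, and every identifier in it is a placeholder: the local ASN 64512 and ISP1's ASN 64496, the advertised block 203.0.113.0/24, the 192.0.2.0/30 link to ISP1, the 10.0.0.0/29 inside segment shared with edge2 and the firewalls, the 10.255.0.x loopbacks, the policy names, the prefix-limit value and the "REPLACE-ME" keys. edge2 would mirror it with ISP2's ASN and addresses and its own loopback. The pieces a security engineer would care about are the export policy (originate only the /24 and reject everything else, so the two edges never re-advertise one ISP's table to the other and turn this ASN into an unintended transit), the import policy (drop our own prefix, RFC1918 space and anything longer than /24 coming from the ISP), a session prefix-limit, and authentication on both iBGP and OSPF so nothing else on the shared inside segment can inject routes.

```junos
## edge1 (Junos set-style). Added example with placeholder values; edge2 mirrors it for ISP2.
set interfaces ge-0/0/0 description "ISP1 handoff (assumed addressing)"
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.2/30
set interfaces ge-0/0/1 description "inside segment shared with edge2 and the firewalls"
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/29
set interfaces lo0 unit 0 family inet address 10.255.0.1/32
set routing-options router-id 10.255.0.1
set routing-options autonomous-system 64512
## discard route anchors the /24 so it is always in the table to be originated
set routing-options static route 203.0.113.0/24 discard
## conditional default for the inside: only exists while BGP routes are being learned
set routing-options generate route 0.0.0.0/0 policy GEN-DEFAULT
## eBGP to ISP1, with import/export policy and a prefix-limit on the session
set protocols bgp group ISP1 type external
set protocols bgp group ISP1 peer-as 64496
set protocols bgp group ISP1 import IMPORT-FROM-ISP
set protocols bgp group ISP1 export EXPORT-TO-ISP
set protocols bgp group ISP1 family inet unicast prefix-limit maximum 1000000
set protocols bgp group ISP1 family inet unicast prefix-limit teardown 90 idle-timeout 30
set protocols bgp group ISP1 neighbor 192.0.2.1
## iBGP to edge2 between loopbacks, authenticated, with next-hop-self so edge2 can use ISP1 routes
set protocols bgp group IBGP type internal
set protocols bgp group IBGP local-address 10.255.0.1
set protocols bgp group IBGP authentication-key "REPLACE-ME"
set protocols bgp group IBGP export NEXT-HOP-SELF
set protocols bgp group IBGP neighbor 10.255.0.2
## OSPF toward the firewalls: advertise only the conditional default, MD5 on the shared segment
set protocols ospf export DEFAULT-TO-OSPF
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 authentication md5 1 key "REPLACE-ME"
set policy-options prefix-list OWN-PREFIX 203.0.113.0/24
## export: originate only our /24; reject everything else so this ASN never becomes transit
set policy-options policy-statement EXPORT-TO-ISP term own from protocol static
set policy-options policy-statement EXPORT-TO-ISP term own from prefix-list-filter OWN-PREFIX exact
set policy-options policy-statement EXPORT-TO-ISP term own then accept
set policy-options policy-statement EXPORT-TO-ISP term deny-rest then reject
## import: refuse our own prefix, RFC1918 space, and anything longer than /24
set policy-options policy-statement IMPORT-FROM-ISP term no-own from prefix-list-filter OWN-PREFIX orlonger
set policy-options policy-statement IMPORT-FROM-ISP term no-own then reject
set policy-options policy-statement IMPORT-FROM-ISP term no-rfc1918 from route-filter 10.0.0.0/8 orlonger
set policy-options policy-statement IMPORT-FROM-ISP term no-rfc1918 from route-filter 172.16.0.0/12 orlonger
set policy-options policy-statement IMPORT-FROM-ISP term no-rfc1918 from route-filter 192.168.0.0/16 orlonger
set policy-options policy-statement IMPORT-FROM-ISP term no-rfc1918 then reject
set policy-options policy-statement IMPORT-FROM-ISP term no-long from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement IMPORT-FROM-ISP term no-long then reject
set policy-options policy-statement IMPORT-FROM-ISP term accept-rest then accept
set policy-options policy-statement NEXT-HOP-SELF then next-hop self
## any BGP-learned route is a contributor to the generated default
set policy-options policy-statement GEN-DEFAULT from protocol bgp
set policy-options policy-statement GEN-DEFAULT from route-filter 0.0.0.0/0 longer
set policy-options policy-statement GEN-DEFAULT then accept
## generated routes show as protocol aggregate; only the default goes into OSPF
set policy-options policy-statement DEFAULT-TO-OSPF term default from protocol aggregate
set policy-options policy-statement DEFAULT-TO-OSPF term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement DEFAULT-TO-OSPF term default then accept
set policy-options policy-statement DEFAULT-TO-OSPF term deny-rest then reject
```

Two design notes on this sketch. First, the firewalls see only an OSPF default from each edge and never the full table, so the Palo Alto static route in the current design is replaced by a default that disappears when an edge has no BGP routes at all; because iBGP-learned routes from edge2 also count as contributors, an edge whose own ISP is down keeps advertising the default and forwards across the inside segment to its peer, which is usually what you want. Second, the inside segment is now a routing domain rather than a point-to-point static link, which is why the OSPF MD5 and iBGP authentication keys are there: without them any device that lands on that switch can advertise a better default or a more specific route and pull traffic.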

Diagram: Current

Diagram: New


