BGP redundant link question

I have an existing connection to the Internet via ISP#1; I am adding another connection to ISP#2 for redundancy. I added a PIX515 firewall on the redundant link and configured that PIX as standby.

I intend to run BGP protocol on the routers.

It appears that if the inbound traffic goes through ISP#2, it won't be able to reach the inside network, since the PIX on that link is on standby.

How does the inbound traffic know which is the active link? Do I need to tell the ISP which link is active? Or am I totally missing something in the design here? Please advise.

Attached is a diagram.

paul.matthews Wed, 09/19/2007 - 12:26

This can be a little awkward, but you have a number of options.

The easy solution is probably to have a LAN outside the firewalls that joins the firewall pair to both routers; then it does not really matter which route traffic uses. You probably need to consider that anyway, as with your current layout, if the link to ISP#1 fails, the BGP routing will be via ISP#2, but the active PIX is on ISP#1, meaning no traffic. You should strictly have iBGP running between the routers anyway.

You are at the mercy of the ISPs for return traffic. You can configure AS_PATH prepending to try to influence routing, but they can still do what they want.

It is a little risky, but you could run a routing protocol between your interior routers and simply advertise a summary to your BGP routers, so that when the PIX is passive, the router does not have the routes to advertise and traffic goes the other way; but that will not do any rerouting in case of link failure.

I *really* think you need to look at putting a LAN between the firewalls and routers.
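As an added illustration of the AS_PATH prepending and iBGP peering the reply describes (a constructed example, not configuration from the original thread), here is a Cisco IOS fragment for the router facing ISP#2. It assumes the shared outside LAN recommended above, placeholder private AS numbers (65000 for the customer, 65001 and 65002 for the ISPs) and documentation addresses (192.0.2.0/24 as the customer prefix, 203.0.113.0/24 for the ISP#2 link, 10.0.0.0/24 for the outside LAN).

```cisco
! Constructed example: edge router "R2" facing ISP#2.
! All AS numbers and addresses are assumed placeholders.
!
router bgp 65000
 bgp log-neighbor-changes
 ! Originate our own prefix (needs a matching route in the RIB;
 ! see the Null0 pull-up route at the bottom).
 network 192.0.2.0 mask 255.255.255.0
 !
 ! eBGP to ISP#2: prepend our own AS three times so that, seen from
 ! ISP#2 and the Internet behind it, the ISP#1 path looks shorter and
 ! is preferred while that link is up. The ISP may still override this.
 neighbor 203.0.113.2 remote-as 65002
 neighbor 203.0.113.2 description eBGP to ISP#2
 neighbor 203.0.113.2 route-map ISP2-OUT out
 neighbor 203.0.113.2 route-map ISP2-IN in
 !
 ! iBGP to the ISP#1 edge router "R1" across the outside LAN, so each
 ! router knows the other's upstream path and can forward through it
 ! when its own ISP link fails.
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 description iBGP to R1
 neighbor 10.0.0.1 next-hop-self
!
! Only ever announce our own prefix to the ISP. Routes learned from
! ISP#1 over iBGP must not leak to ISP#2, or we become a transit AS.
ip prefix-list OUR-PREFIX seq 5 permit 192.0.2.0/24
!
route-map ISP2-OUT permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 65000 65000 65000
! (implicit deny drops everything else)
!
! Accept only a default route from ISP#2; adjust if taking full tables.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
route-map ISP2-IN permit 10
 match ip address prefix-list DEFAULT-ONLY
!
! Pull-up route so the "network" statement has something to originate.
ip route 192.0.2.0 255.255.255.0 Null0 250
```

The mirror-image configuration on R1 (eBGP to ISP#1 without the prepend, iBGP back to R2) completes the pair; verify with "show ip bgp neighbors" and "show ip bgp 192.0.2.0" that the prefix is announced only once per ISP and with the expected AS_PATH.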
