bgp peering to VRRP

Unanswered Question
Aug 7th, 2008

Hi guys

I am trying to figure out if there are any drawbacks to peering (BGP) a 6509 switch with a downstream VRRP address of a firewall cluster. If the VRRP active member failed and the standby became active, what would be the BGP convergence issues to be aware of?

lee.reade Thu, 08/07/2008 - 23:41

Hi,

This subject came up a while ago also.

Basically, you can create the peering between the BGP host and the VRRP firewall, assuming the firewall supports BGP, but if the VRRP states switch across from one firewall to the other, i.e. the standby becomes active, then the BGP session will be torn down and will need to be re-established.

Depending on what event caused the active firewall to go down, you could expect up to 180 seconds before the BGP peering is torn down due to missed keepalives, using the default 60 hello/180 dead timers for BGP. You would then have a delay of X before the new session was brought up and the tables exchanged.

You may want to look at peering with each firewall using its real address, and also tweaking the timers to suit your environment.

HTH

LR
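
To make the suggestion above concrete, here is an added example of the Catalyst 6509 side of the configuration (not from the original thread, and not the poster's own config): one eBGP session to each firewall member's real address with the timers lowered, contrasted with a single session to the VRRP address. The IP addresses, AS numbers and neighbor descriptions are placeholders; the example assumes both cluster members can run BGP on their real interface addresses.

```cisco
! Added example, not from the original thread. Placeholder addresses/ASNs:
!   192.0.2.1  shared VRRP address of the firewall cluster
!   192.0.2.2  real address of firewall member A
!   192.0.2.3  real address of firewall member B
!
! Worst case with default timers (60 s keepalive / 180 s hold): a session to a
! dead peer stays Established for up to 180 s before its routes are withdrawn.
router bgp 65000
 ! keepalive 10 s, hold 30 s: a silent peer is dropped after 30 s, not 180 s.
 ! BGP uses the lower of the two hold times offered in OPEN, so either set
 ! both sides to match or let the firewalls accept the 6509's lower value.
 timers bgp 10 30
 !
 ! One session per physical member. On a member failure only that session
 ! is lost; the session to the surviving member stays up, so once the dead
 ! session's paths are withdrawn the same prefixes are still present via the
 ! survivor and traffic follows them without waiting for a new session.
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 description fw-a real address
 neighbor 192.0.2.3 remote-as 65001
 neighbor 192.0.2.3 description fw-b real address
 !
 ! The timers can also be set per neighbor if only this pair should be fast:
 ! neighbor 192.0.2.2 timers 10 30
 ! neighbor 192.0.2.3 timers 10 30
!
! Contrast: a single session to the VRRP address. After a VRRP failover the
! new master holds no state for this TCP session, so nothing recovers until
! the 6509's hold timer expires and a fresh session is negotiated and the
! tables re-exchanged (the "delay of X" above).
! neighbor 192.0.2.1 remote-as 65001
```

Check the result with `show ip bgp neighbors` (negotiated keepalive/hold time and session state) and `show ip bgp summary` after pulling one member; the session to the failed member should drop within the configured hold time while the other remains Established.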

kcornally Sun, 08/10/2008 - 15:51

Hi Lee,

Thanks for that. In relation to your suggestion of setting up the peering relationship to the real address, these firewalls are a Nokia cluster running virtual firewalls, so they don't have a real address per se but a virtual IP sitting on top of the cluster.

Which timers would you recommend tweaking to speed up the convergence times?

Thanks

Kevin..

cisco24x7 Sun, 08/10/2008 - 17:38

What version of IPSO is running on the Nokia firewalls? I also assume that you're running Checkpoint firewall on the Nokia IPSO system as well?

The answer depends on the version of IPSO.

On newer versions of IPSO, when you set up BGP in IPSO, there is a button that will let you set up BGP on the cluster VRRP IP address. Once you do that, the other side will not know anything about the physical IP addresses of the Nokia; it just knows the cluster IP address. Regardless of which firewall is Active, your BGP will not go down because of VRRP.

To my knowledge, IPSO 3.7.1 or older does not have this feature. This feature is available in IPSO 3.9 and higher.

kcornally Mon, 08/11/2008 - 00:01

Hi cisco 24x7,

Funny talking about a Nokia issue on a Cisco site, but anyway. So the VRRP will monitor the BGP, and when the standby member becomes active the BGP peering does not fail. That would be perfect if that was the case. It will be IPSO version 5 or 6 to my knowledge.

Thanks

Kevin..
