BGP peering to VRRP

Unanswered Question
Aug 7th, 2008

Hi guys

I am trying to figure out if there are any drawbacks to peering (BGP) a 6509 switches with a downstream VRRP address of a firewall cluster. If the VRRP active member failed and the standby became active, what would be the BGP convergence issues to be aware of?

lee.reade Thu, 08/07/2008 - 23:41


This subject came up a while ago also.

Basically, you can create the peering between the BGP host and the VRRP firewall, assuming the firewall supports BGP, but if the VRRP states switch across from one firewall to the other, i.e. the standby becomes active, then the BGP session will be torn down and will need to be re-established.

Depending on what event caused the active firewall to go down, you could expect up to 180 seconds before the BGP peering is torn down due to missed keepalives using the default 60 hello/180 dead timers for BGP. You would then have a delay of X before the new session was brought up and the tables exchanged.

You may want to look at peering with each firewall using its real address, and also tweaking the timers to suit your environment.
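
The timer tuning suggested in the reply above, as an added Cisco IOS configuration sketch that is not part of the original post. The AS numbers and the 192.0.2.10 peer address are constructed placeholders, and the 10/30 second values are illustrative assumptions, not a recommendation from the thread:

```cisco
! Constructed values: AS 65001 (6509 side), AS 65002 (firewall cluster),
! 192.0.2.10 (cluster VRRP address). Substitute your own.
router bgp 65001
 neighbor 192.0.2.10 remote-as 65002
 neighbor 192.0.2.10 description firewall-cluster-vrrp-address
 ! Defaults discussed above: keepalive 60 s, hold time 180 s.
 ! Per-neighbor override: keepalive 10 s, hold time 30 s, so a peer
 ! that goes silent is declared down after at most 30 s, not 180 s.
 neighbor 192.0.2.10 timers 10 30
```

The hold time actually used on a session is the lower of the values the two peers advertise when the session opens, so the new timers only take effect after the session is re-established. Very short hold times make the session more sensitive to brief packet loss or a busy control plane on either side.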



kcornally Sun, 08/10/2008 - 15:51

Hi Lee,

Thanks for that. In relation to your suggestion of setting up the peering relationship to the real address, these firewalls are a Nokia cluster running virtual firewalls, so they don't have a real address per se but a virtual IP sitting on top of the cluster.

Which timers would you recommend tweaking to speed up the convergence times?



cisco24x7 Sun, 08/10/2008 - 17:38

What version of IPSO is running on the Nokia firewalls? I also assume that you're running Checkpoint firewall on Nokia IPSO system as

The answer depends on the version of IPSO. On newer versions of IPSO, when you set up BGP in IPSO, there is a button that will let you set up BGP on the cluster VRRP IP address. Once you do that the other side will not know anything about the physical IP addresses of the Nokia, it just knows the cluster IP address. Regardless of which firewall is Active, your BGP will not go down because of

To my knowledge, IPSO 3.7.1 or older does not have this feature. This feature is available in IPSO 3.9 and higher.

kcornally Mon, 08/11/2008 - 00:01

Hi cisco 24x7,

Funny talking about a Nokia issue on a Cisco site but anyway. So the VRRP will monitor the BGP and when the standby member becomes active the BGP peering does not fail. That would be perfect if that was the case. It will be IPSO version 5 or 6 to my knowledge.



