Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2631
Views
0
Helpful
4
Replies

bgp peering to VRRP

kcornally
Level 1
Level 1

‎08-07-2008 08:44 PM - edited ‎03-06-2019 12:40 AM

Hi guys

I am trying to figure out if there is any drawbacks to peering (BGP) a 6509 switches with a downstream VRRP address of a firewall cluster . If the vrrp active member failed and the standby became active what would be the BGP convergence issues to be aware of

Labels:
0 Helpful
4 Replies 4

lee.reade
Level 4
Level 4

‎08-07-2008 11:41 PM

Hi,

This subject came up a while ago also.

Basically, you can create the peering between the bgp host and the vrrp firewall, assuming the firewall supports bgp, but if the vrrp states switch across from one firewall to the other, ie the standby becomes active, then the BGP session will be torn down and will need to be re-established.

Depending on what event caused the active firewall to go do, you could expect up to 180 seconds before the BGP peering is torn down due to missed keepalive using the default 60 hello/180 dead timers for BGP. You would then have a delay of X before the new session was brought up and the tables exchanged.

You may want to look at peering with each firewall using its real address, and also tweaking the timers to suit your environment.

HTH

LR

0 Helpful

kcornally
Level 1
Level 1
In response to lee.reade

‎08-10-2008 03:51 PM

Hi Lee,

Thanks for that , In relation to your suggestion of setting up the Peering relationship to the real address , these firewalls are a Nokia cluster running virtual firewall's. so they don't have real address per say but a virtual ip sitting on top of the cluster.

Which timers would you recommend tweaking to speed up the convergence times.

Thanks

Kevin..

0 Helpful

cisco24x7
Level 6
Level 6
In response to kcornally

‎08-10-2008 05:38 PM

What version of IPSO running on the Nokia

firewalls? I also assume that you're running

Checkpoint firewall on Nokia IPSO system as

well?

The answer depends on the version of IPSO.

On newer version of IPSO, when you setup

BGP in IPSO, there is a button that will let

you setup BGP on the cluster VRRP ip address.

Once you do that the other side will not

know anything about the physical ip addresses

of the Nokia, it just knows the cluster IP

address. Regardless which firewall is in

Active, your bgp will not go down because of

VRRP.

To my knowledge, IPSO 3.7.1 or older does

not have this feature. This feature is

available in IPSO 3.9 and higher.

0 Helpful

kcornally
Level 1
Level 1
In response to cisco24x7

‎08-11-2008 12:01 AM

Hi cisco 24x7,

Funny talking about a Nokia issue on a Csico site but anyway. So the VRRP will monitor the BGP and when the standby member becomes active the BGP peering does not fail. That would be perfect if that was the case. It will be IPSO version 5 or 6 to my knowledge.

Thanks

Kevin..

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card