Hi, attached is a diagram of the topology that I am looking to build. A summary of the peering relationships is:
1. eBGP between R1 and R3
2. eBGP between R2 and R4
3. iBGP between R1 and R2
4. iBGP between R3 and R4
The firewalls are acting as active/passive, with the left leg of the design always being the active leg (the R1-FW-R3 leg is the active leg). There is a dedicated state-sync link between the firewalls that is not shown on the diagram; however, it is not used from a routing perspective at all for normal traffic forwarding.
There are some issues that I am facing with this design. They are
1. Since it is the same L2 hop between the internal and external switch, if the primary firewall fails then the eBGP on the primary leg establishes via the redundant backup firewall, and this leads to somewhat suboptimal routing, because in either direction traffic always comes to the primary switch, then goes across the L2 trunk link to the backup switches, and then on its way to the other side. Any suggestions on getting around this? A solution was to peer with loopbacks and point to the physical next hop of the FW; however, this causes an issue during normal operation when everything is working, because now the second leg sees the BGP next hop as the interface of the second-leg switches, and since the next hop for those switches is configured to go to the physical IP of the firewall, it never uses the VRRP. Not sure if there is a fix for this issue.
2. iBGP under normal circumstances is not redistributed into an IGP. So if, for example, another routing protocol is being used, and say the primary-leg internal switch (R3) goes down, then since the connection to the customer is still via the primary-leg external switch 1, the iBGP-learnt route from R2 is never sent across to the customer. The solution used over here was to originate the route on the external switches; however, I am considering whether it would make sense to use cross eBGP peering between external and internal, meaning having an eBGP peering between R1 and R4 and between R2 and R3. Are there any downsides to that? I cannot think of any, except possibly overhead on the devices with the second eBGP peering. What considerations should be taken into account in deciding if this peering relationship is viable?
3. VRF-Lite is being used on the external side to isolate each customer. In addition, RTs are being used to exchange routes from the customer VRFs to the FW VRFs. This is only on the external side. Does anyone see any downsides to this approach? I haven't seen any issues and had posted a similar question in the past; however, I just want to confirm again.
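To make questions 2 and 3 concrete, here is an added illustrative Cisco IOS-style configuration for R1 (the primary external switch). It is not configuration from the post or its author; every value in it is an assumption: AS 65001 on the external switches, AS 65002 on the internal switches, customer AS 65100, VRF names CUST-A and FW, route targets 65001:100 (customer) and 65001:900 (FW), and the addressing (R1 198.51.100.1, R2 198.51.100.2, outside firewall VRRP VIP 198.51.100.254, R3 198.51.101.3, R4 198.51.101.4, customer 192.0.2.2). It shows the per-customer VRF-Lite with RT-based leaking into the FW VRF, the existing R1-R3 eBGP and R1-R2 iBGP sessions, and the proposed cross eBGP session to R4 together with the local-preference policy needed to keep the primary leg preferred while R3 is up.

```text
! Added example for R1 (primary external switch), Cisco IOS style.
! All names, AS numbers, RTs and addresses below are assumptions.
!
! Per-customer VRF (question 3).  Customer routes are exported with
! 65001:100 and the FW VRF imports that RT; the FW VRF exports 65001:900
! and the customer VRF imports it, so only these two VRFs see each other.
vrf definition CUST-A
 rd 65001:100
 address-family ipv4
  route-target export 65001:100
  route-target import 65001:900
 exit-address-family
!
vrf definition FW
 rd 65001:900
 address-family ipv4
  route-target export 65001:900
  route-target import 65001:100
 exit-address-family
!
interface Vlan100
 description Customer A attachment (VRF-Lite, one VRF per customer)
 vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan900
 description Outside subnet shared with R2 and the firewall pair (VRRP VIP .254)
 vrf forwarding FW
 ip address 198.51.100.1 255.255.255.0
!
! R3 and R4 sit one routed hop beyond the firewalls, so BGP transport to
! them follows the VRRP VIP, i.e. whichever firewall is currently active.
ip route vrf FW 198.51.101.0 255.255.255.0 198.51.100.254
!
router bgp 65001
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf CUST-A
  ! Customer A eBGP.  Only routes that are in BGP are leaked by RT, so the
  ! attachment subnet is redistributed to make it visible in VRF FW too.
  redistribute connected
  neighbor 192.0.2.2 remote-as 65100
  neighbor 192.0.2.2 activate
 exit-address-family
 !
 address-family ipv4 vrf FW
  ! Existing iBGP to R2.  VRF-Lite carries no VPNv4, so the session is per VRF.
  ! iBGP propagates LOCAL_PREF, so it is reset inbound to the default of 100
  ! and the path via R2 (across the trunk) can never outrank a direct eBGP path.
  neighbor 198.51.100.2 remote-as 65001
  neighbor 198.51.100.2 activate
  neighbor 198.51.100.2 route-map FROM-R2 in
  !
  ! Existing eBGP to R3 through the active firewall: the primary leg.
  ! LOCAL_PREF 200 keeps it preferred over every other path while it is up.
  neighbor 198.51.101.3 remote-as 65002
  neighbor 198.51.101.3 ebgp-multihop 2
  neighbor 198.51.101.3 activate
  neighbor 198.51.101.3 route-map FROM-R3 in
  !
  ! Proposed cross eBGP to R4 (question 2).  Left at the default LOCAL_PREF
  ! of 100; when R3 is gone it ties with the path via R2, and the
  ! eBGP-over-iBGP rule then selects R4 directly instead of the trunk path.
  neighbor 198.51.101.4 remote-as 65002
  neighbor 198.51.101.4 ebgp-multihop 2
  neighbor 198.51.101.4 activate
 exit-address-family
!
route-map FROM-R2 permit 10
 set local-preference 100
!
route-map FROM-R3 permit 10
 set local-preference 200
```

R2 would carry the mirror image (R4 as its preferred session, R3 as the cross session). After applying, `show ip bgp vpnv4 vrf FW` should list three paths for a customer prefix's return route with the R3 path marked best, and `show ip route vrf FW` should show the customer subnet leaked in from CUST-A. Two points the post's question 2 did not raise: the cross session R1-R4 crosses the same active firewall as the R1-R3 session, so the firewall policy must permit TCP/179 between R1 and R4 as well, and because the two eBGP sessions share the static route via the VRRP VIP, a firewall failover tears down and re-establishes both of them at once, exactly as it does the single session today.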