New Member

bgp peering to VRRP

Hi guys

I am trying to figure out if there are any drawbacks to peering (BGP) 6509 switches with a downstream VRRP address of a firewall cluster. If the VRRP active member failed and the standby became active, what would be the BGP convergence issues to be aware of?

4 REPLIES
Silver

Re: bgp peering to VRRP

Hi,

This subject came up a while ago also.

Basically, you can create the peering between the BGP host and the VRRP firewall, assuming the firewall supports BGP, but if the VRRP states switch across from one firewall to the other, i.e. the standby becomes active, then the BGP session will be torn down and will need to be re-established.

Depending on what event caused the active firewall to go down, you could expect up to 180 seconds before the BGP peering is torn down due to missed keepalives using the default 60 hello/180 dead timers for BGP. You would then have a delay of X before the new session was brought up and the tables exchanged.

You may want to look at peering with each firewall using its real address, and also tweaking the timers to suit your environment.

HTH

LR
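The timer arithmetic behind the reply above, as an added example that is not part of the original thread: it models how long a peer takes to notice a neighbor that has gone silent, given each side's keepalive and hold timers. The 10/30 values are constructed for illustration, and the hold/3 keepalive cap is an assumption about the neighbor's implementation.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class BgpTimers:
    keepalive: int  # configured seconds between KEEPALIVE messages
    hold: int       # configured hold time in seconds (0 disables keepalives)


def negotiated_hold(local: BgpTimers, remote: BgpTimers) -> int:
    """Hold time the session runs with: the smaller of the two OPEN values (RFC 4271)."""
    for t in (local, remote):
        if t.hold != 0 and t.hold < 3:  # RFC 4271: hold time is 0 or at least 3 s
            raise ValueError(f"invalid hold time: {t.hold}")
    return min(local.hold, remote.hold)


def keepalive_sent(sender: BgpTimers, hold: int) -> int:
    """Interval at which `sender` emits keepalives on this session.

    Assumption: the sender caps its configured interval at hold/3 (the ratio
    RFC 4271 suggests) and never sends more often than once per second.
    """
    return max(1, min(sender.keepalive, hold // 3))


def detection_window(local: BgpTimers, remote: BgpTimers) -> Optional[Tuple[int, int]]:
    """(best, worst) seconds for `local` to drop the session after `remote` goes silent.

    Worst case: the neighbor dies just after sending a keepalive. Best case: it
    dies just before the next one was due. None means the hold timer is disabled
    and a silent failure is never detected by timers.
    """
    hold = negotiated_hold(local, remote)
    if hold == 0:
        return None
    return (hold - keepalive_sent(remote, hold), hold)


DEFAULTS = BgpTimers(keepalive=60, hold=180)  # the 60/180 defaults quoted in the thread
TUNED = BgpTimers(keepalive=10, hold=30)      # constructed example of tightened timers

if __name__ == "__main__":
    for name, local in (("default", DEFAULTS), ("tuned on one side", TUNED)):
        print(name, detection_window(local, DEFAULTS))
```

Because the smaller hold time wins the negotiation, lowering the timers on one side is enough to shorten the window in this model.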

New Member

Re: bgp peering to VRRP

Hi Lee,

Thanks for that. In relation to your suggestion of setting up the peering relationship to the real address, these firewalls are a Nokia cluster running virtual firewalls, so they don't have a real address per se but a virtual IP sitting on top of the cluster.

Which timers would you recommend tweaking to speed up the convergence times?

Thanks

Kevin..

Silver

Re: bgp peering to VRRP

What version of IPSO is running on the Nokia firewalls? I also assume that you're running Checkpoint firewall on Nokia IPSO system as well?

The answer depends on the version of IPSO. On newer versions of IPSO, when you set up BGP in IPSO, there is a button that will let you set up BGP on the cluster VRRP IP address. Once you do that the other side will not know anything about the physical IP addresses of the Nokia, it just knows the cluster IP address. Regardless of which firewall is Active, your BGP will not go down because of VRRP.

To my knowledge, IPSO 3.7.1 or older does not have this feature. This feature is available in IPSO 3.9 and higher.

New Member

Re: bgp peering to VRRP

Hi cisco 24x7,

Funny talking about a Nokia issue on a Cisco site, but anyway. So the VRRP will monitor the BGP and when the standby member becomes active the BGP peering does not fail. That would be perfect if that was the case. It will be IPSO version 5 or 6 to my knowledge.

Thanks

Kevin..
