09-19-2007 12:00 PM - edited 03-03-2019 06:49 PM
I have an existing connection to the internet to ISP#1; I am adding another connection to ISP#2 for redundancy. I added a PIX515 firewall on the redundant link and configured that PIX as standby.
I intend to run BGP protocol on the routers.
It appeared that if the inbound traffic is going through ISP#2, it won't be able to reach the inside network since the PIX is on standby.
How does the inbound traffic know which is the active link? Do I need to tell the ISP which link is active? Or am I totally missing something on the design here? Please advise.
Attached is a diagram.
09-19-2007 12:26 PM
This can be a little awkward! but you have a number of options.
The easy solution is probably to have a LAN outside the firewalls that joins the firewall pair to both routers, then it does not really matter which route traffic uses. You probably really need to consider that anyway, as with your current layout, if the link to ISP#1 fails, the BGP routing will be via ISP#2, but the active PIX is on ISP#1, meaning no traffic. You should strictly have iBGP running between the routers anyway.
You are at the mercy of the ISPs for return traffic; you can configure AS_PATH prepending to try to influence routing, but they can still do what they want.
It is a little risky, but you could run a routing protocol between your interior routers, and simply advertise a summary to your BGP routers, so that when the PIX is passive, the router does not have the routes to advertise so traffic goes the other way, but that will not do any rerouting in case of link failure.
I *really* think you need to look at putting a LAN between the firewalls and routers.
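The design the reply describes (a shared outside LAN joining the PIX pair to both edge routers, iBGP between the routers, and AS_PATH prepending towards the backup ISP), written out as an added IOS configuration example. This is not the poster's configuration nor anything from the thread; all AS numbers, interface names and addresses are assumed placeholders (documentation ranges and private ASNs), and the HSRP gateway for the PIX is an addition that the reply does not mention but that the shared-LAN layout needs so the firewall has one next hop regardless of which router's ISP link is up.

```cisco
! Added example, not from the original post. Assumed values:
!   local AS 65001; ISP#1 AS 65101 peering at 203.0.113.1; ISP#2 AS 65102 at 198.51.100.1
!   public block 192.0.2.0/24, from which 192.0.2.0/28 is the shared outside LAN
!   RTR1 = 192.0.2.1, RTR2 = 192.0.2.2, PIX outside (active unit) = 192.0.2.3
!   HSRP virtual gateway for the PIX = 192.0.2.14
!
! ===== RTR1 (edge router towards ISP#1, preferred path) =====
interface GigabitEthernet0/1
 description Shared outside LAN to PIX pair and RTR2
 ip address 192.0.2.1 255.255.255.240
 standby 1 ip 192.0.2.14
 standby 1 priority 110
 standby 1 preempt
!
router bgp 65001
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 ! iBGP to RTR2 over the shared LAN so each router learns the other's ISP routes;
 ! next-hop-self because RTR2 has no route to ISP#1's peering address
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 next-hop-self
 ! eBGP to ISP#1: our prefix advertised with its natural AS_PATH
 neighbor 203.0.113.1 remote-as 65101
 neighbor 203.0.113.1 prefix-list OUR-PREFIX out
!
! Discard route so the aggregate exists in the RIB for the network statement
ip route 192.0.2.0 255.255.255.0 Null0 250
ip prefix-list OUR-PREFIX seq 5 permit 192.0.2.0/24
!
! ===== RTR2 (edge router towards ISP#2, backup path) =====
interface GigabitEthernet0/1
 description Shared outside LAN to PIX pair and RTR1
 ip address 192.0.2.2 255.255.255.240
 standby 1 ip 192.0.2.14
 standby 1 priority 100
 standby 1 preempt
!
router bgp 65001
 bgp log-neighbor-changes
 network 192.0.2.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 next-hop-self
 ! eBGP to ISP#2: same prefix, AS_PATH prepended three times so remote
 ! networks see a longer path and normally prefer the ISP#1 route
 neighbor 198.51.100.1 remote-as 65102
 neighbor 198.51.100.1 prefix-list OUR-PREFIX out
 neighbor 198.51.100.1 route-map PREPEND-ISP2 out
!
ip route 192.0.2.0 255.255.255.0 Null0 250
ip prefix-list OUR-PREFIX seq 5 permit 192.0.2.0/24
!
route-map PREPEND-ISP2 permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 65001 65001 65001
!
! ===== PIX (active/standby pair, outside interface on the shared LAN) =====
! Only the routing-relevant line is shown; the PIX points at the HSRP address,
! so whichever router currently holds the virtual IP carries outbound traffic,
! and inbound traffic arriving on either router reaches the active PIX across
! the same LAN.
route outside 0.0.0.0 0.0.0.0 192.0.2.14 1
```

With this layout the firewall's active/standby state is decoupled from the ISP links: an inbound packet that lands on RTR2 via ISP#2 is simply forwarded onto the shared LAN to 192.0.2.3, where the active PIX answers. The prepending only expresses a preference; as the reply notes, an upstream can still override it with local preference, so verify the outcome from outside (a looking glass or a neighbor's `show ip bgp 192.0.2.0/24`) rather than assuming the longer path is ignored.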