PS: We are against 'sloppy state' so much because we cannot sanitize the sessions anywhere else (these firewalls connect to raw Transit).

In the meantime I think we're going to be forced to use ifstated to shutdown OpenBGPd on the backup :(

Ugly and very slow, but I would rather this than risk insecurity.

Thanks for reading :)


On Fri 08 Nov 2013 11:44:58 GMT, Andy wrote:
Hi,

We have upgraded to 5.4 in production and now have our OSPF routes
being announced from our CARP 'backup' with a max value metric, and
the CARP 'master' announcing with the default/defined metrics. This
works great in testing so far and directs all traffic to the CARP master.

Would it be possible to make a change to BGP (further from another
thread I started here a while ago regarding dual-stack woes), whereby
you can set the local_pref to send if CARP primary (high local_pref)
and the local_pref to send if CARP backup (low local_pref) (controls
the packet flow from our iBGP peers). And set the MED to send if
Primary (low MED), and the MED to send if Backup (High MED) (this can
allow the control of packet flows from our eBGP peers (assuming they
honor MED/no other BGP decision match is found first)).

Are there any other BGP attributes which would also be good for this
and should be added?

It would be great if we could have firewalls which run BGP and also
which have to have CARP interfaces on the outside and inside (for
legacy v4 NAT..), to also work for routed v6 without requiring sloppy
states on the v6 rules and the one of two routed v4 rules (ensure BGP
routed traffic is sent to the CARP 'master')..

This seems sensible to me as it would mean a significant improvement
in security (full state tracking), and an improvement in performance
(state searches not rule traversal)?

Personally I think it would be great if you could define every BGP
attribute which you can already set now with values according to CARP
state.

Cheers, Andy.
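The interim workaround mentioned at the top of the thread (ifstated stopping OpenBGPD on the CARP backup), as an added example that is not part of Andy's messages. It assumes the CARP interface is carp0 and the 5.4-era rc.d script /etc/rc.d/bgpd; the CARP 'master' keeps its BGP sessions, the 'backup' tears them down so that routed traffic can only ever arrive at the box holding the pf state.

```conf
# /etc/ifstated.conf (added example; assumes carp0 and /etc/rc.d/bgpd)
# carp0.link.up is true only while carp0 is in MASTER state.
init-state auto

carp_master = "carp0.link.up"

# Pick the right state once at startup instead of assuming one.
state auto {
	if $carp_master {
		set-state master
	}
	if ! $carp_master {
		set-state backup
	}
}

# CARP master: bgpd runs and announces with the normal attributes.
state master {
	init {
		run "/etc/rc.d/bgpd start"
	}
	if ! $carp_master {
		set-state backup
	}
}

# CARP backup: no bgpd, so no peer can prefer this box and bypass the
# state table on the master.
state backup {
	init {
		run "/etc/rc.d/bgpd stop"
	}
	if $carp_master {
		set-state master
	}
}
```

Enable it with `ifstated_flags=""` in /etc/rc.conf.local; note the failover cost is a full BGP session restart and reconvergence, which is the "ugly and very slow" part.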
