BGP Routing with a DC Edge Firewall
Our desing and planning is based on our current BGP based firewall environment similar to an ipSpace.net article. We are now planning to build a new HA firewall environment that is based on BGP routed connectivity.
We have two optional designs both based on BGP routed connectivity. Firewalls are acting as routers and customer LAN gateways are located in datacenter routers segmented with VRF technology. Option to be implemented depends on the capabilities of the vendor.
Option 1: Both nodes of virtual firewall instance HA-pair work as an independent routers, having their own BGP sessions running simultaneously. Both nodes in HA-pair have BGP neighborhood to one datacenter router. Path of the traffic is controlled by routing metrics configured between firewall nodes and datacenter routers. In case of a failover or traffic switchover from one firewall node to another, there are no need for re-establishment of BGP sessions between firewall nodes and datacenter routers.
Option 2: Only currently active firewall node of a virtual firewall instance has its BGP routing running. Firewall node has BGP peering configured redundantly to two datacenter routers. Path of the traffic is controlled by routing metrics configured between active firewall node and datacenter routers. In case of a failover or traffic switchover from one firewall node to another, BGP sessions between firewall node and datacenter routers are re-established.
We would be interested to receive comments and recommendations for the following questions:
- Implementation of the state/policy sync for the HA-pair
- iBGP or eBGP to be selected for the inside VRF BGP peering
- Best practices for the BGP implementation for Option 2