[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: iptables + zebra (bgp4)

On 01/02/2003 07:18:01 AM Iñaki Martínez wrote:

>>  I have a firewall and i need to implement BGP-4 to add more than one
>> internet provider.
>>  Now i have this:
>>    internet<---->firewall<----switch------servers
>>  I would like to change to this:
>>    provider1<--+
>>                |
>>    provider2<--+->firewall<----switch------servers
>>                |
>>    provider3<--+
>>  Is it possible to join zebra software (iproute2) with iptables ALL in
>> same machine?????

I have done this although not using same protocol and topology.  No problem
running OSPF and iptables on my firewall at home.
Try to use iptables to block external access to your routing protocols (BGP
is TCP 179 and there is no reason for anyone except your upstream's
router's serial port to connect to your machine on that port, although
obviously firewalls should deny all and then only allow certain stuff thru)

I notice you have a SPF (single point of failure) in that design.
Maybe a better idea is to install 3 PC-routers, one on each provider, and
run IBGP between the 3 PC-routers.


provider1 <- PCrouter1 <-+
provider2 <- PCrouter2 <-+--> DMZ switch <--> firewall <-> switch <->
provider3 <- PCrouter3 <-+

Run IBGP between PCrouters 1-3 and the firewall.

Now if the power supply in router 2 blows up, no big deal.
And obviously, when doing software upgrades, upgrade #1 first, wait a few
days, then upgrade #2, etc.
And finally if provider3 screws up and their BGP feed makes zebra crash, so
what, all you lost is 1/3 of bandwidth for a day.

Also, if you're going to spend enough money to get 3 ISPs, you can spend
some pocket change to install dual NIC cards in each machine, and dual enet
switches, etc.

And obviously you can install multiple UPS's, etc.

Minimizing SPFs is an interesting art form.

Reply to: