On Fri, Oct 18, 2013 at 9:58 PM, Adam Thompson <[email protected]> wrote:
>
> I've got two OpenBSD boxes acting as my border router[s], talking BGP to a
> small # (~4) of peers.
> At the moment, I've got them using carp(4) on every interface, and bgpd.conf
> has, for each neighbor{} stanza, a "depend on carpX" line.
> This works, more or less, but failover is anything but instantaneous - at
> least one upstream loses my advertisements for a couple of minutes in a
> failover event.
The best solution I came up with in a similar scenario was to drop carp for the BGP mesh, establish peering sessions from primary/backup routers to providers that supported multiple sessions, and then use OSPF internally to route within the mesh, with each edge router advertising a default route via OSPF.

Failover is fast, as backup routers already have BGP tables ready to go - otherwise, you're looking at a 30s or so outage with a CARP failover as bgpd pulls down new tables from the peer (for full IPv4, anyway).

Any firewalling needs to be stateless inside the mesh. For everything else, set up a CARP firewall cluster with one interface connecting to the BGP/OSPF mesh VLAN and internal interfaces connecting to the rest of your network/DMZ.

You can ensure network traffic travels preferentially out the primary router for each BGP peer with appropriate tuning of BGP/OSPF.

If a peer doesn't let you have multiple peering sessions, just ensure you have similar connectivity via another backup provider? You seem to get a longer 10-15s outage in this case, but it's better than nothing (and a good idea in general).

-Patrick
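The design Patrick describes, written out as configuration for one of the two edge routers. This is an added illustration and not Patrick's or Adam's own configuration: the AS numbers, prefixes, addresses and interface names are constructed placeholders (documentation/private ranges), and the OSPF `redistribute default set metric` value and the `no state` pf rule are my reading of ospfd.conf(5) and pf.conf(5) for expressing "primary router preferred" and "stateless inside the mesh"; check them against the man pages of the release you run.

```conf
# ---- /etc/bgpd.conf on edge router A (constructed example) ----
# Note what is NOT here: no "depend on carpX" line. Each edge router keeps its
# own live eBGP session and a full table at all times, so a failure of router A
# does not make router B start from an empty RIB.
AS 64500                      # constructed private ASN
router-id 192.0.2.1           # constructed, unique per edge router

network 203.0.113.0/24        # the prefix we originate (constructed)

neighbor 198.51.100.1 {       # upstream that allows a session per router
    remote-as 64496           # constructed provider ASN
    descr "upstream-1 via router A"
}

# Originate only our own prefix; accept everything the upstream sends.
allow from any
allow to any prefix 203.0.113.0/24

# ---- /etc/ospfd.conf on edge router A (constructed example) ----
router-id 192.0.2.1

# Advertise a default route into the internal mesh. The primary router uses a
# lower metric than the backup (e.g. 10 vs 20 on router B) so internal hosts
# prefer A while it is up and fall over to B when A's adjacency drops.
redistribute default set metric 10

area 0.0.0.0 {
    interface vlan10 {        # the BGP/OSPF mesh VLAN (constructed name)
        hello-interval 1      # tighter timers shorten OSPF failover detection
        router-dead-time 4
    }
}

# ---- /etc/pf.conf fragment on the edge routers (constructed example) ----
# Traffic inside the mesh may enter via A and leave via B, so any state table
# on the edge routers would see only half of each flow. Filter statelessly here
# and leave stateful filtering to the CARP firewall cluster behind the mesh.
mesh = "vlan10"
pass quick on $mesh no state
```

Router B carries the same bgpd.conf apart from its own router-id and neighbor address, and an ospfd.conf with `redistribute default set metric 20`; the CARP firewall pair then sits behind vlan10 with ospfd learning the two default routes, which is what gives the near-instant failover on the internal side while both eBGP sessions stay up.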

