BGP Neighbors Through Firewall

Is it a bad practice or uncommon to let two eBGP neighbors on separate subnets neighbor up through the firewall? We can't just let them sit on the inside of our network. BGP would be running on our core switch.

Find more posts tagged with

Comments

shodown

Whats the reason you are doing BGP then I would prob be able to answer your question better.

CodeBlox

We have a need for exchanging routes dynamically for failover to work properly (rerouting through our alternate datacenter). We have an application that is critical to business and certain instances (WAN outage) can cause the application to stop working for everyone. If we exchange the routes dynamically, the branches can use our alternate datacenter while corporate will continue to work with the main connection since the vendor will hear the routes from the alternate site.

RouteMyPacket

You mean you want to use iBGP at your core right? That would be the way to do it

CodeBlox

On our 6509 (thats what I mean by core switch). Why would it be improper to use eBGP? Their router would then hand the traffic off to a private MPLS circuit and onto them.

Dieg0M

iBGP through the firewall is not uncommon. EBGP is usually done with the firewall sitting behind the router doing the peering.

VAHokie56

I don't see why this would be an issue at all just use multi-hop as you are going through the firewall and a static route for the peer address to the firewall....I have seen very similar stuff done...lol codeblox is this job related!?!?!

CodeBlox

haha! It is!! I am the lead on this project and have a firm grasp of everything to be done but I wasn't sure at all on the firewall part (if it was bad practice to have a neighbor in a DMZ with the peer in the private network) lol!

VAHokie56

good luck with it, "don't break anything"