BGP Neighbors Through Firewall

CodeBlox
Is it a bad practice or uncommon to let two eBGP neighbors on separate subnets neighbor up through the firewall? We can't just let them sit on the inside of our network. BGP would be running on our core switch.
Currently reading: Network Warrior, Unix Network Programming by Richard Stevens

Comments

  • shodown
    What's the reason you are doing BGP? Then I would probably be able to answer your question better.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • CodeBlox
    We have a need for exchanging routes dynamically for failover to work properly (rerouting through our alternate datacenter). We have an application that is critical to business and certain instances (WAN outage) can cause the application to stop working for everyone. If we exchange the routes dynamically, the branches can use our alternate datacenter while corporate will continue to work with the main connection since the vendor will hear the routes from the alternate site.
  • RouteMyPacket
    You mean you want to use iBGP at your core, right? That would be the way to do it.
    Modularity and Design Simplicity:

    Think of the 2:00 a.m. test—if you were awakened in the
    middle of the night because of a network problem and had to figure out the
    traffic flows in your network while you were half asleep, could you do it?
  • CodeBlox
    On our 6509 (that's what I mean by core switch). Why would it be improper to use eBGP? Their router would then hand the traffic off to a private MPLS circuit and onto them.
  • Dieg0M
    iBGP through the firewall is not uncommon. eBGP is usually done with the firewall sitting behind the router doing the peering.
    Follow my CCDE journey at www.routingnull0.com
  • VAHokie56
    I don't see why this would be an issue at all; just use multihop, as you are going through the firewall, and a static route for the peer address pointing to the firewall. I have seen very similar stuff done... lol, codeblox, is this job related!?!?!
    .ιlι..ιlι.
    CISCO
    "A flute without holes, is not a flute. A donut without a hole, is a Danish" - Ty Webb
    Reading:NX-OS and Cisco Nexus Switching: Next-Generation Data Center Architectures
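As an added example (not from any poster in this thread), here is the arrangement VAHokie56 describes, the core switch peering eBGP with the vendor router across a routed firewall, written out in Cisco IOS and ASA syntax. Every address, AS number, interface name and password is a made-up placeholder: the core's inside SVI is assumed to be 10.0.0.2 (Vlan10) with the firewall's inside interface at 10.0.0.1, the firewall's DMZ interface at 192.0.2.1, and the vendor router peering from 192.0.2.2 on the DMZ side.

```ios
! --- Core switch (6509, AS 65001) --- all values hypothetical
! The peer sits behind the firewall, so the default eBGP TTL of 1 is not
! enough if the firewall decrements TTL; allowing 2 hops works either way.
router bgp 65001
 bgp log-neighbor-changes
 neighbor 192.0.2.2 remote-as 65002
 neighbor 192.0.2.2 description Vendor MPLS router, reached via firewall
 neighbor 192.0.2.2 ebgp-multihop 2
 neighbor 192.0.2.2 update-source Vlan10
 neighbor 192.0.2.2 password ExampleBgpSecret
 neighbor 192.0.2.2 timers 30 90
 network 10.10.0.0 mask 255.255.0.0
!
! Host route for the peer address pointing at the firewall's inside interface;
! without it the multihop session has no path to the neighbor.
ip route 192.0.2.2 255.255.255.255 10.0.0.1

! --- Firewall (ASA, routed mode) --- hypothetical interface and ACL names
! Permit TCP/179 between exactly these two hosts in both directions, since
! either side may be the one to open the session. The peer addresses must
! not be NATed, or the neighbor statements above will never match.
access-list dmz_in extended permit tcp host 192.0.2.2 host 10.0.0.2 eq 179
access-list inside_in extended permit tcp host 10.0.0.2 host 192.0.2.2 eq 179
access-group dmz_in in interface dmz
access-group inside_in in interface inside
!
! The ASA randomizes TCP sequence numbers by default. The TCP MD5 signature
! that "neighbor ... password" adds covers the sequence numbers, so the
! rewritten segments fail authentication on the far end. Disable the
! randomization for the BGP session only.
access-list bgp_peers extended permit tcp host 10.0.0.2 host 192.0.2.2 eq 179
access-list bgp_peers extended permit tcp host 192.0.2.2 host 10.0.0.2 eq 179
class-map bgp_class
 match access-list bgp_peers
policy-map global_policy
 class bgp_class
  set connection random-sequence-number disable

! --- Vendor router (AS 65002) --- mirror of the core's neighbor statement
router bgp 65002
 neighbor 10.0.0.2 remote-as 65001
 neighbor 10.0.0.2 ebgp-multihop 2
 neighbor 10.0.0.2 password ExampleBgpSecret
!
ip route 10.0.0.2 255.255.255.255 192.0.2.1
```

Three things to check once the session is up. The firewall's TCP idle timeout has to be longer than the BGP hold time (here 90 seconds; the ASA default connection timeout is one hour), otherwise the state entry ages out between keepalives and the session flaps. If a device is ever inserted between the core and the firewall, raise the ebgp-multihop count to match, or on images that support it use `neighbor 192.0.2.2 ttl-security hops 2` instead, which rejects packets that have travelled further than expected rather than simply raising the TTL. And keep the ACL pinned to the two peer addresses and port 179; a broad "permit ip" toward the core is the bad practice here, not the BGP session itself. Dieg0M's alternative, terminating eBGP on a router in front of the firewall and carrying the routes inward with iBGP, avoids the multihop and sequence-randomization issues entirely at the cost of one more device.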
  • CodeBlox
    haha! It is!! I am the lead on this project and have a firm grasp of everything to be done but I wasn't sure at all on the firewall part (if it was bad practice to have a neighbor in a DMZ with the peer in the private network) lol!
  • VAHokie56
    Good luck with it; "don't break anything."