• Hello,

    We are trying to switch over from using all static routes to using some type of routing protocol. The issue that we are running into is one of convergence time when something changes. We currently use CARP for all of our gateways and are happy with the very fast changeover CARP has when an interface goes down. It is barely noticeable from a user perspective when a gateway has to change from one firewall to the other, and we would like to achieve this with a routing protocol.
    We are currently statically routing traffic to the appropriate VIP of the gateway. We tested OSPF and were not able to do this. When OSPF gets a route from another router it uses the IP of the interface it received the route from as the next hop, and we cannot seem to tell it to advertise another IP such as the CARP VIP.
    We also tested iBGP, since in BGP you can specify a next hop address to advertise, but we ran into some issues with it. When we would take down the active interface for the VIP, CARP would switch over, but BGP was not very consistent in how it switched. It would see the interface go down and remove the route from its table, and sometimes re-add it with the new interface and sometimes not. It was pretty consistent on the initial flip, but very inconsistent on the flip back.
    My question is how can we get routing with a routing protocol to converge as quickly as CARP does without using a bunch of static routes. We are currently doing most of our internal routing in pfSense, with a small amount in a couple of Cisco switches. Eventually it will all be in pfSense.


  • Hello there! In case you are going to run a dynamic routing protocol such as IGP-based OSPF or EGP-based BGP, you don't have to use CARP for failover. Failover functionality is built into dynamic routing protocols by design. So in your case, you have to configure both of your pfSense boxes to be neighbors to the LAN-side router or whatever other router you would like to exchange routes with. Then you have to configure a few other settings. For instance you can decrease Hello time & Dead time, tune metrics of routes for preferring one path over another, etc. As soon as one of your pfSense boxes fails, the routes forwarding traffic toward that router will be removed from the other neighbors' IP routing tables transparently and automatically, just as CARP does.

  • That makes total sense. The one issue is that the CARP VIPs that we have are being used as default gateway for systems in those networks though I guess if tuned right both could happen together.

  • But you said you are going to switch from static routes to dynamic routing protocols, right? At this point I guess it would be much better if you could elaborate more on the issue you are facing. Kindly let me know your thoughts.

  • We would like to keep the VIPs as they are used as the default gateways for our systems; this allows us to have failover without having to reconfigure DHCP or static IP settings on our machines in the event that a FW goes down. We also want to use dynamic routing between these networks. The ideal scenario would be to be able to route through the VIPs, but I am not sure if that is possible. The next best option would be to be able to tune the routing protocol to converge as quickly as CARP does in the event of a network change so that there is a minimal interruption in traffic. We see that CARP fails over very quickly, usually within a second, and would like routing to do the same.

  • You don't have to reconfigure any edge IP settings. End-user machines should be kept unchanged regarding IP settings. Dynamic routing protocols should be used ONLY between IP-based routing-aware devices. No need to change IP settings on end-user machines. Even after configuring OSPF or BGP as two neighbors, CARP still has to be active to fail over for machines that use it as their gateway. Did you get my point?

  • If you didn't get my point, then you have to make a diagram for your imaged setup ☺

  • Check the image. That is what I see about your setup. Correct it according to your needs and suggestions and let me know.

  • That is a reasonable approximation. I think where the issue comes in is that we also have CARP on the interfaces between routers and have a static route pointing to the VIP. We like the fast failover of CARP compared to the default for, say, OSPF. Is there any way to get OSPF to converge on a similar time frame? I imagine you could set the hello time to, say, 0.25 sec, but that seems like it would create a huge amount of hello traffic on those segments.

  • Yes, that is what I've been suggesting for a while: to replace CARP between routers with OSPF! Static routes, of course, should be removed because OSPF will take care of exchanging routes between the involved routers. Kindly, before thinking that way about the slowness of OSPF, perform a test in your environment and observe how well OSPF performs. Don't forget OSPF is being used in many huge enterprise networks all over the world!
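As an added example, not posted by anyone in this thread, the timer tuning suggested earlier and the hello-traffic concern raised above can be seen in one FRR ospfd configuration; it assumes FRR (the routing daemon behind the pfSense OSPF package), and the interface names, router ID, prefixes and key are placeholders.

```text
! FRR defaults: hello-interval 10 s, dead-interval 40 s. With those, a
! neighbor that goes silent is only declared down after 40 s, which is
! the slow convergence the thread is worried about.
!
! Tuned transit interface between the two firewalls (placeholder name).
interface em1
 description transit segment between the two firewalls
 ! 1 s hellos, neighbor declared dead after 4 missed hellos (4 s).
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ! Sub-second alternative: dead-interval fixed at 1 s, 4 hellos per
 ! second. Uncomment instead of the two lines above if 4 s is too slow.
 ! ip ospf dead-interval minimal hello-multiplier 4
 ! Authenticate hellos/LSAs so a rogue host on the segment cannot
 ! inject routes or force a neighbor down (placeholder key).
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_KEY
!
router ospf
 ospf router-id 10.0.0.1
 network 10.0.0.0/30 area 0
 network 192.168.10.0/24 area 0
 ! LAN segment where the CARP VIP stays the hosts' default gateway:
 ! advertise the prefix but do not form adjacencies with hosts there.
 passive-interface em0
 ! SPF throttle in ms: recompute 50 ms after a change, then back off
 ! (100 ms, doubling up to 5 s) so a flapping link cannot churn the RIB.
 timers throttle spf 50 100 5000
!
```

Hello and dead intervals must be identical on every router attached to a segment or the adjacency never forms, so apply the same values on both firewalls. Even at 4 hellos per second per router, each hello is on the order of 100 bytes, so a two-router transit segment carries well under 1 kB/s of hello traffic.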