How to set up BGP in HA

Hi,

I have a question about BGP in HA.
We have two CR1500iNG-XP (SFOS 15.01.0 MR-2) and two datacenter locations. One CR1500 is planned for each location. Each datacenter has its own ISP connection; BGP between them is possible. We have got one pair of fibers between the datacenters, to create a single (internal) connection between these datacenters.

Now my question: how to set up the CR1500s? We would like to have them in HA, but what's best practice to connect both the ISPs? Active-passive, or active-active? We don't need to use both the ISP connections at the same time, but it would be nice. We have got a public /27 IP range.

Take a look at the picture for a setup that I have in mind. In this scenario, the configuration has two interfaces with an ISP BGP peer configuration, but only one is connected. The Sophos is in active-passive state.

I am wondering if this is a good solution, or maybe there will be a better solution.

Greetings,
Twan Hermans



  • Hi,

    If my understanding is correct, you have one 1500 per Data-center and you are setting up the second one as a DR site. So the question I have for you is: are a.a.a.2 and b.b.b.2 terminating on the primary and auxiliary? If yes, HA is not going to work in the first place.

    You need to make sure both the firewalls have identical interface settings (including the IP addresses). You may need to set up the DR site without the HA for this to work, and you need to find another way to redirect the traffic to DR if the primary goes down.

    Thanks,
    Kranthi 

  • Hi Kranthi,

    Thanks for your reply. I guess I understand now why it will not work: it is because in the HA configuration we tell the Sophos to monitor two interfaces (p1 and p2) for failover conditions, so that's one (of the probably more) reason(s) why it will not work for us.

    Okay, so my idea will not work. Do you, or anyone else, have some suggestions about how to implement an HA cluster over two locations with our public IPs available at both sites?

    Greetings,

    Twan Hermans
