I am redesigning a network where there are two SRX650 firewalls at two different locations, each connecting externally to two different ISPs. Internally, the firewalls will be connecting to two EX core switches that comprise a routed core. I will be peering with each of the service providers using EBGP and want to control the outbound and inbound path of ALL Internet traffic. I plan to only accept a default route from each of my service providers. The default route will be advertised into my core switches via OSPF, so my internal network will have two routes out of the network.
Since these are firewalls, not routers, and they are not being clustered, I can't have traffic exiting through one ISP and entering via the other ISP. Asymmetric routing, even in a clustered firewall architecture, can be problematic, as I have learned painfully in the past.
I thought I could set the BGP local-preference to control the outbound path. If I set the local preference on the preferred ISP configuration to a number higher than 100, the firewalls should share this information via IBGP and make this the preferred outbound path. And, if I adjust the Community attribute via an export policy, I can control the inbound path that is used. In the past I have sent a community attribute of 70 to the least preferred ISP.
Could I alternatively manipulate the OSPF advertisements into my cores to make one default route preferred and use as-path prepend to control inbound routing? I want dynamic failover of the inbound and outbound path into and out of my network.
ISP1                                         ISP2
 |                                            |
 |                                            |
 |                                            |
SRX-----------------IBGP---------------------SRX
 |                                            |
OSPF                                         OSPF
 |                                            |
Core1----------------OSPF-------------------Core2
Regards,
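The outbound and inbound controls described in the question, expressed as Junos routing policies (an added example, not the poster's configuration; the prefix 203.0.113.0/24, the AS numbers 65000/65002, and the community value are placeholders):

```junos
policy-options {
    /* Accept only a default route from each ISP; local-preference above 100
       on ISP1 makes it the outbound path once both SRXs share routes via IBGP */
    policy-statement FROM-ISP1 {
        term default-only {
            from { route-filter 0.0.0.0/0 exact; }
            then { local-preference 200; accept; }
        }
        then reject;
    }
    policy-statement FROM-ISP2 {
        term default-only {
            from { route-filter 0.0.0.0/0 exact; }
            then { local-preference 90; accept; }
        }
        then reject;
    }
    /* Advertise our prefix to both ISPs; the copy sent to ISP2 carries the
       ISP's low-preference community and a longer AS path, so inbound prefers ISP1 */
    policy-statement TO-ISP1 {
        term our-prefix {
            from { route-filter 203.0.113.0/24 exact; }   /* placeholder prefix */
            then accept;
        }
        then reject;
    }
    policy-statement TO-ISP2 {
        term our-prefix {
            from { route-filter 203.0.113.0/24 exact; }
            then {
                community add ISP2-LOWPREF;
                as-path-prepend "65000 65000";         /* placeholder local AS */
                accept;
            }
        }
        then reject;
    }
    community ISP2-LOWPREF members 65002:70;           /* placeholder ISP2-AS:70 */
    /* Redistribute the selected BGP default into OSPF for the core switches;
       the backup SRX would use the same policy with a higher metric */
    policy-statement DEFAULT-TO-OSPF {
        term bgp-default {
            from { protocol bgp; route-filter 0.0.0.0/0 exact; }
            then { metric 10; accept; }
        }
        then reject;
    }
}
```

Apply FROM-ISPx and TO-ISPx as the import and export policies on the matching external BGP group, and DEFAULT-TO-OSPF as the export policy under protocols ospf; if the firewalls' IBGP session drops, each SRX falls back to its own EBGP default, which is the asymmetric case the question warns about.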