[j-nsp] ISG dropping BGP Keepalives
Jason Dearborn
jasondearborn at gmail.com
Wed Apr 29 18:52:10 EDT 2009
I'm evaluating an ISG 2000 and running into a problem when trying to
insert the firewall between two BGP-speaking peers. For purposes of
port scarcity on the edge as well as to minimize physical topology
changes during the evaluation, I'd like to do this in a single-armed
configuration off the core using link aggregates and sub-interfaces.

When the firewall is in single-armed mode, BGP keepalives for sessions
that traverse the firewall appear to be filtered out, resulting in
session flapping. If I put the firewall in a two-armed configuration,
BGP sessions traversing the firewall are stable.

Policies are all set to "allow any any".

Example:

FAIL: peer1 -> ISG_eth2.1 -> ISG_ethe2.2 -(L2 via peer1)-> peer2
SUCCESS: peer1 -> ISG_ethe2.1 -> ISG_ethe3.1 -> peer2

JTAC has been slow to respond and fairly unhelpful so far.

I'm happy to send a simple arch diagram or further clarification to
off-list replies.

Thanks,
Jason Dearborn