    VyOS - Best practices and questions

Category: IT Discussion
Tags: vyos, edge device, virtual machine
18 posts, 5 posters, 3.1k views
scottalanmiller @DustinB3403

@DustinB3403 said in VyOS - Best practices and questions:

> @scottalanmiller That is what I assumed as well (bonded or teaming), and the only way to do that is to dedicate the interfaces for that purpose.
>
> No way around it, right?
>
> It's not as if you'd team every interface on a server into a single "team" and then dole out the single interface from that, to be the external, internal and whatever else you might need.

No, and you can't really team above four interfaces, anyway.

DustinB3403

So the next question I have is what if you lost your host, how would you set up the routing for a second firewall to take over and start routing the traffic?

Or a better question, what would be the best way to set up fail-over to another firewall?

Dashrender

Wow - these are really high end business questions.

I only have one firewall in my office, I've never had more. Perhaps considering costs of the ER series it might be worth considering a cold spare on the shelf for just such a situation.

In most of our cases here, I would assume a single LAN interface would be sufficient. If it fails, you log into the host and reconfigure it for a new LAN connection to the outside.

As for the inside, why would it need a dedicated port out of the box? Again, in most of our cases the vSwitch will probably be on the same network as everything else on the network, so you point the inside interface at that vSwitch, and the vSwitch has a bonded/teamed pair of LAN connections.

Of course, if you're a huge company or can't afford downtime (as in really can't and it's worth the spend to not have any), then money isn't the issue, and you can afford to do what is required for a higher level of up time.

scottalanmiller @DustinB3403

@DustinB3403 said in VyOS - Best practices and questions:

> So the next question I have is what if you lost your host, how would you set up the routing for a second firewall to take over and start routing the traffic?

Simple answer is... set it to the IP address of the first one in case of failure.

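The answer above (a second firewall taking over the first one's address when it fails) is what VRRP does, and VyOS supports it natively, although nobody in the thread names it. The configuration below is an added example, not something posted by anyone here: it follows the layout Jared describes further down (eth0 alone on a dedicated WAN vSwitch, eth1 on the shared LAN vSwitch), assumes that WAN vSwitch reaches both hosts, and uses made-up addresses, group names and VRIDs. It is written in the VyOS 1.2+ `set high-availability vrrp` syntax.

```text
# --- primary firewall VM (host A) ---
# eth0 is the only interface on the dedicated WAN vSwitch; eth1 sits on the shared LAN vSwitch
set interfaces ethernet eth0 description 'WAN uplink (dedicated vSwitch)'
set interfaces ethernet eth0 address '203.0.113.11/29'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 address '192.168.1.2/24'

# the gateway address clients use is a virtual address owned by whichever VM is MASTER
set high-availability vrrp group LAN vrid '10'
set high-availability vrrp group LAN interface 'eth1'
set high-availability vrrp group LAN virtual-address '192.168.1.1/24'
set high-availability vrrp group LAN priority '200'

# the ISP-facing address floats the same way, so the surviving VM keeps the WAN IP
set high-availability vrrp group WAN vrid '20'
set high-availability vrrp group WAN interface 'eth0'
set high-availability vrrp group WAN virtual-address '203.0.113.10/29'
set high-availability vrrp group WAN priority '200'

# tie both groups together: if only the WAN NIC dies, the LAN gateway fails over with it,
# so a NIC failure is handled locally instead of waiting for the ISP to notice anything
set high-availability vrrp sync-group FW member 'LAN'
set high-availability vrrp sync-group FW member 'WAN'

# --- standby firewall VM (host B) ---
# identical groups and virtual addresses, its own interface addresses, lower priority
set interfaces ethernet eth0 address '203.0.113.12/29'
set interfaces ethernet eth1 address '192.168.1.3/24'
set high-availability vrrp group LAN vrid '10'
set high-availability vrrp group LAN interface 'eth1'
set high-availability vrrp group LAN virtual-address '192.168.1.1/24'
set high-availability vrrp group LAN priority '100'
set high-availability vrrp group WAN vrid '20'
set high-availability vrrp group WAN interface 'eth0'
set high-availability vrrp group WAN virtual-address '203.0.113.10/29'
set high-availability vrrp group WAN priority '100'
set high-availability vrrp sync-group FW member 'LAN'
set high-availability vrrp sync-group FW member 'WAN'
```

After committing on both VMs, `show vrrp` should report one MASTER and one BACKUP per group; NAT and firewall rules, which both VMs need identically, are left out here.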
JaredBusch @DustinB3403

@DustinB3403 said in VyOS - Best practices and questions:

> However the question I have is would you dedicate a physical interface on your hypervisor to be the external edge for this? And then dedicate another interface to be the internal edge?

Obviously dedicating one to the external interface and associated vSwitch is required for security. It keeps the WAN IP off of everything except the VM that is supposed to see it.

Why do something on the LAN though? All that does is make you go through a wire for other virtual machines also on the LAN. Instead they could use the native vSwitch bus and get higher speeds internally because it never goes over the wire.

@DustinB3403 said in VyOS - Best practices and questions:

> What happens if you lose that external or internal interface? How would you set up fail-over for the physical interfaces?

What happens when you lose your physical edge device now? You are down until you replace it. That it is virtualized has no bearing on the actions that need to happen. A virtualized system can allow you to mitigate downtime with hardware redundancy, but why waste money on more NICs?

DustinB3403 @JaredBusch

@JaredBusch The question was asked because we have BGP set up by our ISPs and I was curious if there was a reasonable way to do so internally.

Which would be iBGP apparently.

JaredBusch @DustinB3403

@DustinB3403 BGP should have nothing to do with you or any system you have on your network. That is something maintained by the ISP for their traffic. At most they will make iBGP routes for your subnets if you are connecting more than one facility through their network.

I would not want to be the ISP that lets my clients set up their own BGP routing rules.

DustinB3403 @JaredBusch

@JaredBusch But you can have internal BGP, which was what I was trying to figure out.

As the scenario is given, if I have multiple ISPs feeding 1 site for fail-over reasons and I wanted to have separate firewalls, what would I have to use?

And the answer is iBGP.

DustinB3403

It wasn't a question of what your internal IT team or even network administrator may configure, but a question of what would have to be configured.

Where I am currently we have 2 ISPs feeding two separate firewalls, and the traffic from these LANs goes out their respective firewalls, unless either firewall goes offline, in which case the traffic is forwarded to the other network and then heads out from there.

But this occurs at the ISP level, and not at all at our local firewall. The ISP is checking to see if the internal firewalls are online, and if not they reroute the traffic.

NerdyDad

Here is what I would suggest.

[attached diagram: Blank Diagram - Page 1.png]

If you're already using VMware, check to see if you're using Ent+. If so, you could replicate the vSwitches across both hosts. Also, you could replicate the VyOS VM from your active host to your passive host for a level of redundancy. I would also suggest an unmanaged switch outside of your firewall for another level of redundancy. However, this may also prove to be a security risk as well.

JaredBusch @DustinB3403

@DustinB3403 said in VyOS - Best practices and questions:

> @JaredBusch But you can have internal BGP, which was what I was trying to figure out.

BGP has nothing to do with the topic as posted.

DustinB3403

I think BGP has to do intricately with the OP; just because I wasn't aware of BGP as the technology used doesn't mean it wasn't what I was trying to figure out.

It's literally the last question in the OP: what do you do if you lose the physical interface for fail-over? Answer: Use BGP.

Dashrender @DustinB3403

@DustinB3403 said in VyOS - Best practices and questions:

> I think BGP has to do intricately with the OP; just because I wasn't aware of BGP as the technology used doesn't mean it wasn't what I was trying to figure out.
>
> It's literally the last question in the OP: what do you do if you lose the physical interface for fail-over? Answer: Use BGP.

Uh - no. That assumes the ISP is what failed, not the NIC that failed on the firewall. Those are two different things.
