OSPF default gateway path design question

Aug 15th, 2007
I have a situation where I would like to manipulate how the traffic flows in an OSPF area of 3 devices connected via ethernet.


I have a CSS that is configured in one-armed config and it cannot be set up in any other logical layout. It is not configured with OSPF, but it has the capability.


OSPF is configured on the PIXs and the edge router. All devices are in the same subnet. The edge router is distributing the default gateway from the edge router serial interface BGP into OSPF then to both PIX firewalls.


It has to stay dynamic for our failover scenarios.


When inbound traffic is destined for the servers it arrives on the edge router and is sent to the CSS service addresses via the ethernet and is redirected to either PIX depending on which server is active, this is all working.


The problem is when the servers initiate a connection, the OSPF distributed default gateway sends the traffic directly to the router and the NAT address is from the PIX and not the CSS VIP address, which is what I want.


I would like the traffic to go to the CSS first, then back out the ethernet to the edge router, then to the Internet.


Can OSPF be configured to do this?


Is there any problem associated in doing this?


Any input would be greatly appreciated.



sundar.palaniappan Wed, 08/15/2007 - 15:39

I don't have much experience with CSS to suggest the optimal solution in your case. But if all that you are trying to do is to force the server initiated traffic to go to CSS before the edge router processes those packets then you can do policy routing on the edge router.


On the edge router's inside interface you can match the traffic sourced from the server outside (NATted by PIX) address and send it back out the same interface to the CSS. CSS can then use its address as the source and send it over to the edge router to be forwarded out wherever it needs to go.


HTH


Sundar
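The policy-routing approach Sundar describes, written out as an added IOS configuration example (not from the thread or from any of the posters). The addresses and the interface name are placeholders: the PIX outside NAT address, the CSS VIP and the edge router's inside interface are assumed to share one subnet, as the question states.

```ios
! Added example, not from the original thread. Placeholder values:
!   192.0.2.10       - PIX outside NAT address used by the servers (assumed)
!   192.0.2.20       - CSS VIP / service address on the same subnet (assumed)
!   192.0.2.1        - edge router inside interface address (assumed)
!   FastEthernet0/0  - edge router inside interface on the shared ethernet (assumed)
!
! Match only packets whose source is the PIX NAT address. Packets that come
! back from the CSS carry the CSS VIP as source, so they do not match and are
! forwarded normally; this is what keeps the design from looping.
ip access-list extended SERVER-NAT-OUT
 permit ip host 192.0.2.10 any
!
! Policy-route matching packets back out the same interface to the CSS VIP.
! Anything that does not match the route-map follows the normal routing
! table, including the OSPF-learned default.
route-map TO-CSS permit 10
 match ip address SERVER-NAT-OUT
 set ip next-hop 192.0.2.20
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip policy route-map TO-CSS
 ! The next hop is on the ingress interface, so suppress ICMP redirects
 ! to the PIX; otherwise the PIX may learn to bypass the router and the CSS.
 no ip redirects
```

Policy-map hits can be checked with `show route-map TO-CSS`; if the counter for clause 10 does not increase while the servers send traffic, the ACL source address does not match what the PIX is actually NATting to.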

Edison Ortiz Wed, 08/15/2007 - 17:09

I believe the easiest way to implement what you are asking for is:


1) PIX should have a default route to the VIP's CSS.


2) CSS should have network routes back to the PIX and a default route to the edge router.


3) Edge router will continue to run its BGP but instead of learning from the internal network via OSPF, it should rely on static routing as well with network routes pointing to the VIP's CSS.


HTH,



wilson_1234_2 Thu, 08/16/2007 - 05:49
Thanks for the reply.


The PIX is configured with "default information-originate" and advertises the default route to the core network.


Also, the default route that the edge router learns from BGP is distributed into OSPF and advertised to the PIX firewalls.


The core network gets the default route originating from BGP, to the PIX firewalls, to the 6509 core switches.


When we lose the Internet connection at HQ site, the default route flips to the router on the edge of our MPLS network to the DR site which is configured with a higher AD.


Then all traffic bound for Internet goes out DR Internet edge router.


I am thinking I cannot statically route the default on the PIXs because I will lose the dynamic default route change when we lose HQ Internet.



sundar.palaniappan Thu, 08/16/2007 - 15:35

You can use the static route using object tracking feature to have the PIX remove the static default route if the upstream router/address is unreachable. This way you could make the traffic failover to the DR link when the primary link to the provider network goes down. Have a look at this link.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml


HTH


Sundar
