Hi All,
I have two 4506 switches holding 6 L3 VLANs, with downlinks to 6 user access segment switches and uplinks to 2 firewalls. I am running HSRP on each VLAN for gateway redundancy: 3 VLANs will have higher priority on switch A and 3 VLANs will have higher priority on switch B. IP traffic for 3 VLANs will go via FW1 and for the other 3 VLANs should go via FW2. I need to enable OSPF between the inside interfaces of both firewalls and both 4506 switches, so that both firewalls know the routes for all 6 VLANs.
Kindly let me know whether I can have the same 6 network commands configured on both 4506 switches under the router OSPF process, so that each can learn the routes correctly for the corresponding VLAN.
Inter Vlan 1 : 192.168.1.0/23
Inter Vlan 2 : 192.168.3.0/23
Inter Vlan 3 : 192.168.5.0/23
Inter Vlan 4 : 192.168.7.0/23
Inter Vlan 5 : 192.168.9.0/23
Inter Vlan 6 : 192.168.11.0/23
Interface IP addresses
FW1 - SWA : 172.16.1.0/30
FW2 - SWB : 172.16.1.4/30
SWA-SWB : 172.16.1.8/30
My VLANs 1-3 will have higher HSRP priority on switch A and push traffic to FW1.
My VLANs 4-6 will have higher HSRP priority on switch B and push traffic to FW2.
If my FW1 device or link fails, FW2 should route traffic for all 6 networks, and vice versa.
If my 4506 switch A fails, switch B should carry all 6 VLANs' traffic, and vice versa.
Help me with the OSPF commands between the switches along with redundancy.
I agree with Jon that something is not convincing in this design:
If you want to run the FWs standalone, the LANFO cable present in your diagram is not needed.
If you want to run the FWs in independent mode, you need to ensure symmetric routing.
HSRP influences what gateway is used by end user hosts. STOP.
To ensure that traffic comes back at the same FW --- core switch column, you need to play with OSPF metrics on the client VLANs.
For example, let's assume that the default cost is one: with no changes, and if there is no common subnet between the two core switches and the two FWs, each FW will use the neighboring SW as the next hop for the client VLANs; using the other one means going from core1 to core1, so adding cost 1+1.
That is, your architecture could work if all traffic flows are started from the client VLANs to the outside.
To ensure symmetry of path, the border router has to use FW1-Core1 for the even VLAN IP subnets and FW2-Core2 for the odd VLAN subnets.
On core1 you need to increase the OSPF metric for the odd VLANs:
int vlan Y
 ip ospf cost 100
with Y = 2*k+1, k = 0,1,2,3...
On core2 you need to increase the OSPF metric for the even VLANs:
int vlan Z
 ip ospf cost 100
with Z = 2*k, k = 0,1,2,3...
This would provide symmetry on the return path in the normal scenario.
However, if one path fails, all traffic is going to be processed by only one firewall.
That firewall works in a stateful manner: that is, it doesn't allow a TCP session that is already established; it needs to see the TCP handshake.
This would cause an impact on traffic, and all diverted TCP sessions are stopped.
For this reason the usual deployment is to use two FWs in a failover pair, so that the standby FW is kept informed of what TCP sessions are active and the switchover is smooth in comparison to the previous case.
You may need to review your design.
Hope to help
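The OSPF cost scheme described in the reply above, written out as IOS configuration for the two 4506 cores. This is an added example, not the poster's or the reply author's configuration: it assumes routed ports Gi1/1 (toward the firewall) and Gi1/2 (toward the other core), the /30 addressing from the original post, the even/odd VLAN split from the reply, default link cost 1, and it adds passive-interface on the client SVIs so that no OSPF adjacencies can form toward the user access segments.

```cisco
! SWA (core1): carries the EVEN client VLANs toward FW1 (172.16.1.0/30)
interface GigabitEthernet1/1
 description to FW1 inside
 no switchport
 ip address 172.16.1.1 255.255.255.252
interface GigabitEthernet1/2
 description to SWB
 no switchport
 ip address 172.16.1.9 255.255.255.252
! odd VLAN SVIs advertised with a worse cost: FW1 reaches them via SWB
! (cost 1+1+1) and falls back to SWA (cost 1+100) only if that path fails
interface Vlan1
 ip ospf cost 100
interface Vlan3
 ip ospf cost 100
interface Vlan5
 ip ospf cost 100
router ospf 1
 router-id 172.16.1.1
 ! no adjacencies toward the user access segments, only on the transit links
 passive-interface default
 no passive-interface GigabitEthernet1/1
 no passive-interface GigabitEthernet1/2
 ! the three /30 transit links and the six client VLAN ranges
 network 172.16.1.0 0.0.0.15 area 0
 network 192.168.0.0 0.0.15.255 area 0
!
! SWB (core2): mirror image, penalise the EVEN VLANs instead
interface GigabitEthernet1/1
 description to FW2 inside
 no switchport
 ip address 172.16.1.5 255.255.255.252
interface GigabitEthernet1/2
 description to SWA
 no switchport
 ip address 172.16.1.10 255.255.255.252
interface Vlan2
 ip ospf cost 100
interface Vlan4
 ip ospf cost 100
interface Vlan6
 ip ospf cost 100
router ospf 1
 router-id 172.16.1.10
 passive-interface default
 no passive-interface GigabitEthernet1/1
 no passive-interface GigabitEthernet1/2
 network 172.16.1.0 0.0.0.15 area 0
 network 192.168.0.0 0.0.15.255 area 0
```

Verify with `show ip route ospf` on each firewall that the even /23s resolve via 172.16.1.1 and the odd /23s via 172.16.1.5; the HSRP priorities on the SVIs must follow the same even/odd split, otherwise the outbound and return paths still diverge.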
Hi Jon,
Thanks for the reply. I have a default route on the outside interface of my ASA pointing to the ISP router; similarly, for the inside network I want to run OSPF between the ASA and the switches so that my ASA can learn about the 6 internal networks. If I am wrong here, suggest to me which method will give me HA for the networks along with stateful failover.
If you want stateful failover you need to
1) connect the ASA firewalls to the 4500s on a common vlan
2) configure the ASA firewalls to be active/standby - this means all traffic will go to one ASA and if it fails it goes to the other
3) You can run OSPF between your ASAs and 4500s, but be aware that the standby firewall does not get any routes until the active fails, so there is a delay. You may well be better off just using static routes on the 4500s pointing to the virtual address of the ASAs
4) If you did use static route(s) on the 4500s then you would need static routes on the ASAs for the internal networks hanging off your 4500s.
If you don't like the idea of statics then, as I say, run OSPF between them and propagate a default route back from the ASAs to the 4500s.
This is the only way to get stateful failover between the firewalls, i.e. you cannot run them independently. Active/active on the ASAs is misleading because it is actually active/standby per context, and you only have one context by the looks of it.
Edit - re point 2. If you have HSRP active gateways split between 4500s because you only have one active firewall it does mean that the interconnect between the 2 4500s will get used a lot for internet traffic so make sure you size it accordingly.