OSPF Help

Answered Question
Jan 21st, 2010

Hi All ,

I have 2 nos. of 4506 switches holding 6 L3 VLANs, connecting downlink to 6 nos. of user access segment switches and uplink to 2 firewalls. I am running HSRP on each VLAN for gateway redundancy: 3 VLANs will have higher priority on switch A and 3 VLANs will have higher priority on switch B. IP traffic for 3 VLANs will go via FW1 and for the other 3 VLANs should go via FW2. I need to enable OSPF between both firewall inside interfaces and both 4506 switches, so that both firewalls know the routes for all 6 VLANs.

Kindly let me know whether I can have the same 6 network commands configured on both 4506 switches in the router OSPF process, so that it can learn routes clearly for the corresponding VLAN.

Inter Vlan 1 : 192.168.1.0/23

Inter Vlan 2 : 192.168.3.0/23

Inter Vlan 3 : 192.168.5.0/23

Inter Vlan 4 : 192.168.7.0/23

Inter Vlan 5 : 192.168.9.0/23

Inter Vlan 6 : 192.168.11.0/23

Interface IP addresses

FW1 - SWA : 172.16.1.0/30

FW2 - SWB : 172.16.1.4/30

SWA-SWB :   172.16.1.8/30

My Vlan 1-3 will have higher HSRP priority on switch A and push traffic to fw1

My Vlan 4-6 will have higher HSRP priority on switch B and push traffic to fw2

If my FW1 device or link fails, FW2 should route traffic for all 6 networks, and vice versa.

If my 4506 switch A fails, switch B should carry all 6 VLANs' traffic, and vice versa.

Help me with the OSPF commands between the switches along with redundancy.

Jon Marshall Thu, 01/21/2010 - 09:57

Just to clarify - are your ASA firewalls running independently of each other or are they in failover mode? If they are in failover mode and it is active/standby or active/active with one context then you can't send some traffic to one firewall and some to the other, ie. only one firewall can be active at any one time. Could you confirm?

Also what exact help do you need with OSPF config ?

Jon

SANTHOSHKUMAR S... Thu, 01/21/2010 - 10:39

Hi Jon ,

Both my firewalls are running independently. My doubt here is that all 6 VLANs are connected VLANs on both switches. If I am enabling OSPF between both switches and the FWs,

if my FW2 fails, how will my IP traffic for VLAN 4 - VLAN 6 pass through firewall 1? Do I need to decrement the HSRP priority, or will OSPF automatically take the traffic for VLAN 4 - VLAN 6?

Similarly, let me know how to configure Active/Active mode for the FW with contexts. Thank you

Jon Marshall Thu, 01/21/2010 - 10:51

sanvaishu wrote:

Hi Jon ,

Both my firewalls are running independently. My doubt here is that all 6 VLANs are connected VLANs on both switches. If I am enabling OSPF between both switches and the FWs,

if my FW2 fails, how will my IP traffic for VLAN 4 - VLAN 6 pass through firewall 1? Do I need to decrement the HSRP priority, or will OSPF automatically take the traffic for VLAN 4 - VLAN 6?

Similarly, let me know how to configure Active/Active mode for the FW with contexts. Thank you

There are a few things getting mixed up here.

If your firewalls are running independently, why do you have a failover link between them?

Let's assume for the moment you do have independent firewalls. How are you propagating routes back to the 4500s from the ASA firewalls, ie. are you sending a default route from each ASA to the firewall? And how are you configuring the links between the 4500s and the ASAs? As Giuseppe mentioned, if you want to run as failover then it has to be a common vlan between the 4500s and the ASAs.

If the firewalls really are independent then you could use L3 routed links. But bear in mind that there will be no stateful failover if the traffic has to switch from one firewall to another.

Why are you running independent firewalls?

Jon

SANTHOSHKUMAR S... Thu, 01/21/2010 - 11:02

Hi Jon ,

Thanks for the reply. I have a default route on the outside interface of the ASA pointing to the ISP router; similarly for the inside network I want to run OSPF between the ASA and the switches so that my ASA can learn about the 6 internal networks. If I am wrong here, suggest to me which method will give me HA for the networks along with stateful failover.

Correct Answer
Jon Marshall Thu, 01/21/2010 - 11:08

sanvaishu wrote:

Hi Jon ,

Thanks for the reply. I have a default route on the outside interface of the ASA pointing to the ISP router; similarly for the inside network I want to run OSPF between the ASA and the switches so that my ASA can learn about the 6 internal networks. If I am wrong here, suggest to me which method will give me HA for the networks along with stateful failover.

If you want stateful failover you need to

1) connect the ASA firewalls to the 4500s on a common vlan

2) configure the ASA firewalls to be active/standby - this means all traffic will go to one ASA and if it fails it goes to the other

3) You can run OSPF between your ASAs and 4500s but be aware that the standby firewall does not get any routes until the active fails so there is a delay. You may well be better off just using static routes on the 4500s pointing to the virtual address of the ASAs

4) If you did use static route(s) on the 4500s then you would need static routes on the ASAs for the internal networks hanging off your 4500s.

If you don't like the idea of statics then, as I say, run OSPF between them and propagate a default route back from the ASAs to the 4500s.

This is the only way to get stateful failover between the firewalls ie. you cannot run them independently. Active/active on the ASAs is misleading because it is actually active/standby per context and you only have one context by the looks of it.

Edit - re point 2. If you have HSRP active gateways split between 4500s because you only have one active firewall it does mean that the interconnect between the 2 4500s will get used a lot for internet traffic so make sure you size it accordingly.

Jon

Giuseppe Larosa Thu, 01/21/2010 - 10:30

Hello Sainvashu,

>> Kindly let me know whether I can have the same 6 network commands configured on both 4506 switches in the router OSPF process, so that it can learn routes clearly for the corresponding VLAN

you can have multiple network ... area commands under the router ospf process:

  router ospf 10
   ! wildcard 0.0.1.255 matches each /23 client subnet
   network 192.168.1.0 0.0.1.255 area X
   network 192.168.3.0 0.0.1.255 area X
   network 192.168.5.0 0.0.1.255 area X
   network 192.168.7.0 0.0.1.255 area X
   ....

you can put them in an area X, or you can also put them in area 0

(note X stands for a number or a dotted-decimal number that is an area-id)

In any case you need a network ... area command for the IP subnet(s) in common with the firewalls to build the OSPF adjacency.

for example:

   network 192.168.20.0 0.0.0.255 area 0

Note that return traffic can be sent to the other core switch without any real issue.

Traffic from client vlans to core switches to FW will follow HSRP priorities.

If you use OSPF, HSRP is not needed towards the FWs.

However, as Jon has noted if your firewalls act as a failover pair only one of them will be active at any given time.

A common IP subnet is needed and the corresponding vlan has to be permitted on the L2 trunk between the two core switches.

In your diagram I see LANFO label for a cable between the two ASA.

Hope to help

Giuseppe

SANTHOSHKUMAR S... Thu, 01/21/2010 - 10:54

Hi Giu ,

yes, I need to have all 6 network commands on both switches.

As per your comments:

Traffic from client vlans to core switches to FW will follow HSRP priorities.

If you use OSPF, HSRP is not needed towards the FWs.

If my FW2 device fails here, will my traffic for VLAN 4 - VLAN 6 be redirected automatically? My doubt here is that, though I have higher priority for VLAN 4 - VLAN 6, my traffic will come to SWB and get dropped there. Am I correct here? Similarly, if I remove HSRP, how can I achieve gateway redundancy for the VLANs?

Correct Answer
Giuseppe Larosa Thu, 01/21/2010 - 11:14

Hello Sanvaishu,

I agree with Jon that something is not convincing in this design:

if you want to run the FWs in standalone the LANFO cable present in your diagram is not needed.

If you want to run the FWs in independent mode you need to ensure symmetric routing.

HSRP influences what gateway is used by end user hosts. STOP.

to ensure that traffic comes back at the same FW --- core switch column you need to play with OSPF metrics on the client vlans.

for example let's assume that the default cost is one: with no changes, and if there is no common subnet between the two core switches and the two FWs, each FW will use the neighboring SW as the next-hop for client vlans: using the other one means going from core1 to core2, so adding cost 1+1.

That is, your architecture could work in case all traffic flows are started from the client vlans to the outside.

to ensure symmetry of path the border router has to use FW1-Core1 for even vlans' IP subnets and FW2-Core2 for odd vlans' subnets.

on core1 you need to increase the OSPF metric for odd vlans:

  interface vlan Y
   ip ospf cost 100

with Y = 2*k+1, k=0,1,2,3...

on core2 you need to increase the OSPF metric for even vlans:

  interface vlan Z
   ip ospf cost 100

with Z = 2*K, K=0,1,2,3...

This would provide symmetry on return path on normal scenario.

However, if one path fails all traffic is going to be processed by only one firewall.

That firewall works in a stateful manner: that is, it doesn't allow a TCP session that is already established; it needs to see the TCP handshake.

This would cause an impact on traffic and all diverted TCP sessions are stopped.

For this reason the usual deployment is to use two FWs in a failover pair so that standby FW is kept informed of what TCP sessions are active and switchover is smooth in comparison to previous case.

You may need to review your design.

Hope to help

Giuseppe
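Added example (not from the thread, nor Cisco code): a small Python model of the topology Giuseppe describes, with assumed node names, that runs Dijkstra from the border router and reports which firewall(s) carry the return path to each VLAN. With default costs both firewalls tie (ECMP, so a return flow can land on the firewall that never saw the SYN); with cost 100 on the odd-VLAN SVIs of core1 and the even-VLAN SVIs of core2 the return path is deterministic; and with FW2 removed everything funnels through FW1, the case where the stateful firewall drops the diverted sessions.

```python
import heapq

# Constructed model of the thread's design (assumed node names): border router
# above standalone FW1/FW2, FW1 on core1, FW2 on core2, cores linked, six
# client VLAN subnets advertised by both cores. Every link costs 1.
VLANS = [f"vlan{n}" for n in range(1, 7)]
def build_graph(core1_svi_cost, core2_svi_cost, fw2_up=True):
    # *_svi_cost: {vlan: 'ip ospf cost' on that core's SVI};
    # fw2_up=False models FW2 (or its uplink) failing.
    g = {}
    def link(a, b):
        g.setdefault(a, {})[b] = 1
        g.setdefault(b, {})[a] = 1
    link("border", "fw1")
    if fw2_up: link("border", "fw2")
    link("fw1", "core1"); link("fw2", "core2"); link("core1", "core2")
    for v in VLANS:  # both cores advertise every VLAN subnet
        g[v] = {}
        g["core1"][v] = core1_svi_cost.get(v, 1)
        g["core2"][v] = core2_svi_cost.get(v, 1)
    return g
def shortest_paths(g, src):
    # Dijkstra keeping every equal-cost predecessor, as OSPF ECMP would.
    dist, preds, pq = {src: 0}, {src: set()}, [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]: continue
        for v, c in g[u].items():
            if d + c < dist.get(v, float("inf")):
                dist[v], preds[v] = d + c, {u}
                heapq.heappush(pq, (d + c, v))
            elif d + c == dist[v]:
                preds[v].add(u)
    return dist, preds
def firewalls_used(g, vlan):
    # Firewalls on any best path border -> vlan. Two entries means ECMP,
    # i.e. return traffic may land on the firewall that never saw the SYN.
    _, preds = shortest_paths(g, "border")
    todo, seen = [vlan], set()
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(preds.get(n, ()))
    return seen & {"fw1", "fw2"}
def split_costs(cost=100):
    # Giuseppe's tweak: odd VLANs expensive on core1, even VLANs on core2.
    odd = [v for v in VLANS if int(v[4:]) % 2]
    return {v: cost for v in odd}, {v: cost for v in VLANS if v not in odd}
```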
