Is there something else like HSRP but that can be use on a L3 core?

tunderx_cisco
Level 1

Hello

I have been asked to find an alternative way to load balance the traffic because we would like to replace our network topology from L2 to L3, but I don't know if it's possible.

So I will try to explain first how we have the network topology. Let's say that we have 5 buildings that are interconnected using L3 switches; also we have 2 ASR that operate as Internet Gateways and are located in two different buildings. We use HSRP between those 2 ASR to create 2 virtual IPs, and in order to load balance the traffic all the firewalls in the other buildings have different gateways configured. I hope the next image explains what I said:

We would like to remove the VLAN and use only IP address and OSPF, but also I would like to keep the configuration on the firewalls unless there is no other way.

Does anybody know an alternate protocol that works like HSRP but can be used on a L3 core? A few hours ago I heard about Locator ID Separation Protocol (LISP), so I will start to read about it, but if you know something else that should work I would really appreciate it.

Regards

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Tunderx_cisco,

you need to be consistent in your network design.

Current design works because a common Vlan is propagated between all the 5 building switches and connects also the firewalls and the two ASR1001 that are your exit points.

If you want to remove this backbone Vlan and use OSPF between the 5 building switches and the two ASR1001 you can do it, but be prepared that you need also the following:

a) the two ASR1001 have to generate an OSPF default route 0.0.0.0/0 with an LSA type 5. Being two exit points you should use OSPF External type 1 (external metric is comparable to internal metric) in the generation of the two default route LSAs. Use the same seed metric of 50 from both ASR1001 (the metric of the LSA itself).

b) Move all the inter building links to OSI layer3, assign /30 IPv4 subnets and run OSPF over it.

c) Run OSPF also on the firewalls on the link to the neighboring L3 building switch, and have them learn about the default route from OSPF, two LSAs will be received with equal external cost 50, but being type 1 (O E1) each firewall will use the nearest ASBR ASR1001 as its exit point, because internal OSPF metric to reach the ASBR is summed to the external metric with type 1.

The design presented above is a consistent L3 design that works.

In fact the firewall on the left of your picture will send the traffic to the ASR1001 on the left being the nearest ASBR from its point of view (OSPF SPF calculation). The firewall on the right will send traffic to the ASR1001 on the right for the same reason.

You cannot mix the current design with a L3 design, so you cannot keep the static routes on the firewalls because if you remove the backbone Vlan the ASR1001 will be some router hops away from the firewalls.

Hope to help

Giuseppe
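To show why step c) ends with each firewall using its nearest ASBR, here is an added example (not from this thread or any Cisco device) that runs a small SPF over a constructed chain of five building switches, two ASBRs both originating 0.0.0.0/0 as O E1 with seed metric 50, and three firewalls. All node names and link costs are assumptions; it also covers the edge case the thread does not mention, a firewall exactly mid-way that ends up with two equal-cost exits.

```python
import heapq
from collections import defaultdict

# Constructed topology (assumption, not the poster's real network):
# SW1..SW5 form a chain of /30 inter-building links with OSPF cost 10 each,
# ASR_L and ASR_R are the two ASBRs, FW1..FW3 hang off building switches
# over cost-1 links. (node_a, node_b, ospf_cost)
LINKS = [
    ("ASR_L", "SW1", 1), ("ASR_R", "SW5", 1),
    ("SW1", "SW2", 10), ("SW2", "SW3", 10),
    ("SW3", "SW4", 10), ("SW4", "SW5", 10),
    ("FW1", "SW2", 1), ("FW2", "SW4", 1), ("FW3", "SW3", 1),
]
ASBRS = ["ASR_L", "ASR_R"]
SEED_METRIC = 50  # both ASBRs originate 0.0.0.0/0 with the same seed metric


def spf(links, root):
    """Dijkstra from root, i.e. the intra-area SPF run: {node: internal cost}."""
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale queue entry
        for nxt, cost in adj[node]:
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist


def e1_exit_choice(links, router, asbrs, seed=SEED_METRIC):
    """O E1 cost = seed metric + internal cost to the ASBR (RFC 2328 type-1).
    Returns (best_total_cost, [chosen ASBRs]); more than one means ECMP."""
    dist = spf(links, router)
    totals = {asbr: seed + dist[asbr] for asbr in asbrs}
    best = min(totals.values())
    return best, sorted(a for a, c in totals.items() if c == best)


if __name__ == "__main__":
    for fw in ("FW1", "FW2", "FW3"):
        cost, exits = e1_exit_choice(LINKS, fw, ASBRS)
        print(f"{fw}: default route via {exits} at O E1 cost {cost}")
```

FW3 sits at equal internal distance from both ASBRs, so it installs both defaults and load-shares, which is the only case in this topology where the egress is not a single nearest exit.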



Jon Marshall
Hall of Fame

Giuseppe's answer is spot on.

One other thing to mention is that if you need the same vlans across multiple switches then using L3 links to interconnect your switches won't work, so you need to understand exactly what vlans you have and where.

Obviously the firewall vlan can go, but only if you don't have servers or wireless, for example, connected to multiple switches that need to be L2 adjacent, because L3 connections will break that.

Jon

milan.kulik
Level 10

Hi Giuseppe,

is "c) Run OSPF also on the firewalls" a must here?

Wouldn't it be easier just to use static routes between the FW-1 and SW_L3-4 (and between FW-2 and SW_L3-5)?

Best regards,

Milan

Hello Milan,

yes a modified default static route on the FWs can be acceptable too.

I had in mind a customer of mine that was used to run OSPF on his ASA devices and it worked.

Best Regards

Giuseppe

Jon Marshall
Hall of Fame

It seems to be my day for making mistakes.

You are currently receiving internet traffic and sending it first to your firewalls at L2 across your infrastructure.

Not a great idea but it works and is relatively secure.

If you change to L3 then internet traffic is routed within your network before it ever gets to the firewalls.

That really isn't a good idea at all because you want your internal infrastructure to be protected from the internet by your firewalls at least at L3.

You could potentially use a VRF between the outside interface of your firewalls and the ASRs but you would need to extend that VRF across all L3 links and you are still routing internet traffic before getting to the firewalls.

If you want to go to L3 move your firewalls to where the ASRs are, that is really the safest option.

Jon