Solved: Need Advise for OSPF Failover Design

ahmad82pkn · ‎08-01-2024

Hi Guys,

I am tasked to design a network. And looking for some guidance.

Two FTD ( Not in HA ) Standalone with 1 ISP Link connected on each with static default route.

Two Core Switches

Each Core Switch connected with Both FTD with Layer 3 links

Both Core switch connected with each other with L2 Trunk.

Core 1 is HSRP Active. Core 2 is HSRP Standby.

Goal: Keep All traffic going in/out through FTD1 -> ISP1

If Track goes down due to ISP Failure. Send traffic towards FTD2->ISP2

I just want someone to confirm if IP OSPF Cost I am assigning will help me in achieving this fail over ?

Anything I Should be worried about?

UPDATING Diagram to show Area 5 Between Core and Access

Giuseppe Larosa · ‎08-01-2024

Hello @ahmad82pkn and @MHM Cisco World ,

by using E1 type of metric for the default route and by setting a different seed metric for the two default routes LSA type 5 generated by the two FTD you can even avoid to play with OSPF costs on link paths.

Just have a seed metric of 5000 on FTD2 and of 50 on FTD1 and you are fine .

You can use a route-map to set both the metric type and the seed metric value

ip prefix-list ONLY-DEFAULT permit 0.0.0.0/0

route-map DEF1 permit 10

match address prefix ONLY-DEFAULT

set metric-type 1

set metric 50

router ospf 10

default-information originate route-map DEF1

! avoid to add the always keyword .

Using different OSPF costs at two ends of the same link is to be considered a bad practice stay away from this.

Hope to help

Giuseppe

View solution in original post

Pavel Tarakanov · ‎08-01-2024

> I just want someone to confirm if IP OSPF Cost I am assigning will help me in achieving this fail over ?

As I can see, you assigned different costs to two sides of one link (192.168.10.0/30, 192.168.10.4/30). It's not a good thing.

In general - yes, you can increase cost of the path toward FTD2 to stick outgoing traffic to FTD1.

MHM Cisco World · ‎08-01-2024

MHM

MHM Cisco World · ‎08-01-2024

MHM

Giuseppe Larosa · ‎08-01-2024

Hello @ahmad82pkn and @MHM Cisco World ,

by using E1 type of metric for the default route and by setting a different seed metric for the two default routes LSA type 5 generated by the two FTD you can even avoid to play with OSPF costs on link paths.

Just have a seed metric of 5000 on FTD2 and of 50 on FTD1 and you are fine .

You can use a route-map to set both the metric type and the seed metric value

ip prefix-list ONLY-DEFAULT permit 0.0.0.0/0

route-map DEF1 permit 10

match address prefix ONLY-DEFAULT

set metric-type 1

set metric 50

router ospf 10

default-information originate route-map DEF1

! avoid to add the always keyword .

Using different OSPF costs at two ends of the same link is to be considered a bad practice stay away from this.

Hope to help

Giuseppe

ahmad82pkn · ‎08-01-2024

1- If Link between Core 1 and FTD1 go down. I want to go this way Core1->Core2->FTD1

2- Link between Core 1 and Core 2 will have default Cost of 1

3- I dont understand how can i keep traffic symmetric by keeping cost same on both sides. Cant get my head around this.
4- its already same

5- Yes, I will PAT on external interface on each FTD

6- Yes E1 redistribution so that when Core 1 Learn route it learn route like this

Core 1 Learn route

with 1000 Cost from FTD1

with 1001 Cost from Core 2

with 2000 Cost from FTD2

MHM Cisco World · ‎08-01-2024

MHM

ahmad82pkn · ‎08-01-2024

I know suggestion is to have cost same on both sides. But how? I tried to draw it and make same. but then return path from FTD to Core become equal cost.

MHM Cisco World · ‎08-01-2024

MHM

MHM Cisco World · ‎08-01-2024

MHM

MHM Cisco World · ‎08-01-2024

MHM

Giuseppe Larosa · ‎08-01-2024

Hello @MHM Cisco World , @ahmad82pkn

it is equivalent for the return traffic to what I had suggested for the outgoing traffic using different seed metric values on the two FTDs in generating the two LSA type 5 LSAs for the default route in my previous post on this thread.

In both cases a primary/secondary path can be provided without playing with the link costs.

A multi area OSPF design is needed to achieve this in order to make the two core devices act as ABR.

It is more granular and more in line with OSPF design best practices.

Hope to help

Giuseppe

MHM Cisco World · ‎08-01-2024

MHM

ahmad82pkn · ‎08-01-2024

Hi Giuseppe,

I see what you are saying. And this way My Core will be able to find suitable exit path based on E1 Metric advertised as you suggested.

But how return traffic path from FTD back to Core 1 will be decided?

Like How FTD 1 will know it needs to use direct link between FTD 1 and Core 1 , or FTD 1 to Core 2 to Core 1.

I think I found the answer while typing this. It will be tackled natively due to OSPF Best path mechanism.

So, when FTD 1 wants to send packet back to Core 1. It will always see FTD1-Core 1 cost less than FTD1-Core2-Core1 . Correct?

I have attached updated diagram.

MHM Cisco World · ‎08-01-2024

Friend direction of traffic is opposite of direction of route'

Defualt route inject from ftd with same cost (E1 or E2 metric different) or different cost (same E1 or E2 metric same) effect the traffic from core to ftd to internet.

Where prefix behind advertise by core will effect traffic from ftd to core' here mandatory to use two area and use area range in core or as link I share use zone secuirty ECMP (same cost link).

For ECMP zone secuirty please read link and read more about it before decide use it.

MHM