03-22-2018 06:09 AM - edited 03-05-2019 10:08 AM
Two firewalls in an active-passive state are connected to two Nexus switches via OSPF in a full mesh design. Upon testing the failover of the FWs, not all OSPF neighbors are in the FULL state, making the users behind the Nexus unable to connect to the web. I've read here (http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/), in the diagram #3 section, that this design won't work because of the Nexus loopguard feature. What workaround is best for this? Or is there a feature in a new OS release that may fix this?
03-22-2018 07:11 AM
Hi,
From the FW perspective, it is as if both FWs are connected to a single switch (because of the vPC features), so how is OSPF configured? Are there 3 or 4 neighbors?
We have a similar configuration, but we are not connecting the devices with L2 links; instead we are using L3 interfaces. Each Nexus and each FW is an OSPF neighbor, all in the same area, and everything is working fine.
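An NX-OS configuration fragment for the routed-interface design this reply describes (one L3 point-to-point link from each Nexus to each firewall, all in one OSPF area), added as an illustration and not the poster's own config; the interface names, addresses, router-id and OSPF process name are assumptions.

```text
! Nexus-1 (Nexus-2 is configured the same way with its own interfaces and addresses)
feature ospf
router ospf CORE
  router-id 10.255.0.1
! Routed port (not a vPC member, not a switchport) towards firewall 1
interface Ethernet1/1
  no switchport
  ip address 10.10.1.1/30
  ip ospf network point-to-point
  ip router ospf CORE area 0.0.0.0
  no shutdown
! Routed port towards firewall 2
interface Ethernet1/2
  no switchport
  ip address 10.10.2.1/30
  ip ospf network point-to-point
  ip router ospf CORE area 0.0.0.0
  no shutdown
! Check: each Nexus should list both firewalls (or the active unit and its
! standby, depending on the FW cluster mode) in state FULL
show ip ospf neighbors
```

Because these links are routed ports rather than vPC member ports, the adjacency is formed directly over each link and never depends on the vPC peer link, which is the path the linked article shows as the problem in its diagram #3.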
03-22-2018 07:30 AM
Not sure what vendor's FW you are using, but if the firewalls are configured as a cluster, you can simply use one link from each firewall (no cross-connects). So, fw-1 to 7k-1 and fw-2 to 7k-2. Put all interfaces in one VLAN with a /29 subnet and configure them with OSPF.
HTH