Nexus 9000 OSPF / VPC / HSRP

jean-damien
Level 1

Hi there,

I'm trying to find the best design to connect my Nexus 9000 pair to a single firewall. The physical view is below; the two VPC-enabled Nexus are connected to the firewall with a virtual port-channel:

[Physical view diagram]

The overall idea is to create an OSPF area between these two routing stages: the firewall will send the default route to the Nexus, and the Nexus will send their HSRP VLANs to the firewall. The actual logical view is:

[Logical view diagram]

My firewall does not support ECMP, so I had to enable BFD on both sides and use different export metrics on the Nexus > FW links. Doing so, the routing convergence time is less than 1 second, which is pretty good.

I'm facing the following issue:

  • When RT-1 to FW link is available and RT-1 is the HSRP master for the 1234 VLAN, everything works.
  • When RT-1 to FW link is not available, OSPF routing goes from FW to RT-2
    • If RT-2 is the HSRP master for the 1234 VLAN, everything works.
    • If RT-1 is the HSRP master for the 1234 VLAN, I can't reach the 10.100.0.0/24 subnet from the FW.

I believe that something is wrong with my design but I can't figure out what.

Any help would be greatly appreciated.

9 Replies

When you do show ip ospf neighbor on the FW and on the two NSK,
do you see two neighbors or one?

MHM  

jean-damien
Level 1

No, I have two neighbors on each device:

DC-TLS-N9K-OOB-RT-1(config)# sh ip ospf neighbors vrf ADM
 OSPF Process ID ADM VRF ADM
 Total number of neighbors: 2
 Neighbor ID     Pri State            Up Time  Address         Interface
 192.168.250.50    1 FULL/DR          15:06:53 192.168.250.50  Vlan1235
 192.168.250.52    1 FULL/DROTHER     15:01:58 192.168.250.52  Vlan1235
DC-TLS-N9K-OOB-RT-2(config)# sh ip ospf neighbors vrf ADM
 OSPF Process ID ADM VRF ADM
 Total number of neighbors: 2
 Neighbor ID     Pri State            Up Time  Address         Interface
 192.168.250.50    1 FULL/DR          15:03:01 192.168.250.50  Vlan1235
 192.168.250.51    1 FULL/BDR         15:03:06 192.168.250.51  Vlan1235
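
A small checker for exactly this verification step, written as an added example (it is not code from the thread, from Cisco or from the firewall vendor): it parses the NX-OS `show ip ospf neighbors` output quoted above, which is embedded here as sample input, and reports any expected neighbor that is missing, not FULL, or seen on the wrong interface. Run it before and after a failover test on each VPC peer so you know both adjacencies were really up when the test started. The neighbor IDs and interface name come from the output above; the row layout the regex expects is the one shown there.

```python
import re
from collections import Counter

# Constructed sample input: the two `sh ip ospf neighbors vrf ADM` outputs posted
# in this thread (RT-1 and RT-2), embedded so the script runs offline.
RT1_OUTPUT = """\
DC-TLS-N9K-OOB-RT-1(config)# sh ip ospf neighbors vrf ADM
 OSPF Process ID ADM VRF ADM
 Total number of neighbors: 2
 Neighbor ID     Pri State            Up Time  Address         Interface
 192.168.250.50    1 FULL/DR          15:06:53 192.168.250.50  Vlan1235
 192.168.250.52    1 FULL/DROTHER     15:01:58 192.168.250.52  Vlan1235
"""

RT2_OUTPUT = """\
DC-TLS-N9K-OOB-RT-2(config)# sh ip ospf neighbors vrf ADM
 OSPF Process ID ADM VRF ADM
 Total number of neighbors: 2
 Neighbor ID     Pri State            Up Time  Address         Interface
 192.168.250.50    1 FULL/DR          15:03:01 192.168.250.50  Vlan1235
 192.168.250.51    1 FULL/BDR         15:03:06 192.168.250.51  Vlan1235
"""

IPV4 = r"\d+(?:\.\d+){3}"
# One neighbor row: ID, priority, STATE/ROLE, uptime, address, interface.
ROW_RE = re.compile(
    rf"^\s*(?P<nbr_id>{IPV4})\s+(?P<pri>\d+)\s+(?P<state>[A-Z0-9]+)/(?P<role>[A-Z]+)"
    rf"\s+(?P<uptime>\S+)\s+(?P<addr>{IPV4})\s+(?P<intf>\S+)\s*$"
)


def parse_neighbors(text):
    """Return one dict per neighbor row in NX-OS `show ip ospf neighbors` output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["pri"] = int(row["pri"])
            rows.append(row)
    return rows


def check_adjacencies(text, expected_ids, interface):
    """Return a list of problems; an empty list means every expected neighbor is FULL on `interface`."""
    seen = {n["nbr_id"]: n for n in parse_neighbors(text)}
    problems = []
    for nbr in expected_ids:
        n = seen.get(nbr)
        if n is None:
            problems.append(f"missing neighbor {nbr}")
        elif n["state"] != "FULL":
            problems.append(f"{nbr} is {n['state']}/{n['role']}, not FULL")
        elif n["intf"] != interface:
            problems.append(f"{nbr} seen on {n['intf']}, expected {interface}")
    for nbr in sorted(set(seen) - set(expected_ids)):
        problems.append(f"unexpected neighbor {nbr}")
    # A broadcast segment has one DR; seeing two among your neighbors means the segment is split.
    if Counter(n["role"] for n in seen.values())["DR"] > 1:
        problems.append("more than one DR seen on the segment")
    return problems


def segment_dr(text):
    """Address of the neighbor acting as DR, or None if this router does not see one."""
    for n in parse_neighbors(text):
        if n["role"] == "DR":
            return n["addr"]
    return None


if __name__ == "__main__":
    fw = "192.168.250.50"
    for name, out, peer in (("RT-1", RT1_OUTPUT, "192.168.250.52"),
                            ("RT-2", RT2_OUTPUT, "192.168.250.51")):
        print(name, "DR:", segment_dr(out),
              "problems:", check_adjacencies(out, [fw, peer], "Vlan1235") or "none")
```

On both outputs above the firewall (192.168.250.50) is the DR and the checker returns no problems; feeding RT-2's output with RT-1's neighbor list instead reports the missing and unexpected peer, which is what you would see if the adjacency over the VPC peer had been lost.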


That's good for the NSK.
And on the FW, do you see two OSPF neighbors (the two NSK)?
If yes,
in the routing table, since both NSK advertise 10.100.0.0/24, do you see two paths or one path?
MHM

jean-damien
Level 1

Same on the FW:

[FW OSPF neighbors screenshot]

And the FW routing table:

  2 0.0.0.10        192.168.250.51  10.100.0.0/24      type-7 (NSSA Ext)    0x80000020 0x0000FA09     5    36
            Options: [NSSA]
            Mask 255.255.255.0, type 2, tos 0 metric: 10, forward 192.168.250.51, tag 0.0.0.0

  2 0.0.0.10        192.168.250.52  10.100.0.0/24      type-7 (NSSA Ext)    0x80000020 0x00006790    97    36
            Options: [NSSA]
            Mask 255.255.255.0, type 2, tos 0 metric: 20, forward 192.168.250.52, tag 0.0.0.0

I believe that the OSPF part is OK; BFD ensures fast route replacement if one peer fails.
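
To make the "different export metrics" part of the design checkable rather than eyeballed, here is an added example (not code from the thread, from Cisco or from the firewall vendor) that parses the two type-7 LSAs shown in the firewall's database above, embedded here as sample input, and derives the forwarder the FW will prefer for 10.100.0.0/24, the fallback when RT-1's LSA disappears, and whether the two Nexus ever tie on metric (the case a non-ECMP firewall must avoid). The column meaning of the header line (counter, area, advertising router, prefix) is inferred from the output and is an assumption; the comparison uses the type-2 external metric only, which is how OSPF ranks type-2 externals.

```python
import re

IPV4 = r"\d+(?:\.\d+){3}"

# Constructed sample input: the two type-7 LSAs for 10.100.0.0/24 that the
# firewall's OSPF database showed in this thread, embedded so the script runs offline.
FW_LSDB = """\
  2 0.0.0.10        192.168.250.51  10.100.0.0/24      type-7 (NSSA Ext)    0x80000020 0x0000FA09     5    36
            Options: [NSSA]
            Mask 255.255.255.0, type 2, tos 0 metric: 10, forward 192.168.250.51, tag 0.0.0.0

  2 0.0.0.10        192.168.250.52  10.100.0.0/24      type-7 (NSSA Ext)    0x80000020 0x00006790    97    36
            Options: [NSSA]
            Mask 255.255.255.0, type 2, tos 0 metric: 20, forward 192.168.250.52, tag 0.0.0.0
"""

# Assumed column layout of the header line: <n> <area> <advertising router> <prefix> type-7 ...
HEADER_RE = re.compile(
    rf"^\s*\d+\s+(?P<area>{IPV4})\s+(?P<adv>{IPV4})\s+(?P<prefix>{IPV4}/\d+)\s+type-7\b"
)
# Detail line carrying the external type, metric and forwarding address.
DETAIL_RE = re.compile(
    rf"type (?P<etype>[12]), tos \d+ metric: (?P<metric>\d+), forward (?P<fwd>{IPV4})"
)


def parse_type7_lsas(text):
    """Return one dict per type-7 LSA: area, adv (router), prefix, etype, metric, forward."""
    lsas, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.groupdict()
            lsas.append(current)
            continue
        d = DETAIL_RE.search(line)
        if d and current is not None:
            current["etype"] = int(d["etype"])
            current["metric"] = int(d["metric"])
            current["forward"] = d["fwd"]
    return lsas


def failover_order(lsas, prefix, down=()):
    """Forward addresses for `prefix`, best first, ignoring LSAs from routers listed in `down`.

    Type-2 external routes are ranked on the external metric alone, so the lowest
    metric wins; the internal cost to reach the forwarding address is not modelled.
    """
    cands = [l for l in lsas
             if l["prefix"] == prefix and l["adv"] not in down and "metric" in l]
    return [l["forward"] for l in sorted(cands, key=lambda l: l["metric"])]


def has_ecmp_tie(lsas, prefix):
    """True if two advertisers share the best metric, i.e. the FW would see equal-cost paths."""
    metrics = sorted(l["metric"] for l in lsas if l["prefix"] == prefix and "metric" in l)
    return len(metrics) >= 2 and metrics[0] == metrics[1]


if __name__ == "__main__":
    lsas = parse_type7_lsas(FW_LSDB)
    p = "10.100.0.0/24"
    print("steady state:", failover_order(lsas, p))
    print("RT-1 (192.168.250.51) down:", failover_order(lsas, p, down={"192.168.250.51"}))
    print("ECMP tie:", has_ecmp_tie(lsas, p))
```

With the metrics in the thread (10 via RT-1, 20 via RT-2) the order is RT-1 then RT-2 and there is no tie, so the firewall installs a single next hop and BFD only has to trigger the swap; if someone later sets both export metrics equal, `has_ecmp_tie` flags the configuration the non-ECMP firewall cannot handle.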


The OSPF part is OK.

And if the issue is that NSK-2, when it is not master, cannot forward traffic, then use

peer-gateway under the vpc domain

MHM

jean-damien
Level 1

I have already done that:

DC-TLS-N9K-OOB-RT-1

vpc domain 1
  role priority 20
  peer-keepalive destination 10.255.0.71 source 10.255.0.70
  peer-gateway
  layer3 peer-router
  auto-recovery

DC-TLS-N9K-OOB-RT-2

vpc domain 1
  role priority 30
  peer-keepalive destination 10.255.0.70 source 10.255.0.71
  peer-gateway
  layer3 peer-router
  auto-recovery


On RT-2 (NSK-2), did it learn the FW's prefix from the FW directly or from NSK-1 (RT-1)?
MHM

jean-damien
Level 1

I just figured out my problem. To simulate the loss of RT-1 I was shutting the VLAN interface associated with the OSPF process, which was preventing the L3 routing from being carried through the VPC link (I guess).

Killing the physical interface connected to the FW forces OSPF to switch to RT-2, and the traffic correctly goes through the VPN link.

Thanks for your help.

Friend, you are so so welcome.

Last note: the metric between NSK-2 and FW must be less than the sum of the metrics between NSK-1 and NSK-2 and between NSK-1 and FW.

Have a nice day 

MHM
