02-08-2024 11:47 PM
Hi there,
I'm trying to find the best design to connect my Nexus 9000 Pair to a single firewall. The physical view is below; the two vPC-enabled Nexus are connected to the firewall with a virtual port-channel:
The overall idea is to create an OSPF area between these two routing stages: the firewall will send the default route to the Nexus, and the Nexus will send their HSRP VLANs to the firewall. The actual logical view is:
My firewall does not support ECMP, so I had to enable BFD on both sides and use different export metrics on the Nexus > FW links. Doing so, the routing convergence time is less than 1 second, which is pretty good.
I'm facing the following issue:
I believe that something is wrong with my design but I can't figure out what.
Any help would be greatly appreciated.
02-08-2024 11:55 PM
When you do show ip ospf neighbor on the FW and the two NSK,
do you see two neighbors or one?
MHM
02-09-2024 12:11 AM
No, I have two neighbors on each device:
DC-TLS-N9K-OOB-RT-1(config)# sh ip ospf neighbors vrf ADM
OSPF Process ID ADM VRF ADM
Total number of neighbors: 2
Neighbor ID Pri State Up Time Address Interface
192.168.250.50 1 FULL/DR 15:06:53 192.168.250.50 Vlan1235
192.168.250.52 1 FULL/DROTHER 15:01:58 192.168.250.52 Vlan1235
DC-TLS-N9K-OOB-RT-2(config)# sh ip ospf neighbors vrf ADM
OSPF Process ID ADM VRF ADM
Total number of neighbors: 2
Neighbor ID Pri State Up Time Address Interface
192.168.250.50 1 FULL/DR 15:03:01 192.168.250.50 Vlan1235
192.168.250.51 1 FULL/BDR 15:03:06 192.168.250.51 Vlan1235
02-09-2024 12:15 AM
That's good for the NSK.
And for the FW, do you see two OSPF neighbors (the two NSK)?
If yes:
In the routing table, since both NSK advertise 10.100.0.0/24, do you see two paths or one path?
MHM
02-09-2024 12:25 AM - edited 02-09-2024 12:29 AM
Same on the FW:
And the FW routing table:
2 0.0.0.10 192.168.250.51 10.100.0.0/24 type-7 (NSSA Ext) 0x80000020 0x0000FA09 5 36
Options: [NSSA]
Mask 255.255.255.0, type 2, tos 0 metric: 10, forward 192.168.250.51, tag 0.0.0.0
2 0.0.0.10 192.168.250.52 10.100.0.0/24 type-7 (NSSA Ext) 0x80000020 0x00006790 97 36
Options: [NSSA]
Mask 255.255.255.0, type 2, tos 0 metric: 20, forward 192.168.250.52, tag 0.0.0.0
I believe that the OSPF part is OK; BFD ensures fast route replacement if one peer fails.
02-09-2024 12:29 AM
The OSPF part is OK.
And if the issue is that NSK-2, when it is not master, cannot forward traffic, then use
peer-gateway under the vPC domain.
MHM
02-09-2024 12:31 AM
I have already done that:
DC-TLS-N9K-OOB-RT-1
vpc domain 1
  role priority 20
  peer-keepalive destination 10.255.0.71 source 10.255.0.70
  peer-gateway
  layer3 peer-router
  auto-recovery
DC-TLS-N9K-OOB-RT-2
vpc domain 1
  role priority 30
  peer-keepalive destination 10.255.0.70 source 10.255.0.71
  peer-gateway
  layer3 peer-router
  auto-recovery
02-09-2024 12:46 AM
On RT-2 (NSK-2), did it learn the FW prefix from the FW directly or from NSK-1 (RT-1)?
MHM
02-09-2024 02:08 AM
I just figured out my problem. To simulate the loss of RT-1 I was shutting the VLAN interface associated with the OSPF process, and this was preventing the L3 routing from being carried through the vPC link (I guess).
Killing the physical interface connected to the FW forces the OSPF to switch to RT-2, and the traffic correctly goes through the VPN link.
Thanks for your help.
02-09-2024 02:17 AM
Friend, you are so so welcome.
Last note: the metric between NSK-2 and FW must be less than the sum of the metrics between NSK-1 and NSK-2 and between NSK-1 and FW.
Have a nice day.
MHM
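Added worked example (editor's code, not from any post in this thread): it parses the two type-7 LSAs exactly as quoted from the FW above, ranks them the way OSPF ranks a type-2 external (lowest external metric first, intra-area cost to the forwarding address only as tie-break), and simulates RT-1's forwarding address disappearing, which is what the FW sees once BFD/OSPF detect the failed link. The intra-area costs to .51 and .52 are assumed (both 1, since all three devices share Vlan1235).

```python
import re

# Constructed from the FW LSDB lines quoted in the thread: two type-7 LSAs
# for 10.100.0.0/24, one from RT-1 (forward .51, metric 10) and one from
# RT-2 (forward .52, metric 20).
LSDB_TEXT = """\
2 0.0.0.10 192.168.250.51 10.100.0.0/24 type-7 (NSSA Ext) 0x80000020 0x0000FA09 5 36
Options: [NSSA]
Mask 255.255.255.0, type 2, tos 0 metric: 10, forward 192.168.250.51, tag 0.0.0.0
2 0.0.0.10 192.168.250.52 10.100.0.0/24 type-7 (NSSA Ext) 0x80000020 0x00006790 97 36
Options: [NSSA]
Mask 255.255.255.0, type 2, tos 0 metric: 20, forward 192.168.250.52, tag 0.0.0.0
"""

HEADER = re.compile(r"^\d+ \S+ (?P<adv>\S+) (?P<prefix>\S+) type-7")
BODY = re.compile(r"type (?P<mtype>[12]), tos \d+ metric: (?P<metric>\d+), "
                  r"forward (?P<fwd>[\d.]+)")

def parse_type7(text):
    """Return one dict per type-7 LSA: advertising router, prefix,
    metric type (1 or 2), external metric and forwarding address."""
    lsas, cur = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            cur = {"adv": h["adv"], "prefix": h["prefix"]}
            lsas.append(cur)
            continue
        b = BODY.search(line)
        if b and cur is not None:
            cur.update(mtype=int(b["mtype"]), metric=int(b["metric"]), fwd=b["fwd"])
    return lsas

def best_path(lsas, prefix, cost_to, down=frozenset()):
    """Rank the LSAs for `prefix` as OSPF ranks NSSA externals: a type-2
    metric compares the external metric first and uses the intra-area cost
    to the forwarding address only as tie-break; a type-1 metric adds both.
    `cost_to` maps forwarding address -> intra-area cost (assumed values);
    `down` holds forwarding addresses that are no longer reachable."""
    def rank(l):
        cost = cost_to[l["fwd"]]
        return (l["metric"] + cost, 0) if l["mtype"] == 1 else (l["metric"], cost)
    usable = [l for l in lsas
              if l["prefix"] == prefix and l["fwd"] in cost_to and l["fwd"] not in down]
    if not usable:
        return None
    best = min(usable, key=rank)
    return best["fwd"], best["metric"]
```

With both forwarding addresses reachable the FW picks .51 (metric 10); with .51 down it falls back to .52 (metric 20), which is the sub-second failover the thread describes.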