
OSPF and IP SLA failover design

caesarkrit
Level 1

Hi, I'll try my best to explain my goal and what I'm trying to achieve. By working through this I came up with several options or solutions for how this can be done. But what I don't understand is, from a CCIE or high-level architecture standpoint, what the best practice is, how this problem would be approached, and why you would pick one solution over the other. That being said, this is my diagram. To best explain: I have 2 "black box" devices that load-balance traffic and advertise routes to every other branch via OSPF. My local branch switches have local interface VLANs and advertise the networks for that specific subnet. One dedicated VLAN 220 shares subnet IPs with the black boxes. That's fine. Now a new addition, a "managed Checkpoint firewall" and an "AT&T" router that goes out to the internet, was added. The Checkpoint firewall has 2 static routes: 10/8 points back to 10.191.51.1 and 0.0.0.0 points out to the AT&T. My DHCP is currently configured for 10.191.51.0/24 to have a gateway of 10.191.51.3 (firewall IP) and DNS of 8.8.8.8.


Now for the good part. The only subnet I have going out and over the managed checkpoint firewall is 10.191.51.0/24. My switch has ACL policies to limit what this subnet can send over the 10/8 network, and a policy configured on the black boxes to only send this 10.191.51.0/24 network over the internet no matter what. My goal is to best build redundancy for this specific subnet, while leaving the rest working as expected.


What I first found is that I can run OSPF and leverage VRFs to run a completely different routing table and another area between the Cisco switches and the Checkpoint firewall, but the issue here is that I'm not sure how the "AT&T" IP of 192.168.1.254 can be advertised back to the Cisco switch via OSPF to tell it that it's down, and leverage the other route to go out to the internet.


One solution to this is IP SLA. Now, if I ICMP-monitor the 1.254 IP and use that as primary, how would I fail over to my black box route, and back over once the IP is up again?


Another question I had was whether someone knew of a completely different method to use. My limitation comes from the fact that the DHCP gateway for the 51 subnet needs to be 51.3; otherwise, if it's 51.1 and the firewall goes down, there is no automatic failover method to another default gateway and someone will have to change it manually. So if the only choice is to leverage the 51.3 gateway, what auto-detection or routing solutions can be used here? Can IP SLA be added within OSPF?


Thanks 

Accepted Solution

Hello
You could incorporate policy-based routing (PBR) with IP SLA on VLAN 51 for that subnet, so any traffic originating from it will be routed via the Checkpoint next hop. As/when reachability via the Checkpoint is lost, routing would default back via the MPLS link; this way you can negate ACL filtering etc. However, this will not have any influence on the return traffic path for that VLAN/subnet; that all depends on how it's being advertised egress via both egress points (MPLS/internet).


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

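As an added illustration (not Paul's configuration and not taken from Cisco documentation), here is what the PBR plus IP SLA arrangement he describes looks like in Cisco IOS syntax. It assumes the switch's SVI for the 10.191.51.0/24 subnet is 10.191.51.1 on interface Vlan51 (the VLAN number, the ACL and route-map names, the SLA/track object numbers and the timers are all assumed), that hosts use 10.191.51.1 as their default gateway so the switch actually sees the traffic it is policy-routing, and that the probe target is the AT&T router's inside address 192.168.1.254 mentioned in the question.

```cisco
! --- Reachability probe (object numbers 10 are assumed) ---
! Host route so the probe leaves via the Checkpoint rather than following the
! OSPF default learned from the black boxes.  Assumes the firewall and the
! AT&T router permit the echo and can route the reply back to 10.191.51.1.
ip route 192.168.1.254 255.255.255.255 10.191.51.3
!
ip sla 10
 icmp-echo 192.168.1.254 source-ip 10.191.51.1
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 10 life forever start-time now
!
! Track object with dampening so one lost echo does not flap the path
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Match only traffic from the 51 subnet that is NOT bound for 10/8.
! The Checkpoint's 10/8 static route points back at 10.191.51.1, so
! policy-routing 10/8 destinations to it would hairpin that traffic.
ip access-list extended PBR-VLAN51-INTERNET
 deny   ip 10.191.51.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.191.51.0 0.0.0.255 any
!
! While track 10 is up, the next hop is the Checkpoint (10.191.51.3).
! When it is down, the set clause is skipped and the packet falls through
! to normal routing: the OSPF default via the black boxes (MPLS).
route-map PBR-VLAN51 permit 10
 match ip address PBR-VLAN51-INTERNET
 set ip next-hop verify-availability 10.191.51.3 10 track 10
!
interface Vlan51
 ip address 10.191.51.1 255.255.255.0
 ip policy route-map PBR-VLAN51
```

`show track 10`, `show ip sla statistics 10` and `show route-map PBR-VLAN51` show the probe state and whether the policy is matching traffic. Two points to keep in mind: probing 192.168.1.254 detects a dead firewall or AT&T router but not a failure further out on the internet, and, as Paul noted, this only steers outbound traffic; the return path still depends on how 10.191.51.0/24 is advertised at each egress.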

5 Replies

Can you explain the issue here in simple words?
As I understand it, there are two ISPs and WAN MPLS,
so you face a routing issue?

I need to route my 10.191.51.0/24 network through the firewall, it's a requirement. All other networks can route through the 2 ISP links. I am not sure what the best method to use in order to build redundancy for the 10.191.51.0/24 network. I currently use static routes. 


Besides monitoring reachability to only the firewall's IP address, would I also be able to monitor the AT&T internal 192 address? If so, this could be exactly what I was looking to do.

Thanks


You can monitor reachability to any IP as long as you have routing to it. 


Jon
