Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
580
Views
5
Helpful
4
Replies

OSPF design suggestions/challenges we are facing.

network_geek1979
Level 1
Level 1

‎10-25-2020 09:15 AM

Folks,

We are working on some OSPF design where 2 routers need to talk OSPF with an internal network.

 

The catch, we want to pass the traffic via a Palo Alto firewall.

 

I have attached the diagram on the design on how we are going to implement this.

 

In the attached diagram:

1. Both the Router A and Router B have been assigned the same IP address on their Gi00/2 and Gi0/0/3 interfaces.

This is because the Palo Alto Firewall are in Active-Passive mode where they have to be configured with the same IP on their interfaces facing the router.

 

2. In the normal state the OSPF is formed only between the Firewall-01 and the Router A.

 

We have an issue:

1. The Router B does not learn routes coming in from the Router A and the log messages show as OSPF flood war.

When we remove the IP addresses we have assigned to Router B things start working fine.

 

Any possibles solutions on this?

 

I can think of:

1. The Gi0/0/2 and Gi0/0/3 IP addresses we have assigned to Router B can be changed. We could assign the next IP from the same subnet.

 

Do you think this will work?

 

 

Regards,

N!!

Labels:
Preview file
70 KB
0 Helpful
4 Replies 4

MHM Cisco World
VIP
VIP

‎10-25-2020 09:56 AM - edited ‎10-25-2020 09:57 AM

asa-ha2.pngadd SW between the both router and FW.
make two VLAN in SW 
on VLAN for each link.
in FW active it will appear as primary and backup link and if it failed then the traffic go to passive FW.

0 Helpful

network_geek1979
Level 1
Level 1
In response to MHM Cisco World

‎10-25-2020 07:55 PM

Hello, and many thanks for the response.

In this solution the switch become a single point of failure which is also what we are trying to eliminate.

 

Thanks,

N.

0 Helpful

ngkin2010
Level 7
Level 7

‎10-26-2020 02:31 AM - edited ‎10-26-2020 02:31 AM 

1. The Gi0/0/2 and Gi0/0/3 IP addresses we have assigned to Router B can be changed. We could assign the next IP from the same subnet.

No, it will not work. You can check the OSPF database by 'show ip ospf database router' , you should able to find something like "Adv Router is not-reachable in topology Base with MTID 0". Which means the Router B is unable to build the current topology with the received Type 1/2 LSA.  

 

The Type 1/2 LSA care about subnet, not IP address. So changing IP address will not help in your problem.

 

General speaking, your design is an unsupported design. Adding L2 switch(es) as mentioned by @MHM Cisco World  is the most appropriate design.

 

For the workaround, you can try the following options:

- Migrating from OSPF to other distance vector protocol (e.g. EIGRP)

- Change the links connecting to PaloAlto from Backbone Area 0 to Area 1, so that it will behavior like a distance vector protocol

 

Keep in mind, neither of the above options are suggested solution, it may only make the thing work.

MHM Cisco World
VIP
VIP
In response to ngkin2010

‎10-26-2020 04:10 AM - edited ‎10-27-2020 11:04 AM

For sw as single point of failure I recommend config sw stack (this is one of cisco solution).
please mention this issue as solved.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card