Hi Meheretab

Thanks for your question!

SW1 and SW2 are at different physical locations and are directly connected via point to point line. They are providing the VLAN for the circuit between the FWs and there is one service VLAN for managing network devices. 

In order to connect from SW1 to FW2 I must have SVI in SW1 and corresponding SVI in FW2. SW2 is just a medium providing the track.

I hope that doesn't sound too confusing ..

Hello

---

@Chris_78 wrote:

 

I hope that doesn't sound too confusing ..

  

---

It does really as as you say , if either FW fails looking at your topology, how do the two site connect, you dont have any other physical connection between those sites or do you?

Hi Paul

I'm sorry I know it sounds very complicated - below is topology with IPs. The green connection between FW1 and FW2 is currently in use as main circuit between both FWs. I have default route on both switches blue and black connections. 

SW1 ip route 0.0.0.0/0 10.10.10.2

SW2 ip route 0.0.0.0/0 10.20.20.2

However these are not in use due to PBR on the switches with tracking pushing all the traffic towards the FWs in each site. If FW1 outage occurs then tracking fails and the SW is routing as usual - default route towards FW2 (blue connection) is in use and that works and Inter-VLAN routing is operational on the SW1. The issue is that I have to advertise VLAN10 and VLAN20 subnets to FW2. 

Best 

Chris

Chris,

It would make it easier if you share configs (at least config of SW1 and SW2). Could you do that while hiding sensitive information?

HTH,

Meheretab

Hi Meheretab

Below is config from SW1, the same applies to SW2 just different IP scheme.

ip access-list SVI-FW

  10 permit ip any any

track 1 ip sla 1 reachability

 delay up 10 down 35 

ip sla 1

  icmp-echo 10.99.99.1 (FW1 interface for tracking)

    frequency 100

ip sla schedule 1 life forever start-time now

route-map PBR-CLIENTS permit 10

  match ip address SVI-FW

  set ip next-hop verify-availability 10.99.99.1 track 1 (OSPF area 10 link)

route-map PBR-Servers permit 10

  match ip address SVI-FW

  set ip next-hop verify-availability 10.99.99.9 track 1 (OSPF area 20 link)

interface Vlan98

description UPLINK-CLIENTS-FW

  no shutdown

  no ip redirects

  ip address 10.99.99.2/29

  no ipv6 redirects

  ip ospf network broadcast

  ip ospf mtu-ignore

  ip router ospf 1 area 10

interface Vlan99

description UPLINK-SERVERS-FW

  no shutdown

  no ip redirects

  ip address 10.99.99.10/29

  no ipv6 redirects

  ip ospf network broadcast

  ip ospf mtu-ignore

  ip router ospf 1 area 20

interface Ethernet1/48
description CONNECTION-BETWEEN-SITES
switchport mode trunk
switchport trunk allowed vlan 1-1000
duplex full
speed 100

Interface VLAN111

Description SW1-FW2-BACKUP (this is the backup link from SW1->FW2 that should be used in case of FW1 outage)

  no shutdown

  ip address 10.10.10.1/29 (not sure if I should keep it in the same subnet or change it to something different and match on FW2) this is the port that I can use to tap into are 0. 

interface Vlan10

  no shutdown

  no ip redirects

  ip address 10.18.19.254/23

  no ipv6 redirects

  ip ospf passive-interface

  ip router ospf 1 area 10

  ip policy route-map PBR-CLIENTS

  no shutdown

interface Vlan20

  no shutdown

  no ip redirects

  ip address 192.168.1.254/24

  no ipv6 redirects

  ip ospf passive-interface

  ip router ospf 1 area 20

  ip policy route-map PBR-Servers

  no shutdown

ip route 0.0.0.0/0 10.10.10.2

router ospf 1

  rfc1583compatibility

  area 10 range 10.18.18.0/23

   area 20 range 192.168.1.0/24

Thanks!

Chris

Can you move the OSPF Area 0 backbone down between the two switches, create another OSPF adjacency from switches to FWs to propagate routes and then redistribute routes via Area 0 backbone on switches?  That way, each switch knows about the routes from each side and if the FW fails, move default route to other FW that already knows about the routes from the OSPF adjacent on SW2 and FW2.  Thanks. 

That would work - however Inter-VLAN will happen on the switches which is something we are trying to avoid. We need each VLAN traffic to pass through the FWs so we can inspect the traffic. 

The only occasion when we can allow Inter-VLAN routing performed on the switch is when there is FW outage. 

Thanks!

Chris

You can send to FW for inspection.  Port on switch directly connected to FW, access vlan x and then default route to FW.  We are doing something very similar on our end so I am familiar with what you are trying to do.  

@mwood000111

Is your gateway for your Access/Clients on your FWs?

In our case access/client gateway is at the SW1 level. They are actually two pairs of NX OS switches at each side - (not showing on the topology)  Pair of Nexus switches is providing the gateway redundancy for the clients and servers along with VPC towards the switches south and north for the FW.

Chris,

What is the problem with configuring all switch-fw links in area 0 and ramping up their costs to something silly? In that case default path to other areas will be via area 0, in which the fw-fw link will be the cheapest and hence selected first. In case it fails, then more expensive link kicks in.

Thanks Sergei @Sergey Lisitsin

This was my initial idea - The main problem was setting up the metrics, my FWs are Palo Alto and my switches are Nexus 3k - I had some issues getting the correct metrics, I wasn't sure how bandwidth is reacting on SVIs - since these are my main interfaces on the switches. 

However I was able to mess up with it last night and pump the metrics/cost for the link between SW and FW and things are looking promising. I wasn't able to fully test anything we have scheduled maintenance tonight so fingers cross :)

Hello

Use ospf costing on the least preferred links for resiliency

I've tried that couple of times but the FW doesn't really gets it and keep forward all the traffic to the backup connections hitting the VLANs directly through the switch instead of sending the traffic to the opposite FW.

On the switches I tried bandwidth 10, 100 and 1000 and there was no difference on the FW end - traffic was forwarded through the backup route.

The only way I finally got it to work is by adjusting the cost at FWs to 100 on the backup links FW2-SW1 and FW1-SW2, however I had to have each backup connection in a separate subnet as shown on my topology. Here is also a screenshot from the FWs web interface. Just to wrap things - 

Each FW ended with 2 interfaces to area 0: one interface directly connected to the opposite FW (priority route) and one interface to the opposite SW (used as backup) - cost had to be applied on the FW end as shown. For some reason we couldn't manipulate on the SW no matter what values we were applying. Not sure if that matters - but please note these were SVI.

Thanks to everyone for the input!