05-31-2022 01:29 AM - last edited on 12-20-2022 01:37 AM by Translator
I have a router that is connected to a High Availability firewall using 2 different interfaces on the router.
The interfaces are layer 3 interfaces with the HA firewall.
The router is receiving the internal routes from the firewall on both interfaces.
The routes are preferred on the router from the second interface and I would like to change it to the first interface.
When giving the command on the second interface:
show ip ospf interface g0/2 | inc Cost
The output:
Process ID 1, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 1
Also, when giving the command on the first interface:
show ip ospf interface g0/2 | inc Cost
The output:
Process ID 1, Router ID 10.10.10.1, Network Type BROADCAST, Cost: 1
Now the question: I want the router to prefer the first interface, not the second interface, so can I do that by increasing the cost under the second interface? Or is there a different way?
05-31-2022 01:42 AM
That would be the best way to do it, so just increase the cost on the second interface.
Jon
05-31-2022 01:45 AM
Hi
To prefer the first interface, change the cost of the second interface:
R1#conf t
R1(config)#int gi0/2
R1(config-if)#ip ospf cost 10
Now, something seems weird in this example.
The cost will interfere on the router sending traffic. You mention that the router has two interfaces to the same firewall cluster with different IP addresses?
Can you share this topology just for curiosity?
05-31-2022 01:50 AM
Now the question I want the router to prefer the first interface not the second interface, so can I do that by increasing the cost under Second Interface?
To a certain degree you have answered some points here.
But what happens if the failover takes place and the secondary firewall becomes active (stays active)? Are you going to change the cost manually again?
or is there a different way?
Not sure at this stage, until we see a clear picture of the topology here.
05-31-2022 02:19 PM
The config is wrong!!
The router has two interfaces toward the ASA active/standby,
and this makes failover never work.
The ASA active and standby must share the same subnet, and hence the router will connect via one interface.
The solution for your case is
ASA active/active; this gives you the choice to configure two router interfaces to both ASAs.
05-31-2022 07:26 PM - edited 05-31-2022 07:28 PM
Hello
Although the OSPF interface cost can influence path cost, in this case the active path should be based on the active primary FW in the HA cluster.
06-01-2022 01:00 AM - last edited on 12-20-2022 01:41 AM by Translator
I will prepare the topology and share today for clear understanding.
Just to mention that we have
3 x WAN Routers --> 2 x L2 Switches --> Firewalls (Active/Standby).
The reason to use L2 switch is the firewall doesn't have enough fiber ports to connect the 3 WAN Routers.
All the connections are full mesh from
3 x WAN RTR's --> 2 x L2 Switches --> FW's.
06-01-2022 01:35 AM
Can I ask why OSPF and not a static route?
06-14-2022 11:44 AM - last edited on 12-20-2022 01:48 AM by Translator
The reason is that the client wants dynamic routing all the way from
WAN Routers --> FW --> Data Center.
In order to have full mesh from the
3 WAN Routers --> FW --> Data Center
we need to connect each WAN router to the FW's and since the FW doesn't have enough Fiber ports we have to use L2 switches in between as a HUB for the connection.
I hope this explains the setup in the best way possible. I will try to share the layout but I am out of the office on emergency leave.
06-15-2022 03:21 AM - last edited on 12-20-2022 01:50 AM by Translator
As mentioned before, ASA HA works as Active/Standby and ONLY the active unit forwards traffic; the standby does not until failover happens.
FW default route toward WAN router
FW subnet route toward Core SW
In the WAN router:
static route toward active ASA interface.
Remember that during the failover the standby will use the previous active IP, and that makes the WAN router never detect the change, and you don't have any issue with the FW.