Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
244
Views
0
Helpful
3
Replies

cannot form an OSPF neighbour between virtual firewall and leaf switch

SabeelShakeel00430
Level 1
Level 1

‎03-12-2024 10:44 AM

Hi,

We have been trying to get our virtual firewall to form an OSPF neighbourship with our leaf switch, but cant the two devices cant see each other.

The firewall and the leaf are configured in area 0 and we want it to form a neighbourship with an SVI on the leaf. this SVI is the gateway of the firewalls "transit interface". The SVI also has a VXLAN (as the DC is in a spine-leaf configuration using VXLAN L2 VPN Tunnels). Area 0 was also a newly created area to separate the traffic from the existing area (area 1). 

What we noticed was that when we remove the "anycast gateway" command from the SVI it prevents us from pinging the SVI or the transit interface on the firewall. 

We also notice that when the interface is added to ospf - it doesn't get registered, as the area shows inactive and does not show any interfaces inside it. 

Please advise if you have any suggestions.

Best Reagrds,

Sabeel.

Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎03-12-2024 10:52 AM

you need to provide some configuration for us to review and suggest.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

SabeelShakeel00430
Level 1
Level 1
In response to balaji.bandi

‎03-13-2024 03:22 AM

Hi,

existing OSPF config for underlay:

router ospf DC
router-id xx.xx.xx.xx
area 0.0.0.1 stub
area 0.0.0.1 authentication message-digest
auto-cost reference-bandwidth 400 Gbps

Newly created OSPF:

router ospf DC_DMZ
router-id yy.yy.yy.yy
area 0.0.0.0 default-cost 0
auto-cost reference-bandwidth 400 Gbps

Interface:

interface Vlan970
description ### Firewall Transit ###
no shutdown
vrf member MY_VRF
no ip redirects
ip address yy.yy.yy.yy/28
no ipv6 redirects
ip ospf network point-to-point
ip router ospf DC_DMZ area 0.0.0.0

above config shows inactive OSPF even with the firewall configured under same area and OSPF. This SVI is not pingable from the same switch, nor is it able to ping the firewalls interface (firewall has ping enabled for testing).

The SVI is able to ping with the config bellow, however we feel this will not work correctly for OSPF:

interface Vlan970
description ### Firewall Transit ###
no shutdown
vrf member MY_VRF
no ip redirects
ip address yy.yy.yy.yy/28
no ipv6 redirects
fabric forwarding anycast-gateway

I have tried adding the OSPF statement into the config above too, and can confirm everything pings ok, but still see an inactive OSPF with no interfaces in area 0.

Best Regards,

Sabeel

0 Helpful

SabeelShakeel00430
Level 1
Level 1
In response to SabeelShakeel00430

‎03-13-2024 05:03 AM

also,

see output im getting from the "show ip ospf " command:

Area BACKBONE(0.0.0.0) (Inactive)
Area has existed for 00:25:14
Interfaces in this area: 2 Active interfaces: 1
Passive interfaces: 0 Loopback interfaces: 1
No authentication available
SPF calculation has run 3 times
Last SPF ran for 0.000242s
Area ranges are
Number of LSAs: 1, checksum sum 0x7bc5

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card