
OSPF to active/passive FW - theory of operations pls

lpassmore
Level 1

Hi all

I am just trying to work out in my head how OSPF will operate best in the scenario where I have two L3 switches (Nexus 7K) and two firewalls (acting as an active/passive pair) in an OSPF neighbour relationship.

I have two locations with one FW and one switch in each location.  The devices will be connected as a square with a single (port-channel) link between the FW and the switch at each location, and a trunk link between the switches.  The FW heartbeat will be via a separate VLAN but is not particularly relevant to this discussion.  Nor are the relative merits of the physical connectivity relevant to the discussion.  Diagram of topology is attached.

OSPF will be configured on the FW LAG interface which connects to each switch.  If the FW fails over to the alternate unit, the IP address will move accordingly.

I am trying to work out the best method for configuring the IP addresses on the switches.  

I see my choices are:

  1. VLAN across both switches using SVI interfaces with individual addresses
  2. VLAN across both switches using SVI interfaces with HSRP for a single virtual address 
  3. Individual interfaces on each L3 switch uplink. But since these would have to be in the same IP range I can see that this would most likely not work properly.

I would like to know which works better in people's experience.

If I use option 1, can you please explain how the OSPF adjacencies and route advertising would work when failing over from one FW to the other?

If option 2, are adjacencies formed between all 3 IP addresses on the switches or just the HSRP virtual?


Thanks in advance...


5 Replies

Richard Burts
Hall of Fame

I am not sure if it makes much difference, but can you tell us whether the firewalls are ASA or are some other type of firewall? I am assuming ASA but if it is something else then I might need to rethink part of what I am about to say.

Am I correct in understanding Option 3 to indicate that each switch-to-firewall link would be a separate point-to-point connection (and a separate subnet)? If so then this is clearly the worst choice and I suggest that you give it no further attention. The biggest issue here is that if there is a failover event and the primary IP is now used by the backup firewall, then the switch connected to the backup firewall is suddenly looking at a neighbor whose IP address is not in the same subnet.

Option 2 might have some value if there are static routes on the firewall and you want to direct that traffic to the "active" switch. But HSRP has no value when you are running OSPF. OSPF discovers neighbors and establishes neighbor relationships based on physical interface address and does not consider the virtual address.

So basically your best choice is option 1. You would have a single vlan/single subnet with 4 IP addresses in it. Both switches will send OSPF hello messages attempting to discover neighbors. Only the primary firewall will respond to the hello messages. So switch A connected to the primary firewall will form a neighbor relationship. Switch B will continue to send OSPF hello messages but will not receive responses. If there is a failover event and the backup firewall becomes active then the previously active firewall connected to switch A will stop communicating and the OSPF neighbor relationship will time out and be dropped. Now switch B is sending OSPF hello messages and receiving responses and a neighbor relationship will be negotiated.

HTH

Rick

Great response thanks Rick and very much what I was thinking.  Sorry, I meant to give you a higher rating but I misclicked.  I will fix it if I can.

The firewalls are actually Fortigate but I don't think that would matter in the scenario.  The Fortigate only presents 1 IP address (not 2 like the ASA).

I am curious about your point that switch B will send hello messages but not receive a response. Because the IP addresses are in the same VLAN, I would have thought that there would be a neighbour relationship between all three.  Correct me if that is wrong, but if it is true then both switches would be route candidates and the closest (by the timing of an extra 10Gb link) would find its way into the routing table.  If the firewall fails over, I am curious as to whether the route would actually change over to the new nearest switch or not. 

Hello,

When the active Fortigate fails, the mac address on the active member moves to the standby member. The IP address on both are the same.

When you are using OSPF, choice 1 and choice 2 do not make any difference. OSPF uses IP on the SVI to establish adjacency, not the HSRP IP address.

Using choice 1 and 2, Fortigate will be adjacent with switch 1 and switch 2. In case of failover, there will be no change in OSPF adjacency since the mac from the master will move to the standby Fortigate. I suppose the standby Fortigate will take over before the OSPF dead time.

Hope it helps,

Masoud

Thanks for the clarification. Knowing that the firewalls are Fortigate does make some difference, especially in terms of how many IP addresses are in use. But fundamentally the answer remains the same. There is no advantage in using HSRP since the switches use the configured interface address and not the HSRP address as they negotiate the OSPF neighbor relationship.

I realize that I did not express my point very well about forming OSPF neighbor relationships. And it was based on Cisco ASA functions and may not apply at all to Fortigate. Fundamentally my point was that the standby ASA does not participate in the dynamic routing protocol and that while it might receive OSPF hello messages it would not respond to them. I was factually incorrect when I said that switch B would receive no response and I am sorry about that. Yes, switch B would receive a hello response from the primary ASA and would form a neighbor relationship. And neither switch would have a neighbor relationship with the standby ASA. When failover occurs the newly active ASA would form its own neighbor relationships with both switches. See this link for a discussion of this:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_overview.html#wp1078953

And since this whole point is Cisco specific it may not apply to Fortigate.

HTH

Rick
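To make the behaviour described in this thread concrete, here is a small simulation I have added; it is not code from the thread, from Cisco or from Fortinet. It models only the OSPF Hello exchange, the dead timer and the Down/Init/2-Way neighbor states on one broadcast VLAN, which is enough to show the three points made above: the switches key the neighbor on the interface address (the HSRP virtual address never appears in a Hello), a standby unit that does not speak OSPF never becomes a neighbor, and what switch B records while the firewall fails over. Three scenarios are run: Rick's ASA-style pair (two addresses, silent standby, new unit forms fresh neighbor relationships), Masoud's FortiGate-style pair (one shared address, takeover with the neighbor table carried over, so no change is seen), and a takeover slower than the dead interval, where Rick's first answer applies and the neighbor times out before coming back. The addresses, timers and the `carry_state` shorthand for "the standby takes over with state intact" are assumptions of the model; DR/BDR election and LSA exchange are left out.

```python
"""Toy model of OSPF neighbor discovery on one broadcast segment (added
example; constructed addresses, not a vendor implementation)."""
from dataclasses import dataclass

HELLO_INTERVAL = 10   # seconds between Hellos (OSPF broadcast default)
DEAD_INTERVAL = 40    # seconds of silence before a neighbor is declared down


@dataclass(frozen=True)
class Hello:
    src: str              # sender's interface address, the only address OSPF keys on
    listed: frozenset     # neighbor addresses the sender has already heard from


class OspfRouter:
    def __init__(self, name, ip, active=True, hsrp_vip=None):
        self.name, self.ip, self.active = name, ip, active
        self.hsrp_vip = hsrp_vip   # carried for illustration only; OSPF never uses it
        self.seen = {}             # neighbor ip -> (time of last Hello, it listed us)
        self.events = []           # (time, neighbor ip, old state, new state)

    def state(self, nbr):
        if nbr not in self.seen:
            return "DOWN"
        return "2-WAY" if self.seen[nbr][1] else "INIT"

    def neighbors(self):
        """Neighbors in 2-Way state: what the thread loosely calls 'adjacent'."""
        return sorted(n for n in self.seen if self.state(n) == "2-WAY")

    def send_hello(self):
        return Hello(self.ip, frozenset(self.seen)) if self.active else None

    def receive_hello(self, hello, now):
        if not self.active or hello.src == self.ip:
            return
        old = self.state(hello.src)
        # A Hello that does not list us is the 1-WayReceived event: back to Init
        self.seen[hello.src] = (now, self.ip in hello.listed)
        self._record(now, hello.src, old)

    def expire(self, now):
        for nbr, (last, _) in list(self.seen.items()):
            if now - last >= DEAD_INTERVAL:       # dead timer fired
                old = self.state(nbr)
                del self.seen[nbr]
                self._record(now, nbr, old)

    def _record(self, now, nbr, old):
        new = self.state(nbr)
        if new != old:
            self.events.append((now, nbr, old, new))


class Segment:
    """One VLAN: every Hello sent is delivered to every router attached to it."""
    def __init__(self, routers):
        self.routers, self.now = routers, 0

    def run(self, seconds):
        for _ in range(seconds // HELLO_INTERVAL):
            hellos = [h for r in self.routers if (h := r.send_hello())]
            for r in self.routers:
                for h in hellos:
                    r.receive_hello(h, self.now)
                r.expire(self.now)
            self.now += HELLO_INTERVAL


def failover(old, new, carry_state=False):
    """Make `new` the active unit. Units with distinct addresses swap them
    (the ASA active/standby pair); units sharing one address just take over.
    carry_state models a takeover with the neighbor table already in place."""
    old.active, new.active = False, True
    old.ip, new.ip = new.ip, old.ip
    new.seen, old.seen = (dict(old.seen) if carry_state else {}), {}


def scenario(active_ip, standby_ip, carry_state=False, takeover_delay=0):
    """Run 40 s steady state, fail over, run on; return the neighbor tables and
    the state changes SwitchB records for the firewall address after failover."""
    sw_a = OspfRouter("SwitchA", "10.0.0.2", hsrp_vip="10.0.0.1")
    sw_b = OspfRouter("SwitchB", "10.0.0.3", hsrp_vip="10.0.0.1")
    fw1 = OspfRouter("FW1", active_ip)
    fw2 = OspfRouter("FW2", standby_ip, active=False)
    seg = Segment([sw_a, sw_b, fw1, fw2])
    seg.run(40)
    before = {r.name: r.neighbors() for r in seg.routers}
    failover(fw1, fw2, carry_state)
    fw2.active = False                 # new unit stays quiet for takeover_delay
    seg.run(takeover_delay)
    fw2.active = True
    seg.run(40)
    after = {r.name: r.neighbors() for r in seg.routers}
    changes = [e for e in sw_b.events if e[0] >= 40 and e[1] == fw2.ip]
    return before, after, changes


if __name__ == "__main__":
    print("ASA-style (two addresses, silent standby):", scenario("10.0.0.11", "10.0.0.12"))
    print("FortiGate-style (one address, state carried):", scenario("10.0.0.11", "10.0.0.11", True))
    print("Takeover slower than dead interval:", scenario("10.0.0.11", "10.0.0.12", takeover_delay=40))
```

Reading the output: in every scenario the neighbor tables contain only interface addresses, never 10.0.0.1, which is the point both Rick and Masoud make about HSRP. In the ASA-style run switch B briefly drops to INIT when the newly active unit's first Hello does not yet list it, then returns to 2-WAY one Hello later; with the neighbor table carried over it records nothing at all; and when the takeover exceeds the dead interval the neighbor goes DOWN first and is rebuilt from scratch. On a real broadcast segment the routers would additionally elect a DR/BDR and only reach Full with those, so "2-WAY" here stands in for the relationship the thread calls adjacency.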

lpassmore
Level 1

Thank you both. Great input
