Question about OSPF

lsimon001
Level 1

Hello!

From the checkpoint FW, the primary route would be up to the “New Router” then out to the new circuits 1 and 2. If one of the 2 new circuits goes down then checkpoint shouldn’t route any traffic to the new router and direct it instead to the secondary route (below it).
The internal dynamic routing protocols I have available on CP are RIP and OSPF. Is it possible with OSPF for the New Router to advertise the 2 new circuit routes to the Check Point but only if they are BOTH up? If one of those 2 circuits is down, is it possible to not advertise the link from the CP to the New Router so traffic from CP goes out the secondary route?
If not, the other option is to get a 2nd “new router” and have one connect to new circuit 1 and the other to new circuit 2 with a leg coming off of the CP firewall for each. Then we could use OSPF there. However, with that setup I’m concerned about looping.
I guess I’m looking for logic that works in a way that on the New Router, if one of the 2 new circuit routers is down, do not advertise the link back to the CP Firewall.
BTW, these “new routers” are unmanaged so we would have to work with the ATT/Vendor to make changes.


Francesco Molino
VIP Alumni

Hi

I'm not sure I understand your concern.

To take an example, let's assume that Circuit 1 and 2 are advertising subnet 12.0.0.0/8.

Could you tell us what the secondary router is announcing to checkpoint? A default route?

Your concern is if one of the links Circuit 1 and/or 2 is going down, you want to stop OSPF peering and route traffic to the secondary router?

If this is your concern, you can do some tracking and IP SLA associated to change the routing behaviour.

This tracking could be done on New Router facing Circuit 1 and 2 routers:

- track 1 interface and shutdown the other in case of failure of this tracked interface.

OR

If you aren't managing this new router, you can do an ICMP track of those 2 links from the secondary router and announce a static route with a better AD.

Let's take an example:

- you have to create a static route with the track capability at the end. This route must point to Null0

- redistribute this static route to ospf. As there is a tracking, it will be redistributed only when your tracking changes status.

I would prefer the 1st solution as it's the simplest one.

However, in order to help you better, I would like to have more details on what you want to achieve. I'm sorry but I'm lost with your explanation.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for the reply and sorry I didn't explain better the first time.

You pretty much got it though. If the link for New Circuit 1 OR New Circuit 2 goes down then shutdown the interface that connects to the Check Point Firewall so traffic doesn't even get routed to New Router and Check Point will send it down to the secondary route.

There is a good chance we aren't managing this new router as it's from the vendor but we may be able to work with them and have them setup the tracking (hopefully).

What I do know is the New Router is model 4331 and reading a bit about tracking it seems like it's supported in the OS at least if it's v12.4T or higher, unless I'm mistaken.

4331 routers are quite new.

Tracking is supported since a very long time now. In case you can't do it on this new router, let me know and we will see to do it on your secondary router. In that case the setup will be a little bit more complex but not difficult at all.

PS: if this issue is solved, please don't forget to rate and mark as correct answer.

Thanks 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Will do!

Just to recap, let's say this 4331 router has 3 interfaces

interface serial 0/0 which goes to New Circuit 1

interface serial 0/1 which goes to New Circuit 2

interface fe0/0 which goes to check point.

------

Scenario: If either Serial interface goes down or the link is lost then shutdown interface fe0/0. That said, is it also possible to turn back on fe0/0 once the link of the down circuit comes back up?

As far as OSPF goes, if it's set up to advertise all of those networks, once the network on fe0/0 is shutdown because one of the serial interfaces goes down then it won't advertise the fe0/0 link and traffic will route to the secondary route.

Should the only static route be the one on Checkpoint for the secondary route?

If you want to keep it very simple, you can shutdown f0/0 when s1/0 or s2/0 is going down and unshut when they are back up. This will stop ospf peering and no more advertisements from new router.

Does the secondary router have an ospf peering with checkpoint?

You said that the fallback route is secondary that's connected to Internet. It means that you can join new router subnets from Internet in case of fallback?

Where is the default route pointing to on your checkpoint?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
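
The "shut fe0/0 when either serial link is lost, unshut when both are back" behaviour discussed above can be sketched with object tracking plus two EEM applets. This is an added example, not configuration posted by anyone in the thread; the interface names follow the recap in the question, and the track numbers, applet names and delay timers are assumptions.

```cisco
! Constructed example. Interface names follow the recap in the thread
! (Serial0/0, Serial0/1, fe0/0); names on a real 4331 will differ.
!
! One tracked object per circuit. The delay timers damp a flapping
! circuit so the firewall-facing link is not bounced on every blip.
track 1 interface Serial0/0 line-protocol
 delay down 5 up 30
!
track 2 interface Serial0/1 line-protocol
 delay down 5 up 30
!
! Track 10 is up only while BOTH circuits are up (boolean AND).
track 10 list boolean and
 object 1
 object 2
!
! Either circuit lost: shut the firewall-facing interface, which
! drops the OSPF adjacency so the firewall falls back to its default.
event manager applet CIRCUIT-LOST
 event track 10 state down
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface FastEthernet0/0"
 action 4.0 cli command "shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Track 10 down: FastEthernet0/0 shut"
!
! Both circuits back: re-enable the interface so OSPF re-forms.
event manager applet CIRCUITS-RESTORED
 event track 10 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "interface FastEthernet0/0"
 action 4.0 cli command "no shutdown"
 action 5.0 cli command "end"
 action 6.0 syslog msg "Track 10 up: FastEthernet0/0 enabled"
```

`show track brief` and `show event manager policy registered` confirm the tracked state and that both applets are loaded. Line-protocol tracking only sees a local link failure; a fault further along the circuit needs the IP SLA style of tracking mentioned earlier in the thread.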

Currently the secondary router doesn't have OSPF peering with CheckPoint. However that will be happening if we move forward with this plan.

If fallback occurs yes, we hope to have the Check Point direct traffic to the secondary route. The default route now is pointing to the secondary route drawn up in the visio diagram. 

Lenny

If the default router of checkpoint is secondary router, that's enough and you don't need to do OSPF peering. I mean if new router is shutdown then ospf peering is going down. Checkpoint will not have specific routes and will then forward all traffic to the secondary router.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question