topic Re: How to make upstream connected devices learn that downstream core switches are down in General Topics

How to make upstream connected devices learn that downstream core switches are down

Sukhmeet — Mon, 24 Jan 2022 05:58:54 GMT

Hi all,

We have active passive setup of firewalls in both DC and DR site. The scenario I am trying to work on is, if my downstream connected core switches are down in primary DC, how can make ISP and MPLS connected devices on my upstream learn that all traffic should be routed to DR site firewalls.

Basically, How can we make ISP and MPLS router learn that both core switches are down eventhough the firewalls are UP.?

Re: How to make upstream connected devices learn that downstream core switches are down

PavelK — Mon, 24 Jan 2022 12:58:27 GMT

Thank you for the post @Sukhmeet

I would address this issue by enabling routing protocol (OSPF or BGP) between Firewalls and Core Switches. If Core Switches are down routes advertised through core switches will be withdrawn. If you can peer with your MPLS provider by BGP you can do more advanced design with conditional route advertisement to inject a route if another route you are tracking is withdrawn.

Kind Regards

Pavel

Re: How to make upstream connected devices learn that downstream core switches are down

Sukhmeet — Thu, 27 Jan 2022 04:30:52 GMT

Thanks Pavel, yeah it make sense. we will have BGP peering with MPLS router (i will check on conditional route advertisement part) however, we do not have BGP peering with ISP and we are using static route with ECMP enabled on 3 ISP links. Can you tell how can it trigger failover on ISP side when both core switches are down? please note both DCs have same ISP with 3 links and we have VLAN configured which is enabled on primary DC and only when the primary DC ISP link fails secondary DCs ISP Vlans will be enabled.

Thanks in advance

Re: How to make upstream connected devices learn that downstream core switches are down

PavelK — Thu, 27 Jan 2022 23:16:20 GMT

Thank you for reply @Sukhmeet

It is hard for me to give further suggestion without knowing all details of your network. Based on what you described that you rely on a static route, my general advice would be following failover mechanism (I apologize for using Cisco terminology).

Configure 2x ip sla. One is probing loopback of core switch 1 and second probing loopback of core switch 2.

Configure tracking list with boolean "and operator" to match both ip sla.

Add the tracking object to your static route and redistribute static route to BGP.

With the above configuration, once both ip sla fail, the tracking object will invalidate static route and BGP will withdraw this route from advertisement. This is the only way I can think of that upstream devices will learn about failure of downstream devices without running routing with them.

Since you mentioned about disabling and enabling Vlan. You can also create an EEM script to take an action based on tracking object to for example shut / no shut vlan.

Kind Regards

Pavel