OSPF with Active/Passive HA

L2 Linker

Hi,

 

I came across this design guide and am looking at labbing this up for testing, as the design could be a good fit for our production environment, with a few tweaks. In my case, I'll be using OSPF between the firewalls and internal routers A and B. The connections to the edge routers A and B will be the provider routers, so they will be outside facing and I won't be running OSPF between them.

 

[Image: OSPF HA.PNG]

 

I have a few questions about the floating static routes mentioned:

 

1. Are these floating static routes configured on internal router A and edge router A?

2. Are these floating static routes also configured on the Palo Alto as static routes? The screenshots show them being on the Palo Alto.

 

Just to get my upstream and downstream routers right:

 

1. Is the upstream router edge router A?

2. Is the downstream router Internal router A?

 

Anyone used this design on their production network? Any limitations, advantages/disadvantages with the design?

 

Your advice and thoughts are appreciated.

 

 

 

 

7 REPLIES

L4 Transporter

IMO,

 

  • If you are doing Active/Passive, why not put a switch between the routers and the Firewall HA pair? An ARP transition is almost unnoticeable and solves the goofy floating static setup.
  • Or, just go all the way and run this as Active/Active. While you're at it, full mesh the routers/firewalls and build your redundancy that way?

 

There are a lot of design solutions in a setup like this.  But to answer your question, the floating static is set on ALL routers in this setup (but different IP on the internal vs the external routers).  The reason for the floating static is that the Next Hop IP will transition to the Passive Firewall before OSPF reconverges from a failure event.   With a floating static, this means there is a backup route already in the table.  So when OSPF goes down temporarily (and it will), this backup route is ready and waiting to be pushed into the FIB for near uninterrupted traffic flows.

 

I highly recommend reading through the PAN documentation on HA - https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/ha-overview.html

 

Does this make sense?

Hi Jeremy,

 

Thank you for your reply. Why the floating static routes are used does make sense: in case OSPF does fail, the traffic will still flow.

 

So I would configure a static route on Edge Routers A and B (the upstream routers), pointing to the Datacentre LAN. And a static route pointing to the Internet/0.0.0.0/0, on Internal Routers A and B (the downstream routers). Is this correct for this scenario?

 

An Active/Active option is not possible as the Palos will be 25 miles apart from each other (for DR purposes). The two Palos will be connected via the HA link over 2 x L2 links between two sites. One of these L2 links will be the primary (the active) and the other will be the secondary (the backup link), hence exploring the Active/Passive design option.

 

Please let me know if I am right about the configs of the static routes, on those routers.

L2 Linker

@jeremy.larsen

 

So, I've been labbing this up and have created the floating static routes on all the routers as you mentioned. In steps 12 and 13 of the configuration guide, it says redistribute the floating static routes upstream and downstream. Does this mean I have to create a Redistribution Profile on the Palo Alto and add it to the Export Rules in OSPF?

 

[Image: OSPF redis.PNG]

 

Many thanks in advance.

The redistribution will have to be done on your routers because this is where the static routes are created.  Since you have L2 between the sites, I would REALLY look at either sticking an HA switch stack between the routers and the FW and letting ARP handle all of this for you.  Otherwise I would look at Active/Active and Anycast your Default Gateways down.  It just appears you are over-complicating an easy solution IMO.
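Putting Jeremy's two points together (a floating static that only wins once the OSPF route is withdrawn, and redistribution done on the router rather than on the firewall), here is an added example of what the downstream router's side could look like. It is not from the design guide or from any poster; it assumes Cisco IOS-style syntax, and the addresses are constructed.

```text
! Internal (downstream) router A - IOS-style syntax assumed, addresses constructed.
! 10.10.1.1 is the firewall HA pair's inside IP; on failover it moves to the
! passive unit before OSPF has reconverged, which is why the backup route exists.
interface GigabitEthernet0/0
 description Link to firewall HA pair (inside)
 ip address 10.10.1.2 255.255.255.0
 ip ospf 1 area 0
!
router ospf 1
 router-id 10.10.1.2
 ! Advertise the default downstream (the "redistribute downstream" step).
 ! For a 0.0.0.0/0 this is default-information originate, not redistribute static;
 ! it only fires while a default route (here the floating static) is in the RIB.
 default-information originate
!
! Floating static default: AD 200 loses to OSPF (AD 110) while the OSPF-learned
! default is present, and is installed the moment that route is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.10.1.1 200
!
! Check before and after a failover:
!   show ip route 0.0.0.0   -> "O*E2" while OSPF is up, "S*" once the static takes over
```

The edge (upstream) routers need the mirror of this: a static for the datacentre LAN pointing at the firewall's outside IP, with an administrative distance higher than whatever dynamic routes they carry, so it only takes over when those disappear.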

@jeremy.larsen 

 

Hi Jeremy, do you mean a switch between Internal Router A (and B) and Firewall 1 (and 2) and use VRRP or HSRP?

Yes.  But, since they are all in the same subnet, you could probably skip the VRRP/HSRP.  The IP on the FW will just move and re-ARP.  Session state would be maintained.  It really depends on how you have your routing set up and if you are able to do the same L2 on the "external" side as well.

Here is another idea you should consider. Rebuild the way you are thinking about your HA/DR/etc. plan. Break the HA pair and operate each FW independently. Think of them as Routers (because they are) and route ALL traffic between sites through the firewalls. This is of course only if you have enough horsepower to push whatever bandwidth you have available between sites. Any inbound services should be routed through some kind of load balancer (i.e. F5/Netscaler/etc.). Use DNS to move your inbound services if your primary site goes down, or even load balance both ISPs and you could have both sites running even if the interconnects go down. I really don't like the floating static design as there are more dynamic ways of handling this problem. You could also run an HA pair at each site in this design, which gives you even more failure protections.

 

Penny for your thoughts?
