This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA active/passive OSPF design

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

HA active/passive OSPF design

tirexxerit
L2 Linker

‎08-23-2018 04:48 AM

Hi,

   Following topology is from PAN's design guide for A/P OSPF setup.

I wonder if it brings any benefit to connect firewall1 to Edge Router B and

Firewall 2 to Edge Router A with additional cabling run OSPF there too.

   The only thing I can see is that there won't be a firewall failover but routing protocol

will re-route the traffic via RouterB if RouterA is in trouble and vice versa.

 

thanks for your feedback in advance.

 

 

 

 

ospf_design.png

0 Likes Likes
4 REPLIES 4

JoeAndreini
L4 Transporter

‎08-23-2018 05:01 AM

With the topology in the diagram, you would need link and path monitoring to force a failover in the event of a router failure (internal or external)

 

Your proposed physical links could remove that requirement, given you have enough interfaces to support it.

 

I do not know offhand why PAN suggests this topology over your proposal.

0 Likes Likes

tirexxerit
L2 Linker
In response to JoeAndreini

‎08-23-2018 05:16 AM

Link and path can be monitored but which one would be faster and with less outage considering we follow the HA best

practices.

If OSPF is involved with dual links then there should be BFD for a quick failover in case the neighbor goes down as well.

I need to dig more and do some tests.

 

thanks.

 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to tirexxerit

‎08-23-2018 07:30 AM

Hello,

From my experience the failover has been pretty quick. The HA is usually without drops ( i used to vpn into an HA pair and perform upgrades and never lost VPN connection). As for OSPF its pretty quick as well. I have seen anywhere from 3-7 ping drops during the failover.

 

I guess it all depends on your companies pain tolerance during a failover event. I think the guide was written with using as few interfaces as possible. The other thing you have to remember is asymetric routing where the routers are concerened if you are pluggin into both of them. You would then need to add weights to the connections so asymmetry doesnt happen.

 

Just some thoughts.

0 Likes Likes

tirexxerit
L2 Linker
In response to OtakarKlier

‎08-23-2018 08:04 AM

The thing is that outage during a planned upgrade is usually less than

an event causing an outage. At least from our experience:) otherwise during a planned upgrade and failover

it is mostly pretty seamless 1-2 ping loss and no session drop.

Involvement of BFD, Graceful restart greatly impacts too but I think setting which can work for one expected event

may not work for another.

Thanks for your thoughts, much appreciated.

 

0 Likes Likes
  • 3736 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks