01-23-2022 09:58 PM
Hi all,
We have active passive setup of firewalls in both DC and DR site. The scenario I am trying to work on is, if my downstream connected core switches are down in primary DC, how can make ISP and MPLS connected devices on my upstream learn that all traffic should be routed to DR site firewalls.
Basically, How can we make ISP and MPLS router learn that both core switches are down eventhough the firewalls are UP.?
01-27-2022 03:16 PM
Thank you for reply @Sukhmeet
It is hard for me to give further suggestion without knowing all details of your network. Based on what you described that you rely on a static route, my general advice would be following failover mechanism (I apologize for using Cisco terminology).
Configure 2x ip sla. One is probing loopback of core switch 1 and second probing loopback of core switch 2.
Configure tracking list with boolean "and operator" to match both ip sla.
Add the tracking object to your static route and redistribute static route to BGP.
With the above configuration, once both ip sla fail, the tracking object will invalidate static route and BGP will withdraw this route from advertisement. This is the only way I can think of that upstream devices will learn about failure of downstream devices without running routing with them.
Since you mentioned about disabling and enabling Vlan. You can also create an EEM script to take an action based on tracking object to for example shut / no shut vlan.
Kind Regards
Pavel
01-24-2022 04:58 AM
Thank you for the post @Sukhmeet
I would address this issue by enabling routing protocol (OSPF or BGP) between Firewalls and Core Switches. If Core Switches are down routes advertised through core switches will be withdrawn. If you can peer with your MPLS provider by BGP you can do more advanced design with conditional route advertisement to inject a route if another route you are tracking is withdrawn.
Kind Regards
Pavel
01-26-2022 08:30 PM
Thanks Pavel, yeah it make sense. we will have BGP peering with MPLS router (i will check on conditional route advertisement part) however, we do not have BGP peering with ISP and we are using static route with ECMP enabled on 3 ISP links. Can you tell how can it trigger failover on ISP side when both core switches are down? please note both DCs have same ISP with 3 links and we have VLAN configured which is enabled on primary DC and only when the primary DC ISP link fails secondary DCs ISP Vlans will be enabled.
Thanks in advance
01-27-2022 03:16 PM
Thank you for reply @Sukhmeet
It is hard for me to give further suggestion without knowing all details of your network. Based on what you described that you rely on a static route, my general advice would be following failover mechanism (I apologize for using Cisco terminology).
Configure 2x ip sla. One is probing loopback of core switch 1 and second probing loopback of core switch 2.
Configure tracking list with boolean "and operator" to match both ip sla.
Add the tracking object to your static route and redistribute static route to BGP.
With the above configuration, once both ip sla fail, the tracking object will invalidate static route and BGP will withdraw this route from advertisement. This is the only way I can think of that upstream devices will learn about failure of downstream devices without running routing with them.
Since you mentioned about disabling and enabling Vlan. You can also create an EEM script to take an action based on tracking object to for example shut / no shut vlan.
Kind Regards
Pavel
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
