Question

Same IP on each side of VOSS cluster for mirrored P2P's to Firewall

  • 4 January 2021
  • 8 replies
  • 106 views


Hi,

Currently trying to convert an EXOS configuration into VOSS with a topology I’m not sure how best to translate.

Here is a simple diagram of the topology. The two VOSS switches are a clustered pair.


Here there are two firewalls configured as active/passive: the active is top left, the passive top right.

The links actually criss-cross, but for simplicity I’ve drawn them as above. In essence there are four VLANs, 3501 to 3504, that are each P2P /30 subnets and are configured as OSPF/BFD link adjacencies.

On the active firewall the ports are all up and active; on the passive firewall the ports are all down.

The way it works, and the way it’s configured in EXOS, is that the same VLANs and P2P IPs are configured on both cores, but because the side on the right is down, the VLAN interfaces are down, and therefore there is no conflict in the fact that the same IP configuration is configured on both sides.

Should the active firewall fail, then the same P2P interfaces come up on the other core / firewall and everything is learned through there instead. This is configured that way as the firewalls have identical configuration, so when flipping across the configuration is still the same; hence the link configuration needs to be the same.

Not sure how to mirror this in VOSS, i.e. have the same IP on both sides. This is additionally required because if one VOSS core fails, the other VOSS core needs to own the IP addresses, much like the EXOS config would have.

Maybe I can use RSMLT or DVR in this capacity to create a common IP between the clustered VOSS switches?

Maybe I could do something with Flex-UNI to put the same VLANs on each side into different I-SIDs. That would essentially be the same VLAN ID on the port, but each port would have a different I-SID, meaning I could possibly use the same IP (P2P subnet)?

The only other option I can think of is having one side own two of the VLANs’ IP addresses (P2P subnets), and having the other side own the other two. I could then just use the fabric to get each of the VLANs to the correct place. The issue with that is if one of the cores fails, I effectively only have two OSPF adjacencies instead of four?

Many thanks in advance.



8 replies


Martin


What you need to know is that if you are running the VSPs in a vIST cluster, then the two switches exchange MAC addresses through the IST protocol (you always need to configure a VLAN on both sides, incl. I-SIDs). However, what the switches in that case check for by default is whether they learn the peer MAC through edge ports between the peer vIST switches, like in your setup, as the firewalls are L2 only. In this case, to avoid the peer MAC checking, you need to turn this feature off: “no sys control virtual-ist mac-move-protection”.

Now what I don’t understand is the following: you are talking about pt-to-pt links, but then you are talking about a cross-connection. In that case you don’t have point-to-points anymore, but there are multiple ports that are used for the same VLAN, one to FW 1 and one to FW 2, correct? Are you saying the firewall takes care of taking the ports up/down, and thus in an active setup only one port is up for a given VLAN per switch?


Roger


Hi Martin,

As it is a VOSS cluster, all VLANs have to be present on both VOSS switches and have an I-SID.

You can perfectly mirror the VLAN config on the ports, and to ensure high availability on the L3 side of the VOSS cluster you can use RSMLT (using 2 IP addresses) or VRRP (using 3 IP addresses). This will clean up the “same IP issue”.

If the firewall is putting down the port, the FDB should be cleaned. I don’t see any MAC issue.

Mig


Believe me, if the traffic is bridged through the firewalls, then you will see a MAC complaint and the VSP will move the peer MAC to the vIST if you don’t turn off “sys control virtual-ist mac-move-protection”.


Roger


Hi Roger,

If I understand the description well, we have an active/passive firewall cluster.

I have seen such a setup in production (Checkpoint), and the passive member is not forwarding any client traffic to the VSP. The MAC entries on both VSP clusters are different on the uplink ports towards the firewall.

Martin is also mentioning OSPF between the firewalls and the VSP. In such a case, a /30 subnet is not enough to activate RSMLT.

@Martin Flammia, can you clarify the behaviour of your firewalls concerning the active/passive (traffic forwarding) and OSPF?

Mig


Yes, but don’t forget he is talking about a single VLAN (actually 4 VLANs) being on both vIST switches, bridged by the cross-links from/to the FW, which he has not drawn.

Roger

@Martin Flammia

Could you complete the topology diagram with the missing links?

Are the 4 VLANs on 4 different ports?

Are the uplinks between VSPs in SMLT config?

Mig


Sorry guys, I should have added more detail to the query. My head is in the problem so I’ve made assumptions on the detail you needed to know about without realising it.

Hopefully this diagram will help better; it also shows what I meant by the criss-crossing links, which I wasn’t clear on.

So each of the connections is an L3 PTP connection, running OSPF and using ECMP.

Drawing it out like this actually makes it clearer to myself (and jogs my memory), in that the third option I gave would actually do the trick, i.e. I don’t actually need to configure each of the 4 PTP IP addresses on both sides. It’s just how the config is written in EXOS, but it doesn’t actually serve any advantage or get used in that way (some old config was lingering around).

If the firewall to the left goes down, the second firewall goes active and all the links come up. That means each of the four PTP links comes up as before but just pointing to the other firewall, but the bit to pay attention to is the fact that the same VLAN IDs are used on the same switches.

The reason for that is when I come across this issue:

Basically I originally had all the VLANs and IP addressing configured on each core (hence thinking I needed to mirror it in VOSS), i.e. if you just focus on core 1 (bottom left), I had it configured for VLANs 3501 (Active), 3502 (Active), 3503 (Passive) and 3504 (Passive). When the firewall flipped it went 3501 (Passive), 3502 (Passive), 3503 (Active) and 3504 (Active).

This created an issue where the PTP links stopped working. This turned out to be because the firewall would see the same MAC address from the switch when the VLANs changed from 3501 & 3502 to 3503 & 3504. This caused an issue because when the firewall goes from passive to active it is expecting to see the same MAC coming from the same VLANs, but it didn’t, and so stopped working.

The answer was to make sure the VLANs stayed the same on the cores when the firewalls flipped across from passive to active, and this was done by plumbing it in as above.

The thread was really useful though, as it’s presented answers to other scenarios; maybe this isn’t the best way of doing it and there’s a different way of doing it in VOSS.

Hopefully the information will be helpful to someone else :)

Apologies for the confusion and for misleading the conversation.

Thanks,

Martin


This makes sense now :-) There are multiple ways to do it. I actually prefer a L3 solution over an L2 solution where the FW bridges two VLANs.


Roger