Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.

Best option to enable OSPF

  • 1.  Best option to enable OSPF

    Posted 03-04-2013 03:02
    Hi, We are planning to enable OSPF on three switches which are located in different locations, and we have a query on enabling OSPF on the switches, i.e., what is the best option to enable OSPF on: an interface loopback or the default VLAN? Please suggest on this. Regards, Yugandhar


  • 2.  RE: Best option to enable OSPF

    Posted 03-04-2013 09:56

    Are the 3 different locations connected via LAN or WAN?

     

    OSPF is enabled globally, and you'll add the interfaces which are going to peer with other OSPF routers to your necessary area (0, to start with..). Best practice is to also add your device's loopback interface (passive) and set that address as your router ID. Also, I highly recommend using a VLAN just for your routing rather than using the default VLAN for everything. For 3 switches you can do a /29 subnet. Or you can use 3 /30s (I can't remember offhand if you can use /31s on Junos?) and set all your router links as point-to-point -- this will speed up peer formation and convergence since there is no DR/BDR election.

     

    Any interfaces which should participate in routing, but not peer with other routers should be set to passive. On your peering interface use MD5 authentication. There are various things that people will suggest as far as tuning timers, etc., but I suggest sticking with defaults unless you have a demonstrated reason not to. Unless your routing domain is huge or you have other esoteric design issues, messing with default timers usually leads to more confusion than it helps. There are other [better] ways to solve design issues.



  • 3.  RE: Best option to enable OSPF

    Posted 03-04-2013 10:35
    You can use /31's in p2p interfaces only, which ethernet is not.

    Sent from a tiny keyboard.
    (potential brevity and typos)


  • 4.  RE: Best option to enable OSPF

    Posted 03-07-2013 11:00

    @erdems wrote:
    You can use /31's in p2p interfaces only, which ethernet is not.

    Actually, ethernet can be point-to-point.

     

    From the Configuring the Interface Address section of the Junos OS Network Interfaces guide:

     

    Note: Juniper Networks routers and switches support /31 destination prefixes when used in point-to-point Ethernet configurations; however, they are not supported by many other devices, such as hosts, hubs, routers, or switches. You must determine if the peer system also supports /31 destination prefixes before configuration.

     



  • 5.  RE: Best option to enable OSPF

    Posted 03-07-2013 03:26
    Hi Keithr, Thank you for your response and suggestion. We have a network setup of 3 locations, ICC, QP and ST, which are interconnected by point-to-point links. We are looking for an auto fail-over option: whenever any point-to-point link goes down, traffic should go over the alternate path. "ST" location is a LAN extension of "QP" location and will get internet from "QP" location's ISP, and we have existing VPN tunnels on both locations' ISPs. So we have the following requirements:
    1. Whenever the QP to ST p2p link is down, "ST" location users should get internet from "ST" location ISP through QP location
    2. Whenever "QP" location ISP is down, QP & ST location users should get internet from ICC location ISP
    3. If ICC location ISP goes down, users should get internet from QP location.
    Please find attached the network diagram and core switch configurations for your reference. The JTAC engineer suggested the attached OSPF configuration. Please look into the configuration and suggest the best possible solution. Regards, Yugandhar

    Attachment(s): QP-Core-Config.txt (767 B), ICC-Core-Config.txt (747 B), ST-Core-Config.txt (605 B)


  • 6.  RE: Best option to enable OSPF

    Posted 03-07-2013 03:47

    Please ignore previous configuration files. Please find updated configuration files.

     

    Regards,

    Yugandhar

    Attachment(s): ST-Core-Config.txt (768 B), ICC-Core-Config.txt (997 B), QP-Core-Config.txt (1015 B)


  • 7.  RE: Best option to enable OSPF

    Posted 03-07-2013 11:29

    What they have provided / suggested is a very basic setup that should work as you've described.

     

    Really, the only thing they've done is assign the link from ST -> ICC with a metric of 6 and the link from ST -> QP with a metric of 5, which means that traffic passing through ST will prefer the route to QP if it is available.

     

    What it does not take into account, however, is how your ISPs are going to route traffic back to your networks.  The scenarios are different if the ICC ISP and QP ISP are different ISPs or the same, but in either way, because you have firewalls (are they standalone or are the ICC and QP firewalls a cluster that share session state?) you don't want an asymmetric routing situation.

     

    For example, traffic from VLAN 90 at ST may go out through QP and then out through QP's ISP, however, depending on how your routes are set up with your ISPs, traffic could possibly come back to your network via ICC's ISP.

     

    I also will reiterate that OSPF should be set to passive on your non router-to-router links (your access VLANs which appear to be all VLANs except 0?) and you should use MD5 authentication on your vlan 0 links for security.

     

    If your firewalls support OSPF you could alleviate some of the static routing, but that may or may not be a benefit depending on how you do your outside routing with your ISPs.



  • 8.  RE: Best option to enable OSPF

    Posted 03-07-2013 21:47

    Hi Keithr,

     

    We have SSG-320M HA in both the locations and there is no HA between the ICC and QP firewalls. We are using a simple default route in both the locations to get internet. ICC and QP ISPs are different ISPs.

     

    This setup is not yet implemented and tomorrow we are planning to implement this setup.

     

    Now as per your suggestion we will do some small changes in the configuration, i.e. MD5 authentication for vlan.0, and will set OSPF as passive for all other VLANs in all the locations.

     

    As I mentioned, we have an Exchange network which all the three location users will access over p2p links. We planned to add a static route in the firewall as well as in ICC core for Exchange. Is it helpful, or should we enable OSPF if we have more networks like Exchange on the firewall? Please suggest us the same.

     

    One more query is what will be the default route I need to mention in the ST core? Shall I mention a default route to the QP core default IP address? Please suggest

     

    Regards,

    Yugandhar.

     

     



  • 9.  RE: Best option to enable OSPF

    Posted 03-08-2013 10:37

    @yugandhar.mocherla wrote:

     

    We have SSG-320M HA in both the locations and there is no HA between the ICC and QP firewalls. We are using a simple default route in both the locations to get internet. ICC and QP ISPs are different ISPs.


    I will caution you to investigate your routing with your ISPs carefully.  In order for your setup to work, you're going to be advertising the same networks into your ISPs, or else you're going to be running everything through NAT at your SSG firewalls and having separate address ranges for the ICC and QP Internet links.  If you're not running everything through NAT, then you will have to see how your networks are advertised to your ISPs as you can potentially have issues with asymmetric routing, and that won't work with your setup.

     


    Now as per your suggestion we will do some small changes in the configuration, i.e. MD5 authentication for vlan.0, and will set OSPF as passive for all other VLANs in all the locations.


    I would also remind you to set a loopback address for each switch with a consistent address scheme and be sure to set your router-id to the loopback address on each switch.  This is best practice.


    As I mentioned, we have an Exchange network which all the three location users will access over p2p links. We planned to add a static route in the firewall as well as in ICC core for Exchange. Is it helpful, or should we enable OSPF if we have more networks like Exchange on the firewall? Please suggest us the same.


    When you say p2p links to the exchange network -- what do you mean by that?  Do you have dedicated links to the Exchange network switch from each of your other 3 switches?  What I see on the diagram doesn't show p2p links to/from the Exchange network.  Are you running VPNs from your users to your Exchange network through the ICC SSG firewall?


    One more query is what will be the default route I need to mention in the ST core? Shall I mention a default route to the QP core default IP address? Please suggest


    You don't set a default route on the ST core -- that's what the OSPF link metrics are going to do for you.  ICC and QP are both going to be sending default routes through OSPF, and ST is going to be configured to prefer QP's path.  If QP goes down, traffic will then go through ICC.  Just to reiterate, though, a big problem here could possibly be how your Internet traffic routes.  You haven't included anything with addressing or network advertisements so we don't know how your Internet routing is going to work.

     



  • 10.  RE: Best option to enable OSPF

    Posted 03-10-2013 22:38

    Hi ,

     

    Thank you for your valuable suggestions. The day before yesterday we went live with this setup, and at the last minute the JTAC engineer made changes in the OSPF setup. Now this setup is live, with one limitation.

     

    Whenever the QP and ST link goes down, ST users can access all the internal resources except remote office locations through QP internet. As per Juniper TAC there is no possibility to meet that requirement, and the OSPF configuration was changed. Please find the OSPF configuration files of all the locations.

     

    ICC and QP internet links have separate address ranges, and in this setup the core switches don't know about the internet link status, whether it is up or down. I think we need to configure OSPF in the firewalls also. Am I correct?

     

    Regards,

    Yugandhar

    Attachment(s): ST-OSPF.txt (788 B), QP-OSPF.txt (880 B), ICC-OSPF.txt (1 KB)


  • 11.  RE: Best option to enable OSPF

    Posted 03-10-2013 22:42

    Sorry missed the changed network setup diagram.

     

    Regards,

    Yugandhar



  • 12.  RE: Best option to enable OSPF
    Best Answer

    Posted 03-11-2013 10:50

    The reason this is happening is because when the link between ST <-> QP goes down, traffic is re-routing through ICC.  However, once traffic hits the ICC switch, ICC says "I have a default route out" and is sending traffic out its Internet link vs. sending over to QP.

     

    That's how it's supposed to work, technically, but it's not what you want to happen.

     

    If ICC and QP are using different addresses and all traffic is behind NAT, this shouldn't be a problem.  But if you're not NATting your traffic to your remote offices (VPN tunnels?) then I could see it being an issue as traffic will have an asymmetric route back -- which is the scenario I warned of.

     

    There are a few different ways that this could be worked around... but any of them require a bit of thought and some changes to your configs.  GRE tunnel is one option.  Or you could involve your firewalls in OSPF and conditionally advertise your default routes, which may not behave as you want either depending on your needs.

     

    I noticed in your configs that you still don't have your access VLANs set to passive interfaces, no router-id or loopbacks, and no MD5 authentication on your router links.  Also, you have your ICC - ST link set as a point-to-point (p2p) but your other links are broadcast.  This is not a "clean" config.

     

    I suggest at this point you involve a local resource / consultant who can help you design your routing the way you want it to work and nail down a best-practices OSPF configuration.  This isn't really the place for step-by-step walkthroughs of designing networks, though we do it to a certain extent.
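Pulling together the recommendations made in this thread (loopback as router-id, dedicated routed links set to point-to-point with MD5, access VLANs passive, and the metric 5 / metric 6 preference for the ST core from the JTAC config), here is an added example of what a "clean" Junos OSPF configuration for the ST core switch could look like. It is not taken from the thread or its attachments; the VLAN IDs, interface units, addresses and the authentication key are assumptions.

```junos
## Added example (not from the thread or its attachments): ST core switch.
## Assumed: vlan.10 is the routed link to QP, vlan.20 the routed link to ICC,
## vlan.90 is a user/access VLAN. All addresses and the key are constructed.

## Bind the routing VLANs to L3 interfaces instead of routing over the default VLAN
set vlans link-to-qp vlan-id 10 l3-interface vlan.10
set vlans link-to-icc vlan-id 20 l3-interface vlan.20
set vlans users-90 vlan-id 90 l3-interface vlan.90

## Loopback: always-up address, used as router-id and advertised passively
set interfaces lo0 unit 0 family inet address 10.255.0.3/32
set routing-options router-id 10.255.0.3

## /31 point-to-point links. Junos supports /31 on p2p Ethernet (see the quoted
## Note above); both ends here are Junos switches, so the peer caveat is met.
set interfaces vlan unit 10 family inet address 10.0.1.1/31
set interfaces vlan unit 20 family inet address 10.0.2.1/31

## Access VLAN for users (constructed address)
set interfaces vlan unit 90 family inet address 192.168.90.1/24

## OSPF area 0. interface-type p2p removes the DR/BDR election on the router
## links; the lower metric makes QP the preferred path and ICC the fallback.
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface vlan.10 interface-type p2p
set protocols ospf area 0.0.0.0 interface vlan.10 metric 5
set protocols ospf area 0.0.0.0 interface vlan.10 authentication md5 1 key "CHANGE-ME-shared-secret"
set protocols ospf area 0.0.0.0 interface vlan.20 interface-type p2p
set protocols ospf area 0.0.0.0 interface vlan.20 metric 6
set protocols ospf area 0.0.0.0 interface vlan.20 authentication md5 1 key "CHANGE-ME-shared-secret"

## Access VLAN participates in routing (its prefix is advertised) but never peers
set protocols ospf area 0.0.0.0 interface vlan.90 passive

## Verification after commit (operational mode):
##   show ospf neighbor        -> two Full neighbors, no DR/BDR state on p2p links
##   show ospf interface       -> vlan.90 and lo0.0 listed as passive
##   show route 0.0.0.0/0      -> default learned via OSPF with next hop on vlan.10
```

The same key ID and key must be configured on the matching interface of the QP and ICC switches, and the interface-type must be p2p on both ends of each link or the adjacency will not form.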

     



  • 13.  RE: Best option to enable OSPF

    Posted 03-11-2013 20:52

    Hi ,

     

    Thank you for your suggestions on the configuration and your recommendations. I will consult the local partner for the setup, but the problem is we have taken Juniper TAC support and the JTAC engineer configured the OSPF. He missed all the recommended points like router-id, MD5 authentication and passive interfaces. I already raised the point about passive interfaces; he said that it is optional and not important.

     

    Anyway I will consult any local partner for my requirements and once again thank you for your valuable support and recommendations.

     

    Regards,

    Yugandhar