ddskier
New Member
March 27, 2012
Question

OSPF - Point to Point Failover

  • March 27, 2012
  • 10 replies
  • 16245 views
We currently have two point-to-point lines that connect our main office to our Collocation center. We primarily force all traffic over the main point-to-point using static routing. (We do have some traffic going over the backup line via a policy route.) We are currently using the Detect Server (Ping) feature of the Fortinet units to know if the main point-to-point is down. The problem that we are running into is that we would like to move towards dual stacked IPv4 and IPv6, however, the Fortinet has no plans to support the Detect Server feature for IPv6. So I was thinking about moving to a routing protocol setup like OSPF to accomplish the same thing as the Detect Server. Is this possible using OSPF with two point-2-point links that connect to the same two end points? Or does anyone have an alternative method?

    10 replies

    rwpatterson
    New Member
    March 27, 2012
    Possible and being done now by me. The up/down rate is far quicker than using the ping detection feature. Currently used between my home office and a photo lab I manage. I have one Internet connection while the lab has two. I can drop either one on the remote end and still connect through via the other VPN and OSPF without a care.
    emnoc
    New Member
    March 27, 2012
    OSPF would be your best bet and the 2 end-points on the same router is not of a concern. Just place both in area0 and set the metric on what path you prefer. You might need to enable asymmetrical routing if traffic egressing an interface does not fully return on the same path, but outside of that, it is a simple deployment. fwiw: I haven't played with OSPFv3 but I think you could get creative and route IPv4 out one link via metrics and IPv6 out the other. You can then effectively load up both paths and use all available bandwidth. Just some food for thought.
    ddskier
    ddskierAuthor
    New Member
    March 27, 2012
    Thanks for the input. Of all the routing protocols, I have not implemented OSPF before so I will need to learn as I go. I'm hoping to keep it as simple as possible. Couple of questions:
    1. If I leave the default setup for the timers, would it really take 40 seconds for OSPF to figure out the link is not working and adjust the routing tables? What values do you guys recommend?
    2. OSPF Networks: Do I want to define a network of 0.0.0.0 at the office side so that all internet requests get routed over to the collocation? (like in static routing) Then create a network of 10.10.x.x at the collocation side so that it routes office traffic back? Or do I have it reversed?
    3. OSPF Interfaces: Do I need to create one interface for IPv4 and another for IPv6 even though it is the same physical route?
    4. Can I use policy routing with this method? Or somehow control that certain traffic from a source IP goes down the backup line?
    I would appreciate any additional insight.
    rwpatterson
    New Member
    March 27, 2012
    ORIGINAL: ddskier Thanks for the input. Of all the routing protocols, I have not implemented OSPF before so I will need to learn as I go. I'm hoping to keep it as simple as possible. Couple of questions: 1. If I leave the default setup for the timers, would it really take 40 seconds for OSPF to figure out the link is not working and adjust the routing tables? What values do you guys recommend?
    I have never messed with the timers or tested that. Can't say for sure.
    2. OSPF Networks: Do I want to define a network of 0.0.0.0 at the office side so that all internet requests get routed over to the collocation? (like in static routing) Then create a network of 10.10.x.x at the collocation side so that it routes office traffic back? Or do I have it reversed?
    The 0.0.0.0 area (A.K.A. 'the backbone') is shared between the two. It needs to be common. Any other area(s) may hang off that one.
    3. OSPF Interfaces: Do I need to create one interface for IPv4 and another for IPv6 even though it is the same physical route?
    Don't use IPv6 myself, can't say.
    4. Can I use policy routing with this method? Or somehow control that certain traffic from a source IP goes down the backup line?
    There should be no reason you can't use policy routing. You have different interfaces to point the traffic down, so in theory, you should be OK.
    I would appreciate any additional insight.
    ddskier
    ddskierAuthor
    New Member
    March 27, 2012
    2. OSPF Networks: Do I want to define a network of 0.0.0.0 at the office side so that all internet requests get routed over to the collocation? (like in static routing) Then create a network of 10.10.x.x at the collocation side so that it routes office traffic back? Or do I have it reversed? The 0.0.0.0 area (A.K.A. 'the backbone') is shared between the two. It needs to be common. Any other area(s) may hang off that one.
    I thought the areas were separate from the "Networks"? At least it looks like that from the OSPF GUI. If it is, is my reasoning for the networks correct?
    emnoc
    New Member
    March 27, 2012
    OSPF timers can be adjusted, but when you do this take into consideration: 1: both sides must match & use the same timers 2: you increase the chance of a flap due to a 1-2-3 missed, which would not take place if the standard OSPF timers were used
    emnoc
    New Member
    March 28, 2012
    fwiw: Network 0.0.0.0 is the same as saying Area 0. On the default routing, just push or originate a default route into your OSPF process like what most others do. If you have an internal uplink gateway device (i.e. a cisco, juniper, etc.), push that default 0.0.0.0/0 into your OSPF process from that device (at the colo). In fact you could have multiple exits and provide redundancy if you had a co-lo failure. This would require a 2nd colo uplink location, but that's another whole design.
    emnoc
    New Member
    March 28, 2012
    After all that converges, the route with the least amount of hops is used for routing
    Everything you said is correct, except the above. Metric is the only calculation, and nowhere in the OSPF information base or computing do hops ever come into play. In fact you could have more hops between location X and Y but have a lower overall metric, and that could be installed into the RIB. BGP, RIP, EIGRP (cisco) all use hops in some shape or fashion for these distance vector protocols. I figure I would clarify this. FWIW: on cisco, you can very much install OSPF area statements as either network area 0 or network area 0.0.0.0. fwiw you can use a network-number for routing via static routes of a default-network for gateway of last resort, but hardly ever seen anybody doing that today and no such need for this with any dynamic routing protocols & a properly defined network imho
    rwpatterson
    New Member
    March 28, 2012
    Yep... The lowest COST is used. My bad. :(
    ddskier
    ddskierAuthor
    New Member
    March 30, 2012
    Sorry it took me so long to respond, I have been swamped with other things. So I think I have a configuration setup that should work (See Diagram). Questions:
    1. Does that look right to you guys as it will route traffic by default on the Main Point-2-Point line first? Does the networking look right?
    2. Once the routing gets the traffic from the Main Office to the Collocation via OSPF, I assume static and/or BGP routing takes over to route it to the Internet, right? Or do I have to use the "Redistribute" settings of OSPF within the Fortigate unit?
    3. Is there something specific I have to do to enable OSPFv3? Or just set up IPv6 Networks and it's automatic?
    Thanks for all the help!
    emnoc
    New Member
    March 30, 2012
    cool diagram and explanation, you can send the default route downwind via the right-side and have an automatic failover. PBR could be used as an alternative for traffic that you might want to break out of the normal route-selection.
    ddskier
    ddskierAuthor
    New Member
    April 1, 2012
    ORIGINAL: emnoc cool diagram and explanation, you can send the default route downwind via the right-side and have an automatic failover. PBR could be used as an alternative for traffic that you might want to break out of the normal route-selection.
    Questions: 1. Does that look right to you guys as it will route traffic by default on the Main Point-2-Point line first? Does the networking look right? 2. Once the routing gets the traffic from the Main Office to the Collocation via OSPF, I assume static and/or BGP routing takes over to route it to the Internet, right? Or do I have to use the "Redistribute" settings of OSPF within the Fortigate unit? 3. Is there something specific I have to do to enable OSPFv3? Or just set up IPv6 Networks and it's automatic?
    emnoc
    New Member
    April 2, 2012
    q1: yes
    q2: yes, whatever access or reach at colo is what and how you get to the internet, of course with appropriate fwpolicies and NAT/PAT rules
    q3: read the manual, they explain how to enable and to use IPv6. I have never done IPv6 on fortigates outside of static, and my other IPv6 routing has been bgp and EIGRP (cisco). But the concept starts with enabling ipv6 interfaces, applying v6 fwpolicy and placing routing, dynamic or static. The same thing that ipv4 needs, you will need for ipv6, and the concept is all prefix based, no more class boundaries or classful networks.
    ddskier
    ddskierAuthor
    New Member
    April 2, 2012
    Thanks for the help. Now that I think I have the settings planned out, I'm going to try them out. I'll let you know how it goes.
    ddskier
    ddskierAuthor
    New Member
    April 3, 2012
    Ok I believe that I have the OSPF working. I see entries in both firewalls' routing tables with a type of OSPF. I can even ping the various interfaces on the other firewall. The issue that I am running into now is that OSPF is NOT adding a default route so that the "Company" firewall will route all Internet requests to the "Colo" firewall. (See previous diagrams.) Basically, the "Company" firewall doesn't know to route Internet requests to the Colo. Any ideas on how I can get this default route working with my OSPF config?
    emnoc
    New Member
    April 3, 2012
    Did you investigate the OSPF originate at the colo? Worst case, you add statics and dead gateway detection.
    rwpatterson
    New Member
    April 3, 2012
    You could advertise the default gateway from the colo FGT and that should populate the OSPF database throughout. Caution, you advertise all static routes or none, so if there are some you wish to remain hidden, that's not a great option.
    ddskier
    ddskierAuthor
    New Member
    April 3, 2012
    The interesting thing is that I have OSPF set to advertise the static routes, but the default Internet route isn't showing up. Here is the "Colo" OSPF config for my test Fortinet:

        #config router ospf
            config area
                edit 0.0.0.0
                next
            end
            config network
                edit 1
                    set prefix 192.168.0.0 255.255.0.0
                next
            end
            config ospf-interface
                edit "OSPF1"
                    set dead-interval 20
                    set interface "port6"
                    set network-type point-to-point
                next
                edit "OSPF2"
                    set cost 250
                    set dead-interval 20
                    set interface "port8"
                    set network-type point-to-point
                next
            end
            config redistribute "connected"
            end
            config redistribute "static"
                set status enable
                set metric 15
            end
            config redistribute "rip"
            end
            config redistribute "bgp"
            end
            config redistribute "isis"
            end
            set router-id 192.168.100.1
        end

    Here is the static route configs:

        #config router static
            edit 1
                set device "port9"
                set gateway 172.16.1.129
                set weight 50
            next
            edit 3
                set device "port11"
                set distance 5
                set dst 10.10.0.0 255.255.0.0
                set gateway 172.16.4.1
                set weight 50
            next
            edit 5
                set device "ssl.root"
                set distance 8
                set dst 10.12.254.0 255.255.255.0
                set weight 50
            next
        end

    Here is the output of the "Corp" Fortinet:

        #get router info routing-table ospf
        O E2 10.10.0.0/16 [110/15] via 192.168.100.1, port1, 00:00:34
        O E2 10.12.254.0/24 [110/15] via 192.168.100.1, port1, 00:00:34

    Notice there isn't a default route. Any ideas?
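
The "OSPF originate" option emnoc points to, as an added example that is not part of the thread or any poster's configuration: OSPF generally does not carry 0.0.0.0/0 through `redistribute "static"`; the default route is originated by a separate setting. This assumes the FortiOS `default-information-originate` option under `config router ospf`, applied on the Colo unit, whose static route `edit 1` (no `dst`, via port9) is its default route. Lines starting with `#` are annotations, not commands.

```fortios
# --- Colo FortiGate: originate the default route into OSPF ---
config router ospf
    # enable : advertise 0.0.0.0/0 only while this unit has a default
    #          route in its own routing table (static "edit 1" here)
    # always : advertise 0.0.0.0/0 unconditionally
    set default-information-originate enable
end

# --- Corp FortiGate: re-run the check used in the thread ---
# Expect a 0.0.0.0/0 external entry alongside the two O E2 routes.
get router info routing-table ospf
```

With `enable`, a colo uplink failure that removes the static default also withdraws the OSPF default, so the Corp unit stops sending Internet traffic to a dead exit. `always` keeps advertising it and can blackhole that traffic.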