Wired Intelligent Edge

  • 1.  OSPF over VXLAN for external firewall connection

    Posted Oct 12, 2023 03:35 AM

    Hello

    A fabric composed of 8360 switches in a spine-leaf topology with various VRFs: in which mode would you configure OSPF over VXLAN to communicate with the firewall?

    With static routes it works fine: one static route for every VRF, and on the firewall side the static routes for the various networks in every VRF point to the active gateway of the VSX border leaf pairs (two firewalls in active/passive).

    But with OSPF, which is the right approach so as not to conflict with the OSPF in the underlay? Different OSPF processes? Different areas for every VRF? Area 0 in the FW or in the leaf?

    Regular stub or not-so-stubby areas?



    ------------------------------
    ACMP ACSP ACCP ACEP
    ------------------------------


  • 2.  RE: OSPF over VXLAN for external firewall connection

    Posted Oct 12, 2023 07:11 AM
    I have considered this in my design. But ended up with BGP for this. In theory you can have a different OSPF instance for that specific VRF. I ended up using eBGP for this because the BGP config is already there and I think it is a bit more predictable when used in an eVPN vxlan environment. Also there are a lot of examples for a setup using BGP for this and I could not find OSPF examples when I was researching this.





  • 3.  RE: OSPF over VXLAN for external firewall connection

    Posted Oct 13, 2023 04:07 AM
    Edited by vincent.giles Oct 13, 2023 04:13 AM

    OSPF control-plane to interconnect EVPN-VXLAN fabric to upstream firewall is perfectly valid and supported.

    In the Aruba VSG you'll find only an example of eBGP for DCN:

    https://www.arubanetworks.com/techdocs/VSG/docs/050-dc-deploy/esp-dc-deploy-120-fabric-deploy/#configure-border-leaf-external-bgp-peerings

    For OSPF, please see the Campus VSG:

    Distributed Overlay Configuration

    https://www.arubanetworks.com/techdocs/VSG/docs/020-campus-deploy/esp-campus-deploy-153-distributed-overlay/#configure-external-connectivity

    The main aspects of the OSPF configuration are:

    • use a dedicated OSPFv2/v3 process per "tenant" VRF. Each border can be in area 0 in each of these OSPF processes
    • have a transit VLAN and associated SVI per VRF to peer with FW in each VRF (transit VLAN shared between VSX primary, secondary and FW)
    • redistribute BGP IPv4/IPv6 AF for each VRF into OSPFv2/v3 process per VRF
    • redistribute OSPFv2/v3 into BGP IPv4/v6 AF or alternatively, if you just need the default-route, use a static default route redistributed in BGP IPv4/v6.
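
    The four points above as an AOS-CX-style configuration sketch for one VSX border leaf, IPv4 only. This is an added example, not part of the original post and not taken from the VSG. The VRF names, VLAN IDs, addresses, AS number and process IDs are constructed, the tenant VRFs and the BGP instance are assumed to exist already on the fabric, and the exact syntax should be checked against the Campus VSG linked above.

    ```text
    ! Constructed values throughout (assumptions, not from the thread):
    !   VRFs TENANT1/TENANT2, VLANs 3001/3002, AS 65001,
    !   192.0.2.0/29 and 198.51.100.0/29 as transit subnets,
    !   firewall at .1, VSX primary at .2, VSX secondary at .3
    !
    ! Transit VLAN and SVI per VRF, shared by VSX primary, secondary and FW
    vlan 3001
        name TENANT1-FW-TRANSIT
    vlan 3002
        name TENANT2-FW-TRANSIT
    interface vlan 3001
        vrf attach TENANT1
        ip address 192.0.2.2/29
        ip ospf 1 area 0.0.0.0
    interface vlan 3002
        vrf attach TENANT2
        ip address 198.51.100.2/29
        ip ospf 2 area 0.0.0.0
    !
    ! One dedicated OSPF process per tenant VRF, border in area 0,
    ! fabric routes (BGP) redistributed toward the firewall
    router ospf 1 vrf TENANT1
        router-id 192.0.2.2
        redistribute bgp
        area 0.0.0.0
    router ospf 2 vrf TENANT2
        router-id 198.51.100.2
        redistribute bgp
        area 0.0.0.0
    !
    ! Routes learned from the firewall redistributed into the per-VRF BGP AF
    router bgp 65001
        vrf TENANT1
            address-family ipv4 unicast
                redistribute ospf
            exit-address-family
        vrf TENANT2
            address-family ipv4 unicast
                redistribute ospf
            exit-address-family
    !
    ! Alternative when only a default route is needed (per VRF):
    !   ip route 0.0.0.0/0 192.0.2.1 vrf TENANT1
    !   and "redistribute static" in place of "redistribute ospf" above
    ```

    The underlay OSPF process stays in the default VRF and is untouched by this; the per-VRF processes only form adjacencies on the transit SVIs.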




  • 4.  RE: OSPF over VXLAN for external firewall connection

    Posted Oct 16, 2023 03:45 AM

    I have wondered about the same.

    I found this EVPN both ways from EVPN AF to OSPF and from OSPF to EVPN AF redistribution a little hard to get.

    Or in my setup EVPN AF to eBGP redistribution of some subnets, and a default route back.

    Thanks for the Campus VSG setup for this.



    ------------------------------
    Ole Morten Kårbø
    ACEA ACSP
    Netnordic Norway
    ------------------------------