CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
The nature of support forums is that the only people who post are those who are having problems. However, for somebody who's evaluating a technology for possible use, this can be very disconcerting. Is anybody using OSPF on NGX R65 without issue? I'd hoped to add dynamic routing as a means to increase the stability and availability of my network through redundant routes. From what I'm reading, though, it sounds like I will be losing the near-instant failover of my firewall clusters and introducing a host of new problems. Is OSPF on SPLAT Pro ready for mission-critical work? Anybody want to share a success story on how they've increased availability?

Running OSPF on security devices such as firewalls is not a smart idea. You are adding more complexity to the devices and you will regret this decision later. Firewalls can terminate VPNs, but most people do not do that. They use firewalls for firewall purposes, another dedicated device for VPN (L2L, remote access), and another dedicated device for routing protocols such as OSPF, EIGRP, BGP, etc. My 2c.

Sadly I do not have a success story to share. Like cciesec2006 I would not recommend using OSPF, but for different reasons. Check Point uses GateD for its dynamic routing and has hooked it into FW-1. While I applaud the work that the GateD folks have done, I've found Check Point's integration with it to be lackluster and incomplete. For example, there are known issues since R60 with OSPF which have yet to make it into the latest release and HFA (R65 HFA 2). This isn't some small issue either; it's a critical "Check Point just lost our entire OSPF table" issue. Given this issue alone I think you'll be hard pressed to find someone who's had a favorable experience with CP and OSPF.
__________________
It's all in the documentation.

I too am of the opinion that you let routers route and firewalls firewall (I disagree on VPNs though, but that's another topic). That said, the real world often doesn't let you put a router next to each interface on your firewall, so you are stuck with running dynamic routing protocols on your firewalls.

My personal experience with OSPF/GateD and SPLAT Pro has been fine, but limited. I have heard of folks that have had problems with it. Although it seems to be a small pool of folks with problems, those problems are serious and often very similar to what melipla reports.

Now back to what you want to do. By its nature OSPF is not as fast as a cluster failover, but it is in general faster than replacing the router that just let out the magic blue smoke, or finding the server guy who is sure he just unplugged only the server. Think about why you want to use OSPF, and whether there is a better way of doing it. If not, try to keep the routing table being propagated to a minimum.

We are running an R65 VSX cluster; on it we have approximately 30 VSs and 1 VR. We use OSPF on the virtual router. The VR is communicating with our Cisco core routers. All of the virtual systems have an interface leading to the virtual router, and propagate their connected networks and routes to the virtual router. We are very happy with this setup.
Eduard

Quote:

Certainly, in the classic 3-interface firewall (LAN/WAN/DMZ), you can pretend that the firewall isn't routing, but in reality, it's the default gateway for many devices, and it has to decide where that packet goes next. If you add a dedicated connection (say a T1 to a credit card processor), the firewall needs another route. Do you add an additional router as the next hop so that the routing is handled there (in a sort of router-on-a-stick topology)?

Quote:

We have two buildings. Each building hosts one of an active-standby pair of servers that is our flagship application (client-server model). We have a couple hundred clients whose daily business depends on having connectivity to one of those two servers. Clients are connected via a dedicated MPLS circuit to building 1. We would like to add geographic diversity to their connections by adding an additional MPLS connection to building 2. Ideally, we would like to load balance traffic through the two connections (as we have a 1GB link between building 1 and building 2 so could direct the traffic to either of the active-standby servers). Each building has its own Check Point cluster, and we use these firewalls to protect against internal attacks as well as attacks from the Internet (read: those MPLS connections would have to traverse a firewall before hitting our app server). With OSPF running on the firewalls, we could conceivably accomplish this. While sessions might drop if the point-to-point path fails between client and building 1, they could be re-established through the client-to-building 2 path (unless our two clusters could share state despite having completely different interfaces). Without OSPF, it would be a completely manual process. Any thoughts?

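The two-building, two-circuit design in the post above, modelled as an added example (this is not code from the thread, from Check Point, or from GateD). It runs OSPF's shortest-path-first computation (Dijkstra) over a constructed graph: node names (`client`, `mpls1`, `mpls2`, `fw1`, `fw2`, `app_b1`, `app_b2`) and every link cost are assumptions chosen to mirror the description, and the three failure scenarios are constructed. It shows which path the clients' traffic takes when the building 1 circuit is lost, and that the standby server in building 2 stays reachable when building 1 is cut off entirely.

```python
"""Added example, not from the CPUG thread or from Check Point: a small SPF
(Dijkstra) model of the two-building, two-MPLS-circuit design described in
the post above. Node names, link costs and failure cases are constructed
assumptions, not the poster's real network."""
import heapq
from collections import defaultdict


def build_topology(failed_links=frozenset()):
    """Undirected graph with OSPF-style costs (all values are assumptions)."""
    links = [
        ("client", "mpls1", 10),   # existing MPLS circuit into building 1
        ("client", "mpls2", 10),   # proposed second MPLS circuit into building 2
        ("mpls1", "fw1", 10),      # circuit terminates on building 1's cluster
        ("mpls2", "fw2", 10),      # circuit terminates on building 2's cluster
        ("fw1", "fw2", 1),         # the 1GB inter-building link
        ("fw1", "app_b1", 1),      # active server, building 1
        ("fw2", "app_b2", 1),      # standby server, building 2
    ]
    graph = defaultdict(dict)
    for a, b, cost in links:
        if frozenset((a, b)) in failed_links:
            continue  # simulate a failed circuit or link
        graph[a][b] = cost
        graph[b][a] = cost
    return graph


def spf(graph, source):
    """Dijkstra from source: returns (cost per node, equal-cost predecessors)."""
    dist = {source: 0}
    preds = defaultdict(list)
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                preds[v] = [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                preds[v].append(u)  # a second equal-cost path (ECMP candidate)
    return dist, preds


def paths_to(graph, source, target):
    """All equal-cost shortest paths source -> target; (None, []) if unreachable."""
    dist, preds = spf(graph, source)
    if target not in dist:
        return None, []

    def walk(n):
        if n == source:
            return [[source]]
        return [p + [n] for q in preds[n] for p in walk(q)]

    return dist[target], walk(target)


def failover_report():
    """Three constructed scenarios: healthy, circuit 1 down, building 1 cut off."""
    healthy = build_topology()
    circuit1_down = build_topology({frozenset(("client", "mpls1"))})
    b1_isolated = build_topology({frozenset(("client", "mpls1")),
                                  frozenset(("fw1", "fw2"))})
    return {
        "healthy": paths_to(healthy, "client", "app_b1"),
        "circuit1_down": paths_to(circuit1_down, "client", "app_b1"),
        "b1_isolated_active": paths_to(b1_isolated, "client", "app_b1"),
        "b1_isolated_standby": paths_to(b1_isolated, "client", "app_b2"),
    }


if __name__ == "__main__":
    for name, (cost, paths) in failover_report().items():
        print(f"{name}: cost={cost} paths={paths}")
```

Two practitioner caveats the model makes visible. First, every failover path crosses the other building's cluster, and the two clusters keep separate state tables, so existing TCP sessions are lost on failover and must be re-established, exactly as the poster expects. Second, if the costs are later tuned for load balancing so that client-to-server and server-to-client shortest paths become equal-cost, OSPF may pick different clusters for the two directions; a stateful firewall that never saw the SYN will drop the reply, so keep the costs asymmetric (as in this model) or otherwise pin each flow to one cluster. Convergence time is set by the OSPF hello and dead timers, not by the cluster's failover mechanism, which is why the thread calls it slower than a cluster failover.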
We've had very good success with F5 and the load balancing features they offer for several of our web based applications; could that be a possible solution?
__________________
It's all in the documentation.

We've got good experience using OSPF with one of our clients using Nokia and Crossbeam: 7 Nokia clusters and 1 cluster over Crossbeam, all using OSPF at this moment over NGX R60 HFA_05. No problems, it works fine.

Quote:

Since our primary facility is near the airport, we use the example of a plane crash. If a plane crash took out one building (or took out power to the building, or cut off access to the building), could we run out of the other? If we brought circuits to our 150+ sites into the other building, we could, but it would be a manual process with a lot of room for human error. We would have to redo the anti-spoofing rules (not a big deal with groups), and redo the routes (which could be a problem if only some of the primary facility was nonfunctional). With OSPF, I can design a network that's very fault tolerant, gives at most a moment's interruption of services, and requires minimal administration to keep functional. Without OSPF, I'm left to writing and maintaining scripts to do what should happen automatically (and, although I pride myself on my accuracy, that also opens the door to human error).

I have about 5 clusters all running OSPF without issues. 3 of them are SPLAT and 2 are Nokia; we are currently phasing out the Nokias and moving to SPLAT. Two of the clusters have a high level of VPN traffic 24/7 (100-400 Mbps). I am not having any issues related to OSPF running on either of them. You can see from another post I have how to redistribute selected static routes back into OSPF. We have not really experienced any issues directly related to OSPF. Overall we have found the platform stable.