OSPF Routes to Palo Alto Firewall

errrrnv85
Level 1

Hi Guys,

I am wondering if someone can help/advise me.

I am learning some prefixes on my core from our hosted data center. The prefix 172.31.15.x belongs to our Stingray load balancers, which originate in the data center, and we are learning those prefixes into our core switches (which are connected to the router).

I have a Palo Alto firewall connected to our core, which is our external firewall. I want to create a backup path from the internet to our web servers that are hosted in the data center.

Currently I can't reach 172.31.15.x from the Palo Alto, but I can from the core.

Currently devices are connected as follows.

Data Center Router-------------> Core Switch-------------> Palo Alto -----------------------> INTERNET

I am just wondering if someone can suggest the optimal way of achieving this please?

Thanks in advance

Er

8 Replies

Jon Marshall
Hall of Fame

You need the routes to be on the firewall so it can reach that IP subnet.

But you also need to generate a default route from the firewall or the core switch to the DC when the primary internet connection fails.

I am assuming the primary internet is at the DC?

Is this the same firewall as your previous post?

Jon

Hi Jon, hello again.

Yes, it's the same firewall that I am trying to set up so that we can move everything onto it.

Yup, I agree routes need to be on the firewall, and that's what I am not sure of: how do I advertise those routes from the core to the Palo?

Yes, it can be said that DC internet is primary, but for the servers hosted in the DC, not the users or the servers hosted in head office.

This scenario is specific to the web servers we have hosted in the DC. So what I am trying to achieve is to have a backup path to get to the web servers from the head office internet if the DC connection fails.

As I said earlier, the VIP of the load balancer is reachable from my core, where I have my Palo firewall connected.

If I put the default route on the Palo facing the core it's fine, because everything needs to come to the core anyway.

BUT THE PROBLEM I HAVE IS HOW DO I ADVERTISE THE ROUTE 172.31.15.x TO THE PALO FROM THE CORE WITHOUT ENABLING OSPF ON THE PALO.

Er

Your last two sentences seem to contradict each other.

If you don't want to enable OSPF on the firewall then just add a static route for the IP subnet to it pointing to the core switch.

Am I misunderstanding the question?

As I said originally the harder part I would have thought is making sure the return traffic from the DC goes back to the firewall when the primary internet connection has failed.

Jon

Apologies if I wasn't clear enough.

As you suggested, putting a static route for 172.31.15.x on the Palo facing the core is not a problem. However, as you rightly pointed out, how would traffic from the core route to the Palo?

What I understand is that putting a static route on the firewall will only allow traffic to flow from the firewall to the core, but how can I enable traffic to flow from the core to the Palo?

Is it any clearer?

Yes, it's basically how do you get the return traffic from that subnet to go back to the firewall.

The answer to that depends on how your current setup works.

How does traffic from the 172.31.15.x subnet get routed back to the primary internet connection when it is working?

Does it use a default route, or is there some other way of doing it?

Jon

Hi Jon,

Please find attached the drawing I just created; apologies, it's really crude.

XXX-Core-1#sh ip route 172.31.15.27
Routing entry for 172.31.15.0/27
Known via "ospf 1", distance 110, metric 110
Tag Complete, Path Length == 1, AS 64525, , type extern 1
Last update from 10.128.1.4 on GigabitEthernet3/23.1, 2w3d ago
Routing Descriptor Blocks:
* 10.128.1.4, from 10.128.1.4, 2w3d ago, via GigabitEthernet3/23.1
Route metric is 110, traffic share count is 1
Route tag 3489725453

XXX-Core-1#

XXX-Core-1#sh int gigabitEthernet 3/23.1  
GigabitEthernet3/23.1 is up, line protocol is up (connected)
Hardware is C6k 1000Mb 802.3, address is 0018.7447.e380 (bia 0018.7447.e380)
Description: Transit Link to DC
Internet address is 10.128.1.1/29
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 2/255, rxload 17/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 989.
ARP type: ARPA, ARP Timeout 04:00:00
EGH-Core-1#

interface GigabitEthernet3/23.1
description Transit Link to DC
bandwidth 1000000
encapsulation dot1Q 989
ip address 10.128.1.1 255.255.255.248
no ip redirects
no ip proxy-arp
ip ospf message-digest-key 1
ip ospf cost 10
end

router ospf 1
router-id 10.131.14.2
log-adjacency-changes
auto-cost reference-bandwidth 100000
area 0.0.0.0 authentication message-digest
redistribute static metric 100 metric-type 1 subnets route-map Static-2-OSPF
passive-interface default
no passive-interface GigabitEthernet3/23.1
no passive-interface Vlan99
network 10.128.0.0 0.7.255.255 area 0.0.0.0
network 128.1.0.0 0.0.255.255 area 0.0.0.0
default-information originate

Neighbor ID Pri State Dead Time Address Interface
10.128.1.4 0 FULL/DROTHER 00:00:37 10.128.1.4 GigabitEthernet3/23.1
10.131.14.3 0 FULL/ - 00:00:31 10.131.0.10 Vlan99

We are just learning it over OSPF from our DC, and advertising static routes into OSPF from HO.

route-map Static-2-OSPF, permit, sequence 10
Match clauses:
ip address prefix-lists: STATIC
Set clauses:
Policy routing matches: 0 packets, 0 bytes

Hope it gives a better idea.

Thanks

I might be reading this wrong, but it looks like your HO core switch is originating a default route (assuming there is a default route in the IP routing table).

Can we just backtrack a minute and clarify the issue.

You have some web servers in the DC and load balancers in front of them using 172.31.15.x as the IP subnet.

In normal operations the firewall at the DC is used to gain access to the 172.31.15.x IPs (although presumably you are doing NAT on the firewall as these are private IPs - see below for more on this).

So the question is, when the return traffic from the load balancers is sent back to the internet client that requested the connection, how is this achieved, i.e. is there a default route on the DC core switch pointing to the DC firewall?

If so then you need some way of replacing that default route on the core switch if the DC firewall or internet connection fails.

And the default route you replace it with must make the DC send return traffic to HO so it can be sent to the firewall there.

There is however another issue as well.

The 172.31.15.x subnet is using private IPs so you must be translating these on your DC firewall to a public range. Which means in the public DNS you must have entries using those public IPs.

If you failover to the HO firewall you will presumably be using different public IPs which would mean -

1) the DNS entries will be incorrect

2) even if you could use the same public IPs at HO, the routing would need to be modified so that the public IPs were routed via the HO firewall connection.

I am not trying to make this complicated but it's not clear how you see this working.

Jon
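To make the forward and return paths concrete, here is an added example (not from the thread or from Cisco/Palo Alto) that models the three routing tables as simple RIBs: the Palo's static route to the core, the HO core's OSPF route from the posted "sh ip route", and a DC router whose primary default points at the DC firewall with a floating static backup toward HO. The DC-side addresses, the Palo-facing address and the AD 250 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# From the thread: VIP subnet, HO core transit address, DC OSPF neighbour.
WEB_VIPS = "172.31.15.0/27"
HO_CORE_TRANSIT = "10.128.1.1"     # Gi3/23.1 on the HO core
DC_ROUTER_TRANSIT = "10.128.1.4"   # DC end of the transit link
# Assumed for the example: DC firewall inside address, Palo inside address.
DC_FW = "10.128.2.1"
HO_PALO_INSIDE = "10.131.14.254"

@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    source: str      # connected | static | ospf
    distance: int    # administrative distance: connected 0, static 1, OSPF 110
    metric: int = 0

class Rib:
    """Longest prefix match, then lowest administrative distance, then lowest metric."""
    def __init__(self, *routes):
        self.routes = set(routes)

    def withdraw(self, prefix, next_hop):
        self.routes = {r for r in self.routes if (r.prefix, r.next_hop) != (prefix, next_hop)}

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if ip in ipaddress.ip_network(r.prefix)]
        if not cands:
            return None
        return min(cands, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance, r.metric))

def build_ribs():
    palo = Rib(Route(WEB_VIPS, "10.131.14.2", "static", 1))              # Jon's static on the Palo
    ho_core = Rib(Route(WEB_VIPS, DC_ROUTER_TRANSIT, "ospf", 110, 110),  # sh ip route 172.31.15.27
                  Route("0.0.0.0/0", HO_PALO_INSIDE, "static", 1))
    dc = Rib(Route(WEB_VIPS, "directly connected", "connected", 0),
             Route("0.0.0.0/0", DC_FW, "static", 1),                     # primary: DC internet
             Route("0.0.0.0/0", HO_CORE_TRANSIT, "static", 250))         # floating backup via HO (assumed AD)
    return palo, ho_core, dc

def failover_demo(client="203.0.113.10"):
    """Next hops on each box for a VIP flow, before and after the DC default is lost."""
    palo, ho_core, dc = build_ribs()
    before = dc.lookup(client).next_hop
    # A plain static default only leaves the RIB when its interface goes down; an
    # upstream internet failure needs IP SLA/object tracking or a dynamic default.
    dc.withdraw("0.0.0.0/0", DC_FW)
    return {"palo_to_vip": palo.lookup("172.31.15.27").next_hop,
            "core_to_vip": ho_core.lookup("172.31.15.27").next_hop,
            "dc_return_before": before, "dc_return_after": dc.lookup(client).next_hop}
```

Until the primary default is actually withdrawn, VIP traffic that arrived via HO still leaves via the DC firewall, which is the asymmetric return path Jon describes.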

Hmmm, I see what you mean. Let me look into it and I will update you.

Thanks again
