Wired Intelligent Edge


OSPF IN VSF MODE

  • 1.  OSPF IN VSF MODE

    Posted Feb 01, 2023 10:07 AM

    Hello, I apologize if I'm not in the right place to ask this question. I would be very grateful if you could assist me.

    I am reaching out for assistance with configuring OSPF between (two firewalls) and (two Aruba 5406R zl2 that are connected in VSF mode). When I try to activate OSPF by entering "router OSPF 1" or "router-id", I receive an error message "invalid input". Additionally, I am facing issues assigning an IP address to a port.

    I would greatly appreciate it if you could answer the following questions:

    1) Is it possible to activate OSPF on a VSF?

    2) Is it possible to assign an IP address to a port on a VSF?

    Thank you in advance for your help.



  • 2.  RE: OSPF IN VSF MODE

    MVP GURU
    Posted Feb 01, 2023 01:20 PM
    Yes, it's possible to configure OSPF on VSF (2 Aruba 5400R zl2)... Are you following the Aruba documentation to learn what commands to use on ArubaOS-Switch, or what?

    No, the ArubaOS-Switch operating system (used on switches like the Aruba 5400R zl2) doesn't support the concept of assigning an IP to a physical interface (or to a logical one like a LAG), but you can configure a particular VLAN ID membership on an interface and then assign an IP to that particular VLAN (that way you overcome the above limitation: you can use that approach, for example, to create P2P connectivity with a dedicated transit VLAN between two routing switches or between a routing switch and a firewall).





  • 3.  RE: OSPF IN VSF MODE

    Posted Feb 02, 2023 06:17 AM

    I wanted to thank you for your previous response regarding the configuration of the Aruba switches. Thanks to your advice, I was able to successfully configure OSPF after several searches yesterday (I only tried with VLAN 40 and 41).

    However, I still have a problem. All the VLANs I created on the VSF switch (2 Aruba 5400R zl2) cannot access the Internet, except for the Manager VLAN 40. I am not sure if the problem comes from the switch configuration or the Fortinet firewall.

    I would be very grateful if you could take a look at the Aruba switch configuration to check if there is a problem. If everything is fine on the Aruba side, I will focus on the Fortinet firewall configuration.

    Thank you in advance for your assistance.

    Best regards,

    Show Running-Config

    vsf
    enable domain 1
    member 1
    type "J9850A" mac-address f860f0-f8af00
    priority 130
    link 1 1/C1,1/D1
    link 1 name "I-Link1_1"
    exit
    member 2
    type "J9850A" mac-address f860f0-f86000
    priority 128
    link 1 2/C1,2/D1
    link 1 name "I-Link2_1"
    exit
    port-speed 40g
    exit
    trunk 1/C2,2/C2 trk1 lacp
    trunk 1/D2,2/D2 trk2 lacp
    trunk 1/A1,2/A1 trk3 trunk (TO Fortinet Firewall)
    ip router-id 1.1.1.1
    ip routing
    snmp-server community "public" unrestricted
    oobm
    ip address dhcp-bootp
    vsf member 1
    ip address dhcp-bootp
    exit
    vsf member 2
    ip address dhcp-bootp
    exit
    exit
    router ospf
    area backbone
    enable
    exit
    vlan 1
    name "DEFAULT_VLAN"
    no untagged Trk1-Trk2
    untagged 1/A3-1/A8,2/A2-2/A8,Trk3
    tagged 1/A2
    ip address dhcp-bootp
    ipv6 enable
    ipv6 address dhcp full
    exit
    vlan 40
    name "Admin"
    tagged Trk1-Trk3
    ip address 172.17.40.1 255.255.255.0
    ip ospf 172.17.40.1 area backbone
    exit
    vlan 41
    name "Teleaffichage"
    tagged Trk1-Trk3
    ip address 172.17.41.1 255.255.255.0
    ip ospf 172.17.41.1 area backbone
    exit
    vlan 42
    name "Teledistribution"
    tagged Trk1-Trk3
    ip address 172.17.42.1 255.255.255.0
    exit
    vlan 43
    name "WIFI"
    tagged Trk1-Trk3
    ip address 172.17.43.1 255.255.255.0
    exit

    spanning-tree Trk1 priority 4
    spanning-tree Trk2 priority 4
    spanning-tree Trk3 priority 4
    no tftp server
    no autorun
    no dhcp config-file-update
    no dhcp image-file-update
    no allow-v2-modules



    IP Route Entries

    Destination        Gateway         VLAN Type      Sub-Type   Metric     Dist.
    ------------------ --------------- ---- --------- ---------- ---------- -----
    0.0.0.0/0          172.17.40.250   40   ospf      External2  10         110
    0.0.0.0/0          172.17.41.250   41   ospf      External2  10         110
    127.0.0.0/8        reject               static               0          0
    127.0.0.1/32       lo0                  connected            1          0
    172.17.40.0/24     Admin           40   connected            1          0
    172.17.41.0/24     Teleaffichage   41   connected            1          0





  • 4.  RE: OSPF IN VSF MODE

    Posted Feb 02, 2023 07:42 AM
    show ip ospf neighbor

    OSPF Neighbor Information

    Router ID       Pri IP Address      NbIfState State    QLen  Events Status
    --------------- --- --------------- --------- -------- ----- ------ ------
    2.2.2.2         1   172.17.40.250   BDR       FULL     0     11     None
    2.2.2.2         1   172.17.41.250   BDR       FULL     0     11     None

    @ IP of VLAN 40 172.17.40.250 (Fortinet Firewall)
    @ IP of VLAN 41 172.17.41.250 (Fortinet Firewall)



  • 5.  RE: OSPF IN VSF MODE

    Posted Feb 06, 2023 09:52 AM
    Hello Amanar,
    Does your firewall know to route back to your LAN segments (172.17.42.1 255.255.255.0 and 172.17.43.1 255.255.255.0)?

    If you rely on OSPF for this, you have to either enable OSPF on both VLAN 42 and 43 (I would also add passive interface on those VLANs) or add redistribute connected in the OSPF context.

    One other potential problem I see:
    0.0.0.0/0 172.17.40.250 40 ospf External2 10 110
    0.0.0.0/0 172.17.41.250 41 ospf External2 10 110
    Your switch installed two default routes toward the Internet, supposedly through firewall(s), so your switch is now doing ECMP (load balancing on VLAN 40 and 41). Your firewall might not like ECMP and may see asymmetric traffic. You may need to review your design and probably use one VLAN to route traffic and the other as backup (through cost manipulation).

    Hope this Helps.

    Regards.
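
Both checks suggested in the reply above can be run against the output posted in this thread. The following is an added example, not part of the original thread and not an Aruba tool; the function names are illustrative, and the inputs are excerpts of the posted running-config and route table.

```python
import re

# Excerpts of the running-config and route table posted in the thread.
RUNNING_CONFIG = """\
vlan 40
ip address 172.17.40.1 255.255.255.0
ip ospf 172.17.40.1 area backbone
exit
vlan 41
ip address 172.17.41.1 255.255.255.0
ip ospf 172.17.41.1 area backbone
exit
vlan 42
ip address 172.17.42.1 255.255.255.0
exit
vlan 43
ip address 172.17.43.1 255.255.255.0
exit
"""
ROUTE_TABLE = """\
0.0.0.0/0 172.17.40.250 40 ospf External2 10 110
0.0.0.0/0 172.17.41.250 41 ospf External2 10 110
172.17.40.0/24 Admin 40 connected 1 0
"""

def vlans_without_ospf(config):
    """Return {vlan_id: ip} for VLANs with a static IP but no 'ip ospf' line."""
    missing, vlan, ip, has_ospf = {}, None, None, False
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan, ip, has_ospf = int(m.group(1)), None, False
        elif vlan is None:
            continue  # outside a VLAN stanza (vsf, oobm, router ospf, ...)
        elif m := re.fullmatch(r"ip address (\d+(?:\.\d+){3}) \S+", line):
            ip = m.group(1)
        elif line.startswith("ip ospf "):
            has_ospf = True
        elif line == "exit":
            if ip and not has_ospf:
                missing[vlan] = ip  # subnet is never advertised to the firewall
            vlan = None
    return missing

def equal_cost_defaults(route_table):
    """Return next hops of default routes tied on (distance, metric), i.e. ECMP."""
    rows = [f for f in map(str.split, route_table.splitlines())
            if len(f) >= 7 and f[0] == "0.0.0.0/0"]
    routes = [((int(f[-1]), int(f[-2])), f[1]) for f in rows]
    best = min((key for key, _ in routes), default=None)
    hops = [gw for key, gw in routes if key == best]
    return hops if len(hops) > 1 else []
```

On the posted output, the first function reports VLANs 42 and 43 and the second reports both firewall next hops.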



  • 6.  RE: OSPF IN VSF MODE

    Posted Feb 09, 2023 03:36 AM

    Hello SSi Achraf,

    I hope you are doing well. We recently tried to reach you without success; please contact me.