Wednesday, January 30, 2019

Use OSPF for redundancy with firewalls in layer 2 / bridging mode?

I have a historically grown /16 network containing multiple MRP rings, each containing assets with critical availability requirements. Right now, the rings are connected redundantly to the central switches. Is it possible to implement redundant firewalling in bridging mode (transparent on layer 2) by using OSPF?

The setup would be the following, from bottom to top:

  • MRP ring out of which two switches each have a connection to one of the OSPF routers
  • Two OSPF routers that are interconnected, each with a connection to a transparent firewall
  • Two active UNIX firewalls that are connected to the central switches

The goal is: Send all traffic through transparent firewall A. If the active firewall A fails, the link-state changes, the OSPF routers notice the change and forward the traffic through firewall B.

I understand that OSPF is an IGP routing protocol, so intuitively I'd say this isn't possible; however, I talked to a colleague who claims this works. Wouldn't this have to be different networks because of the routing aspect?

The scenario is kind of specific and more complex in reality (we are already changing the MRP rings to /24 subnets one by one at the moment and are using ProxyARP to keep connectivity). I am not able to change the devices (e.g. use Cisco) and am not looking for alternative solutions using routed /24 subnets with HA firewalls (HSRP or VRRP or CARP), since this is our goal anyway. I am looking for a temporary solution that doesn't require changing the network settings in the individual rings.

Thanks in advance!
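As an added illustration (not part of the original post) of the link-state failover the question relies on: a small simulation in which the ring-side router recomputes its shortest path to the core once the adjacency across firewall A is withdrawn from the link-state database. Node names, link costs and the topology are constructed assumptions, and the firewalls are modelled only as the links whose adjacency they carry.

```python
"""Constructed simulation of OSPF-style rerouting around a failed
transparent firewall. Two routers R1/R2 reach the core through firewall
A (preferred, lower cost) and firewall B (backup, higher cost)."""
import heapq

# Constructed link-state database: (node_a, node_b, cost). A transparent
# firewall is not an OSPF speaker; it only sits on the R1-core / R2-core
# links, so its failure shows up as that adjacency disappearing.
BASE_LINKS = [
    ("ring", "R1", 10), ("ring", "R2", 10), ("R1", "R2", 10),
    ("R1", "core", 10),   # path through firewall A (preferred)
    ("R2", "core", 50),   # path through firewall B (backup)
]

def spf(links, src):
    """Dijkstra over the link-state database, as an OSPF router runs it."""
    adj = {}
    for a, b, c in links:
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    return dist, prev

def path(links, src, dst):
    """Return the hop list src..dst chosen by SPF, or None if unreachable."""
    dist, prev = spf(links, src)
    if dst not in dist:
        return None
    hops, n = [dst], dst
    while n != src:
        n = prev[n]
        hops.append(n)
    return hops[::-1]

def fail_link(links, a, b):
    """Withdraw one link from the LSDB, as happens when the adjacency over
    the firewall is lost (interface down or OSPF dead interval expired)."""
    return [l for l in links if {l[0], l[1]} != {a, b}]

if __name__ == "__main__":
    print(path(BASE_LINKS, "ring", "core"))                          # via R1 / firewall A
    print(path(fail_link(BASE_LINKS, "R1", "core"), "ring", "core"))  # via R2 / firewall B
```

The simulation makes the operational caveat visible: the reroute happens only when the LSDB changes, i.e. when the interface goes down or the dead interval expires. A firewall that keeps the link up but stops forwarding is noticed only because the hellos themselves stop crossing it, so failover takes at least the dead interval, which matters for the availability requirements mentioned above.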
