Each port from the firewall is a separate /30 subnet. One interface to core1 and the other to core2. These cores also have a routed /30 subnet between them.

walt
>>> "Kaiser, Markus" <[email protected]> 6/21/2011 11:34 AM >>>

Hello,

VRRP doesn't help to achieve real load balancing. What I can read from your text is that the two ports A & B from your firewall are ending up on both cores, in the same VLAN, right? Are ports A & B on the firewall located in DMZ or LAN?

Best for OSPF load balancing (ECMP) is to have a separate L3 transport network (30 bit mask / 255.255.255.252) to each of the cores, which both participate in OSPF. This also requires a second DMZ/LAN interface on the firewall. Don't put the three IP interfaces (1x FW and 1x core1 and 1x core2) in the same VLAN/IP subnet and run OSPF on them. Don't mix L2/L3.

Cheers,
Markus

Sent via iPhone.

On 21.06.2011, at 17:11, "Walter Witkowski" <[email protected]> wrote:

Hi all,

Have a question. We have a firewall that is participating in OSPF with two cores (S4's). The firewall has a DMZ port C; port A is connected to a port on Core1, port B is connected to Core2. The user VLAN is connected to both cores with VRRP running.

When initiating an SSH session to a DMZ server we see the SSH request come into port A of the firewall, which is the shortest path from user to server. The response intermittently will come out of port B of the firewall. The path cost from the server back to the user is equal cost. We are experiencing intermittent connectivity issues to these servers behind the firewall, not only SSH. Nowhere else on the network are we having issues when the errors occur. So far today, with port B of the firewall disconnected, we have not seen an issue. If we elevate the path cost on one link then all returning traffic will use that exit port, but then we will lose our attempt to load balance by creating multiple return paths.

My question(s):

1) Shouldn't the FW send the response out the same port (A) that the request came in on?
2) Eventually we wanted to use VRRP to load balance traffic across the cores, which would mean that server requests would come into both port A and B of the firewall. We would like the firewall to adhere to that load balancing by returning traffic back on the same link. Is there a way to force this using OSPF?
3) Is there another answer for doing this?

Thanks in advance,
walt

---
To unsubscribe from enterasys, send email to [email protected] with the body: unsubscribe enterasys [email protected]
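The following model is an added illustration and is not from the mailing-list thread or from any vendor's firewall or switch code. It shows the mechanism behind the symptom Walt describes: a route lookup on the firewall is destination based and knows nothing about the interface the request arrived on, so two equal-cost OSPF routes are split per flow by a hash, and a stateful firewall that binds each session to the interface pair it was learned on discards the half of the replies that would leave elsewhere. The three "policies" compare plain ECMP, the raised-cost workaround from the question, and a session-to-ingress binding that only the firewall itself (not OSPF) can provide. Interface names, addresses, the hash, and the drop-on-mismatch rule are all constructed assumptions.

```python
"""Constructed model of asymmetric replies through a stateful firewall with
two equal-cost OSPF uplinks. Added example; not from the thread."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """TCP 5-tuple as the firewall sees it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)

    def session_key(self) -> tuple:
        """Direction-independent key so request and reply share one entry."""
        ends = sorted([(self.src, self.sport), (self.dst, self.dport)])
        return (self.proto, ends[0], ends[1])


def ecmp_next_hop(flow: Flow, next_hops: list) -> str:
    """Per-flow hash over the 5-tuple, as typical ECMP forwarding does.
    Nothing about the ingress interface enters the decision (question 1)."""
    key = f"{flow.proto}|{flow.src}:{flow.sport}>{flow.dst}:{flow.dport}"
    digest = hashlib.sha256(key.encode()).digest()          # assumed hash
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


class StatefulFirewall:
    """Minimal connection tracker with an interface-binding check.

    policy: "ecmp"    reply egress picked by hash over two equal-cost routes
            "cost"    one uplink has a lower OSPF cost, every reply uses it
            "ingress" reply forced out the uplink the request arrived on
                      (a firewall feature; OSPF cannot express this)
    """

    def __init__(self, policy: str, uplinks=("portA", "portB")):
        self.policy = policy
        self.uplinks = list(uplinks)
        self.sessions = {}          # session key -> uplink the request used
        self.dropped = 0
        self.forwarded = 0

    def inbound(self, flow: Flow, ingress: str) -> None:
        """Request from the user side arrives on an uplink; record it."""
        self.sessions[flow.session_key()] = ingress

    def reply(self, flow: Flow) -> str:
        """Reply from the DMZ server; returns the uplink it is sent on."""
        learned = self.sessions[flow.session_key()]
        if self.policy == "ecmp":
            egress = ecmp_next_hop(flow, self.uplinks)
        elif self.policy == "cost":
            egress = self.uplinks[0]
        elif self.policy == "ingress":
            egress = learned
        else:
            raise ValueError(f"unknown policy {self.policy!r}")
        # Assumed behaviour: a session is bound to the interfaces it was
        # learned on and a reply leaving another interface is discarded.
        if egress != learned:
            self.dropped += 1
        else:
            self.forwarded += 1
        return egress


def simulate(policy: str, sessions: int = 400, ingress: str = "portA") -> float:
    """Run SSH sessions whose requests arrive on `ingress` ("alternate" spreads
    them over both uplinks, as VRRP load balancing in question 2 would) and
    return the fraction of replies the firewall dropped."""
    fw = StatefulFirewall(policy)
    for i, sport in enumerate(range(40000, 40000 + sessions)):
        arrives_on = fw.uplinks[i % 2] if ingress == "alternate" else ingress
        req = Flow("10.1.0.25", sport, "192.0.2.10", 22)   # constructed addresses
        fw.inbound(req, arrives_on)
        fw.reply(req.reverse())
    return fw.dropped / sessions


if __name__ == "__main__":
    for pol in ("ecmp", "cost", "ingress"):
        print(f"{pol:8s} requests on portA: drop ratio {simulate(pol):.2f}   "
              f"requests on both: drop ratio {simulate(pol, ingress='alternate'):.2f}")
```

Running it shows the thread's three outcomes side by side: with plain ECMP roughly half the replies pick the wrong uplink even though every request came in on port A; raising the cost on one link removes the drops but sends every reply the same way, and it breaks again as soon as requests are spread over both uplinks; only binding the reply to the session's ingress interface survives both traffic patterns, which is why the fix belongs on the firewall rather than in OSPF.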
