Monday, August 22, 2016

HPE FlexFabric IRF with Fortigate HA - OSPF and VPN-instances


Two HPE Comware 7 switches running as one IRF fabric, connected to a pair of Fortigate 600D firewalls in HA active/passive mode.

The links between the devices are crossed so that the setup survives either a single device failure or an HA failover.

In my first attempt I assumed that, since the HPE switches use IRF, I should treat them as a single device when connecting them to the Fortigate HA pair, so I placed all four switch ports in one bridge-aggregation group. This configuration led to partial packet loss, since all four ports in the link-aggregation group were up and running (all Fortigate ports are up even though it is an HA configuration).

Configuring the Fortigate with two ports (port17 and port18) in an aggregate interface carrying all the VLAN sub-interfaces, and the HPE switches with two bridge-aggregation interfaces, one per switch, solved the problem.

Next there was the VPN-instance (VRF-lite in Cisco terms) issue. On the switches I configured five VPN-instances and one OSPF process per VPN-instance between the Fortigate and the switches. The Fortigate advertised a default route (under Router -> Dynamic -> Advanced) in "always" mode, but on the switches I could not see the default route in any VPN-instance. The problem was solved by issuing the command vpn-instance-capability simple under each OSPF process bound to a VPN-instance (as in the configuration below).


This is the network topology:

HPE FlexFabric switch configuration (relevant parts):

ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST2
 route-distinguisher 1:20
#
ip vpn-instance TEST3
 route-distinguisher 1:30
#
ip vpn-instance TEST4
 route-distinguisher 1:40
#
ip vpn-instance TEST5
 route-distinguisher 1:50
#
irf domain 1 
 irf mac-address persistent timer
 irf auto-update enable
 irf link-delay 200
 irf member 1 priority 32
 irf member 2 priority 31
 irf member 1 description IRF_UNIT1
 irf member 2 description IRF_UNIT2
 irf mode normal
#
 irf-port global load-sharing mode destination-ip source-ip
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 20 router-id 1.1.1.20 vpn-instance TEST2
 vpn-instance-capability simple
 area 0.0.0.20
  network 0.0.0.0 255.255.255.255
#
ospf 30 router-id 1.1.1.30 vpn-instance TEST3
 vpn-instance-capability simple
 area 0.0.0.30
  network 0.0.0.0 255.255.255.255
#
ospf 40 router-id 1.1.1.40 vpn-instance TEST4
 vpn-instance-capability simple
 area 0.0.0.40
  network 0.0.0.0 255.255.255.255
#
ospf 50 router-id 1.1.1.50 vpn-instance TEST5
 vpn-instance-capability simple
 area 0.0.0.50
  network 0.0.0.0 255.255.255.255
#
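As an added check (not part of the original post), the following Python script parses a Comware-style configuration like the one above and flags every OSPF process bound to a VPN-instance that either lacks vpn-instance-capability simple or references a VPN-instance that is never defined; the sample configuration is constructed to contain both mistakes.

```python
import re

# Constructed sample in the style of the post's config: ospf 20 lacks
# "vpn-instance-capability simple" and ospf 30 names an undefined VPN-instance.
SAMPLE_CONFIG = """\
ip vpn-instance TEST1
 route-distinguisher 1:10
#
ip vpn-instance TEST2
 route-distinguisher 1:20
#
ospf 10 router-id 1.1.1.10 vpn-instance TEST1
 vpn-instance-capability simple
 area 0.0.0.10
  network 0.0.0.0 255.255.255.255
#
ospf 20 router-id 1.1.1.20 vpn-instance TEST2
#
ospf 30 router-id 1.1.1.30 vpn-instance TEST3
 vpn-instance-capability simple
#
"""
OSPF_RE = re.compile(r"^ospf (\d+)(?: router-id \S+)? vpn-instance (\S+)")
VRF_RE = re.compile(r"^ip vpn-instance (\S+)")

def split_blocks(config):
    """Split a Comware config into its '#'-delimited blocks (lists of lines)."""
    blocks = []
    for chunk in re.split(r"(?m)^#[ \t]*$", config):
        lines = [l.rstrip() for l in chunk.splitlines() if l.strip()]
        if lines:
            blocks.append(lines)
    return blocks

def audit_vrf_ospf(config):
    """Return findings for OSPF processes that are bound to a VPN-instance."""
    blocks = split_blocks(config)
    defined = {m.group(1) for b in blocks for m in [VRF_RE.match(b[0])] if m}
    findings = []
    for block in blocks:
        m = OSPF_RE.match(block[0])
        if not m:  # global OSPF process or a non-OSPF block: nothing to check
            continue
        proc, vrf = m.groups()
        if vrf not in defined:
            findings.append(f"ospf {proc}: vpn-instance {vrf} is not defined")
        if "vpn-instance-capability simple" not in [l.strip() for l in block[1:]]:
            findings.append(f"ospf {proc}: missing vpn-instance-capability simple")
    return findings
```

Run audit_vrf_ospf() over the output of display current-configuration to catch a VRF-bound OSPF process that will silently drop the Fortigate's default route.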
32 comments:

  2. Thank you for sharing this information. Can you share some information about the LAG configuration? Do you use LACP mode dynamic on the HP switches? And on the Fortigate side, which LACP mode: active, passive or static?
    Because we are using an HP IRF stack and testing Fortigate 100Ds, and this configuration works only when the Fortigate LACP is static. Can you confirm this?
    Thank you very much.

    1. Hello,
      I'm using 2 600Ds with an Arista 7050S. Both FGs are connected via LACP. Fortigate in default, Arista port-channel in active mode.

      Also make sure, if you are running HA with LACP, that you configure LACP-HA-SLAVE DISABLE!!

      I ran into a problem where I could fail over once, but then STP kicked in because the second unit was sending LACP packets too (and because of the floating MAC the port never came up again).

  9. Thanks for the nice post.

    Can you please share the steps you performed?

    Did you create the LACP on the Fortigate before putting them in active/passive mode, or did you do it after configuring the Fortigate in active/passive mode?

    Please write down the steps if you can. I shall be very thankful.
    We have a Fortigate 100D with HP running the core and want to make sure it is a fully meshed HA setup for the Fortigate firewall.

  10. Please correct the picture - wrong BA group in IRF (BA1 = FG1/0/1, FG2/0/1 and BA2 = FG1/0/2 and FG2/0/2)

    1. I agree with you:

      With the displayed topology the LACP links cannot be correctly established (with flags ACDEF): only one physical port is up per LACP group. Isn't that true?
