Cluster Support for IPv4 OSPFv2

Gaia supports the IPv4 OSPFv2 protocol in ClusterXL and VRRP Cluster.

In this configuration, the cluster becomes a Virtual Router.

The neighbor routers see it as a single router, where the Virtual IP address of the cluster becomes the router ID.

Each Cluster Member runs the OSPF process, but only the RouteD daemon in the master state actively exchanges routing information with the neighbor routers.

When a cluster failover occurs, the RouteD daemon on another Cluster Member becomes the master and begins exchanging routing information with the neighbor routers.

Gaia also supports the OSPF protocol over VPN tunnels, which terminate in ClusterXL or VRRP Cluster.

ClusterXL

Gaia ClusterXL advertises the Cluster Virtual IP address. The OSPF routes database of the master is synchronized across all members of the cluster.

The OSPF task of each Cluster Member obtains routing state and information from the master and installs the routes in the kernel as the master does.

During a cluster failover, the RouteD daemon on one of the peer Cluster Members becomes the new master and then continues where the old master failed.

While the new master resynchronizes the routes database with the neighbor routers, traffic forwarding continues using the old kernel routes until OSPF routes are fully synchronized and pushed into the kernel.

VRRP Cluster

Gaia supports advertising of the VRRP Virtual IP address instead of the actual interface IP address.

If you enable this option, but do not enable OSPF Graceful Restart, OSPF runs only on the VRRP Master.

During a cluster failover, a traffic break may occur while the new VRRP Master becomes active and learns the OSPF routes.

This happens because the OSPF route database exists only on the VRRP Master and is not synchronized on all VRRP Cluster Members.

The larger the network, the larger the OSPF database and the more time it takes OSPF to synchronize its database and install routes again.

To avoid traffic loss during failovers, you can configure OSPF Graceful Restart.

In this case, the VRRP Master synchronizes the route table with the VRRP Backup members.

If the VRRP Master fails, one of the VRRP Backup members takes on the role of the new VRRP Master, sends grace-LSAs to the OSPF neighbors, and establishes adjacencies with them.

The new VRRP Master keeps the kernel routes that were installed before the failover until it establishes full adjacency with the neighbors.

Note - You must use VRRP Monitored-Circuit when configuring Virtual IP support for OSPF or any other dynamic routing protocol.