CCI-MOC / ops-issues


Move public IP connections from cisco switches to network firewall #1018

Open hakasapl opened 1 year ago

hakasapl commented 1 year ago

We will install the network firewall in R3-PB even side and move the public IP connections to it from the 2x cisco switches. From the network firewall we will connect to the 2x Dell S4048-ON that will be top-of-rack in R3-PB even side, which has an uplink to OCT. From OCT it can get to everywhere else.

@joachimweyl a downtime needs to be scheduled for this. Let's plan to do this on the 10th or 11th of July, so a potential downtime on either of those days. @naved001 can you indicate what will be affected on this ticket?

joachimweyl commented 1 year ago

Naved "R3-PB-C19-U42 and R3-PB-C17-U42, and if those go down bunch of stuff will go down. Mainly the 129.10.5.0/24 network which runs most of our services plus access to the IPMI network is behind that network as well."

naved001 commented 1 year ago

can you indicate what will be affected on this ticket?

I shared that here: https://github.com/CCI-MOC/ops-issues/issues/1032#issuecomment-1613249738

naved001 commented 1 year ago

The 2 public networks that we get from the cisco switches are:

  1. CSAIL VLAN 3802
  2. NEU VLAN 127

The CSAIL VLAN config looks simple enough, it's just a VLAN enabled on switchport eth1/48 of the cage17 cisco switch (it's not on the other cisco). But there's also VLAN 3800 which I don't know why it exists (I may try removing it when Hakan is back to test if it does anything). (There's also VLAN 150, but more about it later).

MOC-NEU-PODB-R3C17-1# show running-config interface ethernet 1/48

!Command: show running-config interface Ethernet1/48
!Time: Thu Jun 29 16:15:05 2023

version 7.3(11)N1(1)

interface Ethernet1/48
  description "port-channel to SFCORE-MGH-MDA-R6C23-1 eth2/5"
  switchport mode trunk
  switchport trunk allowed vlan 150,3800,3802

The NEU VLAN 127 looks more complicated to me; the VLAN we actually have trunked to is VLAN 125.

MOC-NEU-PODB-R3C19-1# show running-config interface ethernet 1/48

!Command: show running-config interface Ethernet1/48
!Time: Thu Jun 29 16:16:37 2023

version 7.3(11)N1(1)

interface Ethernet1/48
  description "port-channel to SFCORE-MGH-MDA-R6C23-1 eth2/6"
  switchport mode trunk
  switchport trunk native vlan 125
  switchport trunk allowed vlan 125,151
  no shutdown

There's some OSPF configuration that I don't understand; notice VLAN 151 here. We have a similar configuration on the cage 17 Cisco, which has VLAN 150 as part of OSPF.

MOC-NEU-PODB-R3C19-1# show ip ospf interface brief
 OSPF Process ID 1 VRF default
 Total number of interface: 4
 Interface               ID     Area            Cost   State    Neighbors Status
 Vlan251                 3      0.3.0.5         40     DR       1         up
 Vlan151                 2      0.3.0.5         10000  BDR      1         up
 Vlan127                 1      0.3.0.5         40     DR       0         up
 Lo0                     4      0.3.0.5         1      LOOPBACK 0         up

And the VLAN interface 127 also has some config:

MOC-NEU-PODB-R3C19-1# show running-config interface vlan 127

!Command: show running-config interface Vlan127
!Time: Thu Jun 29 16:19:39 2023

version 7.3(11)N1(1)

interface Vlan127
  no shutdown
  no ip redirects
  ip address 129.10.5.3/24
  ip ospf passive-interface
  ip router ospf 1 area 0.3.0.5
  vrrp 13
    priority 110
    address 129.10.5.1
    no shutdown
    exit

A similar configuration for VLAN 127 exists on the other switch:

MOC-NEU-PODB-R3C17-1# show running-config interface vlan 127

!Command: show running-config interface Vlan127
!Time: Thu Jun 29 16:18:23 2023

version 7.3(11)N1(1)

interface Vlan127
  no shutdown
  no ip redirects
  ip address 129.10.5.2/24
  ip ospf passive-interface
  ip router ospf 1 area 0.3.0.5
  vrrp 13
    priority 110
    address 129.10.5.1
    no shutdown
    exit

@hakasapl have you dealt with OSPF before? I have not, and we may need to reach out to NEU for switching this over to the firewall (or the Dells).
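As an added example, not part of this thread or of the MOC switch configs: a small Python script that pulls the settings a migration has to carry over (trunk VLANs, SVI address, OSPF area and passive flag, VRRP group/priority/VIP) out of pasted NX-OS output, and separately lists the OSPF interfaces that currently hold a live adjacency, since those are the links where the upstream side must re-peer after the move. The sample text is constructed from the snippets above; the key names are my own.

```python
import re
# Constructed sample: NX-OS config lines and an OSPF brief table as pasted in the thread.
SAMPLE_CONFIG = """
interface Ethernet1/48
  switchport trunk native vlan 125
  switchport trunk allowed vlan 125,151
interface Vlan127
  ip address 129.10.5.3/24
  ip ospf passive-interface
  ip router ospf 1 area 0.3.0.5
  vrrp 13
    priority 110
    address 129.10.5.1
"""
SAMPLE_OSPF_BRIEF = """\
 Interface               ID     Area            Cost   State    Neighbors Status
 Vlan151                 2      0.3.0.5         10000  BDR      1         up
 Vlan127                 1      0.3.0.5         40     DR       0         up
 Lo0                     4      0.3.0.5         1      LOOPBACK 0         up
"""
# One anchored regex per setting the replacement device must reproduce (names are mine).
PATTERNS = {
    "allowed_vlans": r"switchport trunk allowed vlan (\S+)",
    "native_vlan": r"switchport trunk native vlan (\d+)",
    "ip": r"ip address (\S+)",
    "ospf_area": r"ip router ospf \d+ area (\S+)",
    "ospf_passive": r"ip ospf (passive)-interface",
    "vrrp_group": r"vrrp (\d+)",
    "vrrp_priority": r"priority (\d+)",
    "vrrp_vip": r"address (\S+)",  # never hits "ip address": re.match anchors at line start
}

def parse_interfaces(text):
    """Return {interface: {setting: value}} for the settings listed in PATTERNS."""
    result, cur = {}, {}  # lines before the first stanza land in the throwaway dict
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = result.setdefault(m.group(1), {})
            continue
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line):
                cur[key] = m.group(1)
                break
    return result

def active_ospf_peers(brief):
    """(interface, area, neighbors) rows with a live adjacency; these need upstream re-peering."""
    rows = [ln.split() for ln in brief.splitlines()]
    return [(r[0], r[2], int(r[5])) for r in rows if len(r) == 7 and r[5].isdigit() and int(r[5]) > 0]
```

Passive SVIs such as Vlan127 advertise the 129.10.5.0/24 prefix without forming neighbors, so they can be copied as-is; the non-zero neighbor rows are the ones to coordinate with NEU before the cut-over.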

hakasapl commented 1 year ago

We should discuss with whoever maintains the upstream network for the OSPF link. OSPF appears to be an L3 peering thing; I don't know much about it, but I think if the link is set up like that and we move the link, the upstream needs to change config. Dell OS9 does not support OSPF. @naved001 who are the contacts for the upstream?

naved001 commented 1 year ago

Dell OS9 does not support OSPF

Where did we get that Dell OS9 does not support OSPF? Edit (July 6): I checked the OCT4 dell switch and it has options for configuring OSPF.

This document talks about Dell EMC OS9 supporting OSPF; I don't know if EMC OS9 is different from OS9. https://www.dell.com/support/manuals/en-hk/dell-emc-os-9/s4048-on-9.14.2.4-config/open-shortest-path-first-ospfv2-and-ospfv3?guid=guid-418deeea-3b3e-4cc2-ac04-eb0ca105e7c8&lang=en-us

who are the contacts for the upstream?

I will send an email to them and CC you on it.

hakasapl commented 1 year ago

My slack response:

Hakan Saplakoglu 2:27 PM: Oh, I guess I didn't google long enough lol
2:27: I still think we should stick to Ciscos for now, one less thing to worry about when we're changing so much
2:27: We can move that stuff over to the firewall in the weeks after
2:28: I will update the ticket

naved001 2:30 PM: fair enough. Yeah, our firewall running pfsense would support that.

naved001 commented 1 year ago

For the purposes of deprecating Row3-PodB cages, we kept the switches and the config as is and moved the ciscos to Row4-PodA.

We will worry about the OSPF configuration once we have the network firewall. Northeastern is okay with keeping the OSPF config and we can just copy the configurations from the ciscos to the new device.

joachimweyl commented 1 year ago

The new firewall did not arrive in time for this week.

joachimweyl commented 10 months ago

@hakasapl I believe this is complete, can you confirm?

hakasapl commented 10 months ago

This is not complete yet. We need to install the firewall and move the connections either later this sprint or early next.