
Web: Configuring OSPF Load Balancing

If multiple paths with the same cost lead to the same destination, you can configure load balancing among the equal-cost routes so that IP packets are distributed across these paths, which increases link utilization.

Networking Requirements

In Figure 1:

  • FW_A, FW_B, FW_C, FW_D, and FW_E are connected to each other through OSPF.
  • FW_A, FW_B, FW_C, FW_D, and FW_E belong to Area 0.
  • Load balancing needs to be configured so that the traffic from FW_A to FW_E is load-balanced by FW_C and FW_D.
Figure 1 Networking diagram for configuring OSPF load balancing

Device  Interface  IP Address
FW_A    GE0/0/1    10.1.1.1/24
        GE0/0/2    10.1.2.1/24
        GE0/0/3    10.1.3.1/24
        GE0/0/4    172.16.1.1/24
FW_B    GE0/0/1    10.1.1.2/24
        GE0/0/2    192.168.0.1/24
FW_C    GE0/0/1    10.1.2.2/24
        GE0/0/2    192.168.1.1/24
FW_D    GE0/0/1    10.1.3.2/24
        GE0/0/2    192.168.2.1/24
FW_E    GE0/0/1    192.168.0.2/24
        GE0/0/2    192.168.1.2/24
        GE0/0/3    192.168.2.2/24
        GE0/0/4    172.17.1.1/24

Configuration Roadmap

The configuration roadmap is as follows:

  1. Enable basic OSPF functions on each FW for interconnection.
  2. Configure load balancing on FW_A.
  3. Configure a priority for equal-cost routes on FW_A.

Data Planning

To implement the configuration, you need to collect the following data:

  • Router ID (1.1.1.1), OSPF process number (1), and network segments of Area 0 (10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, and 172.16.1.0/24) of FW_A
  • Router ID (2.2.2.2), OSPF process number (1), and network segments of Area 0 (10.1.1.0/8 and 192.168.0.0/8) of FW_B
  • Router ID (3.3.3.3), OSPF process number (1), and network segments of Area 0 (10.1.2.0/8 and 192.168.1.0/8) of FW_C
  • Router ID (4.4.4.4), OSPF process number (1), and network segments of Area 0 (10.1.3.0/8 and 192.168.2.0/8) of FW_D
  • Router ID (5.5.5.5), OSPF process number (1), and network segments of Area 0 (192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24, and 172.17.1.0/24) of FW_E
  • Number of equal-cost routes for load balancing on FW_A (2)
  • Next hop weights of the routes from FW_A to FW_B, FW_C, and FW_D (2, 1, and 1, respectively)

Procedure

  • Configure FW_A.
    1. Set interface IP addresses and assign the interfaces to security zones.

      1. Choose Network > Interface.
      2. Click of GE0/0/1 and set required parameters.

        Zone          trust
        IPv4
          IP Address  10.1.1.1/24

      3. Click OK.
      4. Repeat the preceding steps to configure other interfaces.

        Interface Name  GE0/0/2      GE0/0/3      GE0/0/4
        Zone            Trust        Trust        Trust
        IP Address      10.1.2.1/24  10.1.3.1/24  172.16.1.1/24

    2. Configure a security policy for transmitting packets on the network.

      1. Choose Policy > Security Policy > Security Policy.

      2. Click Add and configure the Local -> Trust interzone policy.

        Name              policy_sec_1
        Source Zone       Local and Trust
        Destination Zone  Local and Trust
        Action            Permit

      3. Click OK.

    3. Configure basic OSPF functions.

      1. Choose Network > Route > OSPF.



      2. Click Add to create an OSPF process.



      3. Configure the area where network segment 10.1.1.0 resides as Area 0.

        1. Click of the created OSPF process.
        2. In the OSPFv2 Process ID:1 navigation tree, choose Basic Configuration > Area Settings.
        3. Click Add and configure the area where network segment 10.1.1.0 resides as Area 0.

        4. Click OK.
      4. Repeat the preceding steps to configure the area where network segments 10.1.2.0, 10.1.3.0, and 172.16.1.0 reside as Area 0.

        Advanced Settings
          Area                0
          IP Network          10.1.2.0    10.1.3.0    172.16.1.0
          Mask/Wildcard Mask  0.0.0.255

    4. Set the maximum number of routes for load balancing to 2.

      [FW_A] ospf 1
      [FW_A-ospf-1] maximum load-balancing 2
      [FW_A-ospf-1] quit

    5. Set the priority for equal-cost routes.

      [FW_A] ospf 1
      [FW_A-ospf-1] nexthop 10.1.1.2 weight 2
      [FW_A-ospf-1] nexthop 10.1.2.2 weight 1
      [FW_A-ospf-1] nexthop 10.1.3.2 weight 1
      [FW_A-ospf-1] quit

  • Configure FW_B.
    1. By referring to Step 1 of FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name  GE0/0/1      GE0/0/2
      Zone            Trust        Trust
      IP Address      10.1.1.2/24  192.168.0.1/24

    2. By referring to Step 2 of FW_A, configure a security policy for packet exchanges on the network.

      Name              policy_sec_1
      Source Zone       Local and Trust
      Destination Zone  Local and Trust
      Action            Permit

    3. By referring to Step 3 of FW_A, configure basic OSPF functions.

      Add OSPF Process
        Process ID          1
        Router ID           2.2.2.2
      Advanced Settings
        Area                0
        IP Network          10.1.1.0    192.168.0.0
        Mask/Wildcard Mask  0.255.255.255

  • Configure FW_C.
    1. By referring to Step 1 of FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name  GE0/0/1      GE0/0/2
      Zone            Trust        Trust
      IP Address      10.1.2.2/24  192.168.1.1/24

    2. By referring to Step 2 of FW_A, configure a security policy for packet exchanges on the network.

      Name              policy_sec_1
      Source Zone       Local and Trust
      Destination Zone  Local and Trust
      Action            Permit

    3. By referring to Step 3 of FW_A, configure basic OSPF functions.

      Add OSPF Process
        Process ID          1
        Router ID           3.3.3.3
      Advanced Settings
        Area                0
        IP Network          10.1.2.0    192.168.1.0
        Mask/Wildcard Mask  0.255.255.255

  • Configure FW_D.
    1. By referring to Step 1 of FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name  GE0/0/1      GE0/0/2
      Zone            Trust        Trust
      IP Address      10.1.3.2/24  192.168.2.1/24

    2. By referring to Step 2 of FW_A, configure a security policy for packet exchanges on the network.

      Name              policy_sec_1
      Source Zone       Local and Trust
      Destination Zone  Local and Trust
      Action            Permit

    3. By referring to Step 3 of FW_A, configure basic OSPF functions.

      Add OSPF Process
        Process ID          1
        Router ID           4.4.4.4
      Advanced Settings
        Area                0
        IP Network          10.1.3.0    192.168.2.0
        Mask/Wildcard Mask  0.255.255.255

  • Configure FW_E.
    1. By referring to Step 1 of FW_A, configure IP addresses for interfaces and assign interfaces to security zones.

      Interface Name  GE0/0/1         GE0/0/2         GE0/0/3         GE0/0/4
      Zone            Trust           Trust           Trust           Trust
      IP Address      192.168.0.2/24  192.168.1.2/24  192.168.2.2/24  172.17.1.1/24

    2. By referring to Step 2 of FW_A, configure a security policy for packet exchanges on the network.

      Name              policy_sec_1
      Source Zone       Local and Trust
      Destination Zone  Local and Trust
      Action            Permit

    3. By referring to Step 3 of FW_A, configure basic OSPF functions.

      Add OSPF Process
        Process ID          1
        Router ID           5.5.5.5
      Advanced Settings
        Area                0
        IP Network          192.168.0.0    192.168.1.0    192.168.2.0    172.17.1.0
        Mask/Wildcard Mask  0.0.0.255

Verification

# Check the routing table of FW_A.

[FW_A] display ip routing-table
Route Flags: R - relay, D - download to fib
----------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 12       Routes : 13

Destination/Mask    Proto  Pre  Cost  Flags     NextHop         Interface

       10.1.1.0/24  Direct 0    0       D        10.1.1.1         GigabitEthernet 0/0/1
       10.1.1.2/32  Direct 0    0       D        10.1.1.2         GigabitEthernet 0/0/1
       10.1.2.0/24  Direct 0    0       D        10.1.2.1         GigabitEthernet 0/0/2
       10.1.2.2/32  Direct 0    0       D        10.1.2.2         GigabitEthernet 0/0/2
       10.1.3.0/24  Direct 0    0       D        10.1.2.1         GigabitEthernet 0/0/3
       10.1.3.2/32  Direct 0    0       D        10.1.2.2         GigabitEthernet 0/0/3
    192.168.0.0/24  OSPF   10   2       D        10.1.1.2         GigabitEthernet 0/0/1
    192.168.1.0/24  OSPF   10   2       D        10.1.2.2         GigabitEthernet 0/0/2
    192.168.2.0/24  OSPF   10   2       D        10.1.2.2         GigabitEthernet 0/0/3
     172.17.1.0/24  OSPF   10   3       D        10.1.2.2         GigabitEthernet 0/0/2
                    OSPF   10   3       D        10.1.3.2         GigabitEthernet 0/0/3
    127.0.0.0/8     Direct 0    0       D        127.0.0.1        InLoopBack0
    127.0.0.1/32    Direct 0    0       D        127.0.0.1        InLoopBack0

As shown in the routing table, the routes with 10.1.2.2 and 10.1.3.2 as the next hop addresses have a higher priority than the route with 10.1.1.2 as the next hop address, because their weight (1) is smaller than the weight of 10.1.1.2 (2). Because the maximum number of routes for load balancing is 2, FW_A has only two valid next hops, FW_C (10.1.2.2) and FW_D (10.1.3.2).
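
Added example (not part of the original page or Huawei's code): a Python check that derives the next hops FW_A should install from its maximum load-balancing and nexthop weight settings and compares them with the rows of the routing table, including the continuation row that has no destination column. The function names are illustrative, the inputs are constructed from the listings on this page, and the tie-break between equal weights is an assumption.

```python
import re

# Constructed input: FW_A's OSPF settings, copied from its configuration script.
OSPF_CONFIG = """\
ospf 1 router-id 1.1.1.1
 maximum load-balancing 2
 nexthop 10.1.1.2 weight 2
 nexthop 10.1.2.2 weight 1
 nexthop 10.1.3.2 weight 1
"""

# Constructed input: three rows of the routing table shown above.
ROUTING_TABLE = """\
     172.17.1.0/24  OSPF   10   3       D        10.1.2.2         GigabitEthernet 0/0/2
                    OSPF   10   3       D        10.1.3.2         GigabitEthernet 0/0/3
    127.0.0.0/8     Direct 0    0       D        127.0.0.1        InLoopBack0
"""

def expected_next_hops(config, candidates):
    """Keep the `maximum load-balancing` candidates with the smallest weights."""
    limit = int(re.search(r"maximum load-balancing (\d+)", config).group(1))
    weights = {ip: int(w) for ip, w in re.findall(r"nexthop (\S+) weight (\d+)", config)}
    # Assumption: a next hop with no configured weight ranks last, and equal
    # weights keep their list order; a real device may break ties differently.
    ranked = sorted(candidates, key=lambda ip: weights.get(ip, float("inf")))
    return set(ranked[:limit])

def installed_next_hops(table, prefix):
    """Collect OSPF next hops for a prefix, including rows with a blank destination."""
    hops, current = set(), None
    for line in table.splitlines():
        fields = line.split()
        if not fields:
            continue
        if "/" in fields[0]:  # this row starts a new destination
            current, fields = fields[0], fields[1:]
        if current == prefix and fields and fields[0] == "OSPF":
            hops.add(fields[4])  # Proto Pre Cost Flags NextHop Interface
    return hops

def check(config, table, prefix, candidates):
    """Compare the next hops the configuration implies with those installed."""
    want = expected_next_hops(config, candidates)
    got = installed_next_hops(table, prefix)
    return {"expected": want, "installed": got, "ok": want == got}
```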

Configuration Scripts

  • Configuration script of FW_A

    #
      sysname FW_A
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 10.1.2.1 255.255.255.0
    #
    interface GigabitEthernet0/0/3
     undo shutdown
     ip address 10.1.3.1 255.255.255.0
    #
    interface GigabitEthernet0/0/4
     undo shutdown
     ip address 172.16.1.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet 0/0/1
     add interface GigabitEthernet 0/0/2
     add interface GigabitEthernet 0/0/3
     add interface GigabitEthernet 0/0/4
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    ospf 1 router-id 1.1.1.1
     maximum load-balancing 2
     nexthop 10.1.1.2 weight 2
     nexthop 10.1.2.2 weight 1
     nexthop 10.1.3.2 weight 1
     area 0.0.0.0
      network 10.1.1.0 0.0.0.255
      network 10.1.2.0 0.0.0.255
      network 10.1.3.0 0.0.0.255
      network 172.16.1.0 0.0.0.255
    #
    return
  • Configuration script of FW_B

    #
      sysname FW_B
    #
    interface GigabitEthernet0/0/1
     undo shutdown
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/2
     undo shutdown
     ip address 192.168.0.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet 0/0/1
     add interface GigabitEthernet 0/0/2
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    ospf 1 router-id 2.2.2.2
     area 0.0.0.0
      network 10.1.1.0 0.255.255.255
      network 192.168.0.0 0.255.255.255
    #
    return
  • Configuration script of FW_C

    #
      sysname FW_C
    #
    interface GigabitEthernet 0/0/1
     undo shutdown
     ip address 10.1.2.2 255.255.255.0
    #
    interface GigabitEthernet 0/0/2
     undo shutdown
     ip address 192.168.1.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet 0/0/1
     add interface GigabitEthernet 0/0/2
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    ospf 1 router-id 3.3.3.3
     area 0.0.0.0
      network 10.1.2.0 0.255.255.255
      network 192.168.1.0 0.255.255.255
    #
    return
  • Configuration script of FW_D

    #
      sysname FW_D
    #
    interface GigabitEthernet 0/0/1
     undo shutdown
     ip address 10.1.3.2 255.255.255.0
    #
    interface GigabitEthernet 0/0/2
     undo shutdown
     ip address 192.168.2.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet 0/0/1
     add interface GigabitEthernet 0/0/2
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    ospf 1 router-id 4.4.4.4
     area 0.0.0.0
      network 10.1.3.0 0.255.255.255
      network 192.168.2.0 0.255.255.255
    #
    return
  • Configuration script of FW_E

    #
      sysname FW_E
    #
    interface GigabitEthernet 0/0/1
     undo shutdown
     ip address 192.168.0.2 255.255.255.0
    #
    interface GigabitEthernet 0/0/2
     undo shutdown
     ip address 192.168.1.2 255.255.255.0
    #
    interface GigabitEthernet 0/0/3
     undo shutdown
     ip address 192.168.2.2 255.255.255.0
    #
    interface GigabitEthernet 0/0/4
     undo shutdown
     ip address 172.17.1.1 255.255.255.0
    #
    firewall zone trust
     add interface GigabitEthernet 0/0/1
     add interface GigabitEthernet 0/0/2
     add interface GigabitEthernet 0/0/3
     add interface GigabitEthernet 0/0/4
    #
    security-policy
      rule name policy_sec_1
        source-zone local
        source-zone trust
        destination-zone local
        destination-zone trust
        action permit
    #
    ospf 1 router-id 5.5.5.5
     area 0.0.0.0
      network 192.168.0.0 0.0.0.255
      network 192.168.1.0 0.0.0.255
      network 192.168.2.0 0.0.0.255
      network 172.17.1.0 0.0.0.255
    #
    return
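
Added example (not part of the original page or Huawei's code): a Python check that compares each OSPF network statement in the scripts above with the interface subnets and flags ranges, such as FW_B's 0.255.255.255 wildcard, that are wider than the /24 interfaces and would also enable OSPF on any interface later addressed inside that range. The function names are illustrative and the inputs are excerpts constructed from the FW_A and FW_B scripts.

```python
import ipaddress
import re

# Constructed input: excerpts of the FW_A and FW_B configuration scripts on this page.
CONFIGS = {
    "FW_A": """\
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0/4
 ip address 172.16.1.1 255.255.255.0
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
""",
    "FW_B": """\
interface GigabitEthernet0/0/1
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/0/2
 ip address 192.168.0.1 255.255.255.0
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 10.1.1.0 0.255.255.255
  network 192.168.0.0 0.255.255.255
""",
}

def wildcard_to_network(address, wildcard):
    """Turn an OSPF `network <address> <wildcard>` pair into an IPv4Network."""
    # Assumes a contiguous wildcard (the bitwise inverse of a netmask);
    # strict=False clears any host bits set in the address.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)

def audit(config):
    """Return (ospf_range, interface_subnet) pairs where the range exceeds the subnet."""
    subnets = [ipaddress.ip_interface(f"{ip}/{mask}").network
               for ip, mask in re.findall(r"ip address (\S+) (\S+)", config)]
    findings = []
    for address, wildcard in re.findall(r"network (\S+) (\S+)", config):
        ospf_range = wildcard_to_network(address, wildcard)
        for subnet in subnets:
            if subnet.subnet_of(ospf_range) and subnet != ospf_range:
                findings.append((str(ospf_range), str(subnet)))
    return findings
```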
Copyright © Huawei Technologies Co., Ltd.