DEV Community

Abdulrazzaq Aminu
Intelligent Internet Failover Using IP SLA and Conditional Default Route Injection

In a collapsed-core enterprise network, I managed a Cisco Catalyst 9500-24Q-A switch functioning as the central Layer 3 gateway and aggregation point for all downstream access switches. This switch connected upstream to two redundant WAN edge routers: Edge1, connected to the primary ISP, and Edge2, connected to the secondary link.

The internal routing domain was built on OSPF Area 0, which included the core switch and both edge routers. Externally, the edge routers established BGP sessions with their respective ISPs and received default routes along with selected Internet prefixes.

An operational issue was discovered after a partial upstream failure on ISP1. Although BGP peering between Edge1 and ISP1 remained active and the default route was still installed in Edge1’s RIB, upstream Internet reachability was lost. OSPF, unaware of the failure, continued to propagate the default route from Edge1 to the core switch, resulting in blackholed traffic for all Internet-bound flows from the enterprise.

To address this, I deployed an IP SLA based tracking mechanism to verify true Internet reachability rather than BGP session state. I configured ICMP echo probes on each edge router to periodically ping reliable external addresses (for example 8.8.8.8), sourced from the ISP-facing interface and pinned to that ISP's next hop so a probe can never succeed by looping back through the core and the other edge router. Each probe feeds a tracking object, and the tracking object controls a static host route; whether that host route is present in the RIB is what the route map attached to the OSPF default-route advertisement checks.

Using the "default-information originate" command in OSPF together with that route map, I ensured that each edge router injects a default route into the OSPF domain only while its IP SLA probe confirms external reachability; a BGP-learned default sitting in the RIB is no longer sufficient on its own. To prefer Edge1 under normal conditions, I originated its default with a lower OSPF metric than Edge2's, so the core selects Edge1's default while both are present and falls back to Edge2 automatically as soon as Edge1 withdraws its route.
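The configuration below is an added, illustrative example of the mechanism described above, not the configuration from the original post. All addresses, interface names, router IDs, and the prefix-list and route-map names are placeholders chosen for this example, and it goes slightly beyond the post by tracking two probe targets combined with a boolean OR, so that an outage of a single public resolver does not by itself trigger failover.

```cisco
! ---- Edge1 (primary ISP) -------------------------------------------------
! Assumed addressing (example values): Gi0/0 faces ISP1 with next hop
! 203.0.113.1; 192.0.2.1/32 is a dummy "ISP1 is up" host route that exists
! in the RIB only while the probes succeed.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
ip sla 2
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
! Declare ISP1 down only when both targets fail; dampen flaps with delays.
track 10 list boolean or
 object 1
 object 2
 delay down 30 up 60
!
! Pin the probe targets to the ISP1 next hop. Without these host routes a
! probe could follow the OSPF default learned from Edge2 after failover,
! succeed, and re-announce a default that still leads into the broken path.
ip route 8.8.8.8 255.255.255.255 203.0.113.1
ip route 1.1.1.1 255.255.255.255 203.0.113.1
!
! Tracked host route: installed only while track 10 is up.
ip route 192.0.2.1 255.255.255.255 203.0.113.1 track 10
!
ip prefix-list ISP1-UP seq 5 permit 192.0.2.1/32
route-map DEFAULT-IF-ISP1-UP permit 10
 match ip address prefix-list ISP1-UP
!
router ospf 1
 router-id 10.0.0.1
 ! The default is originated only while a route matching the route map is
 ! in the RIB; the BGP-learned 0.0.0.0/0 alone no longer triggers it.
 default-information originate metric 10 metric-type 2 route-map DEFAULT-IF-ISP1-UP
!
! ---- Edge2 (secondary ISP) -----------------------------------------------
! Same structure; only the next hop (198.51.100.1), the dummy prefix and the
! OSPF metric differ. The higher metric makes the core prefer Edge1's default
! whenever both routers are originating one.
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
ip sla 2
 icmp-echo 1.1.1.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
track 10 list boolean or
 object 1
 object 2
 delay down 30 up 60
!
ip route 8.8.8.8 255.255.255.255 198.51.100.1
ip route 1.1.1.1 255.255.255.255 198.51.100.1
ip route 192.0.2.2 255.255.255.255 198.51.100.1 track 10
!
ip prefix-list ISP2-UP seq 5 permit 192.0.2.2/32
route-map DEFAULT-IF-ISP2-UP permit 10
 match ip address prefix-list ISP2-UP
!
router ospf 1
 router-id 10.0.0.2
 default-information originate metric 100 metric-type 2 route-map DEFAULT-IF-ISP2-UP
```

To verify the behaviour, block the probe targets upstream of Edge1 (or shut the ISP1-facing interface) and watch `show track 10` transition to down, confirm with `show ip route 192.0.2.1` that the tracked host route has left the RIB, and check with `show ip ospf database external 0.0.0.0` that only Edge2's external LSA remains; on the core, `show ip route 0.0.0.0` should now point at Edge2. Both defaults are type 2 externals, so the core compares the originated metrics (10 versus 100) directly and the OSPF cost to each ASBR acts only as a tie-breaker.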

The result was a resilient Internet failover that follows actual upstream reachability rather than control-plane state. It prevented a recurrence of silent blackholing, tied default-route advertisement to verified upstream availability, and maintained uninterrupted access to business-critical services including VPNs, cloud platforms, and remote access systems.
