OSPF neighbor Preferred route problem

wilson_1234_2 · ‎01-15-2008

I have the network shown in the attached file.

I have had problems with this in the past.

The default route is distributed from Verizon BGP into our Internet router OSPF domain then advertised to the rest of the network, as part of our falover scenario.

The PIX firealls are configured with OSPF, the inside networks get the default route from the PIX.

Both PIX firewalls need to have the default route in the route table because they are doing entirely different things. Both Firewall's DMZs need to get to the Internet, have inside networks access their DMZ and failover to DR Interent when HQ Internet is lost.

I am having trouble with the Edge router and Inside 6509 switch preferring the 515 firewall.

I want the Edge router to always use the routes from the 525 PIX for inside and the 6509 to always use the 525 for the default route unless it fails.

The 6509 is also using the PIX 515 as the next hop for Internet. Both PIX firewalls are directly connected to the 6509 in this drawing.

There is another 6509 downstairs that is a neighbor to the 6509 in this drawing, that is getting the default route from the 525 pix as I want.

Looking at the OSPF databases, they all are identical.

The edge router is forming adjacnetcys but isn't the higher Neighbor ID supposed to be preferred? The Internet router is using the 515 firewall.

Internet Router:

Neighbor ID Pri State Dead Time Address Interface

192.168.2.1 1 FULL/DROTHER 00:00:32 2.2.2.3 FastEthernet0/0

192.168.1.1 1 FULL/BDR 00:00:39 2.2.2.2 FastEthernet0/0

The 6509 is also:

6509-#sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

192.168.1.1 1 FULL/DROTHER 00:00:30 10.1.7.1 Vlan1

192.168.2.1 1 FULL/DROTHER 00:00:36 10.5.7.1 Vlan5

Will just adjusting the cost of the PIX 515 interfaces correct this problem?

Kevin Dorrell · ‎01-15-2008

Are the external routes E1 or E2? If they are E2, then the routing decision will be based entirely on the seed metrics at the redistribution points. But the routing decision is completely seperate from the DR election decision.

Looking at the DR election process, it will depend on the order things happened. On any segment, the first eligible router to boot will become the DR. I think that the internet router and 192.168.1.1 were the first to come up, and to form an adjacency.

But once a DR and BDR have been elected, then no other router will preempt them. If there are two eligible routers on the segment at boot time, then yes, the higher neighbor IP will become the DR. But if a better router comes along later, it cannot become DR or BDR until one of the others goes off line.

Looking at your architecture, OSPF 1 area would not be much use without the Internet router. So I would give the firewalls a priority of 0 so that the Internet route is always the DR. If the Internet router disappears then the two firewalls would not form adjacencies with each other, but you would not care anyway, provided when the Internet router came back it could form adjacencies with both firewalls.

By the same sort of argument, I would set the OSPF priority of 0 on the inside too, to allow the 6509 always to be the DR.

Kevin Dorrell

Luxembourg

wilson_1234_2 · ‎01-15-2008

Thanks for the reply.

The external routes are E2 inside and outside that I want the 525 to be the next hop for.

Looking at the metrics, they are the same for both firewalls but the undesirable one is the one selcted as the next hop.

Is this because it came on line first?