OSPF totally stubby area connected via VPN (default route issue)

Answered Question
Feb 11th, 2009

Hi,


I'm configuring the following scenario:


Head Office Router (ABR - area 0 and 1) --- VPN tunnel over the Internet --- Branch Office Router (area 1)


Area 1 is configured to be a totally stubby area, therefore the Branch Office Router receives only area 1 routes and a default route to area 0.


But to allow Internet access and to get the VPN up in the first place I need a default route to my ISP. This means that my OSPF default route to area 0 never enters the routing table. If I create a floating default route with an AD of, let's say, 250, the VPN connection drops as OSPF builds up its connection with its neighbours. Which is true, because the VPN connection needs the default route to my ISP and all the other Internet traffic needs to use this default route too.


What is the best solution for this problem?


Basically I need to send traffic with a public ip as destination to my default route from my ISP, all other traffic can use the OSPF default route.


Istvan_Rabai Wed, 02/11/2009 - 09:21

Hi Armand,


You could use a GRE over IPSec tunnel, not a site-to-site VPN.


With GRE over IPSec, you configure a tunnel over the IPSec VPN between your sites, and you can use Tunnel interfaces.


You then advertise these Tunnel interfaces in OSPF and the OSPF neighbor relationship builds up over the tunnel.


Here's a link that could help you to configure it:


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml


Cheers:

Istvan

2044418Puts Wed, 02/11/2009 - 09:37

I forgot to mention that I'm already using IPSec tunnel interfaces, else OSPF wouldn't run in the first place.

Edison Ortiz Wed, 02/11/2009 - 09:42

Do you want the Branch Office users to use the Head Office internet connection -or- do you want them to use their own internet connection?


If you want the remote office to use their own internet connection, the default route needs to point towards their own ISP and the OSPF design needs to change from extending the area 1 stub from the Head Office to the Branch -to- Area 0 to the Branch Office WAN interface and Area 1 stub in the Branch Office LAN interface.


How big is your OSPF domain?


You can also consider other routing protocols such as BGP for this link if you want to limit the size of your OSPF domain.



HTH,


__


Edison.

2044418Puts Wed, 02/11/2009 - 10:00

I would like to let the branch offices use their own ISP. If I change my OSPF border then my small branch routers get a lot of routing information in their tables, and that's something that I do not want to happen.


I've been thinking... Let's say I do the following (the whole OSPF domain uses private addresses):


1. Remove the static default route.

2. Build the following policy:

ip access-list extended INTERNET_IPs_ACL
 ! match on destination: private and multicast/reserved space is excluded
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 deny ip any 224.0.0.0 31.255.255.255
 permit ip any any
!
route-map ROUTEMAP permit 10
 match ip address INTERNET_IPs_ACL
 set interface Dialer0
!
! Dialer0 is the DSL interface; local policy covers router-originated traffic (the tunnel itself)
ip local policy route-map ROUTEMAP
!
interface Vlan1
 ! inside VLAN
 ip policy route-map ROUTEMAP


Would this do the trick?


The tunnel destination IP (and all other Internet traffic) matches the route-map and gets routed towards Dialer0. The other traffic gets routed via the default route injected by OSPF.

Edison Ortiz Wed, 02/11/2009 - 10:05

The implementation of PBR is something to avoid if there are better alternatives, IMHO.


Paulo offered another sound design suggestion - just change the area to a regular OSPF area 1 and summarize your internal networks at the Head Office ABR.


This design will keep the 0.0.0.0 towards the local ISP and receive the summarized internal networks.


What's your internal subnet like in Area 0?


__


Edison.

2044418Puts Wed, 02/11/2009 - 10:14

My internal subnet is a bit messy at the moment (I'm about to change that), but basically the routers in area 1 only need to get access to the following area 0 subnets:


10.10.10.0/24
172.16.100.0/24
10.254.254.0/24 (this subnet is subnetted into smaller /30 subnets for p2p links)


What is the best way to summarize these (I'm not yet that familiar with prefix lists, etc.)?

Correct Answer
Edison Ortiz Wed, 02/11/2009 - 10:55

You want to send the least amount of routes without preventing the remote location access to the internet - in other words, you don't want to summarize a route that will overlap to an internet route.


Based on the list you've provided, you can easily summarize these subnets with 2 entries. I'm including 3 to cover the RFC 1918 guidelines.


Under the HQ Router OSPF process, you do


router ospf xx
 area 0 range 10.0.0.0 255.0.0.0
 area 0 range 172.16.0.0 255.240.0.0
 area 0 range 192.168.0.0 255.255.0.0


HTH,


__


Edison.
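As an added example (not code from any poster in this thread), the following Python script checks the design agreed on above: it derives the RFC 1918 summaries that cover the area 0 subnets Armand listed, confirms that no summary leaks into public address space, and resolves a branch-router lookup to show that an internal destination goes via the tunnel while the IPsec peer and the rest of the Internet still follow the local ISP default. The peer address 203.0.113.10 and the interface name Tunnel0 are constructed assumptions; Dialer0 is taken from the thread.

```python
"""Check an area-range summary design for a VPN-connected OSPF branch."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Area 0 subnets the branch must reach, as listed in the thread.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.10.10.0/24", "172.16.100.0/24", "10.254.254.0/24")]


def summaries_for(subnets):
    """Return the RFC 1918 blocks (area-range style summaries) covering `subnets`.

    Refuses non-private subnets: summarizing them would overlap Internet routes
    and steal traffic from the branch's own ISP default.
    """
    needed = []
    for s in subnets:
        block = next((b for b in RFC1918 if s.subnet_of(b)), None)
        if block is None:
            raise ValueError(f"{s} is not private space; refusing to summarize")
        if block not in needed:
            needed.append(block)
    return needed


def covered(subnets, summaries):
    """True if every internal subnet falls inside one of the summaries."""
    return all(any(s.subnet_of(b) for b in summaries) for s in subnets)


def overlaps_public(summaries):
    """True if a summary extends beyond RFC 1918 space (e.g. a 10.0.0.0/7)."""
    return any(not any(b.subnet_of(p) for p in RFC1918) for b in summaries)


def branch_rib(summaries):
    """Branch RIB after the change: summaries via the tunnel, default via the ISP."""
    return [(b, "Tunnel0") for b in summaries] + \
           [(ipaddress.ip_network("0.0.0.0/0"), "Dialer0")]


def next_hop(dest, rib):
    """Longest-prefix match over rib = [(network, egress interface)]."""
    ip = ipaddress.ip_address(dest)
    best = max((n for n, _ in rib if ip in n),
               key=lambda n: n.prefixlen, default=None)
    return dict(rib)[best] if best is not None else None


SUMMARIES = summaries_for(INTERNAL)          # two entries, as in the answer
RIB = branch_rib(SUMMARIES)
PEER = "203.0.113.10"                        # constructed HQ public VPN peer
```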



2044418Puts Wed, 02/11/2009 - 12:07
User Badges:

Sometimes the solution is so simple...


I was thinking way too complicated. Thanks!

2044418Puts Thu, 04/02/2009 - 09:49

Okay, I've made some progression here.


I've configured all the areas as stub areas, else I'm not getting the summarized routes in the routing table of the area routers. But I'm also receiving area 2 routes in areas 3, 4, etc. and vice versa. I would like to only receive the summarized routes in areas 2, 3, 4, etc.


Any suggestions?

Giuseppe Larosa Thu, 04/02/2009 - 10:24

Hello Armand,


>> to get the vpn up in the first place I need a default route to my ISP.


You need to be able to reach the remote VPN peer via the ISP.

I suppose your HQ router has a steady public IP address, or at least one belonging to a pool of an ISP.


If so, you can do the following:

Define a specific static route pointing to the ISP at the branch office for the IPsec peer IP address or block.

This can solve the problem of conflicting default routes on the branch offices.


We do it this way for some remote branch routers using GRE+IPsec.


Hope to help

Giuseppe

pauloroque Wed, 02/11/2009 - 09:51

Hi Istvan_Rabai,


You can have only one default route, right? That default route must be your ISP router.

And you must not use OSPF to create another default route. This means that area 1 can't be a stub area. By the way, a stub area is an area in which there is only one output, but in your case there are two: an output to the Internet and another to the head office (via the tunnel interface).


The solution is to make this area a normal area and use summarization at the ABR.


PRoque



