
OSPF totally stubby area connected via VPN (default route issue)

2044418Puts
Level 1

Hi,

I'm configuring the following scenario:

Head Office Router (ABR - area 0 and 1) --- VPN tunnel over the Internet --- Branch Office Router (area 1)

Area 1 is configured to be a totally stubby area, therefore the Branch Office Router receives only area 1 routes and a default route to area 0.

But to allow Internet access and to get the VPN up in the first place I need a default route to my ISP. This means that my OSPF default route to area 0 never enters the routing table. If I create a floating default route with an AD of, let's say, 250, the VPN connection drops as OSPF builds up its connection with its neighbours. That is to be expected, because the VPN connection needs the default route to my ISP and all the other Internet traffic needs to use this default route too.

What is the best solution for this problem?

Basically I need to send traffic with a public ip as destination to my default route from my ISP, all other traffic can use the OSPF default route.


11 Replies

Istvan_Rabai
Level 7

Hi Armand,

You could use a GRE over IPSec tunnel, not a site-to-site VPN.

With GRE over IPSec, you configure a tunnel over the IPSec VPN between your sites, and you can use Tunnel interfaces.

You then advertise these Tunnel interfaces in OSPF and the OSPF neighbor relationship builds up over the tunnel.

Here's a link that could help you to configure it:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

Cheers:

Istvan

I forgot to mention that I'm already using IPSec tunnel interfaces, else OSPF wouldn't run in the first place.

Edison Ortiz
Hall of Fame

Do you want the Branch Office users to use the Head Office internet connection -or- do you want them to use their own internet connection?

If you want the remote office to use their own internet connection, the default route needs to point towards their own ISP, and the OSPF design needs to change: instead of extending the area 1 stub from the Head Office to the Branch, put Area 0 on the Branch Office WAN interface and the Area 1 stub on the Branch Office LAN interface.

How big is your OSPF domain?

You can also consider another routing protocol such as BGP for this link if you want to limit the size of your OSPF domain.

HTH,

__

Edison.

I would like to let the branch offices use their own ISP. If I change my OSPF border then my small branch routers get a lot of routing information in their tables, and that's something that I do not want to happen.

I've been thinking.. Lets say I do the following (whole OSPF domain are private addresses):

1. Remove the static default route.

2. Build the following policy:

! Extended ACL: match everything that is NOT private/multicast, i.e. real Internet destinations.
! (source and destination fields are both needed in an extended ACL)
ip access-list extended INTERNET_IPs_ACL
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 224.0.0.0 31.255.255.255
 permit ip any any
!
! Policy: anything matching the ACL is forced out of Dialer0 (the DSL interface),
! everything else falls through to the normal routing table (OSPF default).
route-map ROUTEMAP permit 10
 match ip address INTERNET_IPs_ACL
 set interface Dialer0
!
! Apply to router-generated traffic (the IPsec tunnel source) ...
ip local policy route-map ROUTEMAP
!
! ... and to traffic arriving from the inside VLAN.
interface Vlan1
 ip policy route-map ROUTEMAP

Would this do the trick?

The tunnel destination IP (and all other internet traffic) matches the routemap and gets routed towards Dialer0. The other traffic gets routed via the default route injected by OSPF.

The implementation of PBR is something to avoid if there are better alternatives, IMHO.

Paulo offered another sound design suggestion - just change the area to a regular OSPF area 1 and summarize your internal networks at the Head Office ABR.

This design will keep the 0.0.0.0 towards the local ISP and receive the summarized internal networks.

What's your internal subnet like in Area 0?

__

Edison.

My internal subnet is a bit messy at the moment (I'm about to change that), but basically the routers in area 1 only need to get access to the following area 0 subnets:

10.10.10.0/24

172.16.100.0/24

10.254.254.0/24 (this subnet is subnetted into smaller /30 subnets (p2p links))

What is the best way to summarize these (I'm not yet that familiar with prefix lists, etc.)?

Accepted Solution

You want to send the least amount of routes without preventing the remote location access to the internet - in other words, you don't want to summarize a route that will overlap to an internet route.

Based on the list you've provided, you can easily summarize these subnets with 2 entries. I'm including 3 to cover the RFC 1918 guidelines.

Under the HQ Router OSPF process, you do

router ospf xx
 area 0 range 10.0.0.0 255.0.0.0
 area 0 range 172.16.0.0 255.240.0.0
 area 0 range 192.168.0.0 255.255.0.0

HTH,

__

Edison.
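The accepted answer hinges on one check: a summary advertised into area 1 must never overlap public address space, or the branch's Internet-bound traffic gets pulled into the tunnel instead of out to its own ISP. The following Python script is an added example, not code from Edison or anyone else in this thread. It takes the three area-0 subnets listed above, derives the tightest summaries per RFC 1918 block (the "2 entries"), renders the IOS `area 0 range` lines for the ABR (including the 3-entry whole-RFC-1918 variant from the answer), and refuses a subnet outside RFC 1918. The public subnet used to trigger the refusal, 203.0.113.0/24, is documentation space (TEST-NET-3) chosen here as a constructed example; it does not appear in the thread.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Added example for this thread (not any poster's code): derive the fewest
# 'area 0 range' summaries for a set of area-0 subnets and refuse any summary
# that would leave RFC 1918 space, so the branch router's 0.0.0.0/0 towards
# its own ISP keeps carrying Internet traffic.

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def private_block(net: ipaddress.IPv4Network) -> Optional[ipaddress.IPv4Network]:
    """RFC 1918 block containing net, or None when net touches public space."""
    for block in RFC1918:
        if net.subnet_of(block):
            return block
    return None


def common_supernet(nets: List[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Shortest single prefix that covers every network in nets."""
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    return cover


def summarize(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """One summary per RFC 1918 block that the given area-0 subnets fall in.

    Raises ValueError for a subnet outside RFC 1918: its summary would overlap
    Internet routes and pull branch Internet traffic into the tunnel.
    """
    groups: Dict[ipaddress.IPv4Network, List[ipaddress.IPv4Network]] = {}
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=True)
        block = private_block(net)
        if block is None:
            raise ValueError(f"{net} is not RFC 1918; its summary would overlap Internet routes")
        groups.setdefault(block, []).append(net)
    summaries = [common_supernet(members) for members in groups.values()]
    # Every member sits inside its block, so the cover can never grow past it.
    assert all(private_block(s) is not None for s in summaries)
    return sorted(summaries)


def ios_area_range(summaries: Iterable[ipaddress.IPv4Network], area: int = 0) -> List[str]:
    """Render the IOS 'area <n> range <network> <mask>' lines for the ABR."""
    return [f"area {area} range {s.network_address} {s.netmask}" for s in summaries]


if __name__ == "__main__":
    # The three area-0 subnets listed by the original poster.
    hq_subnets = ["10.10.10.0/24", "172.16.100.0/24", "10.254.254.0/24"]
    print("Tightest summaries (2 entries):")
    for line in ios_area_range(summarize(hq_subnets)):
        print(" ", line)
    print("Whole RFC 1918 blocks (3 entries, as in the accepted answer):")
    for line in ios_area_range(RFC1918):
        print(" ", line)
    try:
        # 203.0.113.0/24 is documentation space (TEST-NET-3), a constructed
        # example of a subnet that must not be summarized into area 1.
        summarize(hq_subnets + ["203.0.113.0/24"])
    except ValueError as err:
        print("Rejected:", err)
```

Run it before pasting `area 0 range` lines into the ABR: the two-entry result (10.0.0.0/8 plus 172.16.100.0/24) is what the subnets in this thread collapse to, and the ValueError is the guard against the overlap the accepted answer warns about. The check is deliberately conservative; anycast or public space that genuinely lives at head office would have to be advertised as its own exact prefix rather than summarized.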

Sometimes the solution is so simple...

I was thinking way too complicated. Thanks!

Okay, I've made some progress here.

I've configured all the areas as stub areas, else I'm not getting the summarized routes in the routing table of the area routers. But I'm also receiving area 2 routes in area 3, 4, etc. and vice versa. I would like to only receive the summarized routes in the areas 2, 3, 4 etc.

Any suggestions?

Hello Armand,

>> to get the vpn up in the first place I need a default route to my ISP.

you need to be able to reach the remote VPN peer via the ISP.

I suppose your HQ router has a steady public IP address, or at least one belonging to a pool of an ISP.

If so, you can do the following:

define a specific static route pointing to the ISP at the branch office for the IPsec peer IP address or block.

This can solve the problem of conflicting default routes on the branch offices.

We do it this way for some remote branch routers using GRE+IPsec.

Hope to help

Giuseppe

pauloroque
Level 1

Hi Istvan_Rabai,

You can have only one default route, right? That default route must be your ISP router.

And you must not use OSPF to create another default route. This means that area 1 can't be a stub area. By the way, a stub area is an area in which there is only one output, but in your case there are two: an output to the Internet and another to the head office (via the tunnel interface).

The solution is to make this area a normal area and use summarization at the ABR.

PRoque
