OSPF Issue

Unanswered Question
Mar 13th, 2009
User Badges:

Hi,


I have Two sites connected via 3Links

Site(A)========Link1========Site(B) 5MB

Site(A)========Link2========Site(B) 2MB

Site(A)========Link3========Site(B) 8MB


Each link is terminated as a VLAN:

Site A

Interface VLAN9
 IP address 10.1.1.2 255.255.255.252

Site B

Interface FA 0/1
 IP address 10.1.1.3 255.255.255.252



Each site has around 25 VLANs and runs OSPF as the routing protocol.


Site A has an IPSEC VPN with other branch offices.


Branch office networks cannot be seen on site B unless a static route is added, but if that link goes down then reachability is an issue.


I have OSPF costs set to make the links fail over.


Any suggestion on how to make it work without static routes?

adamclarkuk_2 Fri, 03/13/2009 - 06:50
User Badges:
  • Silver, 250 points or more

As far as I see it, you have 2 options (both include statics, I'm afraid).


Option 1.


Have coded static routes on the IPSec termination device that are passed into OSPF via redistribution.


Option 2


Look at using IPSec reverse routes on Site A. This will install a static automatically when the VPN comes up. You can then redistribute static routes into OSPF which will be passed down to the other sites.


Maybe one more.


You could look at passing these static routes into OSPF by redistribution using rtr tracking in a route-map. Below is an example for PBR but the principle is similar.


http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

Giuseppe Larosa Fri, 03/13/2009 - 06:54
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Ronald,

On site A, have you redistributed the IPSec VPN routes into OSPF?


siteA

router ospf 10
 redistribute static subnets


2) What type of area is used for links 1, 2, 3?


If it is not a stub area you should be fine with the suggestion above.


OSPF has a hierarchy in using routes:

O and O IA routes are always preferred to external routes, like the ones that you should see after redistribution.

Those external routes are used only when the primary links fail,


or always if no internal OSPF route (O or O IA) exists.


Hope to help

Giuseppe



gesadmin1 Fri, 03/13/2009 - 09:47
User Badges:

Adam and Giuseppe, I wonder wouldn't it also be possible to run IPSEC + GRE over the VPN tunnels to allow OSPF to work without the need for statics?? Maybe I'm missing something in the problem description...

Giuseppe Larosa Fri, 03/13/2009 - 14:10
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello,


>> I wonder wouldn't it also be possible to run IPSEC + GRE over the VPN tunnels


This can be possible; it depends on the capabilities of the device terminating the VPN tunnels.


For example I don't know if an ASA can do it. A router can do it.


see


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html


If the original poster provides more details, your suggestion can be the best solution.


Hope to help

Giuseppe


ronald.ramzy Sat, 03/14/2009 - 03:09
User Badges:

Thanks for your reply.


Routers at both ends (site A + B) support IPSEC.


Can someone assist on how I could configure GRE+IPSEC for these 3 links?


I have tested GRE+IPSEC for one link but don't know how to add the other two links to it...





Giuseppe Larosa Sat, 03/14/2009 - 03:59
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Ronald,

We were talking about the IPsec tunnels to remote branches connected to site A.


If between site A and site B you have three dedicated links, you don't need to use IPsec or GRE over IPsec over the links.


Sorry if we have been misleading.


From your original post we have got this picture:


remote sites -- internet -- SiteA
             <----- ipsec ------->


and between the two sites


siteA ==== 3 links ===== siteB


The last suggestion is to move from IPsec to GRE over IPsec tunnels to connect the remote sites to site A, so that you can run OSPF over them.


So you need a single point-to-point GRE tunnel for each remote site.

The traffic to be encrypted becomes the GRE traffic.


Example:


Site A --- remote site Ra1


We use IP subnet 10.10.10.0/30.


int tunnel 11
 desc GRE tunnel to remote site RA1
 ip address 10.10.10.1 255.255.255.252
 tunnel source
 tunnel destination
 no shut

router ospf 10
 network 10.10.10.0 0.0.0.3 area 11


The same has to be done on the remote site router:


router ospf 10
 network 10.10.10.0 0.0.0.3 area 11
 network 192.168.1.0 0.0.0.255 area 11

int tu11
 desc to siteA router
 ip address 10.10.10.2 255.255.255.252
 tunnel source
 tunnel destination


The access-lists used in the crypto maps need to be changed to:


SiteA:

access-list 111 permit gre host 10.10.10.1 host 10.10.10.2


Remote site RA1:

access-list 121 permit gre host 10.10.10.2 host 10.10.10.1


This is the idea.

On the links between site A and site B you keep the current configuration.


Hope to help

Giuseppe
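A check worth running alongside the GRE over IPsec design above: IPsec only protects what the crypto-map access list matches, and once the tunnel is in place the packets leaving the physical interface are GRE (IP protocol 47) between the addresses configured as "tunnel source" and "tunnel destination", not the LAN-to-LAN traffic the old policy described. Anything the ACL does not match, including the OSPF hellos now riding inside GRE, is forwarded in the clear. The script below is an added example, not code from the thread or from Cisco; it parses a few IOS-style access-list lines with a toy matcher and reports whether the tunnel's GRE packets would be encrypted. All addresses are constructed (the post leaves the tunnel source and destination blank); ACL 112 mirrors the post's lines and, because in this constructed setup the tunnel interface addresses are not the ones in the GRE outer header, it does not cover the tunnel, whereas ACL 113 written on the tunnel source/destination does.

```python
"""Does a crypto-map access list cover the GRE packets a tunnel will emit?

Added example, not from the thread or from Cisco IOS.  With GRE over IPsec the
packets on the wire are GRE (protocol 47) between the "tunnel source" and
"tunnel destination" addresses, so that is what the crypto ACL must match.
Anything the ACL does not match leaves in the clear.  All addresses below are
constructed for illustration.
"""
import ipaddress

# IP protocol numbers for the keywords this toy parser understands.
PROTO = {"ip": None, "gre": 47, "ospf": 89, "udp": 17, "tcp": 6}


def _parse_addr(tokens):
    """Consume one ACL address spec ('host A', 'any' or 'A WILDCARD')."""
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks set the "don't care" bits; only contiguous ones are handled.
    wc = int(ipaddress.ip_address(wildcard))
    prefixlen = 32 - wc.bit_length()
    if wc != (1 << (32 - prefixlen)) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC DST' lines into rule tuples."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        acl_id, action, proto = t[1], t[2], PROTO[t[3]]
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        rules.append((acl_id, action, proto, src, dst))
    return rules


def encrypted(rules, acl_id, proto, src, dst):
    """First-match evaluation of one outbound packet against the crypto ACL.

    True when the packet would be encrypted; False when it would be sent in
    the clear (explicit deny, or the implicit deny at the end of the list)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rid, action, rproto, rsrc, rdst in rules:
        if rid != acl_id:
            continue
        if rproto is not None and rproto != proto:
            continue
        if s in rsrc and d in rdst:
            return action == "permit"
    return False


# Constructed site A setup: the GRE tunnel rides between two internet-facing
# addresses, while the tunnel interface itself uses 10.10.10.1/30 as in the post.
TUNNEL_SOURCE = "198.51.100.1"       # site A internet-facing address (constructed)
TUNNEL_DESTINATION = "203.0.113.1"   # remote site RA1 internet-facing address (constructed)

ACLS = parse_acl([
    # 111: the pre-GRE policy, LAN to LAN (constructed prefixes)
    "access-list 111 permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255",
    # 112: written on the tunnel interface addresses
    "access-list 112 permit gre host 10.10.10.1 host 10.10.10.2",
    # 113: written on the addresses that appear in the GRE outer header
    "access-list 113 permit gre host 198.51.100.1 host 203.0.113.1",
])


def gre_covered(acl_id):
    """Would the GRE packets carrying OSPF hellos and user data be encrypted?"""
    return encrypted(ACLS, acl_id, PROTO["gre"], TUNNEL_SOURCE, TUNNEL_DESTINATION)


if __name__ == "__main__":
    for acl in ("111", "112", "113"):
        state = "encrypted" if gre_covered(acl) else "IN THE CLEAR"
        print(f"ACL {acl}: tunnel GRE traffic {state}")
```

The matcher deliberately stops at the first matching entry and falls through to an implicit deny, which is the behaviour that makes a stale LAN-to-LAN crypto ACL dangerous after a move to GRE: nothing fails loudly, the tunnel comes up, OSPF adjacencies form, and the traffic simply is not encrypted.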




ronald.ramzy Sat, 03/14/2009 - 06:53
User Badges:

Thanks, it's great info.


Is there a way to bundle the three links under one VLAN and use all links?


Looking for a practical working solution.

Giuseppe Larosa Sat, 03/14/2009 - 10:34
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Ronald,

If you give different IP subnets to the three links, OSPF will use them to move traffic between the two sites.


OSPF can perform load balancing over up to 4 links by default, so no problem here.


Edit:

Sorry Ronald, by reading your first post again I see that the three links have different bandwidths: 8, 5, 2 Mbps.

I suggest you have different metrics over them:

in normal conditions you can use the primary link.

You can then move some traffic quotas to the other links using policy-based routing.

All of us have focused on the problem of making the remote sites known to site B, but you also have this issue.

Actually Adam had suggested PBR, and this is the way to use all the links.


Hope to help

Giuseppe


ronald.ramzy Sat, 03/14/2009 - 13:51
User Badges:

Thanks Giuseppe.


Should I have a different OSPF process and area, as per the attached file, on the VPN router?


I mean, for the in-country sites directly connected to Site (A) there should be a different OSPF process and different OSPF area than on the VPN router.


I was looking for an OSPF document with a similar scenario but no luck??




Attachment: 
Marwan ALshawi Sun, 03/15/2009 - 03:10
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Best Publication, December 2015

OK, for different OSPF processes just treat it as a different routing protocol,

and then you can redistribute between them and do filtering as well.


Two processes help in reducing the CPU and divide the OSPF database.


For example, here in the router that has two OSPF process IDs, the second one redistributed into the first one appears as an external route with LSA type 5:


Router#show ip ospf database

            OSPF Router with ID (10.1.1.1) (Process ID 2)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.1        10.1.1.1        173         0x80000001 0x00215D 1

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.2        10.1.1.2        37          0x80000003 0x00CF28 1
150.1.1.1       150.1.1.1       3           0x80000003 0x00BD24 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.1.1        150.1.1.1       85          0x80000001 0x007873

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
150.1.1.0       150.1.1.1       2           0x80000001 0x000C75 0


     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet1/0
     150.1.0.0/24 is subnetted, 1 subnets
O E2    150.1.1.0 [110/1] via 10.1.1.1, 00:00:07, FastEthernet1/0



HTH

Giuseppe Larosa Sun, 03/15/2009 - 05:40
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Ronald,

Even if using multiple routing processes is possible, I think in your case it is enough to use a single process and two different areas.


OSPF allows for effective filtering at area border routers and, what is interesting in your case, OSPF has a clear hierarchy of routes:

intra-area routes (O) are preferred over inter-area routes (O IA), which are preferred over O E1 routes, which are preferred over O E2.


So unless you need to build 3 levels of routes, using a different OSPF area should be enough to make paths learned via the VPN router (O IA) less preferred and not used as long as a direct link exists (which provides an O route).


If you use multiple OSPF processes, then you also need to manage redistribution between them, which adds complexity to your solution.


Note: you can have the direct link in a different area, and then if you increase the metric on the VPN routes you still use the direct link as long as it is alive.


I may be wrong, but I think you just need to deploy OSPF multi-area, single process.


Hope to help

Giuseppe


ronald.ramzy Sun, 03/15/2009 - 12:19
User Badges:


Thanks to all for your reply.

I will test based on your recommendation


Marwan ALshawi Sun, 03/15/2009 - 14:27
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award, Best Publication, December 2015

If you follow Giuseppe's advice,

you need to take into consideration that OSPF first prefers the path through the intra-area route regardless of the cost or the metric.

In other words, any route through the same area will be preferred over others through other areas.


good luck


HTH
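The route hierarchy Giuseppe describes (O over O IA over O E1 over O E2, cost only deciding among routes of the same type), together with Marwan's caveat that an intra-area path wins regardless of cost and the default of four equal-cost paths mentioned earlier, can be checked with a small model. The script below is an added example, not code from the thread or from Cisco; it implements the selection order of RFC 2328 section 16.4 and applies it to a constructed view from the site B router. Only 10.1.1.2 (site A's VLAN 9 address) comes from the thread; the prefix, the other link addresses, the VPN-router addresses and the costs are assumptions chosen to show each step of the failover.

```python
"""OSPF route preference modelled on the thread's topology.

Added example, not from the original thread or from Cisco.  It implements the
selection order O > O IA > O E1 > O E2, then lowest cost (RFC 2328 section
16.4), and the default limit of four equal-cost paths.
"""
from dataclasses import dataclass, replace

# Route types in order of preference; a better type wins regardless of cost.
PREFERENCE = {"O": 0, "O IA": 1, "O E1": 2, "O E2": 3}


@dataclass(frozen=True)
class Candidate:
    prefix: str
    rtype: str      # one of the PREFERENCE keys
    cost: int       # path cost; for O E2 the external (redistributed) metric
    fwd_cost: int   # internal cost to the ASBR, used only to break O E2 ties
    next_hop: str
    up: bool = True


def select(candidates, prefix, max_paths=4):
    """Next hops installed for prefix.

    The best route type wins regardless of cost.  Among routes of that type
    the lowest cost wins, and up to max_paths equal-cost next hops are kept.
    """
    alive = [c for c in candidates if c.prefix == prefix and c.up]
    if not alive:
        return []
    best_type = min(PREFERENCE[c.rtype] for c in alive)
    same_type = [c for c in alive if PREFERENCE[c.rtype] == best_type]
    if best_type == PREFERENCE["O E2"]:
        key = lambda c: (c.cost, c.fwd_cost)   # external metric, then cost to ASBR
    else:
        key = lambda c: (c.cost,)
    best = min(key(c) for c in same_type)
    winners = [c for c in same_type if key(c) == best]
    return [c.next_hop for c in winners][:max_paths]


def with_links_down(candidates, *next_hops):
    """Copy of candidates with every route via the given next hops marked down."""
    return [replace(c, up=False) if c.next_hop in next_hops else c
            for c in candidates]


def site_b_scenario():
    """Constructed routing view from site B for one prefix behind site A.

    Only 10.1.1.2 is from the thread; everything else is assumed."""
    prefix = "10.50.0.0/16"
    table = [
        # Three direct links in the same area, costs derived from bandwidth.
        Candidate(prefix, "O", cost=20, fwd_cost=0, next_hop="10.1.1.2"),   # link1, 5 Mb
        Candidate(prefix, "O", cost=50, fwd_cost=0, next_hop="10.1.1.6"),   # link2, 2 Mb
        Candidate(prefix, "O", cost=12, fwd_cost=0, next_hop="10.1.1.10"),  # link3, 8 Mb
        # The same prefix learned through the VPN router placed in another area.
        Candidate(prefix, "O IA", cost=5, fwd_cost=0, next_hop="10.99.0.1"),
        # And as a redistributed static from a second ASBR, cheapest of all.
        Candidate(prefix, "O E2", cost=1, fwd_cost=30, next_hop="10.99.0.2"),
    ]
    direct = ("10.1.1.2", "10.1.1.6", "10.1.1.10")
    return {
        "all_up": select(table, prefix),
        "link3_down": select(with_links_down(table, "10.1.1.10"), prefix),
        "direct_down": select(with_links_down(table, *direct), prefix),
        "only_external": select(with_links_down(table, *direct, "10.99.0.1"), prefix),
    }


def ecmp_scenario():
    """Equal-cost links are all installed, capped at four by default."""
    prefix = "10.50.0.0/16"
    three = [Candidate(prefix, "O", 10, 0, f"10.1.1.{h}") for h in (2, 6, 10)]
    six = [Candidate(prefix, "O", 10, 0, f"10.1.1.{h}") for h in (2, 6, 10, 14, 18, 22)]
    return select(three, prefix), select(six, prefix)


if __name__ == "__main__":
    for name, hops in site_b_scenario().items():
        print(f"{name:14s} -> {hops}")
    print("ecmp", ecmp_scenario())
```

Running it shows the point of the thread's last two posts: the cheap O IA and O E2 routes are never installed while any direct (O) link is up, however much its cost is raised, so tuning costs on the VPN side only orders the fallback paths among themselves.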
