OSPF Issue

Mar 13th, 2009

Hi,

I have two sites connected via 3 links:

Site(A)========Link1========Site(B) 5MB

Site(A)========Link2========Site(B) 2MB

Site(A)========Link3========Site(B) 8MB

Each link is terminated as VLAN

SiteA

Interface VLAN9

IP address 10.1.1.2 255.255.255.252

Site B

Interface FA 0/1

IP address 10.1.1.3 255.255.255.252

Each site has around 25 VLANs and runs OSPF as the routing protocol.

Site A has IPSEC VPN with other branch-offices

The branch office network cannot be seen on site B unless I add a static route, but if that link goes down then reachability is an issue.

I have OSPF costs set to make failover of the links work.

Any suggestion how to make it work without static routes?

adamclarkuk_2 Fri, 03/13/2009 - 06:50

As far as I see it, you have 2 options (both include statics, I'm afraid).

Option 1.

Have coded static routes on the IPSec termination device that are passed into OSPF via redistribution.

Option 2

Look at using IPSec reverse routes on Site A. This will install a static automatically when the VPN comes up. You can then redistribute static routes into OSPF which will be passed down to the other sites.

Maybe one more.

You could look at passing these static routes into OSPF by redistribution using rtr tracking in a route-map. Below is an example for PBR but the principle is similar.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml

Giuseppe Larosa Fri, 03/13/2009 - 06:54

Hello Ronald,

1) On site A, have you redistributed the IPSec VPN routes into OSPF?

siteA
router ospf 10
 redistribute static subnets

2) What type of area is used for links 1, 2, 3?

If it is not a stub area, you should be fine with the suggestion above.

OSPF has a hierarchy in using routes:

O and O IA routes are always preferred to external routes like the ones that you should see after redistribution

Those external routes are used only when the primary links fail

or always if no internal OSPF route (O or O IA) exists.

Hope to help

Giuseppe

gesadmin1 Fri, 03/13/2009 - 09:47

Adam and Giuseppe, I wonder wouldn't it also be possible to run IPSEC + GRE over the VPN tunnels to allow OSPF to work without the need for statics?? Maybe I'm missing something in the problem description...

Giuseppe Larosa Fri, 03/13/2009 - 14:10

Hello,

>> I wonder wouldn't it also be possible to run IPSEC + GRE over the VPN tunnels

This can be possible; it depends on the capabilities of the device terminating the VPN tunnels.

For example I don't know if an ASA can do it. A router can do it.

see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html

If the original poster provides more details, your suggestion can be the best solution.

Hope to help

Giuseppe

ronald.ramzy Sat, 03/14/2009 - 03:09

Thanks for your reply.

Routers at both ends (site A + B) support IPSEC.

Can someone assist with how I could configure GRE+IPSEC for these 3 links?

I have tested GRE+IPSEC for one link but don't know how to add the other two links to it...

Giuseppe Larosa Sat, 03/14/2009 - 03:59

Hello Ronald,

We were talking about the IPsec tunnels to remote branches connected to site A.

If between site A and site B you have three dedicated links, you don't need to use IPsec or GRE over IPsec over the links.

Sorry if we have been misleading.

From your original post we have got this picture:

remote sites -- internet -- SiteA

<----- ipsec -------->

and between the two sites

siteA ==== 3 links ===== siteB

The last suggestion is to move from IPsec to GRE over IPsec tunnels to connect the remote sites to site A, so that you can run OSPF over it.

So you need a single point-to-point GRE tunnel for each remote site.

The traffic to be encrypted becomes the GRE traffic.

Example:

Site A --- remote site Ra1

We use IP subnet 10.10.10.0/30.

int tunnel 11
 desc GRE tunnel to remote site RA1
 ip address 10.10.10.1 255.255.255.252
 tunnel source
 tunnel destination
 no shut

router ospf 10
 network 10.10.10.0 0.0.0.3 area 11

The same has to be done on the remote site router:

router ospf 10
 network 10.10.10.0 0.0.0.3 area 11
 network 192.168.1.0 0.0.0.255 area 11

int tu11
 desc to siteA router
 ip address 10.10.10.2 255.255.255.252
 tunnel source
 tunnel destination

The access-lists used in the crypto maps need to be changed to:

SiteA:

access-list 111 permit gre host 10.10.10.1 host 10.10.10.2

Remote site RA1:

access-list 121 permit gre host 10.10.10.2 host 10.10.10.1

This is the idea.

On the links between site A and site B you keep the current configuration.

Hope to help

Giuseppe

ronald.ramzy Sat, 03/14/2009 - 06:53

Thanks, it's great info.

Is there a way to bundle the three links under one VLAN and use all links?

Looking for a practical working solution.

Giuseppe Larosa Sat, 03/14/2009 - 10:34

Hello Ronald,

If you give different IP subnets to the three links, OSPF will use them to move traffic between the two sites.

OSPF can perform load balancing up to 4 links by default so no problem here.

Edit:

Sorry Ronald, by reading your first post again I see that the three links have different bandwidths: 8, 5, 2 Mbps.

I suggest you have different metrics on them:

In normal conditions you can use the primary link.

You can then move some traffic quotas to the other links using policy based routing.

All of us have focused on the problem of making the remote sites known to Site B, but you also have this issue.

Actually Adam had suggested PBR and this is the way to use all the links.

Hope to help

Giuseppe
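An added example (not from the thread) showing why the "up to 4 links" load balancing Giuseppe mentions only applies to equal-cost paths: OSPF derives each link's cost from its bandwidth, so the 8, 5 and 2 Mbps links end up with different costs and only the cheapest is installed. It assumes the Cisco IOS defaults of a 100 Mbps reference bandwidth and maximum-paths 4; the link bandwidths are taken from the first post.

```python
# Added example (not from the thread): how OSPF derives interface cost from
# bandwidth and why the 8/5/2 Mbps links in the thread will not load-balance.
# Assumes Cisco IOS defaults: reference bandwidth 100 Mbps, maximum-paths 4.

REFERENCE_BW_BPS = 100_000_000  # default "auto-cost reference-bandwidth 100"
MAX_PATHS = 4                   # default OSPF maximum-paths on IOS


def ospf_cost(bandwidth_bps: int) -> int:
    """Cost = reference bandwidth / interface bandwidth, truncated, minimum 1."""
    return max(1, REFERENCE_BW_BPS // bandwidth_bps)


def installed_paths(links: dict) -> dict:
    """Return the links OSPF would install for one destination.

    links maps link name -> bandwidth in bit/s. Only paths tied at the lowest
    cost are equal-cost candidates, and at most MAX_PATHS of them are used.
    """
    costs = {name: ospf_cost(bw) for name, bw in links.items()}
    best = min(costs.values())
    equal = {name: c for name, c in costs.items() if c == best}
    # Deterministic trim to MAX_PATHS; a real router applies its own tie rules.
    return dict(list(equal.items())[:MAX_PATHS])


# Constructed input matching the thread: three site-to-site links.
SITE_LINKS = {"Link1": 5_000_000, "Link2": 2_000_000, "Link3": 8_000_000}

if __name__ == "__main__":
    for name, bw in SITE_LINKS.items():
        print(f"{name}: {bw // 1_000_000} Mbps -> cost {ospf_cost(bw)}")
    print("installed:", installed_paths(SITE_LINKS))
    # With equal bandwidths all three would be installed (ECMP):
    print("if all 8 Mbps:", installed_paths({k: 8_000_000 for k in SITE_LINKS}))
```

Forcing equal costs with `ip ospf cost` would make OSPF install all three, but it would then split flows evenly across links of unequal capacity, which is why the thread moves to PBR for using the slower links.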

ronald.ramzy Sat, 03/14/2009 - 13:51

Thanks Giuseppe.

Should I have a different OSPF process and area, as per the attached file, on the VPN router?

I mean, for the in-country site directly connected to Site (A), should there be a different OSPF process and a different OSPF area than on the VPN router?

I was looking for an OSPF document with a similar scenario but no luck.

Marwan ALshawi Sun, 03/15/2009 - 03:10

OK, for different OSPF processes, just treat it as a different routing protocol,

and then you can redistribute between them and do filtering as well.

Two processes help in reducing the CPU load and divide the OSPF database.

For example, here in the router that has two OSPF process IDs, the second one redistributed into the first one appears as an external route with LSA type 5:

Router#show ip ospf database

            OSPF Router with ID (10.1.1.1) (Process ID 2)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.1        10.1.1.1        173         0x80000001 0x00215D 1

            OSPF Router with ID (150.1.1.1) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.2        10.1.1.2        37          0x80000003 0x00CF28 1
150.1.1.1       150.1.1.1       3           0x80000003 0x00BD24 1

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.1.1.1        150.1.1.1       85          0x80000001 0x007873

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
150.1.1.0       150.1.1.1       2           0x80000001 0x000C75 0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet1/0
     150.1.0.0/24 is subnetted, 1 subnets
O E2    150.1.1.0 [110/1] via 10.1.1.1, 00:00:07, FastEthernet1/0

HTH

Giuseppe Larosa Sun, 03/15/2009 - 05:40

Hello Ronald,

Even if using multiple routing processes is possible, I think in your case it is enough to use a single process and two different areas.

OSPF allows for effective filtering at area border routers and, what is interesting in your case, OSPF has a clear hierarchy of routes:

intra-area routes O are preferred over inter-area routes O IA, which are preferred over O E1 routes, which are preferred over O E2.

So unless you need to build 3 levels of routes, using a different OSPF area should be enough to make paths learned via the VPN router (O IA) less preferred and not used as long as a direct link exists (which provides an O route).

If you use multiple OSPF processes then you also need to manage redistribution between them, which adds complexity to your solution.

Note: you can have the direct link in a different area, and then if you increase the metric on the VPN routes you still use the direct link as long as it is alive.

I may be wrong, but I think you just need to deploy OSPF multi-area, single process.

Hope to help

Giuseppe

Marwan ALshawi Sun, 03/15/2009 - 14:27

If you follow Giuseppe's advice,

you need to take into consideration that OSPF first prefers the intra-area path regardless of the cost or metric.

In other words, any route through the same area will be preferred over others through other areas.

good luck

HTH
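An added example (not from the thread) that models the route hierarchy Giuseppe describes in his two replies and the caveat Marwan adds: OSPF compares route type first (O, then O IA, then O E1, then O E2) and only compares cost among routes of the same type. The prefix, costs and next hops below are constructed to mirror the thread's scenario of a branch prefix reachable via a direct link, via the VPN router in another area, and via redistribution.

```python
# Added example (not from the thread): OSPF route selection as described in
# the replies, route type first (O > O IA > O E1 > O E2), cost second.
# The prefix, costs and next hops are constructed for illustration.

from dataclasses import dataclass
from typing import List, Optional

# Lower rank wins; cost is only compared among routes of the same type.
TYPE_RANK = {"O": 0, "O IA": 1, "O E1": 2, "O E2": 3}


@dataclass(frozen=True)
class Route:
    prefix: str
    rtype: str       # one of the TYPE_RANK keys
    cost: int        # OSPF metric as shown in "show ip route"
    next_hop: str
    up: bool = True  # False once the link carrying the route has failed


def best_route(candidates: List[Route]) -> Optional[Route]:
    """Pick the route OSPF would install for one prefix."""
    alive = [r for r in candidates if r.up]
    if not alive:
        return None
    return min(alive, key=lambda r: (TYPE_RANK[r.rtype], r.cost))


# Constructed scenario for the branch-office prefix as seen from Site B:
#  - intra-area route over a direct link, deliberately given a high cost
#  - inter-area route learned through the VPN router (other area), cheaper
#  - external route from "redistribute static" on the VPN router, cheapest
BRANCH = "192.168.1.0/24"
direct = Route(BRANCH, "O", cost=50, next_hop="10.1.1.2")
via_vpn_ia = Route(BRANCH, "O IA", cost=10, next_hop="10.10.10.1")
via_vpn_ext = Route(BRANCH, "O E2", cost=1, next_hop="10.10.10.1")


def failover_demo() -> List[str]:
    """Return the chosen route type before and after the direct link fails."""
    before = best_route([direct, via_vpn_ia, via_vpn_ext])
    down = Route(BRANCH, "O", 50, "10.1.1.2", up=False)
    after = best_route([down, via_vpn_ia, via_vpn_ext])
    return [before.rtype, after.rtype]


if __name__ == "__main__":
    # Type beats cost: the direct O route wins at cost 50 over O IA at cost 10.
    print(failover_demo())
```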
