03-13-2009 05:22 AM - edited 03-06-2019 04:34 AM
Hi,
I have two sites connected via 3 links:
Site(A)========Link1========Site(B) 5MB
Site(A)========Link2========Site(B) 2MB
Site(A)========Link3========Site(B) 8MB
Each link is terminated as a VLAN:
Site A
interface Vlan9
 ip address 10.1.1.2 255.255.255.252
Site B
interface FastEthernet0/1
 ip address 10.1.1.3 255.255.255.252
Each site has around 25 VLANs and runs OSPF as the routing protocol.
Site A has an IPSEC VPN with other branch offices.
The branch office networks cannot be seen on site B unless a static route is added, but if that link goes down then reachability is an issue.
I have OSPF costs to make failover of the links.
Any suggestion how to make it work without static routes?
03-13-2009 06:50 AM
As far as I see it, you have 2 options (both include statics, I'm afraid).
Option 1.
Hard-coded static routes on the IPSec termination device that are passed into OSPF via redistribution.
Option 2
Look at using IPSec reverse routes on Site A. This will install a static automatically when the VPN comes up. You can then redistribute static routes into OSPF which will be passed down to the other sites.
Maybe one more.
You could look at passing these static routes into OSPF by redistribution using rtr tracking in a route-map. Below is an example for PBR but the principle is similar.
http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
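As an added illustration of Option 2 (this is example configuration, not part of the original reply or of any Cisco document): a Site A IOS router whose crypto map uses reverse route injection, with the resulting static routes redistributed into OSPF through a route-map so that only branch prefixes are injected. The peer addresses, pre-shared key placeholder, crypto map name, Site A LAN 10.1.0.0/16, and branch range 192.168.0.0/16 are all assumed values.

```cisco
! Site A VPN router -- added example, addresses and names assumed
! IKE phase 1 policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.20
!
! IPsec phase 2 transform set
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Crypto ACL: Site A LAN (assumed 10.1.0.0/16) to branch RA1 LAN (assumed 192.168.1.0/24)
access-list 101 permit ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-AES
 match address 101
 ! reverse-route installs a static route for the remote side of ACL 101
 ! when the IPsec SA comes up and withdraws it when the SA goes down
 reverse-route
!
interface FastEthernet0/0
 description Internet-facing interface (assumed)
 ip address 203.0.113.10 255.255.255.0
 crypto map VPN-MAP
!
! Only branch prefixes may be redistributed, not every static on the box
ip prefix-list BRANCH-NETS seq 10 permit 192.168.0.0/16 le 24
!
route-map RRI-TO-OSPF permit 10
 match ip address prefix-list BRANCH-NETS
!
router ospf 10
 redistribute static subnets route-map RRI-TO-OSPF
```

Because the injected route disappears with the SA, Site B stops seeing the branch as soon as the VPN is down, which is the behaviour a plain static route could not give. The prefix-list keeps unrelated static routes on the VPN router out of OSPF.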
03-13-2009 06:54 AM
Hello Ronald,
on site A, have you redistributed the IPSec VPN routes into OSPF?
siteA
router ospf 10
 redistribute static subnets
2) what type of area is used for links 1, 2, 3?
if it is not a stub area you should be fine with the suggestion above
OSPF has a hierarchy in using routes:
O and O IA routes are always preferred to external routes like the ones that you should see after redistribution
Those external routes are used only when the primary links fail
or always if no internal OSPF route (O or O IA ) exists
Hope to help
Giuseppe
03-13-2009 09:47 AM
Adam and Giuseppe, I wonder whether it wouldn't also be possible to run IPSEC + GRE over the VPN tunnels to allow OSPF to work without the need for statics? Maybe I'm missing something in the problem description...
03-13-2009 02:10 PM
Hello,
>> I wonder wouldn't it also be possible to run IPSEC + GRE over the VPN tunnels
This can be possible; it depends on the capabilities of the device terminating the VPN tunnels.
For example I don't know if an ASA can do it. A router can do it.
see
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
if the original poster provides more details your suggestion can be the best solution.
Hope to help
Giuseppe
03-14-2009 03:09 AM
Thanks for your reply.
The routers at both ends (site A + B) support IPSEC.
Can someone assist with how I could configure GRE+IPSEC for these 3 links?
I have tested GRE+IPSEC for one link but don't know how to add the other two links to it...
03-14-2009 03:59 AM
Hello Ronald,
we were talking about the ipsec tunnels to remote branches connected to siteA.
if between site A and siteB you have three dedicated links you don't need to use ipsec or GRE over ipsec over the links.
Sorry if we have been misleading
From your original post we have got this picture
remote sites -- internet -- SiteA
<----- ipsec -------->
and between the two sites
siteA ==== 3 links ===== siteB
the last suggestion is to move from ipsec to GRE over ipsec tunnels to connect the remote sites to siteA so that you can run ospf over it.
So you need a single point-to-point GRE tunnel for each remote site.
The traffic to be encrypted becomes the GRE traffic
example
Site A --- remote site Ra1
we use ip subnet 10.10.10.0/30
interface Tunnel11
 description GRE tunnel to remote site RA1
 ip address 10.10.10.1 255.255.255.252
 tunnel source
 tunnel destination
 no shutdown
router ospf 10
 network 10.10.10.0 0.0.0.3 area 11
the same has to be done on the remote site router
router ospf 10
 network 10.10.10.0 0.0.0.3 area 11
 network 192.168.1.0 0.0.0.255 area 11
interface Tunnel11
 description to siteA router
 ip address 10.10.10.2 255.255.255.252
 tunnel source
 tunnel destination
the access-list used in the crypto maps needs to be changed to
SiteA:
! the crypto ACL must match the outer GRE packet, whose addresses are the
! tunnel source and tunnel destination, not the 10.10.10.0/30 tunnel addresses
access-list 111 permit gre host <siteA tunnel source> host <RA1 tunnel source>
Remote site RA1:
access-list 121 permit gre host <RA1 tunnel source> host <siteA tunnel source>
This is the idea.
on links between siteA and siteB you keep the current configuration
Hope to help
Giuseppe
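To show the idea above completed end to end, here is an added example configuration for both routers (it is not Giuseppe's configuration and not taken from any Cisco document). The public addresses 203.0.113.10 (Site A) and 203.0.113.20 (RA1), the pre-shared key placeholder, the crypto map name, the MTU/MSS values and the outside interface names are assumptions; the tunnel subnet, area 11, ACL numbers and the RA1 LAN 192.168.1.0/24 come from the thread.

```cisco
! ---------- Site A router (added example) ----------
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.20
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Crypto ACL matches the outer GRE packet: tunnel source -> tunnel destination
access-list 111 permit gre host 203.0.113.10 host 203.0.113.20
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-AES
 match address 111
!
interface FastEthernet0/0
 description Internet (assumed)
 ip address 203.0.113.10 255.255.255.0
 crypto map VPN-MAP
!
interface Tunnel11
 description GRE tunnel to remote site RA1
 ip address 10.10.10.1 255.255.255.252
 ! leave room for GRE + ESP overhead so OSPF and TCP do not rely on fragmentation
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.10
 tunnel destination 203.0.113.20
!
router ospf 10
 ! existing direct link to Site B stays where it is (area assumed to be 0)
 network 10.1.1.0 0.0.0.3 area 0
 ! the GRE tunnel to the branch carries OSPF in area 11
 network 10.10.10.0 0.0.0.3 area 11
!
! ---------- Remote site RA1 router (added example) ----------
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
access-list 121 permit gre host 203.0.113.20 host 203.0.113.10
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address 121
!
interface FastEthernet0/0
 description Internet (assumed)
 ip address 203.0.113.20 255.255.255.0
 crypto map VPN-MAP
!
interface Tunnel11
 description to siteA router
 ip address 10.10.10.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.20
 tunnel destination 203.0.113.10
!
router ospf 10
 network 10.10.10.0 0.0.0.3 area 11
 network 192.168.1.0 0.0.0.255 area 11
```

A second or third branch is added by repeating the Tunnel, crypto ACL and crypto map sequence blocks on Site A with a new tunnel number, a new /30 and the next crypto map sequence number; the router ospf 10 block only needs the extra network line. Once the tunnel is up, show ip ospf neighbor on Site A should list the RA1 tunnel address as a neighbor in area 11.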
03-14-2009 06:53 AM
Thanks its great info.
Is there a way to bundle the three links under one VLAN and use all links?
Looking for a practical working solution
03-14-2009 10:34 AM
Hello Ronald,
if you give different ip subnets to the three links OSPF will use them to move traffic between the two sites.
OSPF can perform load balancing up to 4 links by default so no problem here.
Edit:
Sorry Ronald, by reading your first post again I see that the three links have different bandwidths: 8, 5 and 2 Mbps.
I suggest you have different metrics over them:
in normal conditions you can use the primary link.
You can then move some traffic quotas to other links using Policy Based Routing.
All of us have focused on the problem of making known the remote sites to SiteB but you have also this issue.
Actually Adam had suggested PBR and this is the way to use all the links.
Hope to help
Giuseppe
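To make the cost and load-balancing point concrete, an added example (not from this thread) of the Site A side of the three links. The VLAN numbers 10 and 11, the /30 subnets for links 2 and 3, the user VLAN, the reference bandwidth, and the "bulk" destination prefix 10.20.0.0/16 are assumptions; Vlan9 with 10.1.1.2/30 and the 5/2/8 Mbps figures come from the thread.

```cisco
! Site A -- added example; numbers and names marked assumed are not from the thread
router ospf 10
 ! reference bandwidth 1000 Mbps so that 2, 5 and 8 Mbps get distinct costs
 auto-cost reference-bandwidth 1000
 ! OSPF installs up to 4 equal-cost paths by default; stated explicitly here
 maximum-paths 4
!
interface Vlan9
 description Link1 to Site B, 5 Mbps
 bandwidth 5000
 ip address 10.1.1.2 255.255.255.252
! cost = 1000 / 5 = 200
!
interface Vlan10
 description Link2 to Site B, 2 Mbps (VLAN and subnet assumed)
 bandwidth 2000
 ip address 10.1.1.6 255.255.255.252
! cost = 1000 / 2 = 500
!
interface Vlan11
 description Link3 to Site B, 8 Mbps (VLAN and subnet assumed)
 bandwidth 8000
 ip address 10.1.1.10 255.255.255.252
! cost = 1000 / 8 = 125, so Link3 is the only path OSPF installs;
! Link1 and Link2 are used only when Link3 goes down.
!
! Optional: steer one traffic class onto Link2 with PBR, but only while the
! far end of Link2 answers pings; otherwise the packet follows the OSPF route.
ip sla 1
 icmp-echo 10.1.1.5 source-interface Vlan10
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
access-list 150 permit ip any 10.20.0.0 0.0.255.255
route-map TO-LINK2 permit 10
 match ip address 150
 set ip next-hop verify-availability 10.1.1.5 10 track 1
!
interface Vlan20
 description Site A user VLAN (assumed)
 ip policy route-map TO-LINK2
```

Forcing equal costs on all three interfaces with ip ospf cost would make OSPF spread destinations across the links, but equal-cost balancing is per destination (or per packet with process switching) and ignores the fact that one link is four times slower than another, so the 2 Mbps link can saturate first. The tracked PBR entry is the safer way to use the slower links: when track 1 goes down the set clause is skipped and the traffic falls back to the OSPF path.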
03-14-2009 01:51 PM
Thanks Giuseppe.
Should I have a different OSPF process and area as per the attached file on the VPN router?
I mean, for the in-country site directly
connected to Site(A) there should be a different OSPF process and a different OSPF area than on the VPN router..
I was looking for an OSPF document for a similar scenario but no luck?
03-15-2009 03:10 AM
ok, for different OSPF processes just treat it as a different routing protocol
and then you can redistribute between them and do filtering as well
two processes help in reducing the CPU and divide the OSPF database
for example here in the router that has two OSPF process IDs, the second one redistributed into the first one appears as an external route with LSA type 5
Router#show ip ospf database
            OSPF Router with ID (10.1.1.1) (Process ID 2)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.1        10.1.1.1        173         0x80000001 0x00215D 1
            OSPF Router with ID (150.1.1.1) (Process ID 1)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
10.1.1.2        10.1.1.2        37          0x80000003 0x00CF28 1
150.1.1.1       150.1.1.1       3           0x80000003 0x00BD24 1
                Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
10.1.1.1        150.1.1.1       85          0x80000001 0x007873
                Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
150.1.1.0       150.1.1.1       2           0x80000001 0x000C75 0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet1/0
     150.1.0.0/24 is subnetted, 1 subnets
O E2    150.1.1.0 [110/1] via 10.1.1.1, 00:00:07, FastEthernet1/0
HTH
03-15-2009 05:40 AM
Hello Ronald,
even if using multiple routing processes is possible, I think in your case it is enough to use a single process and two different areas.
OSPF allows for effective filtering at area border routers and, what is interesting in your case, OSPF has a clear hierarchy of routes:
intra-area routes O are preferred over inter-area routes O IA, which are preferred over O E1 routes, which are preferred over O E2.
so unless you need to build 3 levels of routes, using a different OSPF area should be enough to make paths learned via the VPN router (O IA) less preferred and not used until a direct link exists (that provides an O route).
if you use multiple OSPF processes then you also need to manage redistribution between them, which adds complexity to your solution.
note: you can have the direct link in a different area and then, if you increase the metric on the VPN routes, you still use the direct link as long as it is alive
I may be wrong but I think you just need to deploy OSPF multi-area, single process
Hope to help
Giuseppe
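An added example of the single-process, two-area design described above on the Site A router acting as area border router (this is illustration, not Giuseppe's configuration). The router-id, the Site A LAN block 10.1.0.0/16, the branch block 192.168.0.0/16, the management prefix 10.1.250.0/24 and the tunnel cost are assumptions; 10.1.1.0/30, 10.10.10.0/30, area 0 and area 11 follow the thread.

```cisco
! Site A router as ABR between area 0 (direct links, local VLANs) and
! area 11 (GRE tunnels to the branches) -- added example
router ospf 10
 router-id 10.255.0.1
 ! direct links to Site B and the local VLANs (assumed 10.1.0.0/16) in area 0
 network 10.1.1.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
 ! all branch tunnels (assumed to be carved from 10.10.10.0/24) in area 11
 network 10.10.10.0 0.0.0.255 area 11
 ! advertise one summary for the branches into area 0 instead of every /24
 area 11 range 192.168.0.0 255.255.0.0
 ! only Site A/Site B prefixes are advertised into the branch area;
 ! the management prefix never leaves area 0
 area 11 filter-list prefix TO-BRANCHES in
!
ip prefix-list TO-BRANCHES seq 5  deny 10.1.250.0/24
ip prefix-list TO-BRANCHES seq 10 permit 10.1.0.0/16 le 24
ip prefix-list TO-BRANCHES seq 20 deny 0.0.0.0/0 le 32
!
! Branch routes arrive at Site B as O IA (via Site A) and lose to any O route
! Site B learns over a direct link. If a branch is also reachable over a
! direct link that sits in another area, raise the tunnel cost so the tunnel
! is used only when the direct link is down.
interface Tunnel11
 ip ospf cost 1000
```

The filter-list acts on the Type 3 summary LSAs Site A generates into area 11, so a branch router that is compromised or misconfigured still only sees the prefixes the prefix-list permits. On Site B, show ip route ospf should list the branch summary as O IA with Site A as the next hop.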
03-15-2009 12:19 PM
Thanks to all for your reply.
I will test based on your recommendation
03-15-2009 02:27 PM
if you follow Giuseppe's advice
you need to take into consideration that OSPF first prefers the intra-area path regardless of the cost or metric
in other words, any route through the same area will be preferred over others through other areas
good luck
HTH