OSPF design

Unanswered Question

two Data Center and one office

all interconnected with dual links (internally)

and one ISP at the Data Centers only. Office's ISP access goes through DC1's ISP.


What'd you recommend as far as OSPF design?

Should I have a single area zero ? We do not have many routers(routes)

Should have two areas: area0 internally and area1 for the public address(edge layer) or vice versa ??


I do want to have Internet failover between the Data Centers

And internally OPSF failover configured on the dual links.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
sachinraja Tue, 01/26/2010 - 12:42

Hi Johnson


Do you have any outbound or ISP connection from DC 2 ??


You can have all the core links (between office & Datacenter , between DCs) on area 0. internal networks /loopback can also be a part of area 0.. on the office, if you have multiple user vlans, you can have them on a seperate area (just on a design perspective), though there is no harm keeping it on area 0... but from a scalability point of view its good to have multiple areas, which might help if this network grows in size.. similarly the public networks can be on a different area on the datacenter.. have ospf authentication configured to enhance security.. have loopbackss configured as ospf router-id as a best practice... have descriptions wherever possible..


Hope this helps.. all the best


Raj

sachinraja Tue, 01/26/2010 - 12:53

The DMZ behind the FWSM's can also be in area 0.. Guiseppe has given a very good explanation on the default route propagation between the two datacenters.. with regards to internal networks you can build up your own standards.. for hq networks which is off some kinda vpn tunnel, you can have static routes if required and have them redistributed onto the ospf domain if you had to propagate the vpn ip pools etc....


Raj

sachinraja Tue, 01/26/2010 - 13:47

Hi Johnson


How many networks are there on the DMZ segment ? By the looks of it, doesnt the outside segment (Public) just have back -to -back interfaces which would be used for routing/packet forwarding ? are there any servers or other componenets on the Public segment ? If you dont need network reachability to Outside segment from inside, you can just have static routes on the ASA firewalls pointing to the next hop router and have the static route redistributed onto OSPF Area 0 configured on the FW. if there are too many routes, i understand having ospf between the router and firewall for automatic route propagation.. in that case you can configure the outside segment directly on area 0, instead of assigning them on area 1... think of other areas only on edge locations (on offices) where you have multiple vlans for user traffic...


Hope this helps.. all the best


Raj

I changed a bit my design because of two things.


1. RTT between the Data Center is about 80ms

2. We server apps to the Internet and they are very sensitive.


Please see attached file.

My dilemma now is should I split A1 and make DC1 with A0 and DC2 with A1 ??

I want to have A1 for OSPF/BGP failover convergence.


HQ would be configure as Stub Area.

We can not afford any IGP convergence impacting from DC1 to DC2 or vice-versa.


Suggestions/Comments and Critics...please.


Thanks

Johnson


ps. DMZ the are about 8 public subnets

sachinraja Wed, 01/27/2010 - 19:19

The design has FW5 & FW6, directly on Area 1 & Area 2 ?? it does not have a backbone area ?? i suggest you have your backbone core links (yellow links) all on area 0 and have the LAN segments on area 2.... have you already implemented this on OSPF ? if u have all cisco devices, you can configure EIGRP instead.. convergence is better than OSPF, and you have numerous other benefits with EIGRP.. but it depends on your environment...


what does the HQ segment constitute ? The most important question here as Guiseppe pointed out is, how are you going to control your default gateway, and how will you provide redundancy between DC1 and DC2 of the default gateway.. local routes, whether it be area 0 or area 1, would be propagated fine..


Hope this helps.. all the best


Raj

>> The design has FW5 & FW6, directly on Area 1 & Area 2 ??

YES


>> it does not have a backbone area ??

You mean if connects to Area 0, sure it does.


>> have you already implemented this on OSPF ?

Nope


>>Which IGP to use?

I guess my main concern now is if convergence happen.

a. does it propagate to other areas

b. how much is going to impact the applications in DC1 for instance.

Our internal apps are very sensitive to traffic disruptions.

To give you an idea....if a BGP peer out there connected(peering) to our ISP have a flap.

Some of our app will drop the session



>> what does the HQ segment constitute ?

It is our office head quarters. I can configure a stub area for it.


As far as default gateway G point out, I totally agree.

That's what I have in mind for sure.


Thanks

Johnson

Giuseppe Larosa Tue, 01/26/2010 - 12:48

Hello Johnson,


from OSPF  point of view internet access is represented a default route that will be an O E2 (default type) or O E1 (if explicitly connected).


Using OSPF O E1 with two internet exit points is recommended using a different seed metric you can have a primary exit point and a secondary exit point from the point of view of office site.


to generate the default route you can use


router ospf 10


default-information originate route-map check_bgp type 1


ip prefix-list only-default permit 0.0.0.0/0


route-map check_bgp

match ip address prefix only-default

set metric 50


on secondary exit point ASBR


router ospf 10


default-information originate route-map check_bgp type 1


ip prefix-list only-default permit 0.0.0.0/0


route-map check_bgp

match ip address prefix only-default

set metric 500





You can use OSPF areas for routes internal to each site or you can stay in single area 0 as you like.


Hope to help

Giuseppe

Actions

This Discussion