07-17-2010 06:53 AM - edited 03-06-2019 12:04 PM
Hi!
We have two DMVPN networks (2 hubs with some number of spokes each); the hubs are also connected to each other by an encrypted tunnel (GRE + IPsec).
The topology is 2 stars with connected centers. The centers are the company's regional centers, and the spokes are small branches in one of the 2 regions. So as a whole it is the company's intranet.
All spoke routers connect to their hub via 2 lines; OSPF is used. On all routers we have 2 external interfaces, 2 Tunnel interfaces, 1 LAN and 1 Loopback0 interface (the latter is set as the OSPF router ID on the spokes). The hubs also have a second Loopback1, which is used as their OSPF router ID. (I don't think the second Loopback is really needed; initially it was used when our provider set up BGP between the 2 hubs, which was then replaced by OSPF. But it is not so important...)
The target was: to provide reachability between all branch networks, plus each regional center provides the Internet connection for the spokes of its own region (only! => "Default route should not be redistributed between hubs", something like that).
Recently I noticed we have quite different settings on the spokes regarding passive interfaces. Everywhere both Tunnel interfaces are non-passive, but on some spokes VLAN1 (the LAN interface) is also made non-passive, on some Loopback0. And on the hubs only the tunnel interfaces are not passive ("passive-interface default" is used everywhere).
I want to understand which interfaces I really need to be non-passive. I have read about OSPF adjacency, but I don't understand whether I need to involve the LAN and Loopback interfaces in adjacencies to achieve the above-mentioned target.
P.S. Here are the fragments of the routers' OSPF configs (to give the full picture):
Hub of region 1:
router ospf 1
log-adjacency-changes
redistribute static subnets route-map static_to_osfp_1
redistribute ospf 2 subnets match internal external 1 external 2
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
network 192.168.0.0 0.0.0.255 area 0
network 192.168.96.0 0.0.0.255 area 0
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.100 0.0.0.0 area 0
default-information originate
!
router ospf 2
router-id 172.16.1.1
log-adjacency-changes
redistribute ospf 1 subnets match internal external 1 external 2 route-map redistr_ospf1_2_ospf2
passive-interface default
no passive-interface Tunnel3
no passive-interface Tunnel4
network 192.168.91.0 0.0.0.255 area 0
network 192.168.93.0 0.0.0.255 area 0
192.168.0.0 is the regional center network address,
192.168.98.100 is the hub's Loopback0 IP,
192.168.96.0 and 192.168.97.0 are the networks from which the hub's and the region's spokes' Tunnel interface IP addresses are taken.
192.168.91.0 and 192.168.93.0 are the networks from which the hubs' Tunnel interface IP addresses are taken (for the tunnels between the hubs!).
Spoke of region 1:
router ospf 1
log-adjacency-changes
passive-interface default
no passive-interface Loopback0
no passive-interface Tunnel1
no passive-interface Tunnel2
network 192.168.11.0 0.0.0.255 area 0
network 192.168.96.0 0.0.0.255 area 0
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.11 0.0.0.0 area 0
192.168.11.0 is the respective branch network address,
192.168.98.11 is the spoke's Loopback0 IP,
192.168.96.0 and 192.168.97.0 are the networks from which the hub's and the region's spokes' Tunnel interface IP addresses are taken.
Hub of region 2:
router ospf 1
router-id 192.168.98.30
log-adjacency-changes
redistribute ospf 2 subnets match internal external 1 external 2
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
network 192.168.30.0 0.0.0.255 area 0
network 192.168.94.0 0.0.0.255 area 0
network 192.168.95.0 0.0.0.255 area 0
network 192.168.98.30 0.0.0.0 area 0
default-information originate
!
router ospf 2
router-id 172.16.2.1
log-adjacency-changes
redistribute ospf 1 subnets match internal external 1 external 2 route-map redistr_ospf1_2_ospf2
passive-interface default
no passive-interface Tunnel3
no passive-interface Tunnel4
network 192.168.91.0 0.0.0.255 area 0
network 192.168.93.0 0.0.0.255 area 0
I think there is no need to explain the addresses; the principle is the same.
Spoke of region 2:
router ospf 1
router-id 192.168.98.31
log-adjacency-changes
passive-interface default
no passive-interface Tunnel1
no passive-interface Tunnel2
no passive-interface Vlan1
network 192.168.31.0 0.0.0.255 area 0
network 192.168.94.0 0.0.0.255 area 0
network 192.168.95.0 0.0.0.255 area 0
network 192.168.98.31 0.0.0.0 area 0
Thanks in advance.
07-17-2010 07:59 AM
Hi,
I think you should make the loopbacks and vlan 1 passive - you only need to establish adjacencies over the tunnels, not with routers connected to vlan 1 or a loopback (there aren't any). As long as the ospf config contains the vlan 1 and loopback network statements, they will be advertised to the hubs.
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t2/feature/guide/defint.html should clarify the feature.
Hope this helps,
Jason.
07-17-2010 11:23 AM
Alen
I quite agree with Jason. I do not see that there is ever a reason to have a loopback interface not be passive. And the only reason to make the LAN interface not passive is if there is another router to which it connects over the LAN. From your description this is not true.
So - you need network statements for loopback, LAN, and tunnels. But only the tunnels need to be not passive.
HTH
Rick
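The check the two answers describe, as an added example that is not part of the thread (Python written for this page, not anyone's posted config): it parses `router ospf` stanzas together with `interface` stanzas (the thread does not show the interface stanzas, so the addresses below are constructed to match the region-2 spoke), works out which interfaces each process enables through its `network` statements, applies the `passive-interface default` / `no passive-interface` semantics, and flags any active interface that is not a tunnel. The premise that only Tunnel interfaces carry neighbours is the thread's; it is encoded as the `TRANSIT_PREFIXES` assumption. The practical reason to care beyond tidiness: an OSPF-enabled interface that is not passive sends hellos and will form an adjacency with any OSPF speaker on that segment, so a non-passive Vlan1 lets a host on the branch LAN peer with the router and inject routes unless OSPF authentication is configured. Making it passive keeps the prefix advertised while refusing neighbours.

```python
"""Audit Cisco IOS 'router ospf' blocks for interfaces that are OSPF-enabled
and non-passive but are not transit (tunnel) interfaces."""
import ipaddress
import re

# Constructed sample: the region-2 spoke's OSPF block as posted, plus the
# interface stanzas the thread did not show (addresses assumed for the example).
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 192.168.98.31 255.255.255.255
interface Tunnel1
 ip address 192.168.94.31 255.255.255.0
interface Tunnel2
 ip address 192.168.95.31 255.255.255.0
interface Vlan1
 ip address 192.168.31.1 255.255.255.0
interface FastEthernet0
 ip address 203.0.113.10 255.255.255.252
!
router ospf 1
 router-id 192.168.98.31
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 no passive-interface Vlan1
 network 192.168.31.0 0.0.0.255 area 0
 network 192.168.94.0 0.0.0.255 area 0
 network 192.168.95.0 0.0.0.255 area 0
 network 192.168.98.31 0.0.0.0 area 0
"""

# Assumption taken from the thread: only the tunnels have OSPF neighbours.
TRANSIT_PREFIXES = ("Tunnel",)


def parse_interfaces(config):
    """Map interface name -> IPv4 address from 'interface' / 'ip address' lines."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and current:
            addrs[current] = m.group(1)
        if line.startswith("!") or line.startswith("router "):
            current = None  # left the interface stanza
    return addrs


def parse_ospf_processes(config):
    """Return {pid: {networks, default_passive, passive, active}} per 'router ospf' block."""
    procs, cur = {}, None
    for line in config.splitlines():
        m = re.match(r"^router ospf (\d+)", line)
        if m:
            cur = procs.setdefault(m.group(1), dict(
                networks=[], default_passive=False, passive=set(), active=set()))
            continue
        if cur is None or not line.startswith(" "):
            cur = None  # any non-indented line ends the block
            continue
        s = line.strip()
        m = re.match(r"network (\S+) (\S+) area", s)
        if m:
            cur["networks"].append((m.group(1), m.group(2)))
        elif s == "passive-interface default":
            cur["default_passive"] = True
        elif s.startswith("no passive-interface "):
            cur["active"].add(s.split()[-1])
        elif s.startswith("passive-interface "):
            cur["passive"].add(s.split()[-1])
    return procs


def _matches(addr, net, wildcard):
    """IOS 'network' semantics: bits not set in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return (a & mask) == (n & mask)


def audit(config):
    """Per process: {interface: active?} for OSPF-enabled interfaces, and the
    sorted list of active interfaces that are not transit and should be passive."""
    addrs, report = parse_interfaces(config), {}
    for pid, p in parse_ospf_processes(config).items():
        enabled = {}
        for ifname, ip in addrs.items():
            if any(_matches(ip, n, w) for n, w in p["networks"]):
                if p["default_passive"]:
                    enabled[ifname] = ifname in p["active"]
                else:
                    enabled[ifname] = ifname not in p["passive"]
        findings = sorted(i for i, act in enabled.items()
                          if act and not i.startswith(TRANSIT_PREFIXES))
        report[pid] = {"enabled": enabled, "should_be_passive": findings}
    return report


def remediation(report):
    """IOS lines that fix each finding ('passive-interface X' also removes a
    'no passive-interface X' entry when 'passive-interface default' is in use)."""
    lines = []
    for pid, r in report.items():
        for ifname in r["should_be_passive"]:
            lines.extend([f"router ospf {pid}", f" passive-interface {ifname}"])
    return lines


if __name__ == "__main__":
    rep = audit(SAMPLE_CONFIG)
    for pid, r in rep.items():
        print(f"ospf {pid}: enabled={r['enabled']} fix={r['should_be_passive']}")
    print("\n".join(remediation(rep)))
```

On the sample spoke the audit lists Loopback0, Tunnel1, Tunnel2 and Vlan1 as OSPF-enabled (FastEthernet0 matches no `network` statement), reports only Vlan1 as active-but-not-transit, and emits `passive-interface Vlan1` under `router ospf 1`. Loopback0 on this spoke is already passive because `passive-interface default` covers it; on the region-1 spoke, which carries `no passive-interface Loopback0`, the same run would flag Loopback0 as well.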
07-18-2010 03:49 AM
Thank you very much for your help!