New Member

OSPF Issue

Hi,

I have two sites connected via 3 links

Site(A)========Link1========Site(B) 5MB

Site(A)========Link2========Site(B) 2MB

Site(A)========Link3========Site(B) 8MB

Each link is terminated as VLAN

SiteA

Interface VLAN9

IP address 10.1.1.2 255.255.255.252

Site B

Interface FA 0/1

IP address 10.1.1.3 255.255.255.252

Each site has around 25 VLANs and runs OSPF as the routing protocol.

Site A has IPSEC VPN with other branch-offices

Branch Office network cannot be seen on site B unless adding a static route, but if that link goes down then reachability is an issue.

I have ospf cost to make failover of links.

Any suggestions on how to make it work without static routes?

  • LAN Switching and Routing
13 REPLIES

Re: OSPF Issue

As far as I see it, you have 2 options ( both include statics I'm afraid)

Option 1.

Have coded static routes on the IPSec termination device that are passed into OSPF via redistribution.

Option 2

Look at using IPSec reverse routes on Site A. This will install a static automatically when the VPN comes up. You can then redistribute static routes into OSPF which will be passed down to the other sites.

Maybe one more.

You could look at passing these static routes into OSPF by redistribution using rtr tracking in a route-map. Below is an example for PBR but the principle is similar.

http://www.cisco.com/en/US/tech/tk364/technologies_configuration_example09186a0080211f5c.shtml
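Option 2 as a configuration sketch, added here as an example and not part of the original reply. The crypto map name CM-BRANCH, the prefix-list and route-map names, and the sequence numbers are hypothetical; 192.168.1.0/24 stands in for a branch LAN. The route-map limits redistribution to the branch prefixes so that unrelated static routes on the VPN router are not advertised into OSPF.

```cisco
! Added example (hypothetical names): reverse route injection on the
! Site A VPN router, redistributed into OSPF through a filter.

! Existing crypto map entry for the branch peer; only reverse-route is new.
! A static route for the remote protected network is installed when the
! IPsec SA is up and is removed when it goes away.
crypto map CM-BRANCH 10 ipsec-isakmp
 reverse-route

! Only branch prefixes may enter OSPF (192.168.1.0/24 is an assumed LAN).
ip prefix-list BRANCH-NETS seq 5 permit 192.168.1.0/24

route-map RRI-TO-OSPF permit 10
 match ip address prefix-list BRANCH-NETS
! No further route-map entries: every other static route is denied
! by the implicit deny at the end of the route-map.

router ospf 10
 redistribute static subnets route-map RRI-TO-OSPF
```

On Site B the branch prefix should then appear as an OSPF external route (`show ip route ospf`), and it should disappear when the tunnel is down.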

Hall of Fame Super Silver

Re: OSPF Issue

Hello Ronald,

on site A have you redistributed the IPSec VPN routes into OSPF ?

siteA

router ospf 10

red static subnets

2) what type of area is used for the links1,2,3

if it is not a stub area you should be fine with the suggestion above

OSPF has a hierarchy in using routes:

O and O IA routes are always preferred to external routes like the ones that you should see after redistribution

Those external routes are used only when the primary links fail

or always if no internal OSPF route (O or O IA ) exists

Hope to help

Giuseppe

New Member

Re: OSPF Issue

Adam and Giuseppe, I wonder wouldn't it also be possible to run IPSEC + GRE over the VPN tunnels to allow OSPF to work without the need for statics?? Maybe I'm missing something in the problem description...

Hall of Fame Super Silver

Re: OSPF Issue

Hello,

>> I wonder wouldn't it also be possible to run IPSEC + GRE over the VPN tunnels

This can be possible; it depends on the capabilities of the device terminating the VPN tunnels.

For example I don't know if an ASA can do it. A router can do it.

see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html

if the original poster provides more details your suggestion can be the best solution.

Hope to help

Giuseppe

New Member

Re: OSPF Issue

Thanks for your reply.

routers at both end(siteA+B) support IPSEC.

Can someone assist with how I could configure GRE+IPSEC for these 3 links?

I have tested GRE+IPSEC for one link but don't know how to add the other two links to it...

Hall of Fame Super Silver

Re: OSPF Issue

Hello Ronald,

we were talking about the ipsec tunnels to remote branches connected to siteA.

if between site A and siteB you have three dedicated links you don't need to use ipsec or GRE over ipsec over the links.

Sorry if we have been misleading

From your original post we have got this picture

remote sites -- internet -- SiteA

<----- ipsec -------->

and between the two sites

siteA ==== 3 links ===== siteB

the last suggestion is to move from ipsec to GRE over ipsec tunnels to connect the remote sites to siteA so that you can run ospf over it.

So you need a single point-to-point GRE tunnel for each remote site.

The traffic to be encrypted becomes the GRE traffic

example

Site A --- remote site Ra1

we use ip subnet 10.10.10.0 /30

int tunnel 11
 desc GRE tunnel to remote site RA1
 ip address 10.10.10.1 255.255.255.252
 tunnel source
 tunnel destination
 no shut

router ospf 10
 network 10.10.10.0 0.0.0.3 area 11

the same have to be done on remote site router

router ospf 10
 network 10.10.10.0 0.0.0.3 area 11
 network 192.168.1.0 0.0.0.255 area 11

int tu11
 desc to siteA router
 ip address 10.10.10.2 255.255.255.252
 tunnel source
 tunnel destination

the access-lists used in the crypto maps need to be changed to

SiteA:

access-list 111 permit gre host 10.10.10.1 host 10.10.10.2

Remote site RA1:

access-list 121 permit gre host 10.10.10.2 host 10.10.10.1

This is the idea.

on links between siteA and siteB you keep the current configuration

Hope to help

Giuseppe
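The GRE over IPsec idea above as a fuller Site A configuration, added here as an example and not part of the original reply. The public addresses 192.0.2.1 (Site A) and 198.51.100.1 (remote site RA1), the WAN interface name, the pre-shared key placeholder, the crypto names and the MTU values are all assumptions. In this sketch the crypto ACL matches GRE between the tunnel source and destination, because those are the addresses carried in the outer IP header of the GRE packets that reach the crypto map.

```cisco
! Added example (assumed addresses and names): Site A side of a
! point-to-point GRE tunnel protected by IPsec, with OSPF on the tunnel.

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_PSK address 198.51.100.1

! Transport mode: GRE already provides the tunnel, and the GRE endpoints
! are the same addresses as the IPsec peers.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport

! Interesting traffic = GRE between the public tunnel endpoints.
! The remote site uses the mirror image of this entry.
access-list 111 permit gre host 192.0.2.1 host 198.51.100.1

crypto map CM-BRANCH 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-GRE
 match address 111

interface Tunnel11
 description GRE tunnel to remote site RA1
 ip address 10.10.10.1 255.255.255.252
 ! Same ip mtu on both ends: an MTU mismatch stalls the OSPF adjacency.
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1

! Hypothetical WAN interface that owns 192.0.2.1
interface GigabitEthernet0/0
 crypto map CM-BRANCH

router ospf 10
 network 10.10.10.0 0.0.0.3 area 11
```

`show crypto ipsec sa` should show encaps/decaps counters increasing for the GRE flow, and `show ip ospf neighbor` should list the remote router in FULL state across Tunnel11.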

New Member

Re: OSPF Issue

Thanks, it's great info.

Is there a way to bundle three links under one VLAN and use all links.

Looking for a practical working solution

Hall of Fame Super Silver

Re: OSPF Issue

Hello Ronald,

if you give different ip subnets to the three links OSPF will use them to move traffic between the two sites.

OSPF can perform load balancing up to 4 links by default so no problem here.

Edit:

Sorry Ronald by reading again your first post I see that the three links have different bandwidths 8,5, 2 Mbps.

I suggest you have different metrics over them:

in normal conditions you can use the primary link.

You can then move some traffic quotas to other links using Policy based routing.

All of us have focused on the problem of making known the remote sites to SiteB but you have also this issue.

Actually Adam had suggested PBR and this is the way to use all the links.

Hope to help

Giuseppe

New Member

Re: OSPF Issue

Thanks Giuseppe.

Should I have different OSPF Process and Area as per attached file on VPN Router.

I mean for an in-country site directly connected to Site(A) there should be a different OSPF Process and a different OSPF Area than on the VPN Router..

I was looking for a similar scenario ospf document but no luck??
