Ospf neighborship in different subnet

amitak
Level 1

Hi Friends,

OSPF neighborship is not coming up. Please help.

sh ospf neighbor


Neighbor ID     Pri   State           Dead Time   Address         Interface
            N/A   0   DOWN/  -           -         10.224.16.122   outside

Firewall 1

interface Ethernet0/0
nameif outside
security-level 0
ip address 10.224.16.122 255.255.255.248 standby 10.224.16.123
ospf network point-to-point non-broadcast

router ospf 1
network 10.224.16.120 255.255.255.248 area 0
network 10.224.131.104 255.255.255.248 area 0
neighbor 10.224.131.106 interface outside
log-adj-changes

route outside 10.224.131.104 255.255.255.248 10.224.16.122 1
route outside 10.224.131.106 255.255.255.255 10.224.16.122 1

Firewall 2

interface Ethernet0/0
nameif outside
security-level 0
ip address 10.224.131.106 255.255.255.248 standby 10.224.131.107
ospf network point-to-point non-broadcast

router ospf 1
network 10.224.16.120 255.255.255.248 area 0
network 10.224.131.104 255.255.255.248 area 0
network 203.132.216.0 255.255.255.0 area 0
neighbor 10.224.16.122 interface outside
log-adj-changes

route outside 10.224.16.120 255.255.255.248 10.224.131.106 1
route outside 10.224.16.122 255.255.255.255 10.224.131.106 1

6 Replies

Hi,

The adjacency will not come up. The TTL of the OSPF packet is 1.

Dan

Giuseppe Larosa
Hall of Fame

Hello Amitak,

Adjacency = to be in the SAME IP subnet.

You cannot achieve OSPF neighborship over different IP subnets.

This is by protocol design.

Every internal Gateway Protocol including RIP, RIPv2, EIGRP, OSPF requires this.

You need to enable OSPF also on device(s) in the middle.

Hope to help

Giuseppe

Hi,

Thanks for your reply.

I was referring to the document

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml. The OSPF neighborship is being achieved with different IP segments over VPN. I have a similar requirement and have done the crypto configuration too.

Can you please suggest?

Hello Amitak,

I would suggest using point-to-point GRE tunnels defined on the two routers.

The devices performing IPSec will encrypt traffic of the GRE tunnels.

This is a well-known configuration that can work.

The ACL for the crypto map will have a line like

access-list 111 permit gre host A.B.C.D host E.F.G.H

on one side, and

access-list 111 permit gre host E.F.G.H host A.B.C.D

on the other (mirrored ACLs).

The tunnel interface on R1 will be something like

interface tunnel12
ip address 10.10.100.1 255.255.255.252
tunnel source A.B.C.D
tunnel destination E.F.G.H

On the other device, R2:

interface tunnel12
ip address 10.10.100.2 255.255.255.252
tunnel source E.F.G.H
tunnel destination A.B.C.D

In this way you can run OSPF over the common IP subnet 10.10.100.0/30:

router ospf 1
network 10.10.100.0 0.0.0.3 area 0

Note:

Devices in the middle must be able to route traffic towards addresses used by IPSec endpoints.

Hope to help

Giuseppe

This is quite helpful. But the device I am using is a Cisco ASA and it's not supporting GRE tunnels. Your guidance would be of great help.

If the ASA is the middle device you can use GRE passthrough. If the ASA is actually doing OSPF, you can set up an IPsec tunnel and add the remote device as a unicast neighbor, using the neighbor command in the OSPF configuration. This can also be done in ASDM.

You will find an example here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml
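
A small check for the situation discussed in this thread, added here as an example (it is not code from any of the posters or from Cisco): it reads the OSPF-relevant lines of the Firewall 1 configuration posted in the question and reports, for each `neighbor` statement, whether the neighbor is on the interface's connected subnet and where the static route toward it points. The function name `audit_ospf_neighbors` and the dictionary keys are hypothetical.

```python
import ipaddress

# Firewall 1 lines relevant to OSPF, copied from the question above.
FW1 = """\
interface Ethernet0/0
nameif outside
ip address 10.224.16.122 255.255.255.248 standby 10.224.16.123
ospf network point-to-point non-broadcast
router ospf 1
network 10.224.16.120 255.255.255.248 area 0
neighbor 10.224.131.106 interface outside
route outside 10.224.131.104 255.255.255.248 10.224.16.122 1
route outside 10.224.131.106 255.255.255.255 10.224.16.122 1
"""

def audit_ospf_neighbors(config):
    """Return one finding dict per OSPF `neighbor` statement (hypothetical helper)."""
    ifaces, routes, neighbors, nameif = {}, [], [], None
    for line in config.splitlines():
        tok = line.split() or [""]
        if tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "neighbor" and tok[2:3] == ["interface"]:
            neighbors.append((ipaddress.ip_address(tok[1]), tok[3]))
        elif tok[0] == "route" and len(tok) >= 5:
            routes.append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}"),
                           ipaddress.ip_address(tok[4])))
    findings = []
    for nbr, ifname in neighbors:
        iface = ifaces[ifname]
        # Longest-prefix static route on that interface covering the neighbor.
        covering = [r for r in routes if r[0] == ifname and nbr in r[1]]
        best = max(covering, key=lambda r: r[1].prefixlen, default=None)
        hop = best[2] if best else None
        findings.append({
            "neighbor": str(nbr),
            "on_link": nbr in iface.network,
            "next_hop": str(hop) if hop else None,
            "next_hop_on_link": hop is not None and hop in iface.network,
            "next_hop_is_own_address": hop is not None and hop == iface.ip,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_ospf_neighbors(FW1):
        print(finding)
```

For the posted configuration the neighbor is reported as off-link, and the static route toward it names the firewall's own outside address as next hop; both are worth reviewing against the linked Cisco example before troubleshooting the crypto side.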
