Solved: RRI with Ezvpn and VPN Clients

Vineeshmathur · ‎07-16-2013

Hi,

I have a ASA 5585 running on 8.4. I have it setup to accept ezvpn clients in NEM mode and then to push the routes via RRI into the OSPF via redistribution list on a route map. Now I have come up with a second requirement of adding VPN Clients to the same firewall. In the current setup if i enable clients, they will push the /32 routing updates into the routing table hence making it a pretty lengthy table and I do not want to do that. What I understand from the static route redistribution is that:

1). Route should be static in the ASA routing table, whether inserted via RRI or added manually

2). My redistribution list will allow all the routes which fall in the particular subnet.

If I have a 192.168.1.0/24 defined in the redistribution ACL, any route in that /24 will be added to the routing table. Please refer to the config example:

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00809d07de.shtml

In the config example the route added to the redisttribution list is /24 network but if you review the output at the end of the document, a /32 route was inserted into the routing table of the router.

I would like to keep Ezvpn clients with RRI and at the same time have VPN Clients working without RRI. Would appreciate any help in this!

Thanks,

Vineesh

Andrew Phirsov · ‎07-17-2013

Route-summarisation is possible for OSPF only on ABR/ASBR routers. I wasn't talking about another ospf process, but about another ospf-area.

if I add summary-address for only my client vpn pool (10.10.0.0/16) will my other routes for ezvpn stop being advertised or will they continue to be advertised as before and only VPN Pool would be summarized?

If you enable summarization for 10.10.0.0/16 only that network will be sumarized. Why would other advertisement be terminated due to summarization of 10.10.0.0/16?

View solution in original post

Andrew Phirsov · ‎07-16-2013

If you wan't to summarize /32 routes to, say 24 when announcing them from ASA to other OSPF domain, I assume you should put your ASA in a different OSPF area (i.e. make it ABR). Without doing this, i think it won't be possible to perform any summarization with OSPF.

Vineeshmathur · ‎07-17-2013

Thanks for your reply Andrew!

I only have one OSPF process running and route summarization can be done without the ASA acting as ABR. Under the OSPF Process you can define summary-address command to do route summarization. Now the problem is that I dont wanna do route summarization for my ezvpn clients and need to have that for VPN Clients. So, I would like to inject about 40 different networks coming via ezvpn into my network's routing table but would not like to advertise the /32's which would be sent by the VPN Client. Please see below example:

Ezvpn Client networks:

192.168.10.0/24

192.168.20.0/24

192.168.25.0/24

VPN Client Pool:

10.10.0.0/16

What my question for summary-address command would be... if I add summary-address for only my client vpn pool (10.10.0.0/16) will my other routes for ezvpn stop being advertised or will they continue to be advertised as before and only VPN Pool would be summarized?

Summary-address command:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_ospf.html

Andrew Phirsov · ‎07-17-2013

Route-summarisation is possible for OSPF only on ABR/ASBR routers. I wasn't talking about another ospf process, but about another ospf-area.

if I add summary-address for only my client vpn pool (10.10.0.0/16) will my other routes for ezvpn stop being advertised or will they continue to be advertised as before and only VPN Pool would be summarized?

If you enable summarization for 10.10.0.0/16 only that network will be sumarized. Why would other advertisement be terminated due to summarization of 10.10.0.0/16?

Vineeshmathur · ‎07-17-2013

Yes I understand your point Andrew. Thanks for your help! I will try this and let you know the results.

I am still concerned about around 1000-2000 /32 statics inserted into the ASA's routing table. Can you think of anything to prevent that?

Andrew Phirsov · ‎07-17-2013

Vineesh, to my understanding there's nothing to be done about that routes. ASA should know how to access clients when they are connected, so it should have static routes installed. There's no way to "summarize" them locally on the ASA. But when redistributing them to other devices, summarization should work fine, although i didn't personally tried this.

Vineeshmathur · ‎07-17-2013

Just contemplating, creating another sub-interface and segregating the ezvpn and client vpn traffic. That would save me from doing RRI for client while RRI for ezvpn would still work. What are your thoughts Andrew?

Andrew Phirsov · ‎07-17-2013

Actually i don't quite understand what you're going to achieve doing this. Also, just to point out, disabling RRI won't delete static routes to each client from ASA.

Vineeshmathur · ‎07-17-2013

Dont worry about it... i though through the idea and realized I would face routing challenges in having two different interfaces. So, the idea is no good. I will try the summary-address and let you know the results.

Thanks for your help!