Cisco Support Community
New Member

OSPF Routing question

Dear Support Community,

While looking at metrics of some of our routes I noticed something that I don't understand and I would really like some help in figuring it out.

We are running OSPF in our environment. As can be seen in the attached xls file, in SITE-A we have the connections to our internet provider.

So on the cisco6509 in SITE-A we have a static route: ip route 0.0.0.0 0.0.0.0 checkpoint_ip

Let's say that the checkpoint is in vlan_10 with an IP address 10.10.10.1

The configuration of ospf for cisco6509 is:

router ospf 1
 ...
 passive-interface vlan 10
 redistribute static subnets

There is no command of the sort: network 10.10.10.0 0.0.0.255 area y

On the same site we have a connection to a 3rd party, through a Cisco ASA running OSPF. Let's say that the ASA is on vlan_11, which has an IP 10.11.11.1. The configuration on 6509 is:

router ospf 1
 ...
 network 10.11.11.0 0.0.0.255 area y

The internet is working fine.

What I noticed is that when from SITE-B or SITE-C I run sh ip route 10.10.10.1 (vlan of checkpoint - connection to internet), it seems that I am learning this route from the ASA as an external route! The same is true for any network/vlan on 6509 which has no network statement under the OSPF process.

Traceroute from SITE-B on SITE-B to 10.10.10.1 truly stops at the 6509 and doesn't show the ASA as a hop.

6509 has a "default originate". Is this enough, in addition to ip route 0.0.0.0 0.0.0.0 checkpoint_ip, for somebody to access the internet or should the network statement also be configured under the OSPF process?

Why am I learning these routes through the ASA?

What am I missing?

Please help me clarify this, since I don't fully understand the routing impact on the network!!!!

Accepted Solutions
Hall of Fame Super Bronze

Re: OSPF Routing question

It sounds like the ASA is doing some kind of redistribution into OSPF, but in reality it is not affecting your internet connection because routing is done hop-by-hop, and even if SITE B and C see those routes in OSPF pointing to the ASA, they physically have to use your SITE A 6500, which has a static route pointing to your checkpoint.

In this case, your physical layout dictates your traffic flow.

FYI, when you redistribute statics into OSPF, it doesn't include the default gateway.

You need to use default-information originate (which you're already doing).

You don't need to include the 6500-Checkpoint subnet into OSPF for the internet to work. Make sure to clean up the routing on the ASA device.

New Member

Re: OSPF Routing question

Thank you for your reply!

The ASA does have a static route that says:

route Inside Lans-SiteA 255.255.0.0 ip-address-of-vlan11 1

where the ip address of vlan10 (namely 10.10.10.1) is included in Lans-SiteA. All static routes are redistributed in OSPF as E1. So as I understand, that is why I am learning all networks not advertised in the OSPF process of SITE-A 6509, from the OSPF process on the ASA.

Thank you for clearing things up for me!

Re: OSPF Routing question

Hi Katerina,

As Edison suggested, it looks like the ASA is doing some redistribution.

What I am thinking is that the 3rd party also has a 10.10.10.1 range on their end. Check the routing on the ASA with sh route first and see what networks you are learning on the ASA from the 3rd party. And because it seems like there is a redistribute command on the ASA under the ospf process, the prefixes are getting into site A and site B via ospf as external routes.

In your network the 6509 and the ASA are acting as 2 ASBRs and they advertise the cost to reach the external networks to site B and site C. Now, the reason why internet works is because, as Edison mentioned, when the packet arrives at the 6500 it has a static route out to the checkpoint and hence will forward it that way.

"The same is true for any network/vlan on 6509 which has no network statement under the OSPF process."

If site B doesn't know a network via OSPF (network command or redis on 6500) then site B will know that via the default route (if one exists, which in your case it does). However, if you try to ping the network on the 6500, say 192.168.1.1 or something, the response will come from the 6509 as it will have this in its routing table and doesn't forward this to the ASA.

Things would have gone bad if you had a Layer 2 switch instead of the 6500 and the checkpoint doing the L3 stuff instead. Your 6500 is saving the day.

HTH

Kishore
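The behaviour worked out in this thread, as an added example that is not part of any poster's reply: a longest-prefix lookup as seen from a SITE-B router, plus a check for 6509 subnets that are only reachable through another router's redistributed static. The 10.10.0.0/16 value for Lans-SiteA and the /24 masks are assumptions; the thread gives only 10.10.10.1, 10.11.11.0 0.0.0.255 and the 255.255.0.0 mask.

```python
import ipaddress

# Constructed OSPF view on a SITE-B router (prefixes are assumptions, see above).
# Each entry: (prefix, route type, originating router)
OSPF_ROUTES = [
    ("10.11.11.0/24", "intra-area", "6509"),  # network statement on the 6509
    ("0.0.0.0/0",     "external",   "6509"),  # default-information originate
    ("10.10.0.0/16",  "external",   "ASA"),   # ASA static redistributed as E1
]

# Subnets connected to the 6509; vlan10 has no network statement under OSPF.
CONNECTED_6509 = {"vlan10": "10.10.10.0/24", "vlan11": "10.11.11.0/24"}


def _longest(candidates):
    """Pick the most specific prefix; route type only matters on a tie."""
    return max(candidates, key=lambda c: c[0].prefixlen)


def best_route(dest, routes=OSPF_ROUTES):
    """Longest-prefix match for one destination address."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), t, o) for p, t, o in routes
            if addr in ipaddress.ip_network(p)]
    net, rtype, origin = _longest(hits)
    return str(net), rtype, origin


def shadowed_subnets(connected=CONNECTED_6509, routes=OSPF_ROUTES, owner="6509"):
    """Subnets connected to `owner` whose best covering route at a remote
    site was originated by a different router."""
    findings = {}
    for name, subnet in connected.items():
        net = ipaddress.ip_network(subnet)
        covering = [(ipaddress.ip_network(p), t, o) for p, t, o in routes
                    if net.subnet_of(ipaddress.ip_network(p))]
        best_net, rtype, origin = _longest(covering)
        if origin != owner:
            findings[name] = (str(best_net), rtype, origin)
    return findings


if __name__ == "__main__":
    print(best_route("10.10.10.1"))  # the lookup from the original question
    print(shadowed_subnets())        # subnets attracted to the ASA's route
```

Adding a 6509-originated 10.10.10.0/24 to the route list, or narrowing what the ASA redistributes, empties the findings.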
