ASA OSPF Summary for IPSEC VPN

Steven Williams
Level 4

Let's say I am terminating tons of /30 devices via IPSEC to ASAs. Now I need to get all these networks into my corporate network using OSPF. So rather than sending a ton of /30 networks, how do you go about sending a summary of this?

I understand how to send a summary address in router/switch OSPF, but I am not sure how VPN routes work since they are in the route table as "V".

I am trying to understand how these routes are even getting advertised out from the ASA. All /30 networks belong to the 10.100.0.0/16 network.

router ospf 110
router-id 10.53.0.89
network 10.53.0.89 255.255.255.255 area 2
area 2 authentication message-digest
log-adj-changes
redistribute static subnets
distribute-list OSPF in interface ROUTED_LINK
!
route OUTSIDE 0.0.0.0 0.0.0.0 55.55.55.55 1
!
access-list OSPF standard permit 10.81.0.0 255.255.224.0
access-list OSPF standard permit 10.81.3.0 255.255.255.0
access-list OSPF standard permit 192.168.21.0 255.255.255.0
access-list OSPF standard permit 10.100.0.0 255.255.255.0
access-list OSPF standard permit 192.168.1.0 255.255.255.0
access-list OSPF standard permit 10.20.0.0 255.255.255.0
access-list OSPF standard deny any4
access-list OSPF remark control route distribution inbound

7 Replies

balaji.bandi
Hall of Fame

It can be possible, but where would you like to summarise in the network?

Can you give us a high-level network view of your OSPF network?

Example: we do have serial links coming in and terminating on our WAN router; we announce them back to the LAN as below (this is an example for your reference only).

BB-WAN(config)#router ospf 10
BB-WAN(config-router)#area 0 range 10.10.0.0 255.255.0.0

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ASA --> 3650 Stack --> Core ASA --> 4500x

The ASA has about 7-8k IPSEC tunnels that appear in the route table on the ASA. It peers OSPF with the 3650 stack, then the 3650 stack peers OSPF with a core ASA, then the core ASA peers with the 4500x. There is no need for anything beyond the ASA hosting the IPSEC tunnels to know about all the /30 networks. All networks reside in the 10.100.0.0/16 range. So the 3650s and everything downstream only need to know to go to the ASA to get to those tunnels. So I would need to summarize from the ASA down, unless that's too difficult; then I can summarize from the 3650s downstream. I just don't need over 7k routes in all my OSPF peers down the way.

GRANT3779
Spotlight

Hi Steven,

You will want to look at RRI (reverse route injection).

At a high level, use RRI on the crypto map, create a prefix list matching the VPN routes you want to redistribute, then redistribute statics using the route-map within the OSPF process. They will then be available to summarise within OSPF.

Examples?

Example of RRI? Here is a reference:

https://www.petenetlive.com/KB/Article/0000982

BB


Just thinking, you may not need RRI to achieve what you are after.

I think you were initially asking how these routes were currently getting advertised?

On the ASA terminating the VPNs, if you run "sh route static" you should see the /30 routes in the routing table with a V next to them. If you then do a "show route x.x.x.x" for one of the /30s, you will see that the ASA sees it as a static / connected route. They will be getting redistributed by your "redistribute static subnets" command, as the ASA sees them just as that: statics.

Because you are doing redistribution on the ASA, this makes it an ASBR, meaning you will be able to summarize on it. I'm assuming this is all Area 0, btw.
Since this is an ASBR, under the OSPF process use the following:
summary-address 10.100.0.0 255.255.0.0
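Before committing a summary-address like the one above, it is worth checking that the summary really covers every reverse-route-injected /30 and how many Type-5 external LSAs would remain afterwards. The following Python script is an added example, not code from this thread; it uses a constructed list of tunnel routes (including one provisioned outside the intended /16) and the standard library's ipaddress module.

```python
import ipaddress

# Constructed sample of reverse-route-injected /30 tunnel routes, as they
# would appear as "V" statics on the edge ASA (addresses are made up here).
VPN_ROUTES = [
    "10.100.0.0/30", "10.100.0.4/30", "10.100.0.8/30",
    "10.100.17.12/30", "10.100.200.248/30", "10.100.255.252/30",
    "10.101.0.4/30",   # one tunnel provisioned outside the intended /16
]


def minimal_summary(prefixes):
    """Return the smallest single prefix that covers every route given."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    # Widen one bit at a time until all routes fall inside the candidate.
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return str(summary)


def summary_report(prefixes, summary_address):
    """Check a planned summary-address against the actual route list.

    Routes outside the summary would still be flooded as individual
    Type-5 external LSAs, so they are reported as 'leaked'.
    """
    summary = ipaddress.ip_network(summary_address)
    nets = [ipaddress.ip_network(p) for p in prefixes]
    leaked = sorted(str(n) for n in nets if not n.subnet_of(summary))
    covered = len(nets) - len(leaked)
    return {
        "summary": str(summary),
        "covered": covered,
        "leaked": leaked,
        # One LSA for the summary (if anything is covered) plus one per leak.
        "external_lsas_after": (1 if covered else 0) + len(leaked),
    }


if __name__ == "__main__":
    print("minimal covering prefix:", minimal_summary(VPN_ROUTES))
    print(summary_report(VPN_ROUTES, "10.100.0.0/16"))
```

A leaked route is also a useful audit signal: a tunnel whose RRI prefix falls outside the agreed VPN range was provisioned outside the plan and deserves a look.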

So after a few days of taking a break from it and coming back to it, I now remember why I hate OSPF. You cannot summarize in the same area...

So I have EdgeASA01 running OSPF area 2 and I have EdgeASA02 running area 2; these connect to a 3650 stack, also area 2....

So no summarizing there. Now the 3650 stack has a layer 3 link to a Cisco ASA5585, and the Cisco ASA5585 has areas 0, 1, 2....so the core ASA5585 is my ASBR, so the summary has to happen here. Which means my 3650 stack will still have over 8,000 routes in the table just based on poor design.

ASACORE-01/pri/act# show run router
router ospf 10
network 10.51.100.2 255.255.255.255 area 0
network 10.51.100.10 255.255.255.255 area 0
network 10.51.100.18 255.255.255.255 area 0
network 10.51.100.26 255.255.255.255 area 0
network 10.51.100.34 255.255.255.255 area 0
network 10.51.100.42 255.255.255.255 area 0
network 10.51.100.50 255.255.255.255 area 0
network 10.51.100.58 255.255.255.255 area 0
network 10.51.100.66 255.255.255.255 area 0
network 10.51.100.74 255.255.255.255 area 0
network 10.53.0.4 255.255.255.255 area 0
network 10.53.0.9 255.255.255.255 area 2
network 10.53.0.17 255.255.255.255 area 1
network 10.53.0.26 255.255.255.255 area 1
network 10.53.0.249 255.255.255.255 area 0
area 0 authentication message-digest
area 0 filter-list prefix OSPF out
area 1 authentication message-digest
area 2 authentication message-digest
neighbor 10.51.100.73 interface CNP_PROD
neighbor 10.51.100.65 interface GREEN_BP
neighbor 10.51.100.57
neighbor 10.51.100.49 interface BLUE_PROD
neighbor 10.51.100.41
neighbor 10.51.100.33
neighbor 10.51.100.25 interface BLUE_CAO
neighbor 10.51.100.17
log-adj-changes
default-information originate always
distribute-list CAO_OSPF_IN in interface CAO_ROUTED_LINK

ASACORE-01/pri/act# show ospf

Routing Process "ospf 10" with ID 172.16.42.1
Start time: 1y33w, Time elapsed: 6w2d
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
It is an area border and autonomous system boundary router
Redistributing External Routes from,
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 7552. Checksum Sum 0x25c45e28
Number of opaque AS LSA 0. Checksum Sum 0x0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 3. 3 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 100 mbps
