05-17-2019 03:16 PM
Let's say I am terminating tons of /30 devices via IPSEC to ASAs. Now I need to get all these networks into my corporate network using OSPF. So rather than sending a ton of /30 networks, how do you go about sending a summary of this?
I understand how to send summary address in router/switch ospf but I am not sure how VPN routes work since they are in the route table as "V".
I am trying to understand how these routes are even getting advertised out from the ASA. All /30 networks belong to 10.100.0.0/16 network.
router ospf 110
router-id 10.53.0.89
network 10.53.0.89 255.255.255.255 area 2
area 2 authentication message-digest
log-adj-changes
redistribute static subnets
distribute-list OSPF in interface ROUTED_LINK
!
!
route OUTSIDE 0.0.0.0 0.0.0.0 55.55.55.55 1
!
!
access-list OSPF standard permit 10.81.0.0 255.255.224.0
access-list OSPF standard permit 10.81.3.0 255.255.255.0
access-list OSPF standard permit 192.168.21.0 255.255.255.0
access-list OSPF standard permit 10.100.0.0 255.255.255.0
access-list OSPF standard permit 192.168.1.0 255.255.255.0
access-list OSPF standard permit 10.20.0.0 255.255.255.0
access-list OSPF standard deny any4
access-list OSPF remark control route distribution inbound
05-17-2019 10:33 PM
Can be possible, but where would you like to summarise in the network?
Can you give us a high-level network view of your OSPF network?
Example: we do have serial links coming in and terminating on our WAN router, and we announce back to the LAN as below (this is an example for your reference only):
BB-WAN(config)#router ospf 10
BB-WAN(config-router)#area 0 range 10.10.0.0 255.255.0.0
05-19-2019 06:21 AM
ASA --> 3650 Stack --> Core ASA --> 4500x
The ASA has about 7-8k IPSEC tunnels that appear in the route table on the ASA. It peers OSPF with the 3650 Stack, then the 3650 Stack peers OSPF with a Core ASA, then the core ASA peers with the 4500x. There is no need for anything beyond the ASA hosting the IPSEC tunnels to know about all /30 networks. All networks reside in the 10.100.0.0/16 range. So the 3650s and everything downstream only need to know that to get to those tunnels they go to the ASA. So I would need to summarize from the ASA down, unless that's too difficult, then I can summarize from the 3650s downstream. I just don't need over 7k routes in all my OSPF peers down the way.
05-18-2019 12:04 AM
Hi Steven,
You will want to look at RRI (reverse route injection).
At a high level, use RRI on the crypto map, create a prefix list matching the VPN routes you want to redistribute, then redistribute statics using the route-map within the OSPF process. They will then be available to summarise within OSPF.
05-19-2019 06:17 AM
05-19-2019 08:09 AM
Example of RRI? Here is a reference.
05-19-2019 12:39 PM
05-22-2019 10:36 AM
So after a few days of taking a break from it and coming back to it, I now remember why I hate OSPF. You cannot summarize in the same area...
So I have EdgeASA01 running OSPF area 2 and I have EdgeASA02 running area 2; these connect to a 3650 stack, also area 2....
So no summarizing there. Now the 3650 stack has a layer 3 link to a Cisco ASA5585; the Cisco ASA5585 has areas 0, 1, 2....so the core ASA5585 is my ASBR, so the summary has to happen here. Which means my 3650 stack will still have over 8,000 routes in the table just based on poor design.
!
!
ASACORE-01/pri/act# show run router
router ospf 10
network 10.51.100.2 255.255.255.255 area 0
network 10.51.100.10 255.255.255.255 area 0
network 10.51.100.18 255.255.255.255 area 0
network 10.51.100.26 255.255.255.255 area 0
network 10.51.100.34 255.255.255.255 area 0
network 10.51.100.42 255.255.255.255 area 0
network 10.51.100.50 255.255.255.255 area 0
network 10.51.100.58 255.255.255.255 area 0
network 10.51.100.66 255.255.255.255 area 0
network 10.51.100.74 255.255.255.255 area 0
network 10.53.0.4 255.255.255.255 area 0
network 10.53.0.9 255.255.255.255 area 2
network 10.53.0.17 255.255.255.255 area 1
network 10.53.0.26 255.255.255.255 area 1
network 10.53.0.249 255.255.255.255 area 0
area 0 authentication message-digest
area 0 filter-list prefix OSPF out
area 1 authentication message-digest
area 2 authentication message-digest
neighbor 10.51.100.73 interface CNP_PROD
neighbor 10.51.100.65 interface GREEN_BP
neighbor 10.51.100.57
neighbor 10.51.100.49 interface BLUE_PROD
neighbor 10.51.100.41
neighbor 10.51.100.33
neighbor 10.51.100.25 interface BLUE_CAO
neighbor 10.51.100.17
log-adj-changes
default-information originate always
distribute-list CAO_OSPF_IN in interface CAO_ROUTED_LINK
!
!
ASACORE-01/pri/act# show ospf
Routing Process "ospf 10" with ID 172.16.42.1
Start time: 1y33w, Time elapsed: 6w2d
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
It is an area border and autonomous system boundary router
Redistributing External Routes from,
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 7552. Checksum Sum 0x25c45e28
Number of opaque AS LSA 0. Checksum Sum 0x0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 3. 3 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 100 mbps
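Before committing a summary-address or area range on the ABR/ASBR, it is worth checking, against the actual "V" (VPN / RRI) routes the ASA holds, that the chosen summary covers every tunnel prefix and seeing how many LSAs it would collapse. The script below is an added example, not code from the thread or from Cisco: it parses a constructed sample of ASA "show route" output (the route lines and interface names are made up, not the poster's), pulls out the "V" routes, computes the smallest single prefix that contains all of them, and reports which routes a candidate summary would cover and which it would miss.

```python
import ipaddress
import re
from typing import Iterable

# Constructed sample of ASA "show route" output (not taken from the thread).
# The "V" lines are the RRI-injected VPN routes the question refers to.
SAMPLE_SHOW_ROUTE = """\
V        10.100.0.0 255.255.255.252 connected by VPN (advertised), OUTSIDE
V        10.100.0.4 255.255.255.252 connected by VPN (advertised), OUTSIDE
V        10.100.0.8 255.255.255.252 connected by VPN (advertised), OUTSIDE
V        10.100.1.16 255.255.255.252 connected by VPN (advertised), OUTSIDE
V        10.100.200.4 255.255.255.252 connected by VPN (advertised), OUTSIDE
C        10.53.0.88 255.255.255.252 is directly connected, ROUTED_LINK
S*       0.0.0.0 0.0.0.0 [1/0] via 55.55.55.55, OUTSIDE
"""

# Route code "V", then network and dotted mask.
VPN_ROUTE = re.compile(r"^V\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s")


def parse_vpn_routes(show_route: str) -> list[ipaddress.IPv4Network]:
    """Return the network of every 'V' (VPN / RRI) route in the output."""
    routes = []
    for line in show_route.splitlines():
        m = VPN_ROUTE.match(line)
        if m:
            # ipaddress accepts "network/dotted-mask" directly
            routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return routes


def covering_supernet(networks: Iterable[ipaddress.IPv4Network]) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every network: the candidate for
    'summary-address' (ASBR) or 'area N range' (ABR)."""
    nets = list(networks)
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()  # widen by one bit until everything fits
    return agg


def collapsed(networks: Iterable[ipaddress.IPv4Network]) -> list[ipaddress.IPv4Network]:
    """Minimal set of prefixes that merges only adjacent routes, if you would
    rather advertise a few exact aggregates than one wide summary."""
    return list(ipaddress.collapse_addresses(networks))


def summary_coverage(summary: str, networks: Iterable[ipaddress.IPv4Network]):
    """Split routes into those a candidate summary would hide and those it
    would miss (a missed route keeps leaking as its own LSA)."""
    summ = ipaddress.ip_network(summary)
    nets = list(networks)
    covered = [n for n in nets if n.subnet_of(summ)]
    missed = [n for n in nets if not n.subnet_of(summ)]
    return covered, missed


if __name__ == "__main__":
    vpn = parse_vpn_routes(SAMPLE_SHOW_ROUTE)
    print(f"{len(vpn)} VPN routes; one covering summary: {covering_supernet(vpn)}")
    print("exact aggregates:", [str(n) for n in collapsed(vpn)])
    for cand in ("10.100.0.0/24", "10.100.0.0/16"):
        cov, miss = summary_coverage(cand, vpn)
        print(f"{cand}: hides {len(cov)} routes, misses {[str(m) for m in miss]}")
```

Run it against real "show route" output piped into a file and the "misses" list tells you immediately whether a /24-style filter or summary (like the 10.100.0.0 255.255.255.0 entry in the first post's distribute-list) actually covers every tunnel, or whether the /16 is what you need.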