Cisco ASA OSPF ECMP

prnm (Level 1)

Hi There,

Currently, I'm testing OSPF on the ASA firewall. Below is the topology I'm working on.

[Topology image: LAB.png]

Both areas 1 and 2 have been set up as stub areas. On R5 I'm able to see OSPF ECMP 0.0.0.0/0 routes towards R2 and R3. On the other hand, the ASA is showing only one 0.0.0.0/0 route, towards one ABR only.

ciscoasa# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 10.10.12.2 to network 0.0.0.0

O*IA 0.0.0.0 0.0.0.0 [110/11] via 10.10.12.2, 00:01:16, uplink2
C 1.1.1.0 255.255.255.0 is directly connected, lan
L 1.1.1.1 255.255.255.255 is directly connected, lan
O 3.3.3.3 255.255.255.255 [110/11] via 10.10.13.3, 03:14:36, uplink1
C 10.10.12.0 255.255.255.0 is directly connected, uplink2
L 10.10.12.1 255.255.255.255 is directly connected, uplink2
C 10.10.13.0 255.255.255.0 is directly connected, uplink1
L 10.10.13.1 255.255.255.255 is directly connected, uplink1

ciscoasa# sh ospf database


OSPF Router with ID (10.10.10.10) (Process ID 1)

Router Link States (Area 1)

Link ID ADV Router Age Seq# Checksum Link count
2.2.2.2 2.2.2.2 1825 0x8000003d 0x5545 1
3.3.3.3 3.3.3.3 1925 0x8000003f 0xea84 2
10.10.10.10 10.10.10.10 1695 0x80000041 0xe4f6 3

Net Link States (Area 1)

Link ID ADV Router Age Seq# Checksum
10.10.12.2 2.2.2.2 1825 0x8000003a 0xb5f2
10.10.13.3 3.3.3.3 1925 0x80000016 0xecd5

Summary Net Link States (Area 1)

Link ID ADV Router Age Seq# Checksum
0.0.0.0 2.2.2.2 1825 0x80000039 0x 5f8
0.0.0.0 3.3.3.3 76 0x8000003c 0xe016
ciscoasa# sh ospf database summary


OSPF Router with ID (10.10.10.10) (Process ID 1)

Summary Net Link States (Area 1)

Routing Bit Set on this LSA
LS age: 1832
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 0.0.0.0 (summary Network Number)
Advertising Router: 2.2.2.2
LS Seq Number: 80000039
Checksum: 0x5f8
Length: 28
Network Mask:0.0.0.0
TOS: 0 Metric: 1

Routing Bit Set on this LSA
LS age: 84
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 0.0.0.0 (summary Network Number)
Advertising Router: 3.3.3.3
LS Seq Number: 8000003c
Checksum: 0xe016
Length: 28
Network Mask:0.0.0.0
TOS: 0 Metric: 1

ciscoasa#


The OSPF database contains two default routes. Is this expected behavior?

Thanks in advance.

6 Replies

The ASA receives two OSPF ECMP default routes but uses only one in the RIB.

It is an ASA limitation; it doesn't support ECMP.

Newer ASA versions support it. Which version is your ASA?

MHM

Thank you for the response.

We are running on version 9.12(4).
May I know whether there is any document to confirm from which version this feature is supported?

9.12 must support ECMP.

But there are also limitations.

The ASA without zones cannot add the same destination through multiple interfaces.

You need to add zone routing to make the ASA accept IGP ECMP through multiple interfaces.

Check the link below for more information.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/interface-zones.html#ID-2078-00000188
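As an added example (not from this thread, and not Cisco's own sample), the following is a minimal traffic-zone configuration matching the poster's interface names uplink1 and uplink2 from the show route output above. The physical interface identifiers (GigabitEthernet0/1 and 0/2), the zone name, and the OSPF process details are assumed; verify them against the linked guide and your own running configuration before use.

```cisco
! --- Before: two routed interfaces, no zone ---
! The ASA installs only one of the two equal-cost default routes,
! because without zones a destination cannot be reached through
! more than one interface.
interface GigabitEthernet0/1
 nameif uplink1
 ip address 10.10.13.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif uplink2
 ip address 10.10.12.1 255.255.255.0

! --- After: both ECMP-facing interfaces in one traffic zone ---
! Create the zone first; the name is assumed and must not collide
! with an existing interface nameif.
zone name uplinks
!
! Only the interfaces that share the equal-cost paths join the zone.
! The inside "lan" interface stays outside the zone.
interface GigabitEthernet0/1
 zone-member uplinks
!
interface GigabitEthernet0/2
 zone-member uplinks

! --- Verification ---
! Confirm zone membership and that both 0.0.0.0/0 next hops are now
! installed in the routing table.
show zone uplinks
show route
```

After the change, expect show route to list the default route with two next hops (10.10.12.2 via uplink2 and 10.10.13.3 via uplink1). Zone membership changes how access rules, NAT (notably PAT) and VPN bind to the member interfaces, which is why the replies below recommend lab-testing the full policy, not only the routing table, before applying this in production.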

Thank you @MHM Cisco World. I have enabled the zone in my lab and now I'm able to see the ECMP routes.
If we enable this feature in the production network, do we need to amend the firewall rules from the interface to the zone?

Zones affect more than the ACL config.

There are many, many restrictions; that's why they are so rarely used.

Some, not all, of the restrictions:

There are restrictions for PAT.

There are restrictions for VPN.

And more.

Check the guide I shared; do a lab test before applying it for real.

Good luck, friend.

MHM

Thank you @MHM Cisco World for your valuable input.

Cheers
