Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1132
Views
15
Helpful
3
Replies

OSPF not advertising routes over GRE tunnel on 9k

Go to solution
Nitesh_A
Level 1
Level 1

‎02-09-2021 07:34 PM

Hello experts,

Question:

I have WAN-R1 and WAN-R2 connected to ISP and have GRE tunnel between WAN-R1&WAN-R2 (bgp as underlay and ospf as overlay). Tunnel is up on both WAN routers, however i am not able to advertise routes from WAN-R1 to WAN-R2.

 

Topology: https://www.autodraw.com/share/DN7AZ0BXMAP3

WAN-R1(config)# sh ip ospf nei vrf DC

OSPF Process ID DC VRF DC

Total number of neighbors: 1

Neighbor ID Pri State Up Time Address Interface

10.100.2.21 FULL/ - 00:02:14 10.100.2.2Tunnel100

 

 

WAN-R2# sh ip ospf nei vrf DC

OSPF Process ID DC VRF DC

Total number of neighbors: 1

Neighbor ID Pri State Up Time Address Interface

10.100.2.11 FULL/ - 00:02:37 10.100.2.1Tunnel100

 

 

On WAN-R1 :

ip prefix-list DC_subnet seq 10 permit 10.2.2.0/28

ip prefix-list DC_subnet seq 20 permit 10.3.3.0/28

ip prefix-list DC_subnet seq 30 permit 172.16.0.0/29

ip prefix-list DC_subnet seq 40 permit 192.168.1.0/28

route-map DC permit 10

match ip address prefix-list DC_subnet

vrf context DC

ip route 10.2.2.0/28 10.100.5.2

ip route 10.3.3.0/28 10.100.5.2

address-family ipv4 unicast

!

router ospf DC

router-id 10.100.1.1

redistribute direct route-map DC (tried static keyword after redistribute also)

vrf DC

 

But don't see any routes on WAN-R2

WAN-R2# sh ip route ospf vrf DC

IP Route Table for VRF "DC"

'*' denotes best ucast next-hop

'**' denotes best mcast next-hop

'[x/y]' denotes [preference/metric]

'%<string>' in via output denotes VRF <string>

WAN-R2#

 

Any suggestion would be helpful for me.

Thankyou

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎02-09-2021 10:14 PM

Hi @Nitesh_A 

Looks like the redistribution is not configured under the vrf DC section of the OSPF.

The config should look like:

router ospf DC
  router-id 10.100.1.1
  vrf DC
    redistribute static route-map DC

Cheers,

Sergiu

View solution in original post

3 Replies 3

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎02-09-2021 10:14 PM

Hi @Nitesh_A 

Looks like the redistribution is not configured under the vrf DC section of the OSPF.

The config should look like:

router ospf DC
  router-id 10.100.1.1
  vrf DC
    redistribute static route-map DC

Cheers,

Sergiu

Go to solution
Nitesh_A
Level 1
Level 1

‎02-09-2021 11:07 PM - edited ‎02-10-2021 01:20 AM

@Sergiu.Daniluk 

Thankyou for the help. It worked

WAN-R1(config-router-vrf)# sh run | sec ospf
feature ospf
ip router ospf DC
router ospf 10
router-id 10.123.10.1
router ospf DC
router-id 10.100.1.1
vrf DC
redistribute direct route-map DC
redistribute static route-map DC

 

 

 

WAN-R2# sh ip route vrf DC
IP Route Table for VRF "DC"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%<string>' in via output denotes VRF <string>

10.2.2.0/28, ubest/mbest: 1/0
*via 10.100.2.1, Tunnel100, [110/20], 00:05:07, ospf-DC, type-2
10.3.3.0/28, ubest/mbest: 1/0
*via 10.100.2.1, Tunnel100, [110/20], 00:05:07, ospf-DC, type-2
10.100.2.0/29, ubest/mbest: 1/0, attached
*via 10.100.2.2, Tunnel100, [0/0], 00:44:32, direct
10.100.2.2/32, ubest/mbest: 1/0, attached
*via 10.100.2.2, Tunnel100, [0/0], 00:44:32, local
10.100.5.0/29, ubest/mbest: 1/0
*via 10.100.2.1, Tunnel100, [110/20], 00:06:35, ospf-DC, type-2
10.100.100.1/32, ubest/mbest: 1/0
*via 10.100.2.1, Tunnel100, [110/11112], 00:44:16, ospf-DC, intra

 

WAN-R2# ping 10.100.5.2 vrf DC
PING 10.100.5.2 (10.100.5.2): 56 data bytes
64 bytes from 10.100.5.2: icmp_seq=0 ttl=253 time=26.693 ms
64 bytes from 10.100.5.2: icmp_seq=1 ttl=253 time=28.827 ms
64 bytes from 10.100.5.2: icmp_seq=2 ttl=253 time=29.641 ms
64 bytes from 10.100.5.2: icmp_seq=3 ttl=253 time=29.825 ms
64 bytes from 10.100.5.2: icmp_seq=4 ttl=253 time=29.224 ms

 

 

Can't we configure crypto map on 9k? do we require any type of license. I don't see crypto map isakmp keyword like such.

 

WAN-R2(config)# crypto ?
ca Configure certificate authority related information
cert Configure certificate maping filter settings
certificatemap Configure certificatemap filters
key Configure key pair related information

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni
In response to Nitesh_A

‎02-10-2021 01:44 AM - edited ‎02-10-2021 01:44 AM

Hi @Nitesh_A 

IPsec is not a feature supported on N9K. Remember these are DC switches, focused on data center related technologies. IPsec over GRE is not really a data center technology (debatable). So using the N9K as a wan router might not be the best solution. You should also consider the routing table scalability limits: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/93x/scalability/guide-931/b-Cisco_Nexus-9000-Series-NX-OS-Verified-Scalability-Guide-931.html

 

Cheers,

Sergiu

 

P.S. Don't forget to mark answers as correct if it solves your problem.

 

Customers Also Viewed These Support Documents