cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1453
Views
16
Helpful
15
Replies

default route practice in ospf

gdy1039
Beginner
Beginner

Hello

Hope you are all right. I think I had readed most of below link.

https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/16437-ospfdbtoc.html?referring_site=bodynav

I have some question about practice. Hope can have your advice and share experience.

In a typical environment. A head office with multi branch office.

Q1. How to design ospf area for head office and each? Head office with area 1 then edge router have area 0, all other branch similar this? or other way?

Q2. How office have ospf communicate with each other? I just put IPSEC vpn(limit by knowledge, I only know this) to confirm each office can touch each other, then ospf can work?

Q3. Should I put wan link ospf as demand-circuit to keep it on?

Q4. If I use

default-information originate

in router ospf sesction on edge router. It will originate default router to let other router use me as default gateway. This work in current area, but this type 5 lsa will lean by whole AS, include other branch office. This is not what I want, cause branch office have their wan and their self edge for gateway. Summary the question. How could I let each area know their default gateway properly and separately?

Thanks for you time.

Best Regards.

Scott

 

1 Accepted Solution

Accepted Solutions

Hello Scott,

to generate a default route that is bounded / limited to a single area you should use a stub area. With  a stub area the ABR(s) will implicitly generate an LSA type 3 O IA for 0.0.0.0/0 to be sent into the stub area. This was the solution of the old thread mentioned above. And it is also the meaning of

implicit injected routes based on area type

written by Joseph.

However, for the network scenario that you have described up to now in this thread:

a) Head Office and Branch offices each with an indipendent internet connection

b) The use of GRE/IPSec tunnels for interconnection like DMVPN with OSPF running over tunnels

Probably the best choice is to avoid to have the main office edge routers to inject a default route they should just advertise the internal networks of the main office.

The injection of a default route would be needed if you would like to have all branch offices to access the public internet via the main office. But if this is not the case your best option is likely to avoid to create a default route in OSPF.

Hope to help

Giuseppe

View solution in original post

15 Replies 15

chesterr
Beginner
Beginner

Hello,

A1: Head office with area 0 as backbone. All other area must to connect with backbone area.

A2 and A3: GRE over IPsec. You can use internet and one of solutions from cisco for example DMVPN.

A4: Here you have similar topic:
https://community.cisco.com/t5/routing/redistribute-default-route-using-ospf-multiarea-only-in-one-area/td-p/1081484

Hello Chester

I didn't understand the answer. On that example, I would like have

default-information originate 

on area 1 ABR. So how could I use

no default-information originate

on it again? And it said

no default-iinformation originate

and

no default-information originate

always". Acutally, which command I should use?

Thank you.

I think you need area0 in tunnel between Spoke  and hub, this can make you config any area in Spoke. 
for the

default route

the solution is Front-Door VRF. 
the Front-Door VRF is for tunnel source/destination  and global behind is for tunnel.  

MaxShantar
Cisco Employee
Cisco Employee

When designing an OSPF network, there are a few key considerations to keep in mind:

  1. The OSPF area design is an important factor in determining how routing information is exchanged within the network. In a typical environment, the head office might be assigned to OSPF area 1, while the branch offices are each assigned to their own OSPF areas (e.g. area 2, area 3, etc.). Edge routers, which connect the OSPF network to external networks, are typically assigned to area 0. This allows the head office and each branch office to have its own independent routing domain, while still allowing routing information to be exchanged between the different areas.

  2. In order for the different offices in your network to communicate with each other using OSPF, they need to be connected via some type of network link. This can be achieved using an IPsec VPN, as you mentioned, which will allow the offices to securely exchange OSPF routing information. Alternatively, you could use a dedicated WAN link (e.g. a leased line) to connect the offices, or even a combination of both VPN and WAN links.

  3. Whether or not you should enable OSPF on your WAN links (i.e. use demand-circuit) depends on a number of factors, such as the type of link you are using and the specific requirements of your network. In general, demand-circuit can be a useful way to conserve bandwidth on WAN links, but it may not always be the best choice depending on your network configuration. It is worth considering the potential trade-offs and deciding on the best approach for your specific environment.

  4. The

    default-information originate

    command in OSPF is used to advertise a default route to other routers in the same OSPF area. This can be useful if you want to use a specific router as the default gateway for the area. However, as you mentioned, this default route will also be propagated to other OSPF areas within the same Autonomous System (AS), which may not be desirable in your network. To avoid this, you can use a feature called

    default-information originate always

    which will prevent the default route from being propagated to other areas. This will allow each OSPF area to have its own default gateway, without affecting the routing in other areas.

"Edge routers, which connect the OSPF network to external networks, are typically assigned to area 0. This allows the head office and each branch office to have its own independent routing domain, while still allowing routing information to be exchanged between the different areas."

Yea, but what do all these edge routers, with area zero interfaces, logically connect to as adjacent area zero router(s)?  Do you want some small branch, with a very small ISR, acting as an ABR in all cases?  Possibly not.  Just as the words "always" and "never" often have "exceptions", is there really a "typical environment".  Maybe "typical" is all branches and all available circuit/connection options are not the same between sites.

#4 I recall the difference, in OSPF, between

default-information originate

and between

default-information originate always

, the former requires the router to have a default route already "known" to that router, while the latter does not.

For example, of the former, an OSPF router also running BGP, with an ISP, if receiving a BGP default route, from ISP, will generate a default route, to itself, in OSPF, but if BGP drops the default, OSPF will withdraw the OSPF default too.  I.e. OSPF default will "mirror" BGP.

However, in the latter case, "always", that router will generate a default, directly to itself, regardless of whether it "knows" of a default path out of itself.

Hello MaxShantar

Thanks for reply.

I still get default route on R3.

My question is open. I just wonder how to propagate default route within area. If best practice is process by other way, please just let me know that and forget my question.

Thanks for you time.

default-information.png

plplplp.png

you can see there are two defualt route in Spoke R2, 
why because as I mention before using FVRF or IVRF, 
this give you the option to have two default route in Spoke. 
one default route for all traffic not need to pass through tunnel, direct to internet. 
other default route for all traffic need to pass through tunnel to Hub and then to internet. 

Dear MHM

I didn't understand FVRF and IVRF. I may need to review your answer after I learn.

Thanks for your help.

Best Regards.

Joseph W. Doherty
Hall of Fame
Hall of Fame

Q1  Much of an OSPF design depends on what you need to support.  You mention "In a typical environment. A head office with multi branch office.", yea HO with branches is not uncommon, but how large a HO?  How many branches?  How large each branch?  Etc.

Q2. Via some kind of network link.  Yes, an IPSec VPN might be used, but there are many more network link kinds, although what's possible also, of course, depends on what service providers can actually provide for/at a location.

Q3. Normally, no.  Demand circuits are "down" until you bring them "up" to transmit traffic. Such circuits usually charge for actual "up" time, so when using such, you only bring them up when needed.  (BTW, most circuits are "up" all the time, although some charge for actual traffic sent on circuit.  On these, you might reduce the usage charge if configured as a demand type circuit, because, OSPF constantly sends "hellos" between adjacent routers.  [Modern network applications, often being so bandwidth demanding, reducing "hellos" often provides little cost savings.  Ditto for real demand circuit, unless used as a backup circuit.  And if active, for backup, again, suppressing just "hellos" often makes little difference in cost.])

Q4. Where and when to inject a default route, is part of an OSPF overall design.  For example, are you using a dynamically injected default route just to avoid having all internal routes everywhere, or for the "world" (e.g. to/toward Internet) or for both purposes.

What about implicit injected routes based on area type.

Hello Joseph

Thanks for reply.

I don't understand about

dynamically injected default route 

and

implicit injected routes based on area type

Could you provide some command sample help for understanding?

My question is open. I just wonder how to propagate default route within area. If best practice is process by other way, please just let me know that and forget my question.

Thanks for you time.

Best Regards.

Hello Scott,

to generate a default route that is bounded / limited to a single area you should use a stub area. With  a stub area the ABR(s) will implicitly generate an LSA type 3 O IA for 0.0.0.0/0 to be sent into the stub area. This was the solution of the old thread mentioned above. And it is also the meaning of

implicit injected routes based on area type

written by Joseph.

However, for the network scenario that you have described up to now in this thread:

a) Head Office and Branch offices each with an indipendent internet connection

b) The use of GRE/IPSec tunnels for interconnection like DMVPN with OSPF running over tunnels

Probably the best choice is to avoid to have the main office edge routers to inject a default route they should just advertise the internal networks of the main office.

The injection of a default route would be needed if you would like to have all branch offices to access the public internet via the main office. But if this is not the case your best option is likely to avoid to create a default route in OSPF.

Hope to help

Giuseppe

Dear Giuseppe

Thanks for reply. I understood default for stub or totally stub. 

I can have below option to inject default within area.

area stub block type 4 and 5 originate type 3 default route only propagate with stub
area stub no-summary block type 3,4, 5 originate type 3 default route only propagate with stub
area nssa default-information-originate block type 4 and 5 originate type 7 default route ABR will translate to type 5 default route and propagate to other area.
area nssa default-information-originate nssa-only block type 4 and 5 originate type 7 default route only propagate with NSSA
area nssa no-summary block type 3,4, 5 originate type 3 default route only propagate with NSSA

So

default-information originate 

will not be use in most of case,  only if I really want to route whole AS all traffic to one router. Am I right?

Also understood about inject default route on head office edge route. This call split tunnel in VPN. It will heavy load head office internet line and cause branch office internet access slow. I don't prefer this too.

Thank you.

 

"Also understood about inject default route on head office edge route. This call split tunnel in VPN. It will heavy load head office internet line and cause branch office internet access slow. I don't prefer this too."

Yes, generally within an IGP you use a default route to get traffic to come to the Internet edge.  Also, yes, some use the same Internet connection for general Internet traffic and VPN using the Internet.  The latter often causes all kinds of variable performance for the VPN traffic, i.e. your ". . .  cause branch office internet access slow.", but that's not really due to using a default route used by a whole AS, the problem is mixing the two kinds of Internet traffic on a shared link.

"So

default-information originate

will not be use in most of case,  only if I really want to route whole AS all traffic to one router. Am I right?"

In my experience, if you support internal traffic going to the Internet, using a default route is the way to do it.  Of course, you can setup default routes in multiple ways, the

default-information originate

is often just a nice way to do it.

As to all of an AS's traffic going to one router, that's not always the case.  Remember, the real goal of a default route is to provide a direction for traffic that does not have a match in the route table.  Further, remember, a match in the route table overrides the default.  I.e. You can use default routes in imaginative ways.

For example, your mention of having branch offices accessed via a Internet VPN.  Sure, I might use a default to pull all internal unknown destination network traffic to some point of the network, using a default route, perhaps via

default-information originate

but as some point, I "presume" you know the branch networks.  At the point, I can redirect that traffic to a different Internet link, for that purpose.  I.e. no need to split tunnel (which I personally detest) because of the performance issues (as you also note) when you mix VPN traffic and general Internet traffic on the same link.

(BTW, using specific Internet connections only for VPN, with QoS, I've often achieved network performance, on par [laugh even, rarely, sometimes better], with any private cloud technology [often at much reduced cost].)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: