The original poster has asked about why OSPF is used. To answer that we need to know a bit more about this network. Originally we were told about 2 core switches and 2 routers. Now we know about 2 firewalls. Are there any other devices in this network?

We would like to know a bit more about OSPF on the routers. Would you post the output for these commands on both routers:

show ip ospf

show ip ospf neighbor

show ip route ospf

R1#show ip ospf
Routing Process "ospf 20" with ID 10.2.52.241
Start time: 00:01:38.345, Time elapsed: 2y14w
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
Supports NSSA (compatible with RFC 3101)
Supports Database Exchange Summary List Optimization (RFC 5243)
Event-log enabled, Maximum number of events: 1000, Mode: cyclic
It is an autonomous system boundary router
Redistributing External Routes from,
connected, includes subnets in redistribution
static, includes subnets in redistribution
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 50 msecs
Minimum hold time between two consecutive SPFs 200 msecs
Maximum wait time between two consecutive SPFs 5000 msecs
Incremental-SPF disabled
Initial LSA throttle delay 50 msecs
Minimum hold time for LSA throttle 200 msecs
Maximum wait time for LSA throttle 5000 msecs
Minimum LSA arrival 100 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
EXCHANGE/LOADING adjacency limit: initial 300, process maximum 300
Number of external LSA 10. Checksum Sum 0x0400D1
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Reference bandwidth unit is 100 mbps
Area BACKBONE(0)
Number of interfaces in this area is 3 (1 loopback)
Area has message digest authentication
SPF algorithm last executed 1y19w ago
SPF algorithm executed 98 times
Area ranges are
Number of LSA 3. Checksum Sum 0x01D851
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

R1#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.2.52.240 1 FULL/BDR 00:00:33 10.2.52.233 Port-channel1.15

R1#show ip route ospf

Gateway of last resort is x.x.x.x to network 0.0.0.0

O E2 y.y.y.y/30 [110/20] via 10.2.52.233, 7w0d, Port-channel1.15
O 10.2.52.240/32 [110/2] via 10.2.52.233, 7w0d, Port-channel1.15

x.x.x.x is ISP1 IP address which is connected to R1
y.y.y.y is ISP2 IP address which is connected to R2

Thanks for the additional information. There are several things in the output that I find interesting:

- OSPF has been running for over 2 years

Start time: 00:01:38.345, Time elapsed: 2y14w

- OSPF has been extremely stable. Look at the last time the SPF algorithm executed

SPF algorithm last executed 1y19w ago

- there are 3 interfaces running OSPF of which 1 is the loopback

- there is only a single OSPF neighbor which is the other router

- there are only a few external LSA

Number of external LSA 10

and only 2 OSPF learned routes in the IP routing table

O E2 y.y.y.y/30 [110/20] via 10.2.52.233, 7w0d, Port-channel1.15
O 10.2.52.240/32 [110/2] via 10.2.52.233, 7w0d, Port-channel1.15

And the OSPF learned routes are for the other router ISP address and other router OSPF router ID. I am not sure that either of these entries are particularly important.

You asked what benefit in running OSPF. At this point I think I am pretty close to being able to answer the question. I will note that there are still things about this environment that we do not know and something there might be significant and change my answer. But based on what we know so far I would say that there is very little benefit from running OSPF.

In the environment where you were using a static default route there might have been some benefit in running OSPF. With a static default route and with redistribute connected a router would have advertised its default route to its neighbor. If the neighbor experienced some problem and lost its own static default route it might have been able to use the OSPF learned route. Having said that it might be useful I will also say that its usefulness is pretty limited. To be useful a router would have to have lost its configured static default route. That would mean that its outside interface was in a down state. In a previous response I discussed the fact that a router might lose its BGP neighbor (and therefore lost its ability to forward outbound traffic) but for the outside interface to not be down. This is a much more likely scenario than having the outside interface to go completely down. The failover solution using the BGP advertised default route is a much more effective solution and the OSPF solution.

If External interface of Router 1 , R1 goes down or if there is a Problem at ISP1 ,

In both cases , BGP between R1 and ISP1 will be impacted  and traffic will flow through IBGP to Router 2 and then via ISP2 ( as explained in previous updates)

how OSPF is handling the default route ? as we cant see default route being sent over OSPF  , we can only see ISP2 IP address .

From my understanding , OSPF vlan 15 is only acting as carrier for IBGP .  

....

The story of BGP is clear and one router going down and other taking over is OK .

There is no need to use same ISP as this is not possible if one ISP link goes down ; Both are different ISPs and have different Public range.

Most of the things are clear . There is ofcourse no full proof failover as R1 and R2 are not learning default route but instead learning everything other than default route .

The only confusion left is purpose of OSPF .

FOr another time , i will post a more clear visio .

You ask this question "how OSPF is handling the default route ?" That is fairly straightforward. If you want OSPF to advertise a default route you must configure the OSPF command default-information originate. Perhaps this link will have some details that you would find helpful

https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/47868-ospfdb9.html

You have made several references to OSPF as a carrier for IBGP. If you have a pair of routers that you want to run IBGP and those routers are not directly connected (if there are some routers in between them that are not running BGP) then you might need a protocol like OSPF to provide the IP connectivity between IBGP peers. But if router 1 and router 2 are directly connected using a common subnet between them then I do not see where OSPF would be needed for IBGP.

Ok understood .

I am also attaching the visio i quickly created

and currently we are not injecting default route to OSPF as neither we are  advertising  0.0.0.0 into the OSPF domain

nor we are using default-information originate command . This is my understanding

I have gone back and read again all of the posts in this extensive discussion. And I realize that many of my posts have addressed this network in terms of how I would want it to process, and have not adequately recognized how it does currently process. So let me say some things about the current environment and then about what I would want it to be like.

Let me also say that part of the confusion has been that some things have shifted as the discussion has progressed. Originally OSPF was using vlan 11 and subnet 10.2.2.0 and in later posts OSPF is using vlan 15 and 10.2.52.0. Not sure what else might have shifted, and believe that ultimately the changes are not significant.

I believe that it might help to discuss this network design as having 2 major parts. One part is the routing logic for inside the network and the other part is the routing logic for getting outside of the network.

Routing inside of the network uses the switches (for vlan assignments and forwarding at layer 2) and the firewalls for layer 3 logic (and the routers have no role in any of this). The firewalls have knowledge of all inside subnets, have responsibility for routing between inside subnets, have responsibility for forwarding from inside subnets to outside. We have not seen any details about this but it is logical to assume that the firewalls set their default gateway for access outside to use the GLBP virtual address. 

Routing for getting outside of the network is on the routers (and the firewalls and the core switches have no role in this). In the environment at the beginning of the discussion each router had its own static default route with its BGP peer as the next hop. The forwarding logic of GLBP would decide which router received traffic from inside going outside and the router that received that traffic would forward outside using its static default route. So the failover mechanism is GLBP and static default route.

It seems to me that this architecture works ok as long as all its parts are working. But I am concerned about what happens when something is not working as intended.

1) The logic that we have seen for GLBP will choose one of the routers to be the active router. We have not seen any logic that would recognize a problem on the active router (especially loss of connectivity to its BGP peer) and shift the active router to the other router. Does that logic exist?

2) As I discussed in a previous post there are issues with a static default route, especially  the possibility that you could lose connectivity to the BGP peer but the interface not go to the down state. In that situation the default route would continue to be active, but would be trying to forward traffic to a next hop that is not reachable.

So my opinion is that is some circumstances the routers might failover (as apparently was tested at one point) if an interface was shut down or the router taken out of service. But in some other circumstances failover might not work as expected. 

In terms of how I might want to see this network operate I would prefer that the failover mechanism be based on BGP rather than GLBP and static default routes. Assuming that each ISP does advertise a default route then each router would learn a default route and if there was a problem with one of the ISP then its default route would be withdrawn and the routers would realize that they need to use the other router to get outside.

In several respects I believe that the network configuration is more complex than it needs to be and would suggest some simplification. It appears that both ISP are advertising the full BGP set of Internet routes. I do not see a reason why this organization needs to receive 2 sets of complete routes. Receiving the full Internet set of routes makes sense for an organization that wants to use both ISP in a load sharing operation where some routes are best through one ISP while other routes are best through the other ISP. But clearly this organization is operating in an active BGP/backup BGP where all traffic is sent through one ISP and the second ISP is used only for failover. Requesting each ISP to advertise just a default route would significantly reduce the processing overhead on each router and would achieve the primary/backup relationship more efficiently.

I also think the IBGP is more complex than it needs to be. For example the use of peer groups in the IBGP would be appropriate when there are more than 2 IBGP routers. But when there are only 2 I do not see much benefit from peer groups. Another example of unnecessary complexity is the use of the Loopback interface for the IBGP peer. Using loopback interface addresses makes good sense when there are more than one path to reach the peer (if the primary path fails there could be a second path to reach the IBGP peer). On these routers there are 2 vlans that connect them. But clearly vlan 14 is for only Inside traffic and vlan 11/15 is for outside traffic. If there is no alternate path then there is no advantage in using loopback interfaces for IBGP peering.

And using the vlan 11/15 interface address as the IBGP peering address would remove the need for OSPF. I have been quite slow to recognize that in the current environment that OSPF is indeed required for IBGP - because it is OSPF that lets one router know how to reach the IBGP peer address. If the IBGP peering used the vlan interface address then there is no need for OSPF.

Hello Richard ;

Thanks for the detailed explanation .

It is indeed vlan 15 (ospf) and not vlan 11   . And correct Network is 10.2.52. and not 10.2.2  . ( It was a mistake from my end).

FW is sending the traffic to GLBP VIP . Whosoever Router is holding the VIP will handle the traffic .

The point here is that From FW point of view, it can forward the traffic to active router holding the glpb VIP . But what if external Interface of the router goes down . The GLBP is not monitoring or polling (health check)the external interface . It is purely on the basis of prirotity configured on GLB config on both the routers.

The point of receieving so many routes from both ISP seems not a good decision as you mentioned and it only increases the processing power of router . I will highlight this to customer .

You are also right , there is only 1 path for both routers to reach their loopbacks 

Cant we use simply the VLAN 15 address as loopback .

I dont understand the statement you made

in the current environment that OSPF is indeed required for IBGP - because it is OSPF that lets one router know how to reach the IBGP peer address. If the IBGP peering used the vlan interface address then there is no need for OSPF.

OSPF is having two routes - the vlan 15 interface and ISP address ,  how it is helping BGP ? This is the only point not clicking to me still . I am confused as OSPF routes never say anything about default ( or so many routes sent by ISP)

Thanks @Richard Burts  . That was a long thread but people like you make things understand . I am vey much thankful to you and all othes involved .

Note : I would be interested to know the reasons may be at a  high level why loopback interface  for bgp neighbours. What are those scenarios

Onec again, thank you .