01-27-2025 04:13 PM
Here’s the high level:
router1 - taclane1 - wan - taclane2 - router2
Traffic leaves router1, gets encrypted by tac1, travels across an ISP to tac2, gets decrypted, and is then forwarded on to router2. So the encryption process, I'd think, would be transparent to the routers. Or that was my hope. Here is the config, interfaces from left to right.
router1
interface loopback0
 ip address 1.1.1.1 255.255.255.255
interface gig 0/1/0
 ip address 192.168.100.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 1
 ip ospf retransmit-interval 1
router ospf 1
 log-adjacency-changes detail
 ttl-security all-interfaces
 network 192.168.100.0 0.0.0.3 area 0
 network 1.1.1.1 0.0.0.0 area 0
Taclane1
 PT 192.168.100.2/30
 CT 10.0.0.1/30
Taclane2
 CT 10.0.0.2/30
 PT 192.168.200.2/30
Router2
interface loopback0
 ip address 2.2.2.2 255.255.255.255
interface gig 0/1/0
 ip address 192.168.200.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 1
 ip ospf retransmit-interval 1
router ospf 1
 log-adjacency-changes detail
 ttl-security all-interfaces
 network 192.168.200.0 0.0.0.3 area 0
 network 2.2.2.2 0.0.0.0 area 0
If these routers were connected, I'd be seeing an adjacency. Is this just not going to work?
01-27-2025 04:21 PM
Exactly which routers do you believe should be establishing adjacency with which routers?
If you're thinking adjacency should form between routers 1 and 2, not as they're configured.
01-27-2025 04:40 PM
Yes, routers 1 and 2.
What's the issue?
01-27-2025 06:37 PM
Besides the fact that they don't share a network, as noted by @Flavio Miranda, it appears your crypto devices provide an L3 connection, not L2, and adjacent OSPF neighbors need the latter.
However, possibly you could connect routers 1 and 2 using a tunnel.
01-27-2025 05:09 PM
Considering they would be connected by interface gig 0/1/0 on R1 and gig 0/1/0 on R2, they will not form adjacency as they are not on the same network.
Either IP address 192.168.100.2 on Router 2 or 192.168.200.2 on Router1 would be required.
01-27-2025 05:13 PM
Awesome thank you.
01-27-2025 07:01 PM
It works if there is a VPN tunnel.
R1 and R2 will form OSPF over this tunnel.
MHM
01-27-2025 08:05 PM
GRE would work as well?
01-27-2025 08:07 PM
Sure, yes.
MHM
01-28-2025 02:20 AM
"Gre would work as well?"
It should, as long as you have L3 connectivity between the two routers, i.e. if each router can ping the other router's TACLANE-facing interface.
One possible issue with using a tunnel and/or possibly TACLANE is fragmentation and often loss of payload bandwidth.
01-28-2025 06:22 AM
Dropped the MTU to 1476 and it came up flawlessly on a GRE... thanks as always.
01-28-2025 06:36 AM
Two suggestions. . .
When you drop MTU, there is often much benefit in using tcp mss-adjust to drop MSS by a similar amount.
If you know the overhead for encryption, drop both MTU and MSS to allow for it.