Solved: Re: OSPF database-filter all out question

katerina.dardoufa · ‎03-16-2011

Hello,

attached you will find a simple topology for which I have a few questions. We are running OSPF in our network and recently we have converted to MPLS with our provider. The routing protocol between our CE (our router) / CPE (providers' router) and the PEs is still OSPF with areas as shown in the diagram. All major traffic engineering is done in the providers cloud.

Because the provider has enabled max-lsa on PE-2 when the ISDN connection came up, due to the LSAs sent by the branch router towards PE-2 the OSPF adjacency (PE-s / CPE) came down. In order to overcome this problem, I thought of configuring "ip ospf database-filter all out" on the dialer on CE, so that it wouldn't send its database to the branch router, which would in turn send it towards PE-2. This seems to work fine. When the ISDN line comes up, the branch LSA database does not change. The problem is that the branch router sends its database to CE, which as I understand sends it to PE-1 (PE-1 is also configured with max-lsa, I suspect with a higher value than that of PE-2). This is not a major issue when only one branch uses its ISDN backup (the size of the LSA database increments by a value of ~= 700), but what if more branches use their ISDN backup simultaneously??? Then the adjacency between CE (core router) and PE-1 would come down!!!!

My first idea to overcome this, was to also set "database filter all out" on the branches dialer. I read in the following link "http://fengnet.com/book/Cisco.IOS.Cookbook.2nd/I_0596527225_CHP_8_SECT_3.html" that:

The "database-filter all out" does not block OSPF Hello packets, so the routers will still form full and normal adjacencies. Also, it only blocks the sending of LSA packets. The router will receive routes normally.

So I thought that the routing will still work. After configuring the "database-filter all out" I lose connectivity with the branch!!!! Why is that? Shouldn't routes be received by both ends?

Thanks in advance,

Katerina

Peter Paluch · ‎03-16-2011

Katerina,

You are suggesting that after you have used the ip ospf database-filter all out command on your interface, you lost connectivity with your branch office. That can be understandable if you consider the fact that thanks to this command, the branch router is prevented from advertising its networks to the neigbhors so they may not have a route back.

I am wondering if we are trying to do the right thing when we are searching for a workaround to a problem in fact imposed by your ISP - by having its LSA limits set too low for your needs. Is there no way to talk to the ISP and make it increase the limits? Or perhaps use a different routing protocol to communicate your networks to the PE routers, say, BGP?

On a completely different note, I was wondering if you or your relatives have roots in the Czech Republic. The name Katerina is a Czech name - a very nice one, actually

Best regards,

Peter

View solution in original post

christof32 · ‎03-16-2011

Hello Katerina,

The OSPF database filter is not your answer to the problem. It works like passive-interface command in RIPv2. The ospf neighborship comes up, the router receives LSAs, but it does not send any LSA out the spesific interface. So the other end doesn't have a route for it.

I agree with Peter that the only solution would be another protocol, but in conjuction with OSPF.

How about EIGRP just for the isdn interface while the main link would still be OSPF?

Regards,

View solution in original post

andrew.prince · ‎03-16-2011

Katerina,

The "database-filter all out" is not the solution you are really looking for. If you want to run OSPF over your Backup ISDN link - then you need to let OSPF know that is a Dial on Demand link type. This will stop the issues you are seeing and allow you to route when the MPLS is not available.

under your ISDN dailer interface @ both ends configure

ip ospf demand-circut

HTH>

katerina.dardoufa · ‎03-16-2011

Hello Andrew,

I have not any experience on "on demand circuits", but from what I read it doesn't stop the initial LSA flooding (when the adjacency first comes up), but stops periodic updates and hellos. What I want to do is stop the initial LSA flooding all together, but still have routing!!! (I don't even know if this is possible). From what I read "database-filter" does what I want, but it doesn't work both ways!!! I am begging to think that it cannot be done, but I will give it another shot, before I completly surrender to the power (and stubborness) of OSPF

Any more suggestions are welcome

Peter Paluch · ‎03-16-2011

Katerina,

You are suggesting that after you have used the ip ospf database-filter all out command on your interface, you lost connectivity with your branch office. That can be understandable if you consider the fact that thanks to this command, the branch router is prevented from advertising its networks to the neigbhors so they may not have a route back.

I am wondering if we are trying to do the right thing when we are searching for a workaround to a problem in fact imposed by your ISP - by having its LSA limits set too low for your needs. Is there no way to talk to the ISP and make it increase the limits? Or perhaps use a different routing protocol to communicate your networks to the PE routers, say, BGP?

On a completely different note, I was wondering if you or your relatives have roots in the Czech Republic. The name Katerina is a Czech name - a very nice one, actually

Best regards,

Peter

katerina.dardoufa · ‎03-16-2011

Hello Peter,

I myself would have preferred BGP for the connection to the ISP, but since I don't work alone, the company (in which I am fairly new) insisted on OSPF (hence all the problems!). So I have to work with what I got!!!!

In your answer you say "That can be understandable if you consider the fact that thanks to this command, the branch router is prevented from advertising its networks to the neigbhors so they may not have a route back." I think that I understand it now... (please correct me if I am wrong, because I have put a lot of effort into trying to find a solution!)

My branch has a floating static, in order to use the ISDN when everything else fails. When "database-filter" is only configured on the CE, the CE doesn't send the LSA-database to the branch, nor does it send any routes. The branch still sends routes to the CE, so the CE knows how to route everything back, and because of the floating static on the branch every IP in the network can be reached. When "database-filter" is also configured on the branch, no routes and no database are sent to the CE, thus the CE doesn't know how to reach anything on the branch (except for the directly connected IP!).

As far as the last part of your post, Katerina is a common name I suppose in all of the Balkan region and also in Greece, where I am from

Thanks for your answer!

andrew.prince · ‎03-16-2011

You can also consider "ip ospf flood-reduction"

christof32 · ‎03-16-2011

Hello Katerina,

The OSPF database filter is not your answer to the problem. It works like passive-interface command in RIPv2. The ospf neighborship comes up, the router receives LSAs, but it does not send any LSA out the spesific interface. So the other end doesn't have a route for it.

I agree with Peter that the only solution would be another protocol, but in conjuction with OSPF.

How about EIGRP just for the isdn interface while the main link would still be OSPF?

Regards,

katerina.dardoufa · ‎03-16-2011

Hello Christof!

Thanks to Peter and you I now understand why "database-filter" won't work. And since there is no way that the provider will increase the max-lsa value, I think what you propose is the best way to tackle the problem.

Thanks for your help,

Katerina