OSPF Design for small network

cbse120109 (Level 1)

I have a design question regarding configuring OSPF for two sites. Say, Napa and Sonoma. I

All traffic not local to Sonoma, including 0.0.0.0, needs to be routed through Napa over a private WAN link.

Would creating a stub area for Sonoma be the solution as it would only need a 0.0.0.0 route?

I have attached a diagram of what I think on how it should be configured.

Thinking ahead, a backup internet connection at Sonoma will be installed in case the private WAN link fails.

An L2L VPN over ASAs would be configured so Sonoma could reach Napa as a backup route.

Would NSSA be needed, as a new ASA in Sonoma would inject a backup route into Area 1?

Any thoughts on the backup design?


16 Replies

Hi,

Would creating a stub area for Sonoma be the solution as it would only need a 0.0.0.0 route?

I have attached a diagram of what I think on how it should be configured.

you can actually use a TSA (totally stubby area)

Thinking ahead, a backup internet connection at Sonoma will be installed in case the private wan link fails.

A l2l vpn over ASAs would be configured so Sonoma could reach Napa as a backup route.

Would NSSA be needed as a new ASA in Sonoma would inject a backup route into Area1?

Any thoughts on the backup design?

This is where things change.

Now as you know, all areas need to link to Area 0, right? So once your private link goes down you won't have Area 0. So what you need to do is run GREoIPSEC and have tunnel interfaces. The IPsec will terminate on the ASA and the GRE will terminate on the Sonoma and Napa routers. Now the tunnel interfaces will be in Area 0. So we have achieved that requirement.

When you redistribute your default route into OSPF from the external domain it becomes a Type 5 LSA. Even NSSAs don't allow that due to their "stub" nature, unless the redistributing router is an NSSA ASBR, which then sends the redistributed routes into the OSPF domain as Type 7 LSAs, which are later converted into Type 5 LSAs by the ABRs.

In your case, the default route is redistributed by the ASA and sent to the Napa router as a Type 5 LSA, which will be propagated to the Sonoma router, and since the default route doesn't need to go any further you can leave Area 1 as a stub as is.

Also, when you have the backup tunnel interfaces you need to change the cost on the interfaces so that the private link is primary and the tunnel interfaces are backup.

Regards,

Please rate if helpful

Keep it simple

As long as all you need in the remote site is a default route,

then make the OSPF area type totally stubby to inject the default route only.

And use a floating static default route pointing over the VPN link/next hop, using a higher administrative distance in the remote site, higher than 110.

In the firewall, same idea, but it has to be a floating default route with AD higher than 110 pointing to the remote site over the VPN.

And cover the remote site subnet to be used as a backup.

Hope this helps

I agree with marwan if all you need is the default route. But if you need to speak to the subnets within the Napa core then you need to implement what I suggested.

HTH

Ok, I will need to route to subnets on the Napa core. If the private link goes down and the floating route is used, wouldn't the Sonoma ASA route to the Napa core over the L2L VPN?


The limitation you have is that you cannot run routing over the VPN tunnel, as you can't use GRE with the firewall.

If you want your routing to be fully reachable over the VPN tunnel to the firewall, use the below static route concept.

In the firewall:

Static route covering the remote site network, pointing to a next hop over the VPN, with AD >110.

In the Napa core switch:

Static route pointing to the firewall, covering the remote site networks, with AD >110.

In the Napa router, the same static pointing to the Napa core.

In the remote site, use on both the router and the core a floating static default route with AD >110.

Hope this helps

If helpful rate
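
The totally stubby Area 1 plus floating static design from the two replies above, as an added example (not configuration from the thread or from Cisco); the IOS snippets assume a simplified, constructed topology with the Napa router as the Area 0/Area 1 ABR and the two ASA inside addresses as the VPN next hops.

```cisco
! Added example, not from this thread. Simplified, constructed topology:
!   Napa router (ABR)  LAN 10.10.0.1/16 in Area 0, WAN 10.0.1.1/30 in Area 1
!   Sonoma router      WAN 10.0.1.2/30 and LAN 10.20.0.1/16, both in Area 1
!   Napa ASA inside 10.10.0.254, Sonoma ASA inside 10.20.0.254 (L2L VPN peers)
!   The Napa ASA is assumed to originate the Internet default into OSPF Area 0.
!
! ===== Napa router (ABR between Area 0 and Area 1) =====
router ospf 1
 router-id 10.10.0.1
 network 10.10.0.0 0.0.255.255 area 0
 network 10.0.1.0 0.0.0.3 area 1
! Totally stubby: no Type 3/5 LSAs into Area 1, only a Type 3 default (0/0)
 area 1 stub no-summary
!
! Floating static to the Sonoma LAN via the Napa ASA (VPN path).
! AD 250 > OSPF 110, so it is installed only once the OSPF route learned
! over the private WAN link disappears.
ip route 10.20.0.0 255.255.0.0 10.10.0.254 250
!
! ===== Sonoma router (internal router of Area 1) =====
router ospf 1
 router-id 10.20.0.1
 network 10.0.1.0 0.0.0.3 area 1
 network 10.20.0.0 0.0.255.255 area 1
! Every router in the area must agree on the stub flag (no-summary is ABR-only)
 area 1 stub
!
! Floating default to the Sonoma ASA. While the WAN link is up the OSPF
! default (AD 110) from the ABR wins; when the link fails that default is
! withdrawn and this route takes over.
ip route 0.0.0.0 0.0.0.0 10.20.0.254 250
!
! Both ASAs still need a route for the far-end LAN over the VPN with AD > 110
! and a crypto ACL matching 10.10.0.0/16 <-> 10.20.0.0/16 (ASA syntax omitted).
```

Check with "show ip route" on the Sonoma router: only the OSPF inter-area default (O*IA 0.0.0.0/0) should be present while the WAN link is up, and the static (S* 0.0.0.0/0 [250/0]) only after it is shut down.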

marwan,

The limitation you have is that you cannot run routing over the VPN tunnel, as you can't use GRE with the firewall.

You cannot terminate a GRE tunnel on the ASA; that's why I suggested terminating it on the Napa router and just allowing the GRE traffic to flow through the ASA.

cbse,

You can use either solution, whatever suits your network. marwan's solution also works. Just be mindful that static routes are a lot of admin overhead and they don't scale well.

HTH

Yes, you're right.

But the only thing different here is that the firewall will only pass GRE traffic; if this is OK from a security point of view then this is an easy option to go with.

HTH

I definitely want to keep it simple, but it's becoming a pain keeping up with the static routes.

Would unicast OSPF be the solution to run OSPF over IPsec?

While the VPN is connected, the Sonoma ASA would redistribute the subnets available over the tunnel but would change the cost to be higher than 110. Although I guess Area 1 would have to change so as to allow more than just a stub.

Well, the GRE will be between the two routers but has to be over the VPN.

The cost is not something related to AD, so it could be 1 or 1000, but the tunnel cost has to be increased to be higher than the path over the WAN link.

Also, the tunnel interfaces' IP addresses have to be advertised to the core switch, ASA and remote site as a more specific route to avoid recursive lookup of the tunnel interfaces.

You can make the tunnel in any area, as a totally stub area.

Use the command area x cost and put a high cost for this new area over the GRE tunnels to make any route coming through it less preferred / backup.

Hope this helps
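
The GRE-over-IPsec backup path with a raised tunnel cost and the host routes for the tunnel endpoints, as an added example (not configuration from the thread or from Cisco). It keeps the tunnel in the existing stub Area 1 rather than in Area 0, because OSPF prefers an intra-area route over an inter-area one regardless of cost, so a tunnel in Area 0 would make Sonoma take the tunnel to Napa's Area 0 subnets even while the WAN link is up; addresses are constructed, and the ASA-to-ASA IPsec configuration (crypto ACL matching GRE between the two router LAN addresses) is assumed to exist.

```cisco
! Added example, not from this thread. Constructed addressing:
!   Napa router   LAN 10.10.0.1 (Area 0/Area 1 ABR), Napa ASA inside 10.10.0.254
!   Sonoma router LAN 10.20.0.1 (Area 1 only),       Sonoma ASA inside 10.20.0.254
!   The ASA L2L tunnel must encrypt and permit GRE (IP protocol 47)
!   between 10.10.0.1 and 10.20.0.1; Area 1 is the existing totally stubby area.
!
! ===== Napa router =====
interface Tunnel0
 description GRE to Sonoma, carried inside the ASA-to-ASA IPsec tunnel
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
! Far higher than the WAN path cost: the tunnel is used only as backup
 ip ospf cost 1000
 tunnel source 10.10.0.1
 tunnel destination 10.20.0.1
!
router ospf 1
! Tunnel sits in the same area as the WAN link, so both paths are intra-area
! and the interface cost alone decides which one is used
 network 172.16.0.0 0.0.0.3 area 1
 area 1 stub no-summary
!
! Host route to the far tunnel endpoint via the ASA (AD 1 beats OSPF), so the
! endpoint is never resolved through Tunnel0 itself (recursive routing would
! flap the tunnel). Only this /32 takes the VPN path while the WAN is up.
ip route 10.20.0.1 255.255.255.255 10.10.0.254
!
! ===== Sonoma router (mirror image) =====
interface Tunnel0
 description GRE to Napa, carried inside the ASA-to-ASA IPsec tunnel
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 1000
 tunnel source 10.20.0.1
 tunnel destination 10.10.0.1
!
router ospf 1
 network 172.16.0.0 0.0.0.3 area 1
 area 1 stub
!
ip route 10.10.0.1 255.255.255.255 10.20.0.254
```

With the WAN link up, "show ip ospf neighbor" on either router should list two neighbors (WAN and Tunnel0) while "show ip route" still resolves the far-end LAN over the WAN interface; shutting the WAN interface should move the routes to Tunnel0 without the tunnel line protocol going down.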

I will try to get this going in my GNS3 lab and report back for the correct answer.

Well, all answers in this discussion are correct.

It all depends on how you want to do it and how you are going to configure it.

Each approach has different config and logic.

Good luck, and if you need any more clarifications let us know.

Looking at this document it seems as if running OSPF over an existing IPsec VPN is supported without the need for GRE between the routers.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Is that correct?


Yes, it is correct, and 5+ for this, which we overlooked.

The trick here is:

!--- This line allows the unicast of OSPF over the IPsec tunnel.

ospf network point-to-point non-broadcast

I recommend you test it in a lab or out of working hours before going with this approach.

By the way, in case the WAN link is down, which Internet link will the remote site use: the local one, or go to the main ASA and access the Internet from there? This is an important point because the injection of the OSPF default route might affect it.

So if the WAN link goes down, Sonoma would use the local Internet source, and if the Napa ASA or Internet source goes down I guess the Internet would route out of Sonoma. That way, if we lose any device we should still function, albeit over unpreferred links.

Which makes me bring up the areas again.

Should all devices just be in Area 0 and have both ASAs inject the default route, and adjust Sonoma's metric to be the secondary way out?