wilson_1234_2
Participant

OSPF neighbor, preferred route problem

I have the network shown in the attached file.

I have had problems with this in the past.

The default route is distributed from Verizon BGP into our Internet router OSPF domain, then advertised to the rest of the network, as part of our failover scenario.

The PIX firewalls are configured with OSPF; the inside networks get the default route from the PIX.

Both PIX firewalls need to have the default route in the route table because they are doing entirely different things. Both firewalls' DMZs need to get to the Internet, have inside networks access their DMZ and fail over to DR Internet when HQ Internet is lost.

I am having trouble with the Edge router and Inside 6509 switch preferring the 515 firewall.

I want the Edge router to always use the routes from the 525 PIX for inside and the 6509 to always use the 525 for the default route unless it fails.

The 6509 is also using the PIX 515 as the next hop for Internet. Both PIX firewalls are directly connected to the 6509 in this drawing.

There is another 6509 downstairs that is a neighbor to the 6509 in this drawing, that is getting the default route from the 525 pix as I want.

Looking at the OSPF databases, they all are identical.

The edge router is forming adjacencies, but isn't the higher Neighbor ID supposed to be preferred? The Internet router is using the 515 firewall.

Internet Router:

Neighbor ID    Pri  State         Dead Time  Address  Interface
192.168.2.1    1    FULL/DROTHER  00:00:32   2.2.2.3  FastEthernet0/0
192.168.1.1    1    FULL/BDR      00:00:39   2.2.2.2  FastEthernet0/0

The 6509 also:

6509-#sh ip ospf nei
Neighbor ID    Pri  State         Dead Time  Address   Interface
192.168.1.1    1    FULL/DROTHER  00:00:30   10.1.7.1  Vlan1
192.168.2.1    1    FULL/DROTHER  00:00:36   10.5.7.1  Vlan5


Hi

Ok, got the requirement. As I mentioned earlier, I simulated the network and it was working fine for me when removing the entry 2.2.2.0 from OSPF process 2.

I believe your setup was working properly and the resetting of the switch blade caused all the problem..

I know it's a live setup, but can you just try removing those entries from OSPF process 2 and try to reset the OSPF process on both PIXs. The reason I said this was, while I was simulating your network, once I caught up in a situation where the default entry at a router (515) was taking via (525), i.e. it was learning the one originated via 525 (i.e. via the OSPF inside domain, process 2), but not via the Internet router. It may be because OSPF process 2 came up before 1.

I reset the OSPF process with "clear ip ospf process" and then it was working properly for me..

I think more expert advice is also needed here to sort this out....... :)

As you mentioned, the whole config went so because the default route does not cross the PIX. Can you just confirm if this is true..???

arun

No that is not correct.

The default route does cross the PIXs (both of them).

The problem is that the upstairs 6509 is preferring the 515 PIX and I want it to prefer the 525 ALWAYS.

I appreciate your input.

You didn't get what I mean...

I was mentioning what you said in one of the posts, that you read somewhere that running one OSPF process had the problem of passing the default route through the PIX, and TAC suggested going for two processes...

If the PIX can pass it, then isn't it better to have one process in the PIX, hence one OSPF domain for the internal network? For the 6509 just manipulate the cost via 525 to prefer it..??

arun
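Arun's suggestion to steer the 6509 by cost rests on how OSPF picks between two PIX-originated defaults: Router IDs only decide DR/BDR election, not route preference, while an E2 default is chosen by external metric, then by SPF cost to the originating ASBR, with exact ties installed together as equal-cost paths (which is why the 6509 can end up using either PIX). The model below is an added illustration, not code from any poster; the node names and link costs are assumed, and on IOS the cost knob it models is the per-interface `ip ospf cost`.

```python
import heapq

# Constructed model of the thread's inside OSPF domain (link costs are assumed,
# not taken from any config in the posts): the upstairs 6509 has a direct VLAN
# to each PIX, the downstairs 6509 reaches only the 525 directly, and each PIX
# originates the default route as an E2 external with the same metric after
# redistributing it from its outside OSPF process.
DEFAULT_METRIC = 1  # assumed E2 metric carried by both PIXs

def build_links(cost_to_515=1, cost_to_525=1):
    return {
        "6509-up":   {"PIX515": cost_to_515, "PIX525": cost_to_525, "6509-down": 1},
        "6509-down": {"6509-up": 1, "PIX525": 1},
        "PIX515":    {"6509-up": cost_to_515},
        "PIX525":    {"6509-up": cost_to_525, "6509-down": 1},
    }

def fail_node(links, dead):
    """Topology after a node (e.g. the 525) goes down."""
    return {n: {m: c for m, c in nbrs.items() if m != dead}
            for n, nbrs in links.items() if n != dead}

def spf(links, root):
    """Dijkstra from root: {node: (cost, first hop)}. Router IDs play no part."""
    dist = {root: (0, None)}
    heap = [(0, root, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > dist[node][0]:
            continue
        for nbr, link_cost in links.get(node, {}).items():
            new_cost = cost + link_cost
            hop = nbr if node == root else first_hop
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return dist

def default_route_next_hops(links, root, asbrs=("PIX515", "PIX525")):
    """E2 route selection: lowest external metric wins, ties go to the lowest
    forward metric (SPF cost to the originating ASBR); remaining ties are
    installed together as equal-cost paths, so the switch may use either."""
    dist = spf(links, root)
    cands = [(DEFAULT_METRIC, dist[a][0], dist[a][1]) for a in asbrs if a in dist]
    if not cands:
        return []
    best = min(cands)[:2]
    return sorted(hop for m, f, hop in cands if (m, f) == best)
```

With equal costs the upstairs 6509 gets both PIXs as next hops; raising the cost toward the 515 leaves only the 525, and removing the 525 falls back to the 515, which is the "prefer 525 unless it fails" behaviour the original post asks for.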

I see,

Yes it is better to have a single process.

I want to move to that config.

I will see if it will work for me and let you know.