06-08-2025 12:07 PM
Hi,
I'm trying to set up OSPF between 2 routers with subinterfaces. Unfortunately, OSPF doesn't come up with the subinterfaces. If I set up OSPF on the main interface, everything works fine.
The connection is between different sites in the country. Could there be a problem with my infrastructure provider?
Does anyone know what the problem is?
ROUTER 1
interface gi 0/0/2
no sh
interface gi 0/0/2.60
encapsulation dot1Q 60
ip address 60.60.60.10 255.255.255.252
ip ospf cost 200
interface Tunnel 60
ip address 60.69.60.10 255.255.255.252
ip mtu 1450
ip tcp adjust-mss 1400
ip ospf cost 200
load-interval 30
keepalive 5 4
tunnel source 60.60.60.10
tunnel destination 60.60.60.9
router ospf 1
network 60.60.60.8 0.0.0.3 area 0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ROUTER 2
interface ten 0/0/4
no shutdown
interface ten 0/0/4.60
encapsulation dot1Q 60
ip address 60.60.60.9 255.255.255.252
ip ospf cost 200
interface Tunnel 60
ip address 60.69.60.9 255.255.255.252
ip mtu 1450
ip tcp adjust-mss 1400
ip ospf cost 200
load-interval 30
keepalive 5 4
tunnel source 60.60.60.9
tunnel destination 60.60.60.10
router ospf 1
network 60.60.60.8 0.0.0.3 area 0
!!!!!!!!!!!!!!!!!!!!!
If I configure the addresses on the main interface as below, everything is fine.
interface gi 0/0/2
ip address 60.60.60.10 255.255.255.252
ip ospf cost 200
interface ten 0/0/4
ip address 60.60.60.9 255.255.255.252
ip ospf cost 200
Thanks
06-08-2025 01:38 PM
Hello @shlomoi,
looking at your configs raises some questions as you did not explain the details of your setup.
First of all, you create a tunnel but then your OSPF network statement 'network 60.60.60.8 0.0.0.3 area 0' refers to the IP addresses on the physical/subinterface. So what is the purpose of the tunnel? I expected that you wanted to run OSPF across your tunnel...
Secondly, are the interfaces gi0/0/2 and ten0/0/4 your WAN interfaces pointing to your ISP?
Typically ISPs do not accept dot1q-tagged frames unless your agreement explicitly includes such features.
You only mentioned that OSPF is not running if you use sub-interfaces but do you have IP connectivity from site-to-site in this case?
Once we get a clearer picture of your setup we can dig deeper into this issue if necessary.
HTH!
06-08-2025 05:06 PM
@Jens Albrecht may have identified the most likely issue, i.e. do your WAN providers support .1Q end-to-end.
BTW, took your interface and subinterface and router ospf 1 configuration, as is, and Packet Tracer forms an OSPF adjacency using the subinterfaces.
With the subinterfaces, can you ping other side, i.e. 60.60.60.9<>60.60.60.10?
Also BTW, for p2p /30, suggest configuring the interfaces as ospf network type p2p.
Another BTW, your tunnel MTU and adjust-mss sizes are "curious". (Typical delta between MTU and MSS is 40 bytes, and a GRE tunnel's overhead is usually just 24 bytes.)
06-09-2025 01:12 AM
What is the recommendation for MTU and MSS?
Is this ok?
ip mtu 1420
ip tcp adjust-mss 1380
Thanks
06-09-2025 04:29 AM - edited 06-09-2025 04:58 AM
For a GRE tunnel, usually:
ip mtu 1476 ! 1500 minus 24
ip tcp adjust-mss 1436 ! 1476 minus 40
06-09-2025 01:10 AM - edited 06-09-2025 01:50 AM
Hello
@shlomoi wrote:
The connection is between different sites in the country. Could there be a problem with my infrastructure provider?
Does anyone know what the problem is?
It's possible the encapsulation dot1q tagging is negating the adjacency; try the below if applicable and test again.
int ten /x.60
encapsulation dot1Q 60 native
EDITED- Just noticed in your OP you don't even have ospf enabled on the tunnel interfaces or under the ospf process!
06-09-2025 07:24 AM
As others have noted, using a GRE tunnel, as shown, is also "curious".
Logically, you have a p2p link to which you appear to want to run an unencrypted p2p tunnel between the same end points. For what's shown, all the tunnel provides is needless consumption of CPU and bandwidth.
Further, as also noted, you don't show any explicit routing integration for the tunnel. BTW, if you were thinking of having both the physical interfaces and the tunnel in the same OSPF AS, you can easily run into recursive routing issues.
I also notice you have keepalives enabled for the tunnel, which can be useful to "down" a tunnel interface when the tunnel loses end-to-end connectivity (including even when dynamic routing across a tunnel when the IGP loses connectivity to its neighbor/peer, and you want a NMS to notice the break without it having to analyze the IGP).
As @Jens Albrecht initially asked, if you could provide more contextual information, you'll likely get better suggestions.
06-09-2025 11:20 PM
From the setup and behaviour, it appears that the WAN provider might not be supporting 802.1Q tagged frames. Subinterfaces with VLAN tagging will only work if both ends and the intermediate network support and preserve VLAN tags. One option to try is adding the native keyword in the encapsulation command, like encapsulation dot1Q 60 native, if the link is expecting untagged frames.
Also, it looks like OSPF is not enabled on the tunnel interfaces. If the intention is to run OSPF over the GRE tunnel, then include the tunnel subnet in the network statement or use the ip ospf 1 area 0 command directly under the tunnel interfaces. Additionally, if you're not using encryption or doing anything specific with the tunnel, it may not be necessary at all. Try configuring OSPF directly on the subinterface (if VLAN is supported by your ISP) or consider using the physical interface with proper OSPF settings if subinterfaces are causing issues.
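Added example, not part of any post in the thread: a small Python audit that applies two checks the replies describe, whether each addressed interface is matched by an OSPF network statement (wildcard-mask comparison) and whether a GRE tunnel's ip mtu and adjust-mss follow the 24-byte and 40-byte deltas quoted above. The function names, the 1500-byte link MTU default and the abbreviated sample config are assumptions made for this illustration.

```python
import ipaddress

GRE_OVERHEAD, TCP_IP_HEADERS = 24, 40  # byte counts quoted in the thread

# Constructed sample: ROUTER 1 from the original post, relevant lines only.
SAMPLE = """interface gi 0/0/2.60
 encapsulation dot1Q 60
 ip address 60.60.60.10 255.255.255.252
interface Tunnel 60
 ip address 60.69.60.10 255.255.255.252
 ip mtu 1450
 ip tcp adjust-mss 1400
router ospf 1
 network 60.60.60.8 0.0.0.3 area 0
"""

def parse(config):
    """Collect per-interface settings and OSPF (address, wildcard) pairs."""
    ifaces, nets, cur = {}, [], None
    for w in (line.split() for line in config.splitlines()):
        if not w:
            continue
        if w[0] == "interface":
            cur = ifaces.setdefault(" ".join(w[1:]), {})
        elif w[0] == "router":
            cur = None
        elif w[0] == "network" and len(w) >= 3:
            nets.append((int(ipaddress.ip_address(w[1])), int(ipaddress.ip_address(w[2]))))
        elif cur is not None and w[:2] == ["ip", "address"]:
            cur["ip"] = ipaddress.ip_address(w[2])
        elif cur is not None and w[:2] == ["ip", "mtu"]:
            cur["mtu"] = int(w[2])
        elif cur is not None and w[:3] == ["ip", "tcp", "adjust-mss"]:
            cur["mss"] = int(w[3])
        elif cur is not None and w[:2] == ["ip", "ospf"] and "area" in w:
            cur["ospf"] = True  # interface-level "ip ospf <pid> area <id>"
    return ifaces, nets

def audit(config, link_mtu=1500):
    """Return findings: interfaces outside OSPF, unusual GRE MTU/MSS values."""
    ifaces, nets = parse(config)
    out = []
    for name, s in ifaces.items():
        # A wildcard bit of 1 means "don't care", so compare only the other bits.
        if "ip" in s and not s.get("ospf") and not any(
                (int(s["ip"]) ^ a) & ~wc & 0xFFFFFFFF == 0 for a, wc in nets):
            out.append(f"{name}: no OSPF network statement matches {s['ip']}")
        if name.lower().startswith("tunnel"):
            want_mtu = link_mtu - GRE_OVERHEAD
            if s.get("mtu", want_mtu) != want_mtu:
                out.append(f"{name}: ip mtu {s['mtu']}, usual GRE value {want_mtu}")
            if "mtu" in s and "mss" in s and s["mss"] != s["mtu"] - TCP_IP_HEADERS:
                out.append(f"{name}: adjust-mss {s['mss']}, expected {s['mtu'] - TCP_IP_HEADERS}")
    return out
```

Calling `audit(SAMPLE)` reports three findings, all on Tunnel 60; the subinterface itself is matched by the existing network statement, which is consistent with the replies pointing at the provider's handling of tagged frames rather than the OSPF configuration.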