09-28-2021 11:09 AM
Hi, I have an OSPF situation I can’t seem to figure out. I have 3 DMVPN tunnels to a router (router 1), Tunnel 0 (primary path), Tunnel 1 (secondary path) and tunnel 600 (tertiary path).
If I have all tunnels turned up, Tunnel 0 is the default path and primary connection. O*E1 0.0.0.0/0 [110/3] via 10.2.2.1, 15:22:31, Tunnel0
If I turn off Tunnel 0 (area 0) and leave Tunnel 1 (area 10) and Tunnel 600 (area 60 NSSA) up, Tunnel 600 becomes the primary default path. Tunnel 600 has a higher cost locally on the router than tunnel 1, tunnel 600 is also in an NSSA area where tunnel 10 .
Router 1 config:
interface Tunnel0
ip address 10.2.2.9 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast 172.17.3.1
ip nhrp map multicast 172.17.3.2
ip nhrp map 10.2.2.1 172.17.3.1
ip nhrp map 10.2.2.2 172.17.3.2
ip nhrp network-id 1
ip nhrp nhs 10.2.2.1
ip nhrp nhs 10.2.2.2
zone-member security LAN
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 0
ip ospf mtu-ignore
ip ospf 1 area 0
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
tunnel key 1
tunnel path-mtu-discovery
tunnel protection ipsec profile ENS_ipsec_profile shared
end
interface Tunnel1
ip address 10.3.3.9 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map multicast 50.xxx
ip nhrp map 10.3.3.2 50.xxx
ip nhrp network-id 3
ip nhrp nhs 10.3.3.2
zone-member security LAN
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 0
ip ospf mtu-ignore
ip ospf 1 area 10
ip ospf cost 24
load-interval 30
tunnel source GigabitEthernet0/0/1
tunnel mode gre multipoint
tunnel key 3
tunnel path-mtu-discovery
tunnel protection ipsec profile internet_ipsec_vpn_protection shared
interface Tunnel600
ip address 10.6.0.9 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 10.6.0.1 209.xxx
ip nhrp map multicast 209.xxxxx
ip nhrp network-id 60
ip nhrp nhs 10.6.0.1
zone-member security LAN
ip tcp adjust-mss 1360
ip ospf network broadcast
ip ospf priority 0
ip ospf mtu-ignore
ip ospf 1 area 60
ip ospf cost 26
load-interval 30
tunnel source Cellular0/2/0
tunnel mode gre multipoint
tunnel key 60
tunnel path-mtu-discovery
tunnel protection ipsec profile Cell_interface_ipsec_profile shared
end
Router 1:
router ospf 1
router-id 172.17.3.9
priority 0
area 60 nssa
redistribute connected route-map redist_connected
redistribute static route-map redist_ospf <- denies 0.0.0.0/0 out
passive-interface default
no passive-interface Tunnel0
no passive-interface Tunnel1
no passive-interface Tunnel 600
network 10.2.2.0 0.0.0.0 area 0
network 10.3.3.0 0.0.0.255 area 10
network 10.6.0.0 0.0.0.0 area 60
distribute-list prefix nhrp_ospf_block in <- allows only default 0.0.0.0/0 in
Again, if I turn off tunnel 0 tunnel 600 becomes the primary path over tunnel 1,
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 27, candidate default path, type inter area
Last update from 10.6.0.1 on Tunnel600, 00:05:19 ago
Routing Descriptor Blocks:
* 10.6.0.1, from 172.17.3.1, 00:05:19 ago, via Tunnel600
Route metric is 27, traffic share count is 1
O*IA 0.0.0.0/0 [110/29] via 10.6.0.1, 00:00:05, Tunnel600
If I turn off Tunnel 600 then the last remaining tunnel, tunnel 1, becomes the primary
Tunnel 1
Routing entry for 0.0.0.0/0, supernet
Known via "ospf 1", distance 110, metric 26, candidate default path
Tag 1, type extern 1
Last update from 10.3.3.2 on Tunnel1, 00:03:24 ago
Routing Descriptor Blocks:
* 10.3.3.2, from 172.17.3.1, 00:03:24 ago, via Tunnel1
Route metric is 26, traffic share count is 1
Route tag 1
O*E1 0.0.0.0/0 [110/26] via 10.3.3.2, 00:01:01, Tunnel1
Note that the cost of tunnel 600 is higher than tun 1 so how is this possible,
I read that IA routes will beat E1 and thus be preferred, but when tunnel 0 is active it will be chosen over tunnel 600 and it's an E1 route. O*E1 0.0.0.0/0 [110/3] via 10.2.2.1, 15:22:31, Tunnel0
I’m not understanding why Tunnel0 will be chosen over tunnel 600 but tunnel 1 will not be chosen over tunnel 600.
Below is the config for both routers that pass the default routes to router 1
Primary DMVPN ROUTER:
router ospf 1
router-id 172.17.3.1
log-adjacency-changes detail
limit retransmissions non-dc disable
area 60 nssa no-redistribution default-information-originate no-summary
redistribute connected
redistribute static route-map Lan-static-RM
passive-interface default
no passive-interface Tunnel0
no passive-interface Tunnel600
network 10.2.2.0 0.0.0.0 area 0
network 10.6.0.0 0.0.0.0 area 60
default-information originate metric 1 metric-type 1 <- I am setting this as a E1
Secondary DMVPN router:
router ospf 1
router-id 172.17.3.2
log-adjacency-changes detail
limit retransmissions non-dc disable
area 5 nssa no-redistribution default-information-originate no-summary
summary-address 50.xxxx
redistribute connected
redistribute static route-map Lan-static-RM
passive-interface default
no passive-interface Tunnel0
no passive-interface Tunnel1
network 10.2.2.0 0.0.0.0 area 0
network 10.3.3.0 0.0.0.0 area 10
default-information originate metric 21 <- I did try making this an E1 route and nothing changed
If anyone can help me, I would appreciate it.
TIA, Paul
Cisco IOS Software [Amsterdam], ISR Software (ARMV8EL_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.3, RELEASE SOFTWARE (fc7)
09-28-2021 09:47 PM - edited 09-28-2021 09:49 PM
Hello @paul amaral ,
I agree that the default route coming from tunnel600 should be the primary route regardless of cost for the fact it is an O IA and the other two are O E1 routes but we have to consider the internal path to the ASBR node.
The reference document should be RFC2328 defining OSPFv2
https://datatracker.ietf.org/doc/html/rfc2328
In order to better understand what is happening I would suggest to provide the following show commands
On Spoke R1:
show ip ospf border-routers
! here we need to look at listed ASBR nodes and their best paths. This may be the key point.
show ip ospf database external 0.0.0.0
! this should show two LSAs
show ip ospf database summary 0.0.0.0
! this one should show one LSA learned via tunnel 600
There is something related to the fact the first tunnel is in backbone area 0. If the ASBR generating the default route in the OSPF domain is also in area 0 this may explain what you see
Hope to help
Giuseppe
09-29-2021 10:27 AM
Giuseppe,
are you saying that a router generating an E1 default route that is in area 0 will beat an NSSA IA route? Is this the reason that when Tunnel 0 is up along with tunnel 600 NSSA area that the default route chosen is through tunnel 0, because it's in area 0?
When I turn off tunnel 0 and just have tunnel 10 area 10 and tunnel 600 area 60 NSSA that the NSSA IA route will beat area 10's O*E1 since it's not in the backbone area 0?
If the above is true then I think I know what is going on, since everything is connected to area 0 and area 0 has two routers distributing the default route 0.0.0.0/0, one being E1 and the other E2. The only reason the E1 route was preferred was because it was from an ASBR in area 0, tunnel 0. Turning off tunnel 0 left us with Tunnel 10 in area 10 and tunnel 600 NSSA. Tunnel 600 IA beats E1 or E2 and is preferred. Turning off tunnel 600, then tunnel 10 will prefer the route in area 0 that is E1 over E2.
I guess my question now is if I wanted to make tunnel 600 which is an NSSA in area 60 the least preferred, how can I make that happen. I wanted tunnel 0, tunnel 10 and tunnel 600 in that order. Is there a way to manipulate NSSA IA routes to be less preferred? I think what confused me in the beginning was just assuming the OSPF cost would set the preference for the chosen default route.
Here's the info you requested, as always thank you!
Paul
OSPF Router with ID (172.17.3.9) (Process ID 1)
Base Topology (MTID 0)
Internal Router Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 172.17.3.1 [26] via 10.6.0.1, Tunnel600, ABR/ASBR, Area 60, SPF 215
i 172.17.3.1 [2] via 10.2.2.1, Tunnel0, ABR/ASBR, Area 0, SPF 65
i 172.17.3.2 [24] via 10.3.3.2, Tunnel1, ABR/ASBR, Area 10, SPF 114
i 172.17.3.2 [2] via 10.2.2.2, Tunnel0, ABR/ASBR, Area 0, SPF 65
sh ip ospf database external 0.0.0.0
OSPF Router with ID (172.17.3.9) (Process ID 1)
Type-5 AS External Link States
LS age: 85
Options: (No TOS-capability, DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 172.17.3.1
LS Seq Number: 800006F5
Checksum: 0x670
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
MTID: 0
Metric: 1
Forward Address: 0.0.0.0
External Route Tag: 1
LS age: 1433
Options: (No TOS-capability, DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: 172.17.3.2
LS Seq Number: 8000037B
Checksum: 0x4A14
Length: 36
Network Mask: /0
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 21
Forward Address: 0.0.0.0
External Route Tag: 1
sh ip ospf database summ 0.0.0.0
OSPF Router with ID (172.17.3.9) (Process ID 1)
Summary Net Link States (Area 60)
LS age: 1390
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 0.0.0.0 (summary Network Number)
Advertising Router: 172.17.3.1
LS Seq Number: 80000719
Checksum: 0x3E17
Length: 28
Network Mask: /0
MTID: 0 Metric: 1
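An added example, not part of any post in this thread: a small Python model of default-route selection on the spoke that reproduces the three routing outputs posted above. It assumes IOS applies the RFC 2328 section 16.2 rule that a router with an active backbone attachment examines only backbone summary-LSAs (and, per RFC 3509, examines all areas once the backbone attachment is lost), plus a hub-to-hub cost of 1 inferred from the metric 26 output; all function and variable names are hypothetical.

```python
# Path-type preference when comparing candidates for one prefix (lower wins).
PREF = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}

# Constructed from the thread: tunnel -> (area, cost from spoke to hub).
# Tunnel0's cost of 2 is taken from the "border-routers" output.
TUNNELS = {"Tunnel0": (0, 2), "Tunnel1": (10, 24), "Tunnel600": (60, 26)}
HUB_TO_HUB = 1  # assumption: 26 (observed) - 24 (Tunnel1) - 1 (LSA metric)


def candidates(up):
    """Default-route candidates as (path_type, metric, tunnel) tuples."""
    areas = {TUNNELS[t][0] for t in up}
    # ABR only while the backbone is actively attached (RFC 3509 behaviour).
    is_abr = 0 in areas and len(areas) > 1
    out = []
    # Type-3 default (metric 1) injected into NSSA area 60 by 172.17.3.1.
    # An ABR ignores summary-LSAs from non-backbone areas.
    if "Tunnel600" in up and not is_abr:
        out.append(("inter", TUNNELS["Tunnel600"][1] + 1, "Tunnel600"))
    # Type-5 LSAs are not flooded into the NSSA, so the ASBRs are only
    # reached through area 0 or, failing that, area 10.
    if "Tunnel0" in up:
        cost = TUNNELS["Tunnel0"][1]
        out.append(("E1", cost + 1, "Tunnel0"))   # 172.17.3.1, metric 1
        out.append(("E2", 21, "Tunnel0"))         # 172.17.3.2, metric 21
    elif "Tunnel1" in up:
        cost = TUNNELS["Tunnel1"][1]
        out.append(("E1", cost + HUB_TO_HUB + 1, "Tunnel1"))
        out.append(("E2", 21, "Tunnel1"))
    return out


def best(up):
    """Pick the winner: path type first, metric only as a tie-breaker."""
    return min(candidates(up), key=lambda c: (PREF[c[0]], c[1]),
               default=None)


if __name__ == "__main__":
    for state in ({"Tunnel0", "Tunnel1", "Tunnel600"},
                  {"Tunnel1", "Tunnel600"},
                  {"Tunnel1"}):
        print(sorted(state), "->", best(state))
```

In this model the interface cost never competes across path types, which is why cost 26 on Tunnel600 does not lose to cost 24 on Tunnel1 once the inter-area default is admitted.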