OSPF + Tag
06-15-2020 07:00 AM
Hello
I have a router connected to the network provider's router. Behind my router, I have a firewall and a switch. My router (Ge0/0/0) is connected to the provider network with OSPF configured between both routers. The interface G0/0/1 of my router is connected to my firewall. My firewall is configured with different local networks (10.1.0.0/24 for users, 10.2.0.0/24 for servers, 10.3.0.0/24 for ToIP).
How can I configure my router to publish my local network addresses (10.1.0.0/24, 10.2.0.0/24, 10.3.0.0/24) to the WAN via OSPF and to apply a tag 1000 to my networks? The provider network is configured to accept from my router only routes with a tag value = 1000.
Do you have an example of a configuration to be implemented on my router?
BR
Labels: Routing Protocols
06-15-2020 07:06 AM - edited 06-15-2020 07:10 AM
Hello @Jerome C.
if all the internal routes are configured as static routes with a next-hop = FW interface IP address
Edit:
so the first requirement is a common subnet to be used between the internal LAN interface of the router and the external interface of the firewall. For example 10.5.0.0/24.
ip route 10.1.0.0 255.255.255.0 10.5.0.2
ip route 10.2.0.0 255.255.255.0 10.5.0.2
ip route 10.3.0.0 255.255.255.0 10.5.0.2
Then :
you can use a route-map to set the route tag in redistribution to the desired value:
route-map STATIC-INTO-OSPF permit 10
 set tag 1000
(or set route-tag 1000, check on your router)
router ospf 10
 redistribute static subnets route-map STATIC-INTO-OSPF
You can use a prefix list as a match parameter to describe/list the internal subnets.
Hope to help
Giuseppe
06-23-2020 03:22 AM
Thanks for your help.
It's working for static routes but I still have an issue with a connected route. How can I redistribute a connected route into OSPF with a tag 1000?
BR
06-23-2020 03:37 AM - edited 06-23-2020 03:38 AM
Hello @Jerome C. ,
you can use redistribute connected subnets route-map CONN-INTO-OSPF
ip prefix-list SELECTED permit 10.7.100.0/24
route-map CONN-INTO-OSPF permit 10
 match ip address prefix SELECTED
 set tag 1000
router ospf 10
 redistribute connected subnets route-map CONN-INTO-OSPF
Please note that in order to redistribute a connected route into OSPF, no network command in OSPF for the subnet must exist, otherwise the router will advertise the route as an internal route without a route tag.
So review your OSPF configuration for these aspects.
Final note: the network between the router and the firewall must be covered by a network command in OSPF; static routes must have a next-hop that is covered by an internal route in order to be able to redistribute static routes into OSPF.
So this is the only connected route that must be kept in a network command in addition to the link to the provider.
Hope to help
Giuseppe
06-23-2020 03:52 AM
Thanks.
You will find our design in the attached file. I need to redistribute 10.241.74.192/29. My current configuration on my router (ro-mun-par-wan-a) is:
interface GigabitEthernet0/1.624
 description LAN-IF
 encapsulation dot1Q 624
 ip address 10.241.74.196 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip ospf message-digest-key 1 md5 7 080A4D6A214B1118470D2C
 ip ospf cost 10
!
router ospf 1
 router-id 10.241.74.49
 log-adjacency-changes detail
 area 0 authentication message-digest
 redistribute static subnets route-map STATIC-INTO-OSPF
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1.624
 network 10.241.74.49 0.0.0.0 area 0
 network 10.241.74.120 0.0.0.7 area 0
 network 10.241.74.192 0.0.0.7 area 0
!
ip route 10.241.64.0 255.255.255.128 10.241.74.193
ip route 10.241.64.128 255.255.255.128 10.241.74.193
ip route 10.241.65.0 255.255.255.128 10.241.74.193
ip route 10.241.67.0 255.255.255.192 10.241.74.193
ip route 10.241.67.64 255.255.255.192 10.241.74.193
ip route 10.241.67.240 255.255.255.240 10.241.74.193
ip route 10.241.73.176 255.255.255.240 10.241.74.193
!
route-map STATIC-INTO-OSPF permit 10
 set tag 1000
It's working fine for all routes except 10.241.74.192/29.. :(
06-23-2020 05:15 AM
Hello @Jerome C. ,
from the network diagram we see that this subnet 10.241.74.192/29 is the one used to reach the firewall and to provide the next-hop for static routes that is 10.241.74.193.
So you cannot remove this from OSPF or the static routes redistribution will fail.
However, you can do something like the following:
add a static route for a prefix less specific that includes the subnet for example:
ip route 10.241.74.128 255.255.255.128 10.241.74.193
This static route should be redistributed with the desired tag and it should be accepted by the CPE
Hope to help
Giuseppe
06-23-2020 05:38 AM
I can't provide a network like 10.241.74.128 255.255.255.128 because, between 74.128 and before 74.192, the other addresses are used on other sites...
I can't change my router configuration with this :
router ospf 1
 router-id 10.241.74.49
 log-adjacency-changes detail
 area 0 authentication message-digest
 redistribute static subnets route-map STATIC-INTO-OSPF
 redistribute connected subnets route-map CONN-INTO-OSPF
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1.624
 network 10.241.74.49 0.0.0.0 area 0
 network 10.241.74.120 0.0.0.7 area 0
 network 10.241.74.193 0.0.0.0 area 0 --> Replace the network address by the IP of the firewall
!
ip route 10.241.64.0 255.255.255.128 10.241.74.193
ip route 10.241.64.128 255.255.255.128 10.241.74.193
ip route 10.241.65.0 255.255.255.128 10.241.74.193
ip route 10.241.67.0 255.255.255.192 10.241.74.193
ip route 10.241.67.64 255.255.255.192 10.241.74.193
ip route 10.241.67.240 255.255.255.240 10.241.74.193
ip route 10.241.73.176 255.255.255.240 10.241.74.193
!
route-map STATIC-INTO-OSPF permit 10
 set tag 1000
!
ip prefix-list SELECTED permit 10.241.74.192/29
!
route-map CONN-INTO-OSPF permit 10
 match ip address prefix SELECTED
 set tag 1000
!
BR
06-23-2020 06:05 AM - edited 06-23-2020 06:08 AM
Hello @Jerome C. ,
if you cannot use a larger prefix with the static route there is no way to tag the route for this subnet in OSPF.
>> network 10.241.74.193 0.0.0.0 area 0 --> Replace the network address by the IP of the firewall
This will not work because the network command is used to find an interface on the local router that should take part in OSPF and 10.241.74.193 is not the IP address of the router but that of the firewall.
If you do this the next-hop of static routes will be an external route and no static route is injected in OSPF because there is a consistency check on the next-hop that must be learned via an internal OSPF route.
In other words you can get the connected route advertised but you will lose all the static routes!
I am afraid you should stay with current setup.
Hope to help
Giuseppe
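The matching rule described in the replies above (a network command selects the router's own interface addresses, and a connected subnet selected that way is advertised as an internal route without a tag), as an added example that is not part of the thread. It is a Python check over a constructed configuration sample; Loopback7 and the two result labels are hypothetical names chosen for the illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: the LAN sub-interface from the posted
# configuration plus a hypothetical Loopback7 holding 10.7.100.0/24.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1.624
 ip address 10.241.74.196 255.255.255.248
!
interface Loopback7
 ip address 10.7.100.1 255.255.255.0
!
router ospf 1
 redistribute connected subnets route-map CONN-INTO-OSPF
 network 10.241.74.192 0.0.0.7 area 0
"""

def interface_addresses(config):
    """Return {interface name: IPv4Interface} for each addressed interface."""
    found, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)\s*$", line)
        if m and current:
            found[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found

def network_statements(config):
    """Return (address, wildcard) integer pairs from OSPF network commands."""
    pattern = r"^\s+network (\S+) (\S+) area \S+"
    return [(int(ipaddress.ip_address(a)), int(ipaddress.ip_address(w)))
            for a, w in re.findall(pattern, config, re.M)]

def classify(config):
    """Label each connected subnet by how OSPF would originate it."""
    nets = network_statements(config)
    result = {}
    for iface in interface_addresses(config).values():
        ip = int(iface.ip)
        # Wildcard bits are "don't care"; all other bits must equal the statement.
        covered = any((ip | wc) == (addr | wc) for addr, wc in nets)
        result[str(iface.network)] = "internal-untagged" if covered else "redistributable"
    return result

if __name__ == "__main__":
    print(classify(SAMPLE_CONFIG))
```

Replacing the network statement with 10.241.74.193 0.0.0.0 makes the /29 show as redistributable, because the firewall address matches no local interface.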
06-23-2020 06:20 AM
And if I try this :
ip prefix-list SELECTED permit 10.241.74.198/32
ip prefix-list SELECTED2 permit 10.241.74.195/32
route-map CONN-INTO-OSPF permit 10
 match ip address prefix SELECTED
 set tag 1000
 match ip address prefix SELECTED2
 set tag 1000
router ospf 10
 redistribute connected subnets route-map CONN-INTO-OSPF
BR
06-23-2020 09:01 AM
Hello @Jerome C. ,
it cannot work for two reasons:
a) the connected subnet is 10.241.74.192/29 and not a collection of hosts /32.
b) the connected subnet needs to be advertised as an internal route and will be in order to advertise the static routes.
Hope to help
Giuseppe
