Redistribute Static options

saquib.tandel
Level 1

Hi

I got remote offices connected to our DataCenter, some via MPLS and some via VPN terminated on Cisco ASA. I am running OSPF on LAN and BGP for MPLS sites. To have reachability to VPN remote offices I added 'redistribute static in OSPF', and to have reachability to sites connected via metro link I added 'redistribute connected'.

router ospf 1

network 10.10.0.0 0.0.0.255.255 area 0

redistribute connected

redistribute static

ip route 0.0.0.0 0.0.0.0 ASA

ip route 10.10.150.0 255.255.255.0 MPLS

ip route 10.10.155.0 255.255.255.0 WAN_RTR

ip route 10.10.157.0 255.255.255.0 ASA

ip route 192.168.12.0 255.255.255.0 ASA

Are there better ways of doing the config than above?

I also need restrictive access to Training Center, i.e. some remote offices passing the MPLS cloud can access the Training Center site and some remote VPN offices passing the ASA can access the Training Center site.

Thanks

ST

1 Accepted Solution

NickNac79
Level 1

Hi ST,

You haven't said where your OSPF neighbors are. Are the ASA, WAN router or MPLS routers OSPF neighbors, and are they under your control?

Assuming that your OSPF neighbors are connected only to your Core switch (and not shown in the diagram) I would do it this way:

router ospf 1

  network 10.10.0.0 0.0.0.255.255 area 0

  default-information originate

  passive-interface default

  no passive-interface (repeat as necessary)

  redistribute static subnets metric-type 1

ip route 0.0.0.0 0.0.0.0 ASA

ip route 10.10.150.0 255.255.255.0 MPLS

ip route 10.10.155.0 255.255.255.0 WAN_RTR

ip route 10.10.157.0 255.255.255.0 ASA

ip route 192.168.12.0 255.255.255.0 ASA

Nick

Hi Nick

I got 15 offices in the same building as the DataCenter; some are uplinks and some are trunk ports. Those sites are part of OSPF.

Looking at the above config, I am not sure if I will still be able to restrict one remote office behind MPLS from reaching the training_center site as per the above topology.

thanks

ST

You can restrict user access by using ACLs, prefix-lists, etc. It depends on how your configuration is set up, but in short, it's doable.

Kishore, can you give an example as per your post? You can view my sample config above in the post.

Hi ST,

You just need a basic ACL on your Core Switch interface facing the MPLS router...  e.g.

ip access-list extended ACL_MPLS_IN

  deny ip 10.10.150.0 0.0.0.255 10.10.155.0 0.0.0.255

  permit ip any any

int g0/0

  ip access-group ACL_MPLS_IN in

This is just a very simple example - you can find more information here

Hope that helps,

Please rate any posts you find helpful.

Nick
