cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1769
Views
70
Helpful
27
Replies

understanding OSPF

wilson_1234_2
Level 3
Level 3

We have the OSPF network shown in the drawing and I am trying to understand what OSPF should be doing.

When the HQ internet is lost, the higher AD of the MPLS edge router flips the gateway to that side for DR internet. That works.

The 525 and 515 PIX firewalls should be getting the default route from the edge router and distributing this to the inside Network.

The 525 firewall is working and distributing the default to the inside network.

The 515 sees the default advertised from the edge router, but uses the default it is getting from the 6509 switch (which is getting it's default from the 525 PIX, gotten from the edge router).

I am trying to understand what OPSF is doing with the two processes in the PIXs and why the 515 prefers the inside to the outside.

I realize the PIX may be confused with the 525 default information originate, which is telling everything on the inside to use it as the default route, while the edge router is also telling the 515 it has the default route.

So, the 6509 is advertising the 525 to everyone internally as the default correct?

But why wouldn't it just as equally use the edge router if it is advertising as a gateway?

Is there a guide to understanding the ospf database and how a device prefers a particular route with that database?

27 Replies 27

Edison Ortiz
Hall of Fame
Hall of Fame

Check the Router-ID from the 6509 and the internet router.

From your GIF file, the internet router's RID is 2.2.2.1. If the 6509's RID is higher, that route will be the preferred route.

You design is a bit odd with the introduction of multiple OSPF processes. Can you elaborate on that design ?

Thanks for the reply.

Internet router ID is higher than 6509 router ID

A CCIE designed this and is not availabe to ask questions.

Apparently during the design, there was some difficulty in getting the adjacentcy to form on the PIX firewalls to the internet router.

TAC suggested the second process, it was implemented and the notes say the desired goal was achieved.

Problems still exist in the design, because there is a static default route to the internet router for Internet connectivity in the 515 PIX.

When that is removed, the PIX routes to the inside for the gateway route.

So the RID determines the prefered route when more than one path is taken?

Can you explain, or point me to a better understanding?

Why would the 525 PIX work as expected by prefering the internet router?

Are there any documents that show how to decipher a database, or why a device is choosing a particular route?

I duplicated your environment and I don't see a problem with the OSPF default route.

Keep in mind, I use IOS routers instead of PIXes.

I can't find any document on understanding the OSPF database. The best book in the subject is "Routing TCP/IP Volume I by Jeff Doyle".

In the meantime, let's verify the 515 has actually a neighbor relationship with the internet router.

show ip os nei

show ip os data | i 0.0.0.0

from the 4 devices in question will help .

I have verified the neighbor relationship with the internet router and both pixes.

The internet router shows:

pix525 as full/dr

pix515 as full/bdr

Pix 515 shows:

internet router as full/drother

pix525 as full/dr

6509 as full/dr

Pix 515 shows:

Link ID ADV Router Age Seq# Checksum Tag

0.0.0.0 2.2.2.1 (internet router) 63 0x800000ae 0x18a4 1

What about default-information-originate?

How would that be affecting the process here?

_______

Pix 515 shows:

Link ID ADV Router Age Seq# Checksum Tag

0.0.0.0 2.2.2.1 (internet router) 63 0x800000ae 0x18a4 1

_______

This output is contradicting what you stated in the initial post. The PIX 515 sees the default route from the internet router via OSPF. It's not showing another 0.0.0.0 from the 6509 in the OSPF database so perhaps you have a static or dynamic route injecting the 0.0.0.0 into the 515 ?

The default-information originate will advertise a default route to its neighbors.

Currently, you have a default-information originate from the internet router back to the PIXes (good design), then you created multiple OSPF processes in the PIXes (not such a good design). On the second process, you have a default-information originate in the 525 towards the 6509. The 6509 only knows to get out to the internet via the 525, what's the use for the 515 ? No internet traffic is leaving thru there.

You are also advertising the DMZ subnet into the internal network (OSPF 2) but the DMZ subnet does not know how to get to the internal network.

I feel like I'm missing something without seeing the actual outputs that I requested.

The PIX is showing the internet router as source of the default route, oh, I see as I am writing this.

The PIX 515 does indeed have a static route to the internet router. I guess that is why it is in the database?, if I remove it, it will point to the 6509 for the default route.

I will try and get the actual outputs while the static route to edge router is removed.

The 515 is actually holding a seperate server for customer Internet transactions. This server belongs to a different department.

Also internal users get to the server off of the 515.

Additionally, when there is an Internet circuit failure in the HQ site, outside customers will get to the server from the DR Internet. This traffic will travel across the inside network the the DMZ on the 515.

The 525 is holding another web server for customer access. I do not know why they were seperated.

So, when a route is a static route on the PIX515, it will show up in the OSPF database on that PIX515?

Does the default-information-originate advertise the default route to everyone in the OSPF process or just the neighbors?

Why did you say the DMZ does not know how to get to internal network?

Something else I wondered, the internal routes are showing up on the edge router, which I think is not such a good idea, should they be filtered from the edge router? If the PIX outside interfaces were passive, wouldn't they still receive the default route from the router, just not advertise the internal routes to it?

I edited the real ip addresses and was reluctant to post them here, the reason for not showing the real outputs, is there some other way for me to get them to you to take a look?

A static default route won't be shown in the OSPF database, this route is learned from the default-information originate from the internet router.

Checking your config once again, I see how the DMZ Server is able to connect to internal users. You have the DMZ interface from the PIX on both OSPF domains, ouch this is too messy.

The default-information originate will advertise the default route to every single OSPF router running in the same OSPF domain. Since you have two domains, it's more complex.

If you change the outside interface on the PIX to passive, they won't become neighbor.

Ideally, you should run one OSPF domain between the internet router, the 2 PIXes and the 6509 switch. You can throw in your MPLS router as well.

Only one default-information originate should be issue and it should come from the internet router. The MPLS router can remain with its default-information originate (weighted higher than the current one).

I appreciate the replys.

So that brings up the question (since the default from the internet router is in the pix515 database), why does the 515 use the 6509 as a preferred path to the internet router?

Or or maybe how is it possible?

On the pix DMZs, they are seperate DMZs, I may have pasted one to the other, but that is all working ok.

I will like to see the OSPF database when that takes place. Currently, there is only one default route in the OSPF database and it's pointing to the internet router.

The config you posted may have missing information, and that missing information may be the cause of the problem. Sanitize your config by changing the IPs but keep the logic in the config, post it again...

Are you talking about missing information in the ospf config?

I can email them to you, or post the entire config here and just delete it as soon as you have had a chance to look at it.

It is perplexing why the 515 is not using the edge router as the default gateway and why the 6509 is not showing up in the database.

I have noticed on the both PIXs, the the 525 (working) shows only one process as active.

The non working is showing both processes as active.

I am wondering if the working PIX actually only has one process that is working ok (both processes have the outside subnet configured in them).

The non working PIX has two active processes, but one process is not distributing the outside subnet into the second process.

This pix does not have the ouside subnet configured in the inside process closest to the 6509 switch.

I have attached this showing the real ip addreses

Yes, I'm talking about missing information in the OSPF config.

Please post the sanitized config so it can be of value for other members of the forum.

It is perplexing what we are seeing here and if it's affecting your network, I suggest you get someone onsite or open a TAC case.

They will be able to get the whole picture, Layer1 thru Layer7.

Based on your latest attached file, it seems the 525 shouldn't be working at all !

On the sanitized config, they are pretty extensive, what should I remove?

On the ospf components, I gave you everything.

Usually this forum is more valuable to me than TAC.

I opened two cases with TAC.

I didn't get anywhere with the PIX engineers.

Basically one told me to duplicate the config from the working pix to the non working pix including the "default-information-originate"

The other one told me to upgrade the 525 image becase of a bug with the failover components.

posted is the ospf from both PIXs

I was thinking the 515 did not have the edge subnet in both processes, but i guess it does.

No glaring problems in your last attached file.

Let's see a complete output from these commands on both PIXes:

show ip os nei

show ip os data

show ip os

Thanks

here are the requested outputs

Review Cisco Networking for a $25 gift card