understanding OSPF

wilson_1234_2
Level 3

We have the OSPF network shown in the drawing and I am trying to understand what OSPF should be doing.

When the HQ internet is lost, the higher AD of the MPLS edge router flips the gateway to that side for DR internet. That works.

The 525 and 515 PIX firewalls should be getting the default route from the edge router and distributing this to the inside Network.

The 525 firewall is working and distributing the default to the inside network.

The 515 sees the default advertised from the edge router, but uses the default it is getting from the 6509 switch (which is getting its default from the 525 PIX, gotten from the edge router).

I am trying to understand what OSPF is doing with the two processes in the PIXs and why the 515 prefers the inside to the outside.

I realize the PIX may be confused with the 525 default information originate, which is telling everything on the inside to use it as the default route, while the edge router is also telling the 515 it has the default route.

So, the 6509 is advertising the 525 to everyone internally as the default correct?

But why wouldn't it just as equally use the edge router if it is advertising as a gateway?

Is there a guide to understanding the ospf database and how a device prefers a particular route with that database?


Ok, here is the deal.

1) Your OSPF database is in bad shape. It can be a combination of using multiple OSPF processes in addition to a bug within the PIX.

2) The 525 OSPF database only shows LSAs in OSPF Process 2. OSPF Process 1, and this is the important one, only shows one LSA - itself.

3) To add insult to injury, 525 is the DR for that segment so any OSPF communication between the 515 and the internet router needs to go via this PIX. It's strange the 515 and Internet Router OSPF Process 1 database contains the correct LSAs.

Here is my suggestion, move the DR over to the internet router. You can do this by changing the Router-ID in the internet router to a value greater than the 2 PIXes. Use Router-ID 255.255.255.255 for instance.

If you can afford the downtime, reboot the 525.

All this while, you were thinking the problem was the 515, but it was the 525.

This setup is ideal for a CCIE Lab but never for a production environment :)

wow thanks a ton for this information.

sorry for this but

what tells you that:

The ospf database is in bad shape?

Why is process 1 on the 525 the "important one"?

What tells you the 515 and internet router contain the correct LSA's?

How do you know they are correct?

Why do you think this is strange?

The 525 has a failover pair and if I reboot it, it will failover to the standby. Is this what you are talking about, or reboot both of them?

Just compare the OSPF database on the 515 and 525, they are different. Also, compare the OSPF Process 1 on the 515 and the internet router, they are picture perfect.

The 525 does not have the same database on OSPF Process 1.

I consider this Process important because you are bringing the external and default route via this process. I highly suggest you consider consolidating your OSPF database into one process. This is too complex without any need.

I suggest reboot both 525s and make sure to move the DR over to the internet router.

However, I still feel the only way to fix this for good is by consolidating OSPF into one process.

I really appreciate the time you have spent in helping me understand this.

On the OSPF process change, is all that is needed to remove one of the processes and make sure all needed interfaces are in the single process?

I guess I do not know what you mean by picture perfect.

Are you saying that because they are the same on the 515 and router?

And the 525 is showing one process with no activity?

Also, by rebooting the 525s, this will cause the DR to move to the newly reconfigured RID on the internet router and nothing else needs to be done?

Picture perfect means both databases are identical and that's good.

The 525 is only showing LSAs in OSPF Process 2. I believe it has to do with the fact that you have the external interface enabled on both processes. This may be creating the routing problem and will be remedied if you go with one OSPF process.

What's strange is that you have a similar configuration in the 515, yet it is behaving as it should. It can be a bug in the 525, not sure since I don't deal with PIX much.

How do you feel about changing this configuration ?

As for the rebooting question, once the DR goes down, a new election takes place and the router with the highest RID will become the DR. Make sure to have the highest RID in the internet router before rebooting the 525.

I am all for changing it since it is a problem and it could contribute to other problems down the road.

I believe the setup in this company has been overly complicated for some reason.

There have been other issues that have been corrected already.

For example, when I first got here about four months ago, the dynamic failover did not work at all; one of the issues was that all devices that had OSPF configured (including the 6509 switches) had the "default information originate" in the OSPF config.

I do not think the CCIE did that, but the guy working here before I came did it. There were also static default routes in 6509s to the 525 pix.

I have some of the design notes, and the CCIE engineer said he could not get the adjacencies to form with one process, called TAC and they suggested it; maybe the PIX TAC guys do not have too much experience with OSPF.

But I want it to be designed correctly, one reason for my persistent, seemingly never-ending and annoying questions.

I do not have the expertise you guys have to figure all of this out on my own, and I want to understand why things are doing what they do.

I have a PIX 515 I can test some of this on.

I really appreciate all of the help and your patience. I hope you know how valuable I think this forum is and how much I have learned from it.

I got started late in life, so just about the time I get so that I know something, it will be time to retire.

One more thing, should the inside routes be filtered from the outside network?

If so, what would be the best way to do it?

The DMZ network, as we referred to the outside network, needs to be able to reach the inside network, so the routes are needed in that space.

The internet router also has the routes, but they aren't advertised to the internet since you aren't redistributing OSPF into BGP.

Ideally, you would setup a NAT on the PIX so routes from the inside network aren't advertised to the DMZ.

Thanks again.

Are you saying the LSAs should all match in all devices running ospf?

For example, I should see the same number of LSAs and the checksum should match on all of them?

And how did you know the process 2 on the 525 showed the LSA as itself?

Start time: 00:00:57.329, Time elapsed: 2w0d
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Link-local Signaling (LLS)
Supports area transit capability
It is an autonomous system boundary router
Redistributing External Routes from,
bgp 7046
Router is not originating router-LSAs with maximum metric
Initial SPF schedule delay 5000 msecs
Minimum hold time between two consecutive SPFs 10000 msecs
Maximum wait time between two consecutive SPFs 10000 msecs
Incremental-SPF disabled
Minimum LSA interval 5 secs
Minimum LSA arrival 1000 msecs
LSA group pacing timer 240 secs
Interface flood pacing timer 33 msecs
Retransmission pacing timer 66 msecs
Number of external LSA 74. Checksum Sum 0x2932C7
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Number of areas transit capable is 0
External flood list length 0
IETF NSF helper support enabled
Cisco NSF helper support enabled
Area BACKBONE(0)
Number of interfaces in this area is 7 (5 loopback)
Area has no authentication
SPF algorithm last executed 1w4d ago
SPF algorithm executed 7 times
Area ranges are
Number of LSA 18. Checksum Sum 0x0B1038
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0

OSPF speaking routers participating in the same area must have an identical view of the network. That's what makes OSPF a link state protocol, it keeps track of all links via its database.

If you look in the 'show ip os data' from the 525 under OSPF Process 2, it only shows one LSA. That LSA is type 1 (router link) and the IP is the 525's (itself).

Edit: Correction, the 525 Process ID 1 is the one showing only one LSA. Process ID 2 is working as it should.
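To make the "identical view" check concrete, here is an added Python example (not part of this thread and not Cisco code) that reduces each router's `show ip ospf` output to the figures that must agree between speakers in the same area, the per-area LSA count and checksum sum plus the external (type 5) LSA count and checksum sum, and flags any router whose figures differ from the others. The sample outputs are constructed in the layout of the excerpt pasted above; the router names and the 525's LSA figures are made up for the demonstration.

```python
import re

# Line formats taken from the "show ip ospf" excerpt pasted in the thread.
RE_EXTERNAL = re.compile(r"Number of external LSA (\d+)\. Checksum Sum 0x([0-9A-Fa-f]+)")
RE_AREA_HDR = re.compile(r"^Area (BACKBONE\(\d+\)|[\d.]+)(?: \(.*\))?$")
RE_AREA_LSA = re.compile(r"Number of LSA (\d+)\. Checksum Sum 0x([0-9A-Fa-f]+)")


def parse_show_ip_ospf(text):
    """Reduce one router's 'show ip ospf' output to the figures that must agree
    between OSPF speakers: the external (type 5) LSA count and checksum sum, and
    the LSA count and checksum sum of each area.
    Returns {'external': (count, sum), 'areas': {area_name: (count, sum)}}."""
    summary = {"external": None, "areas": {}}
    area = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_EXTERNAL.search(line)
        if m:
            summary["external"] = (int(m.group(1)), int(m.group(2), 16))
            continue
        m = RE_AREA_HDR.match(line)  # "Area BACKBONE(0)", "Area 1", ... start an area section
        if m:
            area = m.group(1)
            continue
        m = RE_AREA_LSA.search(line)  # "Number of LSA 18. Checksum Sum 0x0B1038" inside an area
        if m and area is not None:
            summary["areas"][area] = (int(m.group(1)), int(m.group(2), 16))
    return summary


def compare_databases(summaries):
    """summaries: {router_name: parsed summary}. The first router in sorted order is
    the reference; every disagreement is returned as (router, scope, reference, observed).
    An empty list means every router has the same view, which is what OSPF requires."""
    names = sorted(summaries)
    ref_name, ref = names[0], summaries[names[0]]
    mismatches = []
    for name in names[1:]:
        other = summaries[name]
        if other["external"] != ref["external"]:
            mismatches.append((name, "external", ref["external"], other["external"]))
        for area in sorted(set(ref["areas"]) | set(other["areas"])):
            a, b = ref["areas"].get(area), other["areas"].get(area)
            if a != b:
                mismatches.append((name, f"area {area}", a, b))
    return mismatches


def sample_output(external, area_lsa):
    """Constructed 'show ip ospf' excerpt in the layout seen in the thread (not real device output)."""
    ext_count, ext_sum = external
    lsa_count, lsa_sum = area_lsa
    return f"""\
Supports only single TOS(TOS0) routes
It is an autonomous system boundary router
Number of external LSA {ext_count}. Checksum Sum 0x{ext_sum:06X}
Number of opaque AS LSA 0. Checksum Sum 0x000000
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
Area BACKBONE(0)
Number of interfaces in this area is 7 (5 loopback)
Area has no authentication
Number of LSA {lsa_count}. Checksum Sum 0x{lsa_sum:06X}
Number of opaque link LSA 0. Checksum Sum 0x000000
Flood list length 0
"""


# Constructed inputs mirroring the thread: the 515 and the internet router agree
# (figures reused from the pasted excerpt), the 525 only holds one LSA in the area.
SAMPLES = {
    "internet-router": parse_show_ip_ospf(sample_output((74, 0x2932C7), (18, 0x0B1038))),
    "pix-515": parse_show_ip_ospf(sample_output((74, 0x2932C7), (18, 0x0B1038))),
    "pix-525": parse_show_ip_ospf(sample_output((74, 0x2932C7), (1, 0x00A1B2))),
}

if __name__ == "__main__":
    for router, scope, expected, seen in compare_databases(SAMPLES):
        print(f"{router}: {scope} shows {seen}, reference shows {expected}")
```

Run against real output, a mismatch in the external figures points at the ASBR or redistribution side, while a mismatch inside an area points at adjacency or flooding on that segment, which is the case this thread describes.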

One last thing on this:

The RID can be any ip address, it doesn't have to be an active interface on the router?

And who do you want the DR to be in the OSPF process?

It can be any IP address and it doesn't have to be an IP address on the router. If you don't manually enter the RID, the router will select the highest loopback address. If the loopback address is missing, it will select the highest ip address from any of the physical interfaces.

Ideally, the internet router should be the DR.
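The router-ID selection order described in the reply above and the DR election behaviour from the earlier reply (the DR is only re-elected once the current DR goes away) are worked through in this added Python example, which is not from the thread or from Cisco. It goes one step beyond the replies by modelling the standard OSPF interface priority (priority 0 never becomes DR, higher priority wins before the RID tie-break); the device names, addresses and the assumption that the 525 starts as DR are constructed for the walk-through.

```python
import ipaddress
from dataclasses import dataclass


def select_router_id(configured=None, loopbacks=(), physical=()):
    """Selection order from the reply: a manually configured router-id wins, otherwise the
    highest loopback address, otherwise the highest address on a physical interface.
    (Assumption: all listed addresses are up; IOS only considers interfaces that are up.)"""
    if configured:
        return str(ipaddress.IPv4Address(configured))
    if loopbacks:
        return str(max(ipaddress.IPv4Address(a) for a in loopbacks))
    if physical:
        return str(max(ipaddress.IPv4Address(a) for a in physical))
    raise ValueError("no IP address available to derive a router-id")


@dataclass
class Neighbor:
    name: str
    router_id: str
    priority: int = 1  # OSPF interface priority (standard OSPF; assumption beyond the thread)


def elect_dr(neighbors, current_dr=None):
    """Return the name of the DR on a segment. An existing DR is not preempted: a new
    election (highest priority, then highest RID) only runs when current_dr is None or
    no longer present, which is the 'once the DR goes down' behaviour from the thread."""
    alive = {n.name: n for n in neighbors}
    if current_dr in alive and alive[current_dr].priority > 0:
        return current_dr
    eligible = [n for n in neighbors if n.priority > 0]
    if not eligible:
        return None
    winner = max(eligible, key=lambda n: (n.priority, int(ipaddress.IPv4Address(n.router_id))))
    return winner.name


def thread_scenario():
    """Constructed walk-through of the change proposed in the thread (made-up addresses).
    Returns the DR after each step."""
    pix525 = Neighbor("pix-525", select_router_id(physical=["10.1.1.2", "192.0.2.9"]))
    pix515 = Neighbor("pix-515", select_router_id(physical=["10.1.1.3", "192.0.2.3"]))
    inet = Neighbor("internet-router", select_router_id(loopbacks=["10.255.0.1"], physical=["192.0.2.1"]))
    steps = []
    # 1) Steady state: the 525 is the DR and keeps the role.
    dr = elect_dr([pix525, pix515, inet], current_dr="pix-525")
    steps.append(dr)
    # 2) Configure the suggested router-id 255.255.255.255 on the internet router.
    #    Nothing moves: the DR is not preempted by a higher RID.
    inet = Neighbor("internet-router", select_router_id(configured="255.255.255.255"))
    dr = elect_dr([pix525, pix515, inet], current_dr=dr)
    steps.append(dr)
    # 3) Reboot the 525: the DR is gone, a new election runs, highest RID wins.
    dr = elect_dr([pix515, inet], current_dr=dr)
    steps.append(dr)
    # 4) The 525 comes back: the internet router stays DR.
    dr = elect_dr([pix525, pix515, inet], current_dr=dr)
    steps.append(dr)
    return steps


if __name__ == "__main__":
    for step, dr in enumerate(thread_scenario(), 1):
        print(f"step {step}: DR = {dr}")
```

Step 2 is the point worth checking on the real devices: changing the router-id (which also requires the OSPF process to restart on that router) does not by itself move the DR, so the 525 has to leave the segment before the election result changes.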

wow Edison, don't you ever rest?

One last question and I will leave you alone:

Does the lsa hold the ospf database?

if so, is that all it does?

I'm resting now, you should see when I'm really working :)

LSAs are link-state advertisements that describe the OSPF topology. LSAs are stored in the OSPF database and there are several types:

LSA Type 1 is the Router LSA. This LSA informs other OSPF speaking routers about its existence.

LSA Type 2 is the Network LSA. This LSA informs other OSPF speaking routers about the existence of a DR (Designated Router).

LSA Type 3 is the Summary LSA. This LSA comes from an ABR and it informs other OSPF speaking routers about links located in other areas.

LSA Type 4 is the ASBR Summary LSA. This LSA informs other OSPF speaking routers about the existence of an ASBR. It's needed for reachability to external routes.

LSA Type 5 is the External LSA. This LSA informs other OSPF speaking routers about routes being redistributed into OSPF.

Last but not least, LSA Type 7. This is the NSSA LSA and you only get to see this LSA when you configure not-so-stubby areas.

There are other LSAs but not supported by the Cisco IOS.

Based on the OSPF database you posted, your network only has LSA Type 1 (Router Links), Type 2 (You have DR/BDR) and Type 5 (You have a redistribution into OSPF from BGP and other OSPF Process ID).

HTH,
