Solved: VPN VTI and OSPF

searchoptics_2011 · ‎06-18-2012

So I have 4 sites total, two with dual routers off of them.

We currently have a single ospf area (everyone belongs to area 0)

I would like to split each site into it's own area.

However admitidly my ospf knowledge is limited. This was much easier when it was RIP, the problem with RIP being I was unable to weight links. Let me use an example.

From our San Diego office to our Detroit office we have a VTI link.

The detroit office has 2 routers running HSRP between a cable link and t1 (the cable is primary). Both of these routers use a VTI into our single San Diego router. I used ip ospf cost to specify which link is to be used on the San Diego side.

Anyway. For area 0 which is our main site, the tunnel config looks like.

interface Tunnel0

description tunnel to AIS San Diego

ip address 172.28.42.2 255.255.255.0

ip ospf network broadcast

ip ospf mtu-ignore

tunnel source GigabitEthernet0

tunnel mode ipsec ipv4

tunnel destination 64.87.xxx

tunnel protection ipsec profile VTI

!

interface Tunnel1

description tunnel to detroit office

ip address 172.28.41.1 255.255.255.0

ip ospf network broadcast

ip ospf cost 100

ip ospf mtu-ignore

tunnel source GigabitEthernet0

tunnel mode ipsec ipv4

tunnel destination 69.14.xxxx

tunnel protection ipsec profile VTI

!

interface Tunnel2

description tunnel to Detroit Data Center

ip address 172.28.49.1 255.255.255.0

ip ospf network broadcast

ip ospf mtu-ignore

tunnel source GigabitEthernet0

tunnel mode ipsec ipv4

tunnel destination 199.16.xxxx

tunnel protection ipsec profile VTI

!

interface Tunnel3

description tunnel to Detroit t1 router

ip address 172.28.50.1 255.255.255.0

ip ospf network broadcast

ip ospf cost 200

ip ospf mtu-ignore

tunnel source GigabitEthernet0

tunnel mode ipsec ipv4

tunnel destination 204.232.xxxx

tunnel protection ipsec profile VTI

!

router ospf 42

log-adjacency-changes

passive-interface GigabitEthernet0

network 172.28.41.0 0.0.0.255 area 0

network 172.28.42.0 0.0.0.255 area 0

network 172.28.49.0 0.0.0.255 area 0

network 172.28.50.0 0.0.0.255 area 0

network 192.168.1.0 0.0.0.255 area 0

!

In this example if I want the Detroit Site to be area 1, then these links connecting San Diego to Detroit also have to be in area 1 ?

Does anyone have a guide or examples/a refernce they could point me to ?

With 4 sites and dual routers in some of them, it is getting confusing

smehrnia · ‎06-21-2012

Prefixes mean Networks, we also call a Network ID or a Subnet ID a prefix. ex: 172.28.x.x. when i say how many prefixes, i mean how many subnets or network destinations.

Physical Distance doesnt matter at all, as long as you links are good and there is not a lot of routing info to be exchanged.

keep using ONLY Area 0, with ospf network type broadcast, so you have a DR and BDR. then you can manipulate DR/BDR selection.

plz Rate if it helped,

Soroush.

Hope it Helps!

Soroush.

View solution in original post

smehrnia · ‎06-18-2012

Hi there,

With OSPF area's you have to do it according to ur network physical and logical design, which at this point i dont know about it, but i can give u a few guide lines.

* I suggest you make these WAN links a part of Area 1 rather than area 0 to have better performance.

* when you create multiple areas, area 0 would be ur core network, and every routing update has to go through Area 0.

this means, even if you have ur area 1 directly connected to area 2, still everything goes through Area 0.

so, all you area's MUST be connected to Area 0, physically or through Virtual links.

there is this good piece of reference u might find useful:

http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094e9e.shtml

finally, try to keep it as simple as possible. 4 sites and dual routers don't need to have a complicated routing mechanism. to be honest, One OSPF Area (0) is more than enough to have this network up and running

plz Rate if it helped.

Soroush.

Hope it Helps!

Soroush.

searchoptics_2011 · ‎06-18-2012

I've attached a basic diagram of our current network set up.

The links I am referring to are strictly private/VPN.

It works pretty well now, I haven't bothered to wireshark the links and see how much bandwidth is eaten up by LSA's but we don't have a performance issue at all.

Our main traffic center is the AIS San Diego Router, all of our infrastructure is housed there. Waveform is a DNS fail over location (we're not quite ready for BGP yet). I was hoping by using area's id move routing updates and work off the data center routers, as they need to route public connections more than anything.

We will be adding 2 more sites (Atlanta and one in Canada) and I am open to design suggestions as this is my first OSPF network.

Thanks again man!

smehrnia · ‎06-19-2012

Hey John

how many prefixes do you expect to be in ur routing table at the end? Because if your routing table is not that large, you dont need to keep them speparated by OSPF Areas.

once your network is converged by ospf, there wouldnt be a lot of LSA travelling through ur network, just a buncha hello packets n stuff, unless you have an unstable network.

How far your sites are located from eachother doesnt mean that you have to devide your network, its is how big an busy your routing process could get.

you have good links, private, with back ups. you r good to go... a single area, i'd suggest. if ur company did a merger with another Co, then keep their Net in another area or sth

cheerZ,

Soroush.

Hope it Helps!

Soroush.

searchoptics_2011 · ‎06-20-2012

So the 172 networks are just for the tunnels, we don't use those for anything else.

In terms of prexix's ? I am not sure I understand that term

At the end of the day we have about 12 private networks linked together behind these routers.

The distance between San Diego and Detroit is fairly large, but we have high speed links between all sites (the slowest being 10m fiber)

handoko wiyanto · ‎06-21-2012

hi John,

are you having any issues with current configuration?

if no, then i would very agree with Soroush, keep it simple, and for network like this im gonna use only area 0.

regards,

smehrnia · ‎06-21-2012

Prefixes mean Networks, we also call a Network ID or a Subnet ID a prefix. ex: 172.28.x.x. when i say how many prefixes, i mean how many subnets or network destinations.

Physical Distance doesnt matter at all, as long as you links are good and there is not a lot of routing info to be exchanged.

keep using ONLY Area 0, with ospf network type broadcast, so you have a DR and BDR. then you can manipulate DR/BDR selection.

plz Rate if it helped,

Soroush.

Hope it Helps!

Soroush.

searchoptics_2011 · ‎06-22-2012

I appreciate all the help guys, I am going to leave everything in Area 0 after reading ya'll's comments.

To answer a previous questions, we don't have any problems with the current setup. We do seem to have one tunnel that flaps more than it should (while all the others are rock solid), but I think thats a seperate issue.

Cheers, thanks for all the help!