Solved: ASA 9.x OSPFv2 neighbor cost command?

hypnotoad · ‎12-04-2013

Does this exist?

Example: "neighbor 1.1.1.1 cost 100"

I have a pair of ASA 9.1x firewalls. They are connected to a pair of Cisco IOS routers. One router is the primary path to my MPLS network. The other is a router on my DMVPN backup network. There is a layer 2 switch between the ASA's and the two WAN routers. I need to ASA to make a route decision on two identical prefixes coming from each of the WAN routers. I can do this is IOS. How to I do this with an ASA?

I'm concidering changing the ASA to trasperant mode and neighbouring to my L3 core switches. The problem with that is that it will break ScanSafe.

Any ideas?

Sorry if I posted to the wrong forum. I wasn't sure if this was WAN, LAN, or security. It is a bit of all three.

--Patrick

Jon Marshall · ‎12-04-2013

Didn't we have a discussion about this on a more general level a while ago ?

Are you still using OSPF to OSPF redistribution on the DMVPN link or using redistribute connected.. If so just make those type 2s (the default) but redistribute the BGP to OSPF routes as type 1s. Type 1s are preferred over type 2s in the OSPF path selection.

Perhaps it's not as simple as that though.

Jon

View solution in original post

Jon Marshall · ‎12-04-2013

Patrick

Do the ASAs receive any routes from the WAN routers and if so are they OSPF <-- ignore this, you have already said.

Are the WAN routers receiving OSPF routes from the MPLS WAN or are they BGP and being redistributed into OSPF ?

Jon

Jon Marshall · ‎12-04-2013

Forgot to ask. Are the ASAs in active/standby mode.

Jon

hypnotoad · ‎12-04-2013

ASA's are active standby.

The ASA's also recieve OSPF routes from each of the WAN routers. One of the WAN routers is running BGP and OSPF and doing two way redistribution.

--Patrick

Jon Marshall · ‎12-04-2013

Okay so this might be a bit complicated.

The main router is redsitributing BGP into OSPF so the OSPF routes are seen as external type 2 (or 1) depending if you have changed it.

The DMPVN routes are presumably intra or inter area routes ?

So the DMVPN routes will be preferred if this is the case. Can you confirm ?

Jon

Jon Marshall · ‎12-04-2013

Didn't we have a discussion about this on a more general level a while ago ?

Are you still using OSPF to OSPF redistribution on the DMVPN link or using redistribute connected.. If so just make those type 2s (the default) but redistribute the BGP to OSPF routes as type 1s. Type 1s are preferred over type 2s in the OSPF path selection.

Perhaps it's not as simple as that though.

Jon

hypnotoad · ‎12-04-2013

The OSPF routers are all coming into the ASA and external type 2. My DMVPN network is actually running as a seperate OSPF process ID and I'm doing OSPF to OSPF redistribution.

I'm just trying to work out this last little bit as the ASA. The OSPF feature isn't as fully basek as that of IOS. I'm starting to think that I need to run then in transperent mode and neighbor the WAN routers to the 3850 core.

hypnotoad · ‎12-04-2013

I'll play around with the type 1 vs type 2 thing. I've done that in the past. I can set my MPLS routes as type 1 and DMVPN routes as type 2.

Jon Marshall · ‎12-04-2013

If it works that is certainly going to be easier than having to change your ASAs from routed to transparent mode.

Jon

hypnotoad · ‎12-05-2013

Thanks Jon. The type 1 vs type 2 ospf routes will do the trick.