Thanks, Julio. For simplicity picture a pair of ASBRs that are receiving the def rte via BGP from their respective ISPs and originating the def route into OSPF as indicated below. (each of these ASBRs are in different locations) The internal router, RTR-HTX is the router that I want to prefer the internet path with the 200 tag. As you can see OSPF prefers the lower metric and does not present the E1 that is tagged 200 for consideration.

What I am trying to accomplish here is have some locations simply follow the preferred path,  ISP1, and only fail-over to ISP2 if ISP1 fails. The other sites will only and always use ISP2. (Internal IT policies dictate this) Unfortunately costing will not work in this type of scheme due to our flat/L2 ELAN OSPF broadcast WAN topology. (Additionally, the location that houses ISP2 has dual providers/ASBRs so redundancy is covered)

My alternative, if I cannot get this to work, is to use static routes tethered to BFD.

Configs and show outputs--->

For ASBR#1 (ISP1) (RTR-580)
router ospf 1
router-id 10.10.1.1
network 10.0.0.0 0.255.255.255 area 0
default-information originate route-map INJECT_DR
!

ip access-list standard ISP_580
permit 192.168.50.2
!

ip prefix-list default_present seq 10 permit 0.0.0.0/0
!
route-map INJECT_DR permit 10
match ip address prefix-list default_present
match ip next-hop ISP_580
set metric 50
set metric-type type-1
set tag 580
============================================================
For ASBR#2: (ISP2) (RTR-UNJ)
router ospf 1
router-id 10.10.1.1
network 10.0.0.0 0.255.255.255 area 0
default-information originate route-map INJECT_DR

!

ip access-list standard ISP_UNJ
permit 192.168.40.2
!
ip prefix-list default_present seq 10 permit 0.0.0.0/0
!
route-map INJECT_DR permit 10
match ip address prefix-list default_present
match ip next-hop ISP_UNJ
set metric 100
set metric-type type-1
set tag 200
============================================================
For router that I want to perform the RIB manipulation: (RTR-HTX)

router ospf 1
router-id 10.10.3.3
network 10.10.0.0 0.0.255.255 area 0
network 192.168.10.0 0.0.0.255 area 0
distribute-list route-map BLOCKTAG580 in

!
route-map BLOCKTAG580 deny 10
match tag 580
!
route-map BLOCKTAG580 permit 20
!
Output and config for remote site--->

RTR-HTX#sho ip o d e

OSPF Router with ID (10.10.3.3) (Process ID 1)

Type-5 AS External Link States

LS age: 1276
Options: (No TOS-capability, DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: RTR-580
LS Seq Number: 80000039
Checksum: 0x5816
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
MTID: 0
Metric: 50
Forward Address: 0.0.0.0
External Route Tag: 580

LS age: 139
Options: (No TOS-capability, DC, Upward)
LS Type: AS External Link
Link State ID: 0.0.0.0 (External Network Number )
Advertising Router: RTR-UNJ
LS Seq Number: 800000B0
Checksum: 0x81BE
Length: 36
Network Mask: /0
Metric Type: 1 (Comparable directly to link state metric)
MTID: 0
Metric: 100
Forward Address: 0.0.0.0
External Route Tag: 200

RTR-HTX#sho ip route 0.0.0.0
% Network not in table
RTR-HTX#sho ip ospf route | in 0.0.0.0
* 0.0.0.0/0, Ext1, cost 250, fwd cost 200, tag 580

If I remove the distribute list in statement the default route is successfully inserted into the RIB.

Thanks,

Josh...

Hi Josh

Are all the branches passing through the Internal Router  RTR-HTX? Have you tried to manipulate the traffic from the origin "from those networks to use ISP2"? I mean force the traffic using route-maps and next hop settings for those LAN's whom will be using ISP2 only and leave the rest with the normal flow?

This manipulation should be configured on RTR-HTX router. It could be an option.

Happy new year!

:-)

Thanks for your reply.

In this case RTR-HTX represents a branch router. The routers RTR-UNJ1 and RTR-580 represent ASBRs in data centers. (This is actually part of a lab that is simulating this as a PoC prior to deployment) So simply think of the UNJ1 and 580 routers as seed routers for the default route into the enterprise. Other branches will simply follow the preferred path via cost and will fail over to UNJ1 if the BGP session to the provider at 580 goes down. The requirement that I have is for a branch like HTX to exclusively use the UNJ data center for internet access. Another point, from an architecture perspective as previously mentioned, is that the branch wan is comprised of a pair of L2 ELAN networks which makes it impossible for me to adjust OSPF costs on a site by site basis. (I have considered nailing up tunnels to emulate leased lines/point to point links or going with statics with BFD in a site like HTX with statics (no black holing).

Regards,

Josh...

Just read your previous  post again. Are you suggestion PBR?

Hi

That is correct, you can force specific LAN's to go to ISP2 and the rest of the traffic will follow the normal path through ISP1 and if it fails the traffic will be moved to ISP2 automatically. 

It could be a simple method.

:-)

Example:

Internal router. 

ip access-list extended TO-ISP2

deny ip any 10.0.0.0 0.255.255.255

deny ip any 172.16.0.0 0.15.255.255

deny ip any 192.168.0.0 0.0.255.255

permit <your LAN> any 

route-map TO-ISP2 permit 5

match ip address TO-ISP2

set ip next-hop 2.2.2.2   <---- your router connected to ISP2

route-map TO-ISP2 permit 100

interface Gx/x

description >>>LINK TO MY INTERNAL NETWORK<<<

ip policy route-map TO-ISP2