03-16-2015 08:01 AM - edited 03-07-2019 11:06 PM
I'm probably overlooking an easy fix for this, but how can I use 2 links to the internet for different parts of my network? My network kind of looks like this:
(SW)--(R1)--(R2)--(R3)--(SW)--(FW)
Right now the Firewall (FW) has OSPF running and is redistributing its default route throughout my entire network; all devices are in area 0. What I would like to do is add another FW and internet link to R1, so everyone on the R1 LAN will use that internet link and everyone on R3 will continue to use the default route provided by the FW.
I've read about using 2 default routes and adjusting the metric on 1 route, but I don't believe that will answer my question, as I want specific parts of my network to use particular internet links based on their location. Thanks a lot for the help! -Mark
Solved! Go to Solution.
03-16-2015 10:58 AM
IP SLA would be your best bet here, i.e. track the static route you are adding.
If you track the new firewall's inside interface then no problems.
If you track an IP on the internet then R1 will use the new firewall because of its static route, but if the track fails it will remove the static route and then use the existing OSPF default route.
If the ping you are using with your IP SLA then works via the existing firewall, R1 will try and reinstall the static route.
So there are a couple of ways around this -
1) pick an IP within the ISP cloud assuming these are different ISPs. Although this may not be foolproof if the IP is pingable from the general internet.
You would need to talk to the ISP.
2) use local policy routing to make sure the ping goes via your connected firewall. This only works if the firewall is not directly connected to the router ie. there is a switch in between.
3) don't allow ping through on your existing firewall to the internet IP you are using in your track
Up to you, but all of them should work.
It's not worth advertising both defaults and filtering because the routers behind R1 only have a single path to get to either firewall.
Jon
03-16-2015 08:05 AM
Mark
You may need PBR but you may not.
It's difficult to tell from your diagram, but if everyone on the R1 LAN should use a different firewall, can you not just add a static route on that router pointing to the new firewall? That would override the OSPF route.
Or do other users on different LANs need to go via R1 to get to your existing firewall?
Jon
03-16-2015 08:07 AM
Yeah, there are other LANs connected to R1 that would need to use this new link to the internet. Is there a method to redistribute the static from R1 only in a specific direction, so that R2 and R3 wouldn't know about it?
03-16-2015 08:13 AM
"Yeah, there are other LANs connected to R1 that would need to use this new link to the internet"
If all the LANs connected to R1 need to use the new link then just use a static.
Not sure why you need to redistribute it.
Basically if all LANs needing to use the new link have interfaces on R1 and no LANs that have to go through R1 need to use the existing link then you are fine.
If there are LANs that route on some other device but then go via R1 and need the new link this may be different.
It's not clear who should use what :-)
Jon
03-16-2015 08:23 AM
Sorry, by more LANs I meant there were more routers connected to R1 with LANs configured, the full topology looks like this:
(R6)--(R5)--(R0)--(SW)--(R1)--(R2)--(R3)--(SW)--(FW)
R6, R5 and R0 would all need the route to R1's new default gateway. I want all internet traffic from R6, R5, R0 and R1 to go out the new interface at R1. Other traffic from all routers will still need to traverse across R3 and into a LAN.
03-16-2015 08:28 AM
The easiest solution is to just configure a static on R1 pointing to the new firewall but don't redistribute it.
As all your routers are in the same area they will all receive the same LSAs including the default route from the firewall.
So the routers behind R1 would use the OSPF default route to get to R1 but then R1's statically configured route would send the traffic to the new firewall.
It's not the most elegant of solutions but it should work.
Because of your topology, playing with costs is difficult, and you would need to do filtering if you also redistributed R1's static route.
Jon
03-16-2015 09:18 AM
Thanks for the advice Jon. I'm just wondering now, if I do use a static on R1 and R1 ever goes down, I'd have to remove the static in order to allow the other routers to use the route provided by OSPF. I guess filtering would make it more redundant? Or perhaps I could set up an SLA to remove the static route when it notices that the default isn't working?
03-16-2015 09:22 AM
Based on your topology if R1 ever goes down the other routers behind it can't get to the existing firewall anyway.
Not sure what you mean?
Jon
03-16-2015 09:27 AM
Yes if the firewall/Internet connection went down.
03-16-2015 09:51 AM
Mark
Just as a possible alternative, you can always just use PBR and don't configure a static route but you would still need to use IP SLA to track the next hop availability.
And if you do use PBR then you need to make sure your ACL allows traffic between internal subnets before sending any unknown IP, i.e. internet, off to the firewall.
Again, there are always multiple ways of doing things; it's just that because your routers behind R1 have to go to R1 anyway, I'm not sure PBR is really needed.
But it is an option.
Jon
03-16-2015 01:27 PM
Thanks a lot for your help and all the advice! I kind of like the SLA tracking and static route option.
03-16-2015 11:06 AM
Mark
Just to clarify with option 2) in the below.
If the firewall is directly connected, i.e. no switch in between, it wouldn't work, because if the firewall interface goes down PBR knows the next hop is unavailable and so uses the routing table.
If there is a switch in between (more likely) then it would work because PBR thinks the next hop is still up so uses it.
Obviously you don't track the next hop for the PBR part.
Hope that makes sense and hope it goes alright.
Jon
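As an added example (this is not configuration posted by Jon or Mark, and it is not taken from any Cisco document), here is how the accepted answer's approach looks on a Cisco IOS router at R1: a static default route that is only installed while an IP SLA track is up, plus the local policy routing from option 2 so the probe itself always leaves via the new firewall. All addresses and interface names are placeholders I have assumed: 192.0.2.1 is the new firewall's inside address, 198.51.100.1 is a probe target in the new ISP's cloud, and GigabitEthernet0/1 is R1's interface towards the switch in front of the new firewall. Note that nothing here redistributes the static into OSPF, which is the point of the earlier answer.

```cisco
! --- R1: conditional default route via the new firewall ---
! Assumed placeholders: 192.0.2.1 = new firewall inside address,
! 198.51.100.1 = probe target reachable only via the new ISP,
! GigabitEthernet0/1 = R1 interface facing the switch in front of the new firewall.

! IP SLA probe: ICMP echo every 10 seconds. On older IOS the keyword is
! "ip sla monitor" instead of "ip sla".
ip sla 10
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Track object follows the probe; the delays stop a single lost ping
! from flapping the default route in and out of the table.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Static default (AD 1) beats the OSPF external default (AD 110) while
! track 10 is up. When the track goes down IOS withdraws this route and
! R1 falls back to the OSPF default learned from the existing firewall.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
!
! Option 2 from the accepted answer: local policy routing forces R1's own
! probe out via the new firewall even after the static route has been
! withdrawn, so a working path through the old firewall cannot make the
! probe succeed and wrongly reinstall the static route.
ip access-list extended SLA-PROBE
 permit icmp any host 198.51.100.1 echo
!
route-map SLA-PROBE-VIA-NEWFW permit 10
 match ip address SLA-PROBE
 set ip next-hop 192.0.2.1
!
ip local policy route-map SLA-PROBE-VIA-NEWFW
!
! Deliberately absent: "redistribute static" under "router ospf". The
! routers behind R1 keep using the OSPF default to reach R1, and R1's
! own static route then sends their internet traffic to the new firewall.
```

As Jon points out, this relies on a switch sitting between R1 and the new firewall: if the firewall fails but the switch stays up, the local policy still pushes the probe towards 192.0.2.1, the probe fails, and the track goes down as intended. If the firewall were directly connected, the interface going down would make PBR fall back to the routing table and the probe would escape via the old firewall. To confirm the failover behaviour, watch `show track 10` and `show ip route 0.0.0.0` while the probe target is reachable and again while it is not; the static should appear and disappear accordingly.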