
Multiple OSPF processes on a single router

rushabhsha
Level 1

Hello Support Community,

Can you please confirm if you can run multiple OSPF processes on a single router? One OSPF process with MD-5 authentication and 1 OSPF process without any authentication.

Can you please let me know if there would be any caveats or hiccups that would come in.

Thank you.

11 Replies

Rob Cluett
Level 1

Yes. You can run multiple OSPF processes each being independent from one another.  There should be no problem running authentication on one and not the other.

Hi,

Thank you for confirming. Can you please point me to a document I can refer to? I can check if there would be special areas of concern that I would look into.

Best

I found this dialogue which might help but haven't found any Cisco documentation discussing the matter. Someone else may have more luck.

As long as you are not interested in putting the two OSPF processes on a single link you should be good.

This design guide is one Cisco source which verifies that you can run multiple OSPF processes on one router:

http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/7039-1.html#t10

And here is another official Cisco document that discusses redistribution issues with multiple OSPF processes which might be helpful:

http://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/4170-ospfprocesses.html

HTH

Rick


Thank you Rick.

Much appreciate it.

You are quite welcome. There are some interesting aspects of running multiple OSPF processes on a single router. The only requirement that you mention is that one OSPF process should use MD5 authentication and the other OSPF process should not use authentication. That is certainly possible.

There are a few things about multiple OSPF processes that you might want to consider:

- while there is a single IP routing table for the router (which will contain routes learned by the multiple OSPF processes) each OSPF process maintains its own separate Link State data base (which will contain its own local subnets and subnets learned from its OSPF neighbor routers).

- an interface on the router can participate in only one OSPF process (at a time). So as the other responder has pointed out you can not have two OSPF processes on a single link.

- what each OSPF process will advertise to its neighbors is based on its own Link State Data Base and not on the main IP routing table for the router.

- which means that you can not advertise to one OSPF neighbor routes learned by the other OSPF process unless you configure redistribution between the OSPF processes.

HTH

Rick


Hello Rick,

I can give you the precise situation. I have a pair of Nexus 7k’s @ the core where 1 OSPF process is already running and on the north of the Nexus 7K is a Checkpoint FW and on its north is the edge router to the internet.

 

At present there are static routes for different networks coming from the edge router all the way through the Nexus 7K core. I would want to introduce dynamic routing in that route from Edge Router->FW and then redistribute from the FW to the Nexus as there is dynamic routing (OSPF with no auth) for everything under the 7Ks.

 

The catch is due to some constraints we will have to introduce a new OSPF process with authentication from Edge router -> FW and redistribute the routes from the FW down to Nexus7k.

Thanks for the additional information. So basically you want to replace existing static routes (for resources reached via the Checkpoint firewall and the edge router) with dynamic routing OSPF between Nexus and Checkpoint. (the routing relationship between Checkpoint firewall and the edge router is a separate question)

So let's think about how it would work and what questions need to be resolved:

- assuming that the Checkpoint firewall knows the routing information for these resources it should be possible to run OSPF on the firewall, have that OSPF use MD5 authentication, and have that OSPF advertise those routes to the Nexus (the details of how to accomplish this are outside the scope of this discussion).

- the Nexus will learn the routes from the Checkpoint firewall and place them into the main IP routing table, which eliminates the need for the static routes.

- this raises the question of whether there is anything downstream from the Nexus that needs to learn those routes. If so there is a need to redistribute from the new Checkpoint OSPF to the existing OSPF.

- there is also a question of whether there are any routes that the Checkpoint OSPF needs to learn from the existing Nexus OSPF. If so there may be a need to redistribute from the existing Nexus OSPF to the Checkpoint OSPF.

HTH

Rick 


Hello Rick

That's exactly what I am trying to do but to give you more insights right.

The static routes are originating from the edge routers southbound to the FW onto the Nexus core and finally changed to dynamic routing over there.

We need to eliminate those static routes from edge to the core and use dynamic routing OSPF in this case as we have been discussing.

1. We will introduce a new OSPF (with authentication) process at the edge router FW and redistribute it from FW to nexus core.

2. We will redistribute the old OSPF to the new one from Nexus core back to the FW.

Cheers

-Rushabh

Rushabh

Running OSPF between the Checkpoint firewall and the Nexus and having the Checkpoint advertise in OSPF what are currently static routes would remove the need for the static routes on the Nexus. And running OSPF between the Checkpoint firewall and the edge router would allow the edge router to advertise the routes to the Checkpoint.

On the Nexus you would redistribute routes from the original OSPF (no authentication) into the new OSPF and that would advertise the routes to the Checkpoint firewall (and from the firewall to the edge router).

HTH

Rick 
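A sketch of the Nexus side of this design, added here as an illustration and not configuration from the thread or from Cisco: two OSPF processes, MD5 authentication only on the firewall-facing interface, and mutual redistribution between the processes. Interface names, addresses, router IDs, process tags and the key string are assumptions; the route tags are an added precaution so that, with a pair of redistributing switches, a route is not fed back into the process it came from.

```cisco
! Constructed NX-OS example. Interface names, addresses, router IDs, process
! tags, route tags and the key string are assumptions, not values from the thread.
feature ospf

! Tag routes as they cross between processes and refuse to re-import
! routes that already carry the other direction's tag.
route-map OSPF1-TO-OSPF2 deny 10
  match tag 200
route-map OSPF1-TO-OSPF2 permit 20
  set tag 100
route-map OSPF2-TO-OSPF1 deny 10
  match tag 100
route-map OSPF2-TO-OSPF1 permit 20
  set tag 200

! Existing process: internal network, no authentication.
router ospf 1
  router-id 192.0.2.1
  redistribute ospf 2 route-map OSPF2-TO-OSPF1

! New process: firewall-facing, separate link-state database.
router ospf 2
  router-id 192.0.2.2
  redistribute ospf 1 route-map OSPF1-TO-OSPF2

! Downstream link: participates in process 1 only.
interface Ethernet1/1
  no switchport
  ip address 10.10.1.1/30
  ip router ospf 1 area 0.0.0.0
  no shutdown

! Link to the firewall: participates in process 2 only, MD5 enabled.
! The firewall must use the same key ID and key string.
interface Ethernet1/2
  no switchport
  ip address 10.20.1.1/30
  ip router ospf 2 area 0.0.0.0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 <MD5-KEY-PLACEHOLDER>
  no shutdown
```

A key or key-ID mismatch on the authenticated link keeps the adjacency from forming, so `show ip ospf neighbors` for the firewall-facing interface is the first thing to check after the change.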


I forgot to post the link...

http://www.learnios.com/viewtopic.php?f=8&t=19647

Richard's sources are better.
