OSPF process 10 in VRF red has a route map filtering inbound, so any other peering ospf process from another set of switches doesnt drop its routes in VRF red cause the route map only allows inbound default route. So the other switches are not giving default route so its filtering everything inbound that it needs to learn.

I have read your explanation and do not really follow the logic. But in terms of the original question about whether multiple OSPF processes are allowed in a single VRF I do not see any reason why multiple OSPF processes in VRF Red would not work.

HTH

Rick

Ya sorry its a bit complex. Its because of PCI compliance. We have a 4500X that runs 9 ospf processes and 9 VRFs and all processes peer with a single process upstream to an ASA, due to ASA limitation on OSPF processes. But to prevent vrfs on the 4500 seeing all routes in other vrfs we had to create a route map per 4500 ospf process that would only be allowed to learn about the ASA being the default route. this is so all traffic would go upstream and hit the firewall for inspection. The reason to create another ospf process in a vrf is to avoid the route map since its applied to the whole ospf process on inbound routes even from other devices beside the ASA. 

Sometimes PCI compliance does make things get complicated. I still am not quite clear on this environment. You have a 4500X with 9 VRF and each VRF has an OSPF process. And all 9 OSPF processes peer with an OSPF process on the ASA? Does the ASA have all 9 peers in the same area or is each peer in a separate OSPF area? So am I understanding correctly that the ASA would advertise the same routes to its peers in the 9 VRFs? And that the only route that you really want to use is the default route? Have you considered the possibility of configuring the OSPF in the 9 VRFs to be totally stubby?

Another aspect that I have questions about is how you expect the second OSPF process to work. The first OSPF peers with the ASA. Would the second OSPF process peer with other devices that are connected in that VRF?

HTH

Rick

ASA is area 0 to the 4500 and area 1 to an upstream layer to edge ASAs.

Neighbor ID Pri State Dead Time Address Interface
10.51.100.57 0 FULL/ - 0:00:32 10.51.100.57 GREEN_PROD
10.51.100.49 0 FULL/ - 0:00:30 10.51.100.49 BLUE_PROD
10.51.100.41 0 FULL/ - 0:00:34 10.51.100.41 YELLOW_PROD
10.51.100.33 0 FULL/ - 0:00:33 10.51.100.33 GRAY_MGMT
10.51.100.25 0 FULL/ - 0:00:36 10.51.100.25 BLUE_CAO
10.51.100.17 0 FULL/ - 0:00:32 10.51.100.17 YELLOW_CAO
10.53.0.11 1 FULL/DR 0:00:37 10.53.0.11 CAO_ROUTED_LINK
192.168.115.1 1 FULL/DR 0:00:35 10.53.0.28 PINRM_ROUTED_LINK
192.168.13.1 1 FULL/BDR 0:00:32 10.53.0.19 LAB_ROUTED_LINK
192.168.101.1 1 FULL/BDR 0:00:39 10.53.0.2 PROD_ROUTED_LINK
BNA-ASACORE-01/pri/act#

And yes that would be the idea of the two OSPF process so that the process that peers with the other devices isnt restricted by the route map.

I see no reason why a second OSPF process should not work as long as it establishes its peer relationships on different interfaces from the one that connects to the ASA. Would you want the routes learned by the second process to be advertised to the ASA? Do you want the default route learned by the first process to be advertised to the peers of the second process?

HTH

Rick

The ASA does need to know about the remote location subnets for other traffic that hits the firewall from another down stream vrf. I would want the remote site to learn the default route as well. The 4500 needs to know about the remote routes as well so it can route within the same vrf back and forth. 

So traffic flow would be remote side to HQ drops on the vrf red on the 4500, any destination in the same vrf red would route right there without hitting ASA. Any network not in vrf would hit a default route up to the ASA and either go downstream to another vrf or out to the internet. remote site uses HQ for internet so I would need to know about default route.

The easy part of what you describe is the 4500 being able to route to all destinations within a particular VRF. The VRF forwarding table of the 4500 will have all of the required routes (default pointing to ASA and routes for remote sites) and so will make appropriate forwarding decisions.

If you want to advertise the default route to the remote sites of the VRF then you will need to redistribute the default route (and only the default route) from the first OSPF process to the second OSPF process. And if you want to advertise the remote subnets to the ASA then you will need to redistribute the remote subnets (and only the remote subnets) from the second OSPF process to the first OSPF process.

HTH

Rick

I guess this will still be an issue because if I kick up another ospf process in vrf red, and dont apply the route map to allow only the default route from the ASA i will see all the routes from other vrfs again...

Based on your requirements there certainly is an issue. Lets take a look at what happens one step at a time and see where the issues are. Lets assume that OSPF 10 peers with the ASA and learns routes from the ASA. Lets assume that OSPF 20 peers with the remote sites on interfaces different from what OSPF 10 uses but still in the same VRF.

If you look in the IP forwarding table of the 4500 its knows the default route from the ASA and it knows the subnets from the remote sites in the VRF. So the 4500 can route to any destination reachable in that VRF. But if you look in the OSPF database you find that 10 and 20 are separate. OSPF 20  does not know the default route from the ASA and will not advertise it to the remotes. And OSPF 10 does not know the subnets from the remotes and will not advertise them to the ASA.

But your requirement is that the remotes need to learn the default route and the ASA needs to learn the remote subnets. To solve this you need to configure redistribution between the OSPF processes. When you redistribute from OSPF 10 into 20 you will need to use a route map to control the redistribution so that it redistributes only the default route. When you redistribute from OSPF 20 to 10 you might or might not need a route map to control the redistribution but I would configure it just to be safe.

HTH

Rick

OSPF is only learning default route from the ASA, ASA is set for default originate. Yes the remote site WAN IP on the 4500 would have to be in a different OSPF process that doesnt have the "allow only 0.0.0.0 inbound from ASA"

so OSPF 10 would learn the default route from ASA sitting in VRF RED.

OSPF 20 would learn remote site subnets in VRF RED....

so at this point all these routes should be in VRF RED routing table correct? so why the redistribute?

I thought that I had explained this. But perhaps it was not clear to you. So let me try again in a slightly different way.

You told me that one of the requirements was that the ASA should learn the remote subnets. So lets work with that. In VRF RED OSPF 20 will learn the remote subnets. Without redistribution OSPF 10 will not know the remote subnets. So how will the remote subnets be advertised to the ASA without redistribution?

HTH

Rick

Ah ok. So here was my thinking. Ospf 10 area 0 on remote site peers with ospf 100 on 4500. Ospf 200 area 0 peers with asa ospf 50. So since ospf 100 and 200 residing on 4500 both same vrf and area should see each other over broadcast no?