09-02-2017 09:40 AM - edited 03-08-2019 11:54 AM
Some of the information is sensitive, so I will briefly describe the problem I am having.
Below is an example of network topology:
Router <-> Switch <-> Encryptor-><-Encryptor <-> Switch
Currently, the network is running OSPF through IPSec tunneling. The management IP address that directly connects all these devices together cannot be joined in OSPF, due to recursive routing. All IPs that are being advertised via OSPF can reach the router. The management IP cannot reach the router, except on the switch next to the router. The Gateway of Last resort is learned via OSPF.
This network cannot go down, but this issue must be resolved as it affects several users but not the whole network.
There are several things I want to try, but I don't know if it'll take users down. Can someone let me know if these solutions seem viable and if they have the possibility of taking down the current working users?
Proposed solution #1:
Add an ip route statement: ip route 0.0.0.0 0.0.0.0 <router>. Will this statement make my other networks lose their gateway of last resort if they learn it from the router?
Proposed solution #2:
Could I use a route-map to block the management IP address on the switch next to the router for the static route statement that points it back to the encryptors? For example: access-list 1 permit 1.1.1.0 0.0.0.255 / route-map MYMAP deny 10 / match ip address 1 / route-map MYMAP permit 20 / router ospf 10 / redistribute static route-map MYMAP
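The following is an added illustration, not configuration or code from the thread: a small Python model of how IOS evaluates a standard ACL inside a route-map clause during redistribution. It shows the pitfall worth checking before applying proposed solution #2: an ACL that contains only a deny entry never "matches" in a route-map, so a route-map whose only clause is a deny falls through to the implicit deny at the end and filters every static route, not just the management prefix. The prefixes, ACL and route-map contents are constructed for the example.

```python
import ipaddress

# Constructed IOS-style standard ACL: entries are (action, network) evaluated
# top-down, followed by the implicit "deny any" that IOS appends.
# In a route-map "match ip address", a standard ACL is tested against the
# route's network address.
def acl_permits(acl, prefix):
    """Return True only if an explicit permit entry matches the prefix."""
    net = ipaddress.ip_network(prefix)
    for action, entry in acl:
        if net.network_address in ipaddress.ip_network(entry):
            return action == "permit"
    return False  # implicit deny any


def route_map_permits(route_map, acl_table, prefix):
    """Walk clauses in sequence order: (seq, action, acl_name_or_None).

    A clause whose match ACL permits the prefix (or that has no match
    statement) decides the outcome. An ACL deny means "this clause does
    not match", so evaluation continues to the next clause. A route that
    matches no clause is dropped by the implicit deny at the end.
    """
    for _seq, action, acl_name in sorted(route_map):
        if acl_name is None or acl_permits(acl_table[acl_name], prefix):
            return action == "permit"
    return False


def redistribute(static_routes, route_map, acl_table):
    """Return the static routes that survive 'redistribute static route-map'."""
    return [p for p in static_routes
            if route_map_permits(route_map, acl_table, p)]


# Constructed static routes: the management space plus two ordinary prefixes.
STATIC_ROUTES = ["1.1.1.0/24", "10.20.0.0/16", "172.16.5.0/24"]

# Variant A (constructed): ACL with only a deny entry and a deny-only route-map.
# The deny entry never lets the clause match, so everything falls through
# to the route-map's implicit deny and no static route is redistributed.
ACL_DENY_ONLY = {"1": [("deny", "1.1.1.0/24")]}
RM_DENY_ONLY = [(10, "deny", "1")]

# Variant B (constructed): permit the management prefix in the ACL so the
# deny clause actually matches it, then permit everything else explicitly.
ACL_FIXED = {"1": [("permit", "1.1.1.0/24")]}
RM_FIXED = [(10, "deny", "1"), (20, "permit", None)]


if __name__ == "__main__":
    print("deny-only:", redistribute(STATIC_ROUTES, RM_DENY_ONLY, ACL_DENY_ONLY))
    print("fixed:    ", redistribute(STATIC_ROUTES, RM_FIXED, ACL_FIXED))
```

Before applying such a filter on production gear, the same check can be done on the device with `show route-map` and `show ip ospf database external` after the change, confirming that only the management prefix has disappeared from the external LSAs.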
09-02-2017 12:09 PM
Hello,
my first thought is: why not resolve the recursive routing problem by adding a static route just for the management IP (address space), with the physical (and not the tunnel) interface being the next hop?
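As an added example (not code from the thread), here is a small Python model of the recursive routing condition the reply above is talking about, and of why a more specific static route via the physical interface clears it. A tunnel is recursive when the longest-prefix-match lookup for the tunnel's own destination resolves through the tunnel interface itself, which is exactly what happens when the only route covering the encryptor/management space is the OSPF default learned over the tunnel. The RIB contents, interface names and addresses are constructed.

```python
import ipaddress

# Constructed RIB: prefix -> (outgoing interface, source protocol)
def lookup(rib, dst):
    """Longest-prefix match; returns (network, entry) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best


def tunnel_is_recursive(rib, tunnel_iface, tunnel_dest):
    """True when the route to the tunnel destination exits via the tunnel
    itself, i.e. the tunnel depends on a route that only exists while the
    tunnel is up (the classic recursive routing flap)."""
    hit = lookup(rib, tunnel_dest)
    return hit is not None and hit[1][0] == tunnel_iface


def escape_route(rib, tunnel_iface, tunnel_dest):
    """Return the more-specific route that keeps the tunnel destination off
    the tunnel, or None if the tunnel is still recursive."""
    hit = lookup(rib, tunnel_dest)
    if hit is None or hit[1][0] == tunnel_iface:
        return None
    return str(hit[0]), hit[1]


# Constructed encryptor / management-side address the tunnel terminates on.
TUNNEL_DEST = "192.0.2.10"

# Before: the gateway of last resort is learned via OSPF over Tunnel0 and is the
# only route covering 192.0.2.0/24, so Tunnel0's destination is reached via Tunnel0.
RIB_BROKEN = {
    "0.0.0.0/0": ("Tunnel0", "ospf"),
    "10.0.0.0/24": ("Tunnel0", "ospf"),
}

# After: one static route for the management space via the physical interface
# wins by prefix length over the default, so the tunnel no longer depends on itself.
RIB_FIXED = dict(RIB_BROKEN)
RIB_FIXED["192.0.2.0/24"] = ("GigabitEthernet0/1", "static")


if __name__ == "__main__":
    print("broken recursive:", tunnel_is_recursive(RIB_BROKEN, "Tunnel0", TUNNEL_DEST))
    print("fixed recursive: ", tunnel_is_recursive(RIB_FIXED, "Tunnel0", TUNNEL_DEST))
    print("escape route:    ", escape_route(RIB_FIXED, "Tunnel0", TUNNEL_DEST))
```

The model only needs one static route per management address space, not one per advertised prefix, because everything else continues to follow the OSPF-learned routes; that is the distinction between the single escape route suggested here and the 120-plus static routes the original poster wants to avoid.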
09-06-2017 04:18 PM
Georg,
The issue is not on the end switches, where this is doable. The issue lies on the core switch connecting to the router. We are wanting to move away from static routing every route because it would turn out to be over 120 static routes, and every time we would need to re-add a new static route for each new device. Trying to move away from this.
09-07-2017 07:54 AM
Hello
Can you elaborate a bit more on your topology.
You mention a router, core switches, IPsec tunnels and OSPF; is this a DMVPN topology?
res
Paul
09-07-2017 09:00 AM
Paul,
No, this is not quite a DMVPN topology. I can explain as much as possible.
The router is controlled by an outside source. The switch connected to the router is the starting point of the connection that I control. We are using OSPF via GRE tunnelling to go out to all of our sites, except the current site that is having an issue. Everything that isn't on the management IP address can communicate back with the router. Everything that isn't being advertised by OSPF cannot reach the router. The problem at the end device in this situation is that we cannot establish OSPF, due to other reasons (yes, it is possible, but the customer is refusing to do it).
09-07-2017 10:31 AM
Hello,
can you post the full configs of two devices that cannot reach each other's management IP address (as that is the problem as far as I understand)?
09-07-2017 12:39 PM
Georg,
I am sorry. I cannot post these configurations. I can only describe the situation to a certain state.