OSPF Design

Hello,

I'm in the process of designing a new solution for some of our clients that are using Kilostream connections. I have attached a topology diagram, so I hope this helps you understand what I'm trying to do.

We have a number of clients that have servers that need to target some hosted services we have in our data centre. Due to the nature of the traffic and data involved, clients have a choice of connectivity option and one of them is using Kilostream. These clients install the circuit and we manage the routing and security.

The clients do not need to talk to each other, just to our data centre, and our data centre also needs to target the systems at client sites. Most clients choose to have a single connection, but we have a few that have multiple links for backup; at present we have to manually connect the other circuit if it fails. (This is the existing setup I inherited when I started here a few years ago.)

So my first question is: should each client use a different area (1, 2, 3, etc.) or should they all stay in area 0? We do not share routing information with any of the clients.

My second question is if I assign a loopback interface with an IP Address out of the allocated subnet used for NAT on the router can I advertise this in OSPF?

And my third question is: when we have a client with two links being used as an active/backup type connection, is OSPF the best solution to be using along with HSRP on the internal interfaces?

Any help and comments will be much appreciated.

Cheers

Mark.

7 Replies

Mark

The obvious question is: if you don't share routing information with these clients, then why run OSPF?

If you simply assign a small subnet for NAT and you NAT your hosted servers, then how are you proposing to do it without a dynamic routing protocol? Static routes would be the obvious answer, although that would represent a slight issue if the client has multiple links, i.e. you may need to run IP SLA if the link failed over.

From the client's perspective the failover would work fine if using 2 separate routers, by using HSRP together with the track option to track the WAN interfaces.

Jon


Hi Jon,

Thanks for your reply.

As we own and manage all the routers in the topology diagram, I thought using something like OSPF would make the routing bit easier than having static routes everywhere.

I don't understand what you mean here sorry:

If you simply assign a small subnet for NAT and you NAT your hosted servers then how are you proposing to do it without a dynamic routing protocol ? static routes would be the obvious answer although that would represent a slight issue if the client has multiple links ie. you may need to run IP SLA if the link failed over.

The clients with multiple links must be able to target the same IP Address at our data centre and vice versa from us to the server at the client site.  To make things easy for our support teams client A will target the same IP Address as Client B to access our hosted service. Altogether we are hosting around 40-50 servers running different kinds of services for these clients.

Cheers

Mark.


Mark

No need to apologise, my fault for not explaining it very well. What I was getting at was that if you use static routes then you need to take account of -

1) traffic from client site to central site. Where you had a site with multiple links HSRP with tracking would take care of that.

2) traffic from central site to client site. This could be where it gets a bit more complex, because if the client end fails then how does the central site know that it should then use the backup link? You can use IP SLA for this to check the remote end and make sure it is still up.

However, if you run a dynamic routing protocol you don't face this issue. So assuming you go with OSPF, i.e. EIGRP is not an option, then I would say that as you are only using one subnet per site (the NAT subnet) and one subnet for the hosting site, that is not a lot of individual routing entries (assuming we are not talking about 1000s of sites), so having them all in area 0 would be fine.

However, it is important to note that all routers within the same area must have the same OSPF database and hence must exchange all LSAs. What this means is that -

a) there is no opportunity for inter-area summarisation. This may not be an issue because you are only using one subnet per site so any summarisation has minimal benefit but it is a consideration.

b) all client routers must have the same LSAs, as stated above. This means if client A goes down then all clients must be updated and any relevant OSPF calculations will need to be done on each router.

c) again, because all client routers must have the same LSA database, you cannot filter routes within the same area. This means client A would have a route to client B via the central site. If you had an area per client then you can filter at the central site so that client A only has routes to the central site subnet and none of the other clients.

Note that you could filter the traffic with acls at the central site and this would achieve the same thing but in quite a different way.

With areas you limit each client to only sharing routes between itself and the central routers. You can implement inter-area filtering on the central routers to stop other clients receiving non-central routes. And you limit the intra-area LSA updates on a failed client link to just the client itself and the central site.

So it's a tradeoff. As you control both ends then it is really up to you. Either would work although from the info you have given it would seem areas are a cleaner implementation but don't worry too much.

Loopbacks and using NAT addresses. Not entirely sure I follow. You can certainly advertise a loopback through OSPF. OSPF by default advertises loopbacks as /32s, so if you want it to advertise the actual subnet then you would do -

    int loopback 10
     ip address x.x.x.x 255.255.255.224
     ip ospf network point-to-point

and then

    router ospf 10
     network x.x.x.x 0.0.0.31 area

HSRP for clients with multiple links. Yes, and as mentioned before you will need to use HSRP tracking on the WAN interfaces of the client routers.

Jon

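Jon's recommendations put together as one configuration: an area per client, inter-area filtering at the central ABR so a client only learns the hosted subnet, the NAT pool on a loopback advertised with its real mask, and HSRP with interface tracking at the client site. This is an added example, not configuration from the thread. Every hostname except cdl-cmc-rt01 (which Jon uses later), every address, area number and key string is assumed; the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 stand in for real space. Two things the thread does not spell out are added because these circuits terminate on customer premises: OSPF MD5 authentication on the client-facing links, and the inbound ACL Jon mentions as the alternative way of stopping client-to-client traffic, here used as a second layer behind the route filter. NAT statements themselves are left out.

```cisco
! Added example (not from the thread). Assumed addressing:
!   192.0.2.0/24     hosted services subnet at the data centre (area 0)
!   198.51.100.0/27  client A's NAT pool, on a loopback (area 1)
!   10.0.1.0/30      Kilostream rt01 <-> client A primary router
!   10.0.0.0/30      backbone link between the two central routers
!   192.168.10.0/24  client A LAN, HSRP virtual IP .1

!===== Central router cdl-cmc-rt01 (ABR for every client area) =====
hostname cdl-cmc-rt01
!
! Only the hosted subnet is allowed into client areas as a type-3
! summary LSA, so client A never learns client B's NAT pool.
ip prefix-list HOSTED-ONLY seq 10 permit 192.0.2.0/24
!
! Second layer: even if a route leaks, drop client-to-client traffic.
! OSPF from the far end and replies to our own probes must be let in.
ip access-list extended FROM-CLIENT-A
 permit ospf host 10.0.1.2 any
 permit icmp host 192.168.10.2 host 10.0.1.1 echo-reply
 permit ip 198.51.100.0 0.0.0.31 192.0.2.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Hosted subnet / central firewall
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Backbone link to cdl-cmc-rt02
 ip address 10.0.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf message-digest-key 1 md5 BACKBONE-KEY
!
interface Serial0/1/0
 description Kilostream to client A router 1
 ip address 10.0.1.1 255.255.255.252
 ip access-group FROM-CLIENT-A in
 ip ospf network point-to-point
 ip ospf message-digest-key 1 md5 CLIENT-A-KEY
!
router ospf 10
 router-id 10.255.0.1
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface Serial0/1/0
 network 192.0.2.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.3 area 0
 network 10.0.1.0 0.0.0.3 area 1
 area 0 authentication message-digest
 area 1 authentication message-digest
 area 1 filter-list prefix HOSTED-ONLY in

!===== Client A primary router (the second router mirrors this with
!===== standby priority 100 and its own circuit to cdl-cmc-rt02) =====
hostname clientA-rt01
!
! NAT pool on a loopback: advertised with its real /27 mask rather
! than /32, and it stays up regardless of the state of the LAN port.
interface Loopback10
 ip address 198.51.100.1 255.255.255.224
 ip ospf network point-to-point
!
interface Serial0/1/0
 description Kilostream to cdl-cmc-rt01
 ip address 10.0.1.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf message-digest-key 1 md5 CLIENT-A-KEY
!
! Lose the WAN circuit and this router's HSRP priority drops to 90,
! below the standby router's 100, so the other router takes over.
track 1 interface Serial0/1/0 line-protocol
!
interface GigabitEthernet0/0
 description Client A LAN
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
router ospf 10
 router-id 10.255.1.1
 passive-interface default
 no passive-interface Serial0/1/0
 network 10.0.1.0 0.0.0.3 area 1
 network 198.51.100.0 0.0.0.31 area 1
 area 1 authentication message-digest
```

To check the filter is doing its job, `show ip route ospf` on clientA-rt01 should list only 192.0.2.0/24 as an inter-area (O IA) route and none of the other clients' pools; `show ip ospf database summary` on the ABR shows which type-3 LSAs it is originating into area 1. The same prefix-list and filter-list must be applied on cdl-cmc-rt02, as both central routers are ABRs for the client areas. The `log` keyword on the final deny is useful while commissioning but generates CPU load per matched packet, so consider removing it once the design is proven.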


Hi Jon,

That makes a lot more sense now. The only downside with HSRP, now that you have mentioned tracking, is that if on the central router we are tracking, say, serial 0/1/0, which goes to a client with multiple circuits, then HSRP will flip to the other central router if that circuit goes down, which will no doubt momentarily interrupt traffic to all of our other clients.

I'm not aware of any other way around this, so I assume this will be something the business needs to make a decision on.

Cheers

Mark.


Mark

It depends.

I wasn't really thinking about running HSRP at the central site at all, only at the clients. Does the firewall at the central site point to an HSRP address on the 2 WAN routers at the central site?

It all really depends on whether you are happy to use either link to the same client. If you are, then HSRP tracking should only be used at the client end. Think of it like this -

Client A has 2 links to the central site. Client A is advertising its NATed subnet to both central site routers via its 2 links. I'm assuming both central site routers are exchanging OSPF LSAs between each other. Let's also assume for argument's sake that cdl-cmc-rt01 is the HSRP active router for the central firewall.

If the link on rt01 to client A goes down there is no need to failover the router. Actually that would be a really bad thing to do because if there were clients with only a single link to the central site and this link was on rt01 then you have effectively stopped them working because of an issue with another client. So you really don't want to do this.

What would happen instead is that if the link went down, rt01 would stop receiving an OSPF advertisement via its WAN link to client A. But it would still have a route via rt02 and so it would simply send the packet to rt02. rt01 is still HSRP active.

Jon



Jon I'm hoping you might see this post and be able to help.

You helped me a while back with this and the work got postponed but is now back on and we're in the final stages and are just trying to get the failover working correctly.

I'm struggling with the routing when one of the internal interfaces on the routers fails. For example, one of the client/remote routers' internal interfaces becomes disconnected from the LAN. HSRP kicks in fine, no problem, but the central office doesn't know about this issue and continues to use the primary route even though the remote router can't do anything with the traffic as it's got no connection to the LAN.

I've been playing with IP SLA. I have an ICMP monitor to the internal interface and I was trying to get the router to install a route when the ICMP fails, and I want the route to send the traffic via the secondary central router.

Is this something that can be done or am I looking at the wrong thing here.

Any help would be much appreciated.

Mark


I've managed to get this working now by using IP SLA and a tracked route.

Mark.
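Mark does not post the configuration he ended up with, so here is one way to build the IP SLA plus tracked-route arrangement he describes, as an added example rather than his actual config. The failure mode follows from the earlier advice: with the NAT pool on a loopback, the OSPF advertisement does not depend on the client router's LAN interface, so the central router keeps a perfectly valid OSPF route to a router that can no longer deliver the traffic. The fix is to probe the LAN-side address itself and let a floating static route with a better administrative distance than OSPF (110) take over when the probe fails. All addresses are assumed and match nothing in the thread; the configuration goes on cdl-cmc-rt01, with the mirror image on cdl-cmc-rt02.

```cisco
! Added example, not Mark's configuration. Assumed addressing:
!   198.51.100.0/27  client A NAT pool (advertised by OSPF from a loopback)
!   192.168.10.2     LAN-side address of client A's primary router
!   10.0.1.2         client A primary router, far end of rt01's circuit
!   10.0.0.2         cdl-cmc-rt02, the secondary central router
!
! Probe the client router's LAN interface every 10 seconds. The host
! route further down pins the probe to the primary circuit, so a failed
! probe means either the circuit or the far-end LAN port is dead.
ip sla 1
 icmp-echo 192.168.10.2 source-interface Serial0/1/0
 timeout 2000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Turn probe reachability into a tracked object. The delays stop one
! lost ping from flapping the route, and make recovery deliberate.
track 2 ip sla 1 reachability
 delay down 10 up 30
!
! Keep the probe on the primary circuit even when the data path has
! already moved to rt02, otherwise the probe could succeed via rt02
! and reinstate the broken primary route.
ip route 192.168.10.2 255.255.255.255 10.0.1.2
!
! Normal path: static route (AD 1) via the primary circuit, installed
! only while track 2 is up. Same next hop as the OSPF route, so traffic
! is unchanged in the healthy state.
ip route 198.51.100.0 255.255.255.224 10.0.1.2 track 2
!
! Failure path: floating static via rt02 at AD 100. When the tracked
! route is withdrawn this beats the OSPF route (AD 110) that would
! otherwise keep pointing at the router with no LAN connection.
ip route 198.51.100.0 255.255.255.224 10.0.0.2 100
```

Two assumptions need to hold for this to fail over cleanly: client A's second router must be advertising the same pool over its own circuit to rt02, and rt02's best route to that pool must be its own circuit rather than back through rt01, or the two central routers will bounce the packets between themselves. Any inbound ACL on the client-facing serial interface also has to permit the echo replies from 192.168.10.2. `show track 2`, `show ip sla statistics 1` and `show ip route 198.51.100.0` show the probe state, the tracked object and which of the three routes is currently in the table.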
