Can OSPF Be Used Instead of Static Routes for VTI VPN Tunnel Interface

elkabeermg
Level 1

I am currently working on a network setup involving two branches connected via a VTI VPN tunnel, as displayed in the attached topology. In the current configuration, static routes are used to facilitate connectivity between the branches.

I’m considering replacing the static routes with OSPF to enable dynamic routing and improve scalability. However, I want to ensure that OSPF can be effectively implemented in this scenario without causing issues for the VPN setup.

Here are some details:

  • The VPN is configured using Virtual Tunnel Interfaces (VTI).
  • Branch routers (BR_1 and Edge_R in the diagram) are responsible for establishing the VPN tunnel.
  • I aim to exchange routes dynamically over the tunnel interface while maintaining high reliability and network efficiency.

My questions are:

  1. Is it feasible to use OSPF instead of static routes for VTI-based VPN tunnels?
  2. Are there any special considerations or challenges I need to be aware of when configuring OSPF over the VPN tunnel?
8 Replies

Sure, you can use OSPF in VTI, there is no problem, and what is better is to use BGP.

Using BGP gives you more control of the prefixes advertised between the two peers.

MHM

@elkabeermg Using any dynamic routing protocol is a more scalable solution than using static routes in a large dynamic environment. If it's just a static VTI with a couple of routes and unlikely to change, then statics would suffice.

You don't say whether you are using ASA, FTD or IOS-XE router, but they do all support OSPF with a VTI (static and dynamic). However Cisco recommend BGP https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/BRKSEC-3058.pdf


Topology Overview:

1. EIGRP is used between the Core Switch, DS_1, and DS_2.

2. The Core Switch has a default route to the Edge Router, and static routes are redistributed into EIGRP.

3. The Edge Router has static routes to reach VLAN 10, VLAN 20, and VLAN 30.

4. The Edge Router has a default route to ISP_1 for external connectivity.

5. A tunnel interface is configured on both the Edge Router and the Branch Router (BR_1) to establish the VPN.

6. The current setup relies on static routes at both routers to route traffic through the tunnel interface.

7. I use IOS XE.

Considerations for OSPF:

If I replace static routes with OSPF:

On the Branch Router (BR_1), I will advertise the following networks:

172.18.1.0/24 (local subnet)

172.16.1.0/24 (LAN network behind BR_1)

On the Edge Router, my question is:

1. Which networks should I advertise in OSPF to ensure proper reachability of VLAN 10, VLAN 20, and VLAN 30 through the tunnel interface?

2. Should I include all the internal VLANs (10, 20, 30) and the tunnel network, or will advertising only the tunnel endpoint subnet suffice?

3. Are there any additional configuration steps or challenges I should consider when transitioning to OSPF in this scenario?

You will need to enable OSPF on the tunnel interfaces and advertise the local/remote networks to ensure full reachability. The HQ edge router will need to redistribute the statics for VLAN 10, 20 and 30 into OSPF so the branch router can route to them over the VPN.

If you are already using EIGRP, why not use EIGRP on ALL devices, i.e., Core, Edge etc. and over the tunnel instead of OSPF? This would be much simpler.
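One way to lay out the configuration described above, as an added IOS XE example that is not from the thread or from either poster. The tunnel subnet (10.255.0.0/30), OSPF process 1 / area 0 and the HQ VLAN 10/20/30 subnets (192.168.10.0/24, .20.0/24, .30.0/24) are assumed values because the thread does not give them; 172.18.1.0/24 and 172.16.1.0/24 are the branch networks listed by the OP.

```cisco
! Added example (not from the thread). Assumed: tunnel 10.255.0.0/30,
! OSPF process 1 / area 0, HQ VLAN subnets 192.168.10/20/30.0/24.
!
! ===== Edge_R (HQ) =====
interface Tunnel0
 ! existing VTI: source/destination/mode/tunnel protection unchanged
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf 1 area 0
!
! Redistribute only the three VLAN statics; any other static
! (present or future) is filtered out by the prefix-list.
ip prefix-list HQ-VLANS seq 10 permit 192.168.10.0/24
ip prefix-list HQ-VLANS seq 20 permit 192.168.20.0/24
ip prefix-list HQ-VLANS seq 30 permit 192.168.30.0/24
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list HQ-VLANS
!
router ospf 1
 router-id 10.255.0.1
 ! no hellos on LAN/ISP-facing interfaces, only across the tunnel
 passive-interface default
 no passive-interface Tunnel0
 redistribute static subnets route-map STATIC-TO-OSPF
!
! ===== BR_1 (branch) =====
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 10.255.0.2
 passive-interface default
 no passive-interface Tunnel0
 network 172.18.1.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.255 area 0
!
! Never advertise the tunnel-source (ISP-facing) subnet into OSPF on
! either router: if the tunnel destination becomes reachable through
! the tunnel itself, IOS XE disables Tunnel0 for recursive routing.
```

Verify with `show ip ospf neighbor` on both routers (one FULL neighbour over Tunnel0) and `show ip route ospf` on BR_1, where the three HQ VLAN subnets should appear as O E2 routes.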

thanks

No need for OSPF, use BGP; keep EIGRP isolated in each site and run BGP between them.
This will prevent one site being affected by any issue in EIGRP in the other site.

make your config optimal 

MHM

Yes, I will upgrade to BGP, thanks.