www.unix.org.ua

[sweigle]

Hello,

Here is the setup: router0 -> CiscoASA -> router1

The Cisco ASA is in Multi-context mode and is using 7.2.4 firmware (Cannot use dynamic routing due to limitation of multi-context mode). Router 0 is a linux based router that uses quagga 0.99. Quagga is a fully function routing suite for Linux that utilizes the OSPFd on Linux. The CLI is based on Cisco's CLI. Router1 is a Cisco 1841 AdvIPservices 12.4(9) T5.

My question is, since the Cisco ASA cannot perform dynamic routing because of multi-context mode, how can I set up a virtual OSPF link between router0 and router1? I've tried adding static routes in in both routers pointing to the firewall as a path for their router-ids. I then redistributed static routes in OSPF. I have been monitoring the ASA and do not see either router trying to send ospf packets.

router1 (1841) config:

Code: Select all

interface FastEthernet0/1.121
description ospf test
encapsulation dot1Q 121
ip address 10.8.255.1 255.255.255.0
!
interface FastEthernet0/1.122
encapsulation dot1Q 122
ip address 10.8.128.1 255.255.255.0

router ospf 1
router-id 10.8.255.1
log-adjacency-changes
area 0.0.0.1 virtual-link 10.8.127.194
redistribute static metric 10 subnets
network 10.8.128.0 0.0.0.255 area 10.8.128.0
network 10.8.255.0 0.0.0.255 area 0.0.0.1


ip route 10.8.127.194 255.255.255.255 10.8.255.232

Router 0 (Linux Quagga)

Code: Select all

router ospf
ospf router-id 10.8.127.194
redistribute kernel metric 10
network 10.8.127.0/24 area 0.0.0.1
network 192.168.0.0/24 area 0.0.0.0
area 0.0.0.1 virtual-link 10.8.255.1


eth1      Link encap:Ethernet  HWaddr 00:30:18:AE:6D:E9
          inet addr:10.8.127.194  Bcast:10.8.127.255  Mask:255.255.255.0
          inet6 addr: fe80::230:18ff:feae:6de9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:862 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4059 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:78171 (76.3 KiB)  TX bytes:369107 (360.4 KiB)
          Interrupt:19 Base address:0xc000


eth2      Link encap:Ethernet  HWaddr 00:30:18:AE:6D:EA
          inet addr:192.168.0.52  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::230:18ff:feae:6dea/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81499 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11347 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24937313 (23.7 MiB)  TX bytes:820748 (801.5 KiB)
          Interrupt:16


Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.8.255.1      10.8.127.232    255.255.255.255 UGH       0 0          0 eth1
192.168.192.0   192.168.0.252   255.255.255.0   UG        0 0          0 eth2
192.168.129.0   192.168.0.252   255.255.255.0   UG        0 0          0 eth2
192.168.5.0     192.168.0.252   255.255.255.0   UG        0 0          0 eth2
192.168.4.0     192.168.0.252   255.255.255.0   UG        0 0          0 eth2
172.31.254.0    192.168.0.252   255.255.255.0   UG        0 0          0 eth2
192.168.64.0    192.168.0.252   255.255.255.0   UG        0 0          0 eth2
192.168.1.0     192.168.0.252   255.255.255.0   UG        0 0          0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2
10.8.127.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.10.10.0      192.168.0.252   255.255.255.0   UG        0 0          0 eth2
192.168.9.0     192.168.0.252   255.255.255.0   UG        0 0          0 eth2
192.168.8.0     192.168.0.252   255.255.255.0   UG        0 0          0 eth2
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth2

Quagga sees:

Code: Select all

sho ip route
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 via 192.168.0.1, eth2
O   10.8.127.0/24 [110/10] is directly connected, eth1, 03:02:45
C>* 10.8.127.0/24 is directly connected, eth1
K>* 10.8.255.1/32 via 10.8.127.232, eth1
O>* 10.10.10.0/24 [110/10] via 192.168.0.252, eth2, 00:04:28
C>* 127.0.0.0/8 is directly connected, lo
O>* 172.31.254.0/24 [110/11121] via 192.168.0.252, eth2, 00:04:29
O   192.168.0.0/24 [110/10] is directly connected, eth2, 00:04:35
C>* 192.168.0.0/24 is directly connected, eth2
O>* 192.168.1.0/24 [110/11] via 192.168.0.252, eth2, 00:04:29
O>* 192.168.4.0/24 [110/11] via 192.168.0.252, eth2, 00:04:29
O>* 192.168.5.0/24 [110/11] via 192.168.0.252, eth2, 00:04:29
O>* 192.168.8.0/24 [110/11] via 192.168.0.252, eth2, 00:04:29
O>* 192.168.9.0/24 [110/11] via 192.168.0.252, eth2, 00:04:29
O>* 192.168.64.0/24 [110/10] via 192.168.0.252, eth2, 00:04:28
O>* 192.168.129.0/24 [110/10] via 192.168.0.252, eth2, 00:04:28
O>* 192.168.192.0/24 [110/10] via 192.168.0.252, eth2, 00:04:28

My guess is that since the static routes are redistributed into ospf that it cannot use this as a path for a virtual link. I see that these static routes are Type-5 AS External in the OSPF processes. A virtual link's path must be learned through OSPF? If this is the case I cannot use virtual links and would have to use a GRE tunnel to accomplish this.

any thoughts?


thanks,
Scott

[Julian Simon]

Hi

In your example, router0 and router1 becomes ASBR.
The OSPF virtual link searches for the reachability of the OSPF virtual neigbhours within the OSPF area.
Hence OSPF virtual Link is not possible between router0 and router1.


Julian

[giuslar]

Hello Scott,

in your scenario the right tool to use is a GRE point to point tunnel that would allow to build an OSPF adjacency between the two routers.
OSPF hellos will be exchanged over the tunnel that are encapsulated in an external envelope that is protocol GRE with specific source address and destination address
For the ASA is enough to allow the GRE flow in both directions between specific IP addresses to make it to work
OSPF virtual-link might be used inside an OSPF domain but only in rare scenarios


Hope to help
Giuseppe

[sweigle]

Thanks.. I thought GRE was the only solution for this. I just did not want to encapsulate.

[Sheadacrata]

I am trying to leak routes from my VRFs to the global instance of OSPF. I have BGP routing traffic between two local VRFs but am unable to leak the routes out to my main OSPF table. Any guidance would be greatly appreciated.

Thanks,
Приехали в столицу? Высокооплачиваемая Работа в Москве ждет вас