OSPF design

FREDARCE
FREDARCE used Ask the Experts™
on
I am looking to implement OSPF to manage dynamic routing in our internal environment, however, also include dynamic routing to other company networks and locaitions.
Currently all internal routing is handled via static routes between our core and firewalls.
We are in the process of building new infrastructure to run in parralel with what's in place.
The new infrastructure comprises of two 6509-e swtiches which will be the core/distribution and another two 6509-e switches to handle the access layer.  We will also be using a pair of asa 5500 firewalls with connections to the internet and 3rd party vendors.  We will be using a totally new IP scheme on this new infrastructure.
I will also need to have dynamic routing to 9 additional sites spread accross the region with various links either layer 2 or vpn tunnel etc..

I would like the core 6509 to be the OSPF backbone of the network but don't know if I should have the other locations be a part of Area 0 or should I have every other physical location be in their own area?  Some of the other locations are poorly managed and there is a good chance that non-scheduled events will occur during productions hours that could trigger route convergence.  What can I do from a design/implementation standpoint to protect this new main core infrastructure from major route convergence?  For example,  I don't want a power outage in one of our smaller locations to effect or cause disruption to all routing in the network.  But at the same time I still need redundancy to any failed link/hardware to take place in a resonable amount of time.  How or what kind of precautions can I make before hand to prevent such repercussions as well as maintain proper routing convergence throughout?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
John MeggersNetwork Architect

Commented:
How big is the entire network?  It sounds like you have a central site and nine remote sites, plus routes for the VPNs to vendors.  Are your remote sites connected to each other or does everything single-home back to the central site?  

For the relatively small number of sites you seem to have, you shouldn't have a problem if everything is in area 0.  If the remote sites connect to each other so there's a mesh-like topology, I would put everything in area 0.  If the remote sites single-home back to central, you could make the argument that it's better to put them in different area, but for the size of network you seem to be talking about, i don't really think that's necessary.

Hopefully if this is a new topology you're able to design your subnet for aggregation points on proper subnet boundaries, that will help.

The VPNs should be redistributed through RRI so IIRC that will make them a different LSA type so they'd be considered outside of area 0 anyway.
Top Expert 2010

Commented:
I would plan to have each site their own area; designing all sites with one area (Area 0) is not a scalable solution, you need to plan for upgrades, mergers, and growth.

Here is a good design guide from Cisco:

http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094e9e.shtml

As far as the VPN is concerened, here are some OSPF Examples with OSPF:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804acfea.shtml

Good Luck,

Billy

Commented:
Hello,

 Make the core area 0. Use different areas for each site and just advertize the sites in ospf. The sites that you do not want to converge with the core, create those sites as stub areas. In this case, they will only receive default from the core but will not send. Create static route in the core with higher admin distance as backup routes to all the sites.
Amazon Web Services

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

John MeggersNetwork Architect

Commented:
I agree with each site having its own area as long as the sites don't interconnect directly with each other, e.g. over a multi-access MPLS cloud.  If they do, and you create separate areas for each site, you're going to have to create a bunch of virtual links to connect through Area 0, which is not a scaleable approach.

Commented:
That is not true. You do not need to create virtual links to connect different areas to area 0. Between the various sites, will be handled by BGP. If you don't create different areas for each site, you are likely to run into assymmetrical routing. All you will have to do is to so one way redistribution. Redistribute BGP into ospf and in each site, advertise the LAN subnets in BGP. You can create access-list, prefix-list or route-maps to filter subnets if you need to tighten what should be advertized to each site.
Top Expert 2010

Commented:
If you design the network from a best practices perspective, you will not have to create virtual links; in most cases, virtual links should only be used as a bandaide. There are exceptions to this;virtual links could be added for redundancy in case some router failure causes the backbone to be split into two, in this case the virtual link would be created on the ABR to traverse the non area 0 back bone through a normal area, from one ABR to another. I would avoid using virtual links at all cost unless it is absolutely neccessary. You should only consider OSPF for PtP links and loopbacks if utilizing BGP. Additionally, do not plan for any redistribution from one routing protocol to another, there is no need for it if you design the network correctly from the get go. You will find life much simpler with this in mind. To be honest, there should be no reason to implement BGP unless you plan to multihome your network to other networks that have BGP connectivity to each other. From what you describe, a single IGP should suffice; additionally, if you are using all Cisco devices then you should not complicate the network with OSPF and utilize a protocol such as EIGRP. It really depends on your design criteria and routing policies if any exist. It appears that you have OSPF already in mind as the primary protocol and would recommend that you read up on the link that was provided as it will give much insight on the next steps for you to take.

Good Luck
Billy

Commented:
rfc1180: Please do not discourage him from carrying out his network desigh/plan. I have done a similar design before and things worked perfectly well. There are differences between mine and his and the differences are as follows:
1. I used MPLS as primary connections to all the sites via bgp. No ISP offers OSPF in the cloud by default as you are suggesting. You only need to run OSPF in your ISP cloud ( called SHAM links) if you are trying to avoid virtual links in a badly designed and existing network. This is brand new network so there is no need for running OSPF between sites. Apart from BGP, he will have to configure static routes to send traffic from one site to another and as the network grows, it becomes complicated. If he uses BGP between the sites, he cannot send traffic from one site to another without redistribution. This is the only way to carry traffic from either OSPF or EIGRP to BGP of vice versa. The other way is to use static routes.
2. I used VPN as backup to connect to the various sites. In this case, you can use dynamic multipoint VPN with OSPF or EIGRP. Either will work, but I used OSPF because I like it. In this case, you will create tunnels between the sites and there will be no need to use BGP. This will need only internal routing protocol.
3. I did not use layer 2 to connect to the various sites, but this can be done via Ethernet Virtual Private Line (EVPL) EVPL uses point-to-point Ethernet virtual connections (EVCs) to define site-to-site connections. I am not sure if you really want to do this because it is not straight forward, though possible.
rfc1180: I see a couple of contradictions in your statements and it appears you are quoting from books. It is good to do that, but this person needs practical ideas.
Top Expert 2010

Commented:
I am merely just providing points to statements; there is an OSPF design guide that Cisco has that will outline everything that I have covered; not sure how and am "discouraging" him. The points that are outlined are very strong points to consider, nothing more nothing less. Interesting you think I am quoting from books, not sure how you got that impression, but whatever! What the author wants is a very simple design, why complex the network with BGP, no where in the author's question does it mention BGP. There is nothing wrong with providing solutions with other protocols, I am only providing details about the pros and cons of each. My experience comes from working in a mult-national data center with a very complex backbone, my statements come from experience, both with OSPF and BGP. Additionally, the experience gained is also with complex customer manage networks. His concept of utilizing OSPF is a great start, but designing an OSPF network can be complex if one has never designed one. Furthermore,  your statement "No ISP offers OSPF in the cloud by default as you are suggesting" is a bit flawed, no where did he mention he was bound by the ISP not offering OSPF in the "cloud", he has already stated he has layer 2 links (Assuming Metro-E) and VPN links (This would managed by his equipment, another assumption), which in both cases would be transparent to the SP anyway.

Author

Commented:
Thank you all for the feedback.  I am not against using BGP as well as OSPF.  But I would like to keep it as clean and neat as possible.  Based on the feedback it sounds like I should place the remote sites in different areas.  The use of stub areas for the poorly manages sites sounds interesting and I would like to look into this.   So with a stub area in place,  failure of the primary link would result in the use of the static route with higher AD in order to route traffic over the backup link.  Is that correct?  Does that mean I have to carry the static route for the backup scenario on all the routers used for the connections to the remote site?

Commented:
This is correct, but it is not compulsory. If you will need help with BGP with OSPF design, you can open another question. I do this all the time for my customers. If you have multiple sites, it is easier to use BGP to communicate with your remote sites. BGP  removes dealing with static routes. It is cleaner and moreover, all you have to do is to do one way redistribution. Cisco does not discourage redistribution. I am CCIE and I know what I am talking about.
You do static routes in the core as a back door to your remote sites. However, bear in mind that if you lose your ISP, the static routes don't mean anything. You can look into bacup link synario where you can use VPN as backup to your remote sites.
Top Expert 2010

Commented:
Do you have a network diagram that depicts your setup; this would allow us to give you a solid, stable, and efficient solution. I am not against utilizing OSPF and BGP; however, certain designs require both and others that don't. You also have to conider convergence times, BGP doesn't handle failures or recovery in the same fashion the IGPs do, BGP is much slower. Additionally, it is best practice to utilize one routing protocol for your network; the use of additional routing protocols is some cases will require redistribution, and the use of redistribution can cause networks to become complex and in some cases unstable due to the possiblitlity of routing loops to occur if mutal redistibution is use, and this typically is control utilizing route maps.

Additionally, can you please elaborate on your comment "however, also include dynamic routing to other company networks and locaitions" Do you mean to other businesses (Vendors) that you interact with? I was under the impression you meant other company networks such as Engineering, sales, manufacturing, etc.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial