ospf network advertising

hell_angel (asker, Malaysia):

Hi...

I have a Cisco ASA firewall configured with OSPF for MPLS routing.
Behind my firewall is the given subnet 192.168.1.0/24, which is subnetted into /26 for 4 VLANs at the datacenter.

After configuring, I can PING my VLAN1, which is connected to the firewall.
From the end users' core switch, they can see my VLAN 1 subnet /26 appear in their routing table.
But they can't reach the other three.

I found that there is no routing table entry for the other 3 subnets.

How can I force the advertising of the remaining 3? Can I just publish /26 for the 4 VLANs, or can I do it in /24?

Please advise.
Craig Beck (United Kingdom):
If the other 3 /26 networks are routed via the same router you can advertise the /24.

The router at the DC should be routing all 4 /26 networks, right?  So in OSPF on the DC router you need something like...

router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
hell_angel (asker):

Sorry... my device for OSPF is a Cisco ASA firewall.
How should I do that?

Or should I configure my core switch with OSPF as well, so it will publish all connected VLAN subnets to my ASA?
Craig Beck:
Does your ASA have a default route?
hell_angel (asker):
Yes, it has one. It goes to the internet.

My firewall has 3 interfaces:

eth0 - inside (server farm)

eth1 - inside (MPLS users outside the datacenter)

eth2 - outside (internet)
Craig Beck:
So can you show the routing table for the ASA, and the OSPF config you already have?
hell_angel (asker):
Do you want to see my routing table?
Craig Beck:
Yes - the ASA has a routing table.  Can I see it, and the OSPF config from the ASA?
hell_angel (asker):
There is a lot of confidential information that I am not comfortable posting here. Is there any specific part that you want me to extract?
Craig Beck:
Yes, just the routing table (excluding any public IP addresses) and the OSPF configuration commands.
hell_angel (asker):
Hi... below is the part of the routing table that is related to my case. The actual IP range used is 10.32.60.0/24, which is my inside network, subnetted into /26.

------------------------------------------------------------------------------------------
S    10.32.60.0 255.255.255.192 [1/0] via 10.32.60.193, Inside
C    10.32.30.40 255.255.255.248 is directly connected, Inside-MPLS
                               [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.104 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.132 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
O E2 10.18.14.136 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.196 255.255.255.252
C    10.32.60.192 255.255.255.192 is directly connected, Inside
S    10.32.60.64 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
----------------------------------------------------------------------------------------------
My OSPF configuration is as below.

------------------------------------------------------
router ospf 313
router-id 10.32.30.46
network 10.32.30.40 255.255.255.248 area 100
network 10.32.60.0 255.255.255.192 area 100
network 10.32.60.64 255.255.255.192 area 100
network 10.32.60.128 255.255.255.192 area 100
network 10.32.60.192 255.255.255.192 area 100
network 10.32.60.0 255.255.255.0 area 100
area 100 authentication
------------------------------------------------

I have static routes on the ASA as return routes to my inside VLANs.
I tried using redistribute connected, but it didn't help.

Thanks
Craig Beck:
I'm wondering why, if this is a branch (or stub), you have this...

S    10.32.60.0 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.64 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside


Surely you should get to the other 3 sites via the MPLS?
hell_angel (asker):
The remote side is BGP.
From show ip route, it only shows that the subnet belongs to my ASA inside subnet.
Craig Beck:
So why are the above routes reachable via the inside interface, and not the MPLS interface?
hell_angel (asker):
Those are there to provide return routes back to my core switch for those VLANs.
Craig Beck:
OK, can you give a diagram of how all sites are connected and show the subnets for each site?
hell_angel (asker):
Hi craigbeck,

Sorry for the late response, as I was stuck with some other issue.
I will attach the diagram as soon as possible.

Thanks again

hell_angel (asker):
Apologies for the late reply...
Attached is the diagram for the infra.
issue.jpg
Craig Beck:
Your diagram doesn't match the OP...

Anyhow, you need a static route for the 192.168 networks pointing to the IP of the L3 switch, then you need to redistribute static routes into OSPF on the ASA.
hell_angel (asker):
Sorry... I can't follow this... can you explain more about "you need a static route for the 192.168 networks pointing to the IP of the L3 switch"?

In the firewall's OSPF, I should redistribute the subnet with a custom netmask, right?
Craig Beck (asker-certified solution):
route Inside 192.168.30.0 255.255.255.0 <IPOFL3SWITCH>
route Inside 192.168.40.0 255.255.255.0 <IPOFL3SWITCH>
route Inside 192.168.50.0 255.255.255.0 <IPOFL3SWITCH>
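Editor's note, added example (not part of the thread, not Craig Beck's or the asker's config): the two answers above, the "/26 or /24" question from the first post and the "static route plus redistribute static" solution, put together for the addresses the asker actually posted. The point that ties them together is that on the ASA, as on IOS, a `network` statement only selects which interfaces run OSPF; it never originates a route for a prefix the ASA has no address in. The ASA only holds 10.32.60.192/26 on Inside, so the extra `network 10.32.60.0/.64/.128` lines in the posted config match no interface and do nothing, `redistribute connected` can only re-announce the one connected /26, and the three /26s behind the core switch, which the ASA knows only as static routes, reach OSPF only through `redistribute static`. Interface names, process ID, router-id, area 100 and the core-switch next hop 10.32.60.193 are taken from the thread; the prefix-list and route-map names are assumptions, and the `summary-address` line is optional.

```cisco
! ===== ASA (added example; names DC-SERVER-NETS / STATIC-TO-OSPF are assumptions) =====
!
! Return routes for the three VLAN /26s that live on the core switch (10.32.60.193).
! The fourth /26, 10.32.60.192/26, is directly connected on Inside and needs no route.
route Inside 10.32.60.0   255.255.255.192 10.32.60.193
route Inside 10.32.60.64  255.255.255.192 10.32.60.193
route Inside 10.32.60.128 255.255.255.192 10.32.60.193
!
! Only the DC server prefixes (the /24 or any /25 or /26 inside it) may be redistributed.
! Any other static route on the ASA is kept out of OSPF by this filter.
prefix-list DC-SERVER-NETS seq 10 permit 10.32.60.0/24 le 26
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list DC-SERVER-NETS
!
router ospf 313
 router-id 10.32.30.46
 ! network statements select OSPF interfaces only: the MPLS link and the Inside /26
 network 10.32.30.40 255.255.255.248 area 100
 network 10.32.60.192 255.255.255.192 area 100
 area 100 authentication
 ! "subnets" is required, otherwise only classful networks are redistributed
 redistribute static subnets route-map STATIC-TO-OSPF
 ! optional: advertise one 10.32.60.0/24 external route instead of three /26s
 summary-address 10.32.60.0 255.255.255.0
!
! ===== L3 core switch, IOS syntax (for the default-route question later in the thread) =====
! The /26s are the switch's own SVIs, so it needs no per-VLAN routes toward the ASA,
! only its existing default route to the ASA Inside address.
! ip route 0.0.0.0 0.0.0.0 <IPOFASAINSIDE>
!
! ===== Verification =====
! ASA:              show route static
!                   show ospf database external
! OSPF router across the MPLS (IOS): show ip route ospf | include 10.32.60
```

After this the MPLS routers should list 10.32.60.0/24 (or the three /26s without the `summary-address` line) as O E2 routes, the same type as the 10.18.14.x entries already in the posted routing table, which also shows that area 100 is a normal area and can carry the external routes an ASBR injects (a stub area could not). Two caveats for the production config: `area 100 authentication` only sets the mode, the actual key goes on the Inside-MPLS interface with `ospf authentication-key`, or `ospf message-digest-key <id> md5 <key>` together with `area 100 authentication message-digest`, and must match the MPLS routers; and keep the route-map even though it is optional, so that a static route added later on the ASA cannot leak into OSPF by accident.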

hell_angel (asker):
Is the layer 3 switch you mentioned at the users' end or the server end?

I will draft you a new diagram.
Craig Beck:
Server end.
hell_angel (asker):
Hi Craigbeck,

Please refer to the updated diagram. Can I say that I should add the below to my firewall's OSPF routing?

route Inside 10.32.60.0 255.255.255.192 10.32.60.1
route Inside 10.32.60.32 255.255.255.192 10.32.60.1
route Inside 10.32.60.64 255.255.255.192 10.32.60.1

Does it mean that from the end users' core switch, they will see those subnets published to their core switch?
These commands are already configured on the ASA to provide return-route traffic to the core switch.


Thanks
issue.jpg
hell_angel (asker):
Hi.. we already have a default route to the ASA interface.
The subnet we assigned is "any".

Do you mean we still need to assign the following?
ip route 172.16.10.0 255.255.0.0 <IPOFASAINSIDE>
ip route 172.16.20.0 255.255.0.0 <IPOFASAINSIDE>