Asked by hell_angel

OSPF network advertising

Hi...

I have a Cisco ASA firewall configured with OSPF for MPLS routing.
Behind my firewall is a given subnet 192.168.1.0/24, and it is subnetted to /26 for 4 VLANs at the datacenter.

After configuring, I can ping my VLAN 1, which is connected to the firewall.
From the end users' core switch, they can see my VLAN 1 /26 subnet appear in their routing table.
But they can't reach the other three.

Found that there is no routing table entry for the other 3 subnets.

How can I force the advertising for the remaining 3? Can I just publish /26 for the 4 VLANs, or can I do it as a /24?

Please advise.
Tags: Networking Protocols, Networking Hardware-Other, Networking


8/22/2022 - Mon
Craig Beck

If the other 3 /26 networks are routed via the same router you can advertise the /24.

The router at the DC should be routing all 4 /26 networks, right?  So in OSPF on the DC router you need something like...

router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
ASKER
hell_angel

Sorry... my device for OSPF is a Cisco ASA firewall.
How should I do that?

Or should I configure my core switch for OSPF as well, so it will publish all connected VLAN subnets to my ASA?
Craig Beck

Does your ASA have a default route?
ASKER
hell_angel

Got. It goes to the internet.

My firewall has 3 interfaces.

eth0 - inside (server farm)

eth1 - inside (MPLS users at outside datacenter)

eth2 - outside (internet)
Craig Beck

So can you show the routing table for the ASA, and the OSPF config you already have?
ASKER
hell_angel

Do you want to have my routing table?
Craig Beck

Yes - the ASA has a routing table.  Can I see it, and the OSPF config from the ASA?
ASKER
hell_angel

There is a lot of confidential information that is not convenient for me to post here. Any specific part that you want me to extract?
Craig Beck

Yes just the routing table (excluding any public IP addresses) and the OSPF configuration commands.
ASKER
hell_angel

Hi... below is the routing table related to my case. The actual IP used is 10.32.60.0/24, which is my inside and is subnetted to /26.

------------------------------------------------------------------------------------------
S    10.32.60.0 255.255.255.192 [1/0] via 10.32.60.193, Inside
C    10.32.30.40 255.255.255.248 is directly connected, Inside-MPLS
                               [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.104 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.132 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
O E2 10.18.14.136 255.255.255.252
           [110/1] via 10.32.30.41, 2:20:44, Inside-MPLS
           [110/1] via 10.32.30.42, 2:20:44, Inside-MPLS
O E2 10.18.14.196 255.255.255.252
C    10.32.60.192 255.255.255.192 is directly connected, Inside
S    10.32.60.64 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
----------------------------------------------------------------------------------------------
My OSPF configuration is as below.

------------------------------------------------------
router ospf 313
router-id 10.32.30.46
network 10.32.30.40 255.255.255.248 area 100
network 10.32.60.0 255.255.255.192 area 100
network 10.32.60.64 255.255.255.192 area 100
network 10.32.60.128 255.255.255.192 area 100
network 10.32.60.192 255.255.255.192 area 100
network 10.32.60.0 255.255.255.0 area 100
area 100 authentication
------------------------------------------------

I had a static route at the ASA for the return route to my inside VLANs.
Tried to use redistribute connected, no help.

Thanks
Craig Beck

I'm wondering why if this is a branch (or stub) you have this...

S    10.32.60.0 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.64 255.255.255.192 [1/0] via 10.32.60.193, Inside
S    10.32.60.128 255.255.255.192 [1/0] via 10.32.60.193, Inside


Surely you should get to the other 3 sites via the MPLS?
ASKER
hell_angel

The remote is BGP.
From show IP route, only the subnet that belongs to my ASA inside subnet appears.
Craig Beck

So why are the above routes reachable via the inside interface, and not the MPLS interface?
ASKER
hell_angel

Those are to have a return route back to my core switch for those VLANs.
Craig Beck

Ok can you give a diagram of how all sites are connected and show subnets for each site?
ASKER
hell_angel

Hi craigbeck,

Sorry for the late response, as I was stuck with some other issue.
I will attach the diagram as soon as possible.

Thanks again
ASKER
hell_angel

Apologies for the late reply...
Attached is the diagram for the infra.
issue.jpg
Craig Beck

Your diagram doesn't match the OP...

Anyhow, you need a static route for the 192.168 networks pointing to the IP of the L3 switch, then you need to redistribute static routes into OSPF on the ASA.
ASKER
hell_angel

Sorry... can't catch it... can you explain more on this: "you need a static route for the 192.168 networks pointing to the IP of the L3 switch"

At the firewall OSPF, I should redistribute the subnet with a custom netmask, right?
ASKER CERTIFIED SOLUTION
Craig Beck

ASKER
hell_angel

route Inside 192.168.30.0 255.255.255.0 <IPOFL3SWITCH>
route Inside 192.168.40.0 255.255.255.0 <IPOFL3SWITCH>
route Inside 192.168.50.0 255.255.255.0 <IPOFL3SWITCH>

Is the layer 3 switch mentioned at the users' end or the server end?

I will draft a new diagram for you again.
Craig Beck

Server end.
ASKER
hell_angel

Hi Craigbeck

Please refer to the updated diagram. Can I say that I should add the below to my firewall OSPF route?

route Inside 10.32.60.0 255.255.255.192 10.32.60.1
route Inside 10.32.60.32 255.255.255.192 10.32.60.1
route Inside 10.32.60.64 255.255.255.192 10.32.60.1

Does it mean that from my end users' core switch, they will see those subnets published to their core switch?
The command is already configured at the ASA to provide return route traffic to the core switch.


Thanks
issue.jpg
ASKER
hell_angel

Hi.. we already have a default route to the ASA interface.
The subnet we assigned is any.

Do you mean we still need to assign..?
ip route 172.16.10.0 255.255.0.0 <IPOFASAINSIDE>
ip route 172.16.20.0 255.255.0.0 <IPOFASAINSIDE>
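
Added example, not part of the thread and not code from any participant: a simplified Python model of which prefixes the ASA's OSPF process can advertise, built from the routing table, OSPF configuration and route statements posted above. It assumes a `network` statement only enables OSPF on directly connected subnets and that static routes enter OSPF only through redistribution, as Craig Beck advises; the function names are illustrative.

```python
import ipaddress

# Values copied from the routing table and OSPF config posted in the thread.
CONNECTED = ["10.32.30.40/255.255.255.248", "10.32.60.192/255.255.255.192"]
STATIC = ["10.32.60.0/255.255.255.192", "10.32.60.64/255.255.255.192",
          "10.32.60.128/255.255.255.192"]
NETWORK_STATEMENTS = [
    "10.32.30.40/255.255.255.248", "10.32.60.0/255.255.255.192",
    "10.32.60.64/255.255.255.192", "10.32.60.128/255.255.255.192",
    "10.32.60.192/255.255.255.192", "10.32.60.0/255.255.255.0",
]
# Route statements the asker proposes later in the thread.
PROPOSED = ["10.32.60.0/255.255.255.192", "10.32.60.32/255.255.255.192",
            "10.32.60.64/255.255.255.192", "172.16.10.0/255.255.0.0",
            "172.16.20.0/255.255.0.0"]


def parse(prefix):
    """Parse 'address/mask'; raises ValueError if host bits are set."""
    return ipaddress.ip_network(prefix)


def advertised(connected, static, statements, redistribute_static=False):
    """Assumed model: network statements pick up connected subnets only;
    static routes are advertised only when redistributed."""
    areas = [parse(s) for s in statements]
    routes = {c for c in map(parse, connected)
              if any(c.subnet_of(a) for a in areas)}
    if redistribute_static:
        routes |= {parse(s) for s in static}
    return [str(r) for r in sorted(routes)]


def misaligned(prefixes):
    """Return prefixes whose address is not on the boundary of its mask."""
    bad = []
    for p in prefixes:
        try:
            parse(p)
        except ValueError:
            bad.append(p)
    return bad


if __name__ == "__main__":
    print("network statements only:", advertised(CONNECTED, STATIC, NETWORK_STATEMENTS))
    print("with redistribute static:", advertised(CONNECTED, STATIC, NETWORK_STATEMENTS, True))
    print("not on a mask boundary:", misaligned(PROPOSED))
```

With the network statements alone, only the two connected subnets are advertised, which matches the remote side seeing a single /26 from the inside range.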