Backup to multilink in ospf

A multilink group having only one serial line as amember is configured on RouterA and similar on RouterB. Both routers hace PRI lines as backup having loopback address. OSPF is running on these multilink interfaces and it forms neighbor relationship with each other. So far it seems ok. As a backup to this multilink interface ( serial interface ) can one of the channel from PRI be configured to dial other router and also form a neighbor relationship.
Fro example :
RouterA and RouterB are neighbors on multilink interface. and using their loopbackl address. If serial link fails can RouterA diales to RouterB on PRI line and forms the neighbor relationship. Loopback address is already published in ospf process.
Thanks in advance
Any link on Cisco.com

bapat
I see no reason why you could not have a channel from the PRI establish a connection. If you are interested in that I think you should consider using the OSPF demand-circuit feature on the dialer. This link should give you information to get started with that:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094a8f.shtml
HTH
Rick

Similar Messages

Best-practice to redistribute NAT entries into OSPF

I have several different subnets that are all either NAT'd or accessible via a VPN. There's no actual route on the ASA to the addresses, and they're not directly connected, eliminating the usual redistribution commands.
What is the best-practice for redistributing such entries into an OSPF area? In the past, I've had static entries on the upstream firewall, allowing the rest of the network to see this. I'm trying to get rid of as many static routes as possible (or at least make them a floating route so as to provide backup should something in OSPF fail), but am having difficulty figuring out how to redistribute these into the OSPF area.
I can't use a summary-address command as there's no external routes that are being redistributed. The area range command is out as I don't have a separate area that routes are being redistributed from.
One thought I've had is to create a static null route for each subnet (allowing me to redistribute static, and have the static entries only on the originating box), but I imagine rather than NAT'ng or open the site-to-site VPN, it would discard traffic (as the destination is null).
Any ideas on what to do when you have "imaginary" addresses that don't exist anywhere but in NAT entries or that's defined as interesting traffic for a site-to-site VPN?
Thanks in advance.

I have the code working without use of config files. I am just disappointed that it is not working using the configuration files. That was one of the primary intents of my code re-factoring.
Katherine
Xiong , If you are proposing this as an answer then does this imply that Microsoft's stance is not to use configuration files with SSIS?? Please answer.
SM

Multihoming Primary/Backup PE MPLS VPN

Hi there,
I kind of stuck of implementing and configuring Primary/Backup scenario for MPLS VPN enviroment.
Currently, only singe CE router connected to 2 PE router, Primary PE and Backup PE in the same POP.
PE-CE IGP is running OSPF. On CE router prespective, how do I achieve primary/backup scenario and on other remote PE, how does MPLS VPN cloud noticed that there is Primary and Backup PE towords this CE router?
Any configuration or sample out there? Appreciate for the help.
regards,
maher

Hello Maher,
I would try to set the interface metric to a higher value for the backup PE. With OSPF->BGP redistribution you should then get a higher MED in BGP making the path less preferable. Example:
interface Serial0/0
description to primary PE
ip ospf cost 100
interface Serial0/1
description to backup PE
ip ospf cost 1000
Alternatively you could modify the MED while redistributiing into BGP:
router bgp 65000
address-family ipv4 vrf VRFname
redistribute ospf 123 vrf VRFname match internal external route-map OSPF2BGP
route-map OSPF2BGP permit 10
set metric 10000
Hope this helps! Please rate all posts.
Regards, Martin

ZBFW Intra zone traffic not working

I am having an issue on one of our 2811 routers where I can't get traffic between interfaces within the same zone to flow. I know this should happen by default and that's why it is so confusing.
One of the interfaces is fastethernet0/0.1 which is internal LAN And the others are tunnel interfaces using IPSEC tunnel protection back to the main datacenter. By design one tunnel is preferred over the other by using OSPF costing. Due to this there doesn't seem to be any asymmetric routing.
I inter zone traffic working just fine by defining the policy and zone pair. It is just when I enable another zone on our internal LAN interfaces it stops passing traffic. Just to note I do have this working on our LAB 2811 router running the same IOS version.
Any recommendations would be helpful. I have a case open with TAC but they aren't figuring it out. So now I'm calling the experts.
Thanks in advance. Elton
Sent from Cisco Technical Support iPhone App

Here is the sanitized configuration. The zone that I am trying to apply is "LAN".
I would like to apply it to all of the tunnel interfaces along with the fastethernet0/0.1 interface. This is working on another 2811 router.
Thanks again for the assistance.
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
hostname ****************
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 16384 informational
enable secret 5 ******************************
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa session-id common
clock timezone est -5
clock summer-time SummerTime recurring
dot11 syslog
ip source-route
ip traffic-export profile CAPTURE mode capture
bidirectional
incoming access-list CAPTURE_IN
outgoing access-list CAPTURE_OUT
length 512
ip cef
ip dhcp excluded-address 192.168.43.33 192.168.43.37
ip dhcp pool CREDIT_CARD_SCANNERS
   network 192.168.43.32 255.255.255.224
   default-router 192.168.43.33
   dns-server 4.2.2.2 8.8.4.4
   lease 2
no ip domain lookup
ip multicast-routing
ip inspect log drop-pkt
ip inspect name incoming tcp router-traffic
ip inspect name incoming udp router-traffic
login on-failure log every 3
no ipv6 cef
ntp server 10.69.16.1
multilink bundle-name authenticated
isdn switch-type basic-ni
voice-card 0
crypto pki trustpoint TP-self-signed-218647659
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-218647659
revocation-check none
rsakeypair TP-self-signed-218647659
crypto pki certificate chain TP-self-signed-218647659
certificate self-signed 03
30820242 308201AB A0030201 02020103 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313836 34373635 39301E17 0D313130 36303831 38303833
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3231 38363437
36353930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
F9FF373A F00F58CF F4C6E6B1 C7676D6E EBD0D2D1 E239FAAA 42BD4335 B779D873
A2D654FA 04F47F90 CCC79596 B3D5B719 D3994E6E 43B05D4D 4419D92C F8EC6149
5094F9AB 7CB11EFA 5E72B723 A04D2999 BB43A8B8 11314E45 CA26BA77 909A63AA
64A95D75 411C5141 026AA11A EA27724F A6832EBF A0C5DD7B A1E48803 4B8C0585
02030100 01A36C30 6A300F06 03551D13 0101FF04 05300301 01FF3017 0603551D
11041030 0E820C42 524B2D43 32383131 2D543130 1F060355 1D230418 30168014
CA02D9F0 3B1772EE BECCFD40 888CD35B 4BF00440 301D0603 551D0E04 160414CA
02D9F03B 1772EEBE CCFD4088 8CD35B4B F0044030 0D06092A 864886F7 0D010104
05000381 810077C0 3260CF10 8652CE8D 6B0DE3F8 9BD87870 51087020 E00CC56B
F01EBC1C F6DE78D9 D309E3D6 B63B713C 80FEE77B CEA7AD0D 3CA587B3 26912CC8
EADA52D9 74698936 B8196FE0 120071EA B9F4CF3C 14D9E67C 34A0EA61 192BF856
F77B5034 D45834CE D38D241A B1B08694 C786FAAF 9833D6DD DDF00562 F4839A51
7ECEE3C1 BC06
        quit
username ************************** privilege 15 secret 5 ***********************************
archive
log config
hidekeys
crypto isakmp policy 1
authentication pre-share
crypto isakmp key ***************** address *****************
crypto isakmp key **************** address *********************
crypto isakmp key ************* address **********************
crypto isakmp key ******************* address *********************
crypto isakmp keepalive 120 periodic
crypto ipsec transform-set TRANSFORM-AES esp-aes esp-sha-hmac
crypto ipsec transform-set TRANSFORM-AES-TRAN esp-aes esp-sha-hmac
mode transport require
crypto ipsec profile PROFILE-DMVPN
set transform-set TRANSFORM-AES
crypto ipsec profile PROFILE-DMVPN-TRAN
set transform-set TRANSFORM-AES-TRAN
track 1 ip sla 1 reachability
track 10 interface FastEthernet0/1 line-protocol
class-map type inspect match-any CC_SCAN_TRAFFIC_CLASS
match access-group name CC_SCAN_OUT
class-map type inspect match-all BBDBU-CMAP
match access-group name BBDBU
policy-map type inspect CC_SCAN_TRAFFIC_POLICY
class type inspect CC_SCAN_TRAFFIC_CLASS
inspect
class class-default
drop log
policy-map type inspect BBDBU-PMAP
class type inspect BBDBU-CMAP
pass
class class-default
drop log
zone security internet
zone security CC_SCAN_LAN
zone security LAN
zone-pair security self-to-internet source self destination internet
service-policy type inspect BBDBU-PMAP
zone-pair security internet-to-self source internet destination self
service-policy type inspect BBDBU-PMAP
zone-pair security CC_SCAN-TO-INTERNET source CC_SCAN_LAN destination internet
service-policy type inspect CC_SCAN_TRAFFIC_POLICY
interface Tunnel1
description Broadband backup circuit
bandwidth 256
ip address 10.69.7.111 255.255.255.0
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication ****************
ip nhrp map 10.69.7.1 *********************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.7.1
ip nhrp server-only
ip ospf authentication-key 7 *******************
ip ospf network broadcast
ip ospf cost 130
ip ospf priority 0
tunnel source FastEthernet0/1
tunnel destination ********************
tunnel key ********************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel2
description Backup Tunne2
bandwidth 512
ip address 10.69.10.111 255.255.255.0
ip mtu 1400
ip pim sparse-mode
ip nhrp authentication **************
ip nhrp map 10.69.10.1 ********************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.10.1
ip nhrp server-only
ip ospf authentication-key 7 ********************
ip ospf network broadcast
ip ospf priority 0
tunnel source FastEthernet0/1
tunnel destination ********************
tunnel key *********************
tunnel path-mtu-discovery
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel16
description mGRE TUNNEL FOR NYe0008981
bandwidth 1500
ip address 10.69.4.111 255.255.255.0
ip mtu 1400
ip flow ingress
ip pim sparse-mode
ip nat outside
ip nhrp authentication ****************
ip nhrp map 10.69.4.1 *********************
ip nhrp network-id ***************
ip nhrp holdtime 300
ip nhrp nhs 10.69.4.1
ip nhrp server-only
ip virtual-reassembly
ip ospf network broadcast
ip ospf cost 120
ip ospf priority 0
tunnel source Serial0/0/0
tunnel destination ******************
tunnel key ******************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface Tunnel17
description mGRE TUNNEL FOR NYe0008981
bandwidth 1450
ip address 10.69.8.111 255.255.255.0
ip mtu 1400
ip flow ingress
ip pim sparse-mode
ip nhrp authentication *******************
ip nhrp map 10.69.8.1 ****************
ip nhrp network-id **************
ip nhrp holdtime 300
ip nhrp nhs 10.69.8.1
ip nhrp server-only
ip ospf network broadcast
ip ospf cost 125
ip ospf priority 0
tunnel source Serial0/0/0
tunnel destination *****************
tunnel key ****************
tunnel protection ipsec profile PROFILE-DMVPN-TRAN
interface FastEthernet0/0
description PARENT INTERFACE
no ip address
ip flow ingress
ip traffic-export apply CAPTURE size 10000000
duplex auto
speed auto
interface FastEthernet0/0.1
description DEFAULT VLAN
encapsulation dot1Q 1 native
ip address 10.27.19.1 255.255.255.0
ip helper-address 10.69.16.7
ip pim sparse-mode
ip tcp adjust-mss 1344
ip traffic-export apply CAPTURE size 10000000
ip policy route-map PBR
ip ospf priority 0
interface FastEthernet0/0.10
description INITIAL VLAN
encapsulation dot1Q 10
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.20
description AUTH-FAIL VLAN
encapsulation dot1Q 20
ip traffic-export apply CAPTURE size 10000000
shutdown
interface FastEthernet0/0.43
description CREDIT_CARD_SCANNERS
encapsulation dot1Q 43
ip address 192.168.43.33 255.255.255.224
ip nat inside
ip virtual-reassembly
zone-member security CC_SCAN_LAN
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.98
description Remediation Vlan
encapsulation dot1Q 98
ip address 10.69.243.1 255.255.255.248
ip access-group Remediation in
ip helper-address 10.69.252.7
ip inspect incoming out
ip traffic-export apply CAPTURE size 10000000
ip ospf priority 0
interface FastEthernet0/0.99
description GUEST VLAN
encapsulation dot1Q 99
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/0.666
description VENDOR VLAN
encapsulation dot1Q 666
ip traffic-export apply CAPTURE size 10000000
interface FastEthernet0/1
mtu 1492
ip address 192.168.1.47 255.255.255.0 secondary
ip address ************************** ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security internet
duplex auto
speed auto
interface Serial0/0/0
ip address **************************
ip flow ingress
encapsulation ppp
no fair-queue
service-module t1 remote-alarm-enable
service-module t1 fdl both
no cdp enable
interface BRI0/2/0
no ip address
encapsulation ppp
shutdown
dialer pool-member 1
isdn switch-type basic-ni
isdn point-to-point-setup
isdn spid1 71878317920101 7831792
isdn spid2 71878340300101 7834030
no cdp enable
interface Async0/1/0
no ip address
encapsulation slip
interface Dialer1
description T-1 Site ISDN Backup
ip address 192.168.103.38 255.255.255.0
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer idle-timeout 120 either
dialer load-threshold 32 either
dialer-group 1
no peer default ip address
no cdp enable
ppp multilink
router ospf 1
router-id 10.27.19.1
log-adjacency-changes
area 48 stub
network 10.27.19.0 0.0.0.255 area 48
network 10.69.4.0 0.0.0.255 area 48
network 10.69.7.0 0.0.0.255 area 48
network 10.69.8.0 0.0.0.255 area 48
network 10.69.10.0 0.0.0.255 area 48
network 10.69.243.0 0.0.0.7 area 48
ip forward-protocol nd
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
ip route 198.203.191.83 255.255.255.255 ******************** track 1
ip route 198.203.192.245 255.255.255.255 *************** track 1
ip route 198.203.192.20 255.255.255.255 ****************** track 1
ip route 8.8.4.4 255.255.255.255 ***************** track 1
ip route 4.2.2.2 255.255.255.255 ******************* track 1
ip route 8.8.8.8 255.255.255.255 ********************** track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 10.48.9.254 255.255.255.255 *****************
ip route 10.48.32.101 255.255.255.255 *****************
ip route 10.48.32.102 255.255.255.255 *****************
ip route 161.11.124.78 255.255.255.255 ******************
ip route 173.226.250.130 255.255.255.255 **************
ip route 204.89.170.126 255.255.255.255 ****************
no ip http server
no ip http secure-server
ip pim rp-address 10.69.31.1
ip nat pool CC_DMV_POOL 10.27.19.253 10.27.19.253 prefix-length 24
ip nat inside source route-map CC_BB_NAT interface FastEthernet0/1 overload
ip nat inside source route-map CC_DMV_NAT pool CC_DMV_POOL overload
ip tacacs source-interface FastEthernet0/0.1
ip access-list extended BBDBU
permit esp host *****************************
permit udp host **************************
permit gre host *******************************
permit udp host ****************************
permit gre host **************************
permit esp host ***********************
permit ip host **************************
permit ip host *****************************
permit icmp any host 8.8.8.8 echo
permit icmp host 8.8.8.8 any echo-reply
ip access-list extended BRK
permit ip 10.27.19.0 0.0.0.255 host 10.69.31.128
ip access-list extended CAPTURE_IN
permit ip host 10.27.19.10 host 10.69.66.108
ip access-list extended CAPTURE_OUT
permit ip host 10.69.66.108 host 10.27.19.10
ip access-list extended CC_SCAN_OUT
permit icmp 192.168.43.32 0.0.0.31 host 8.8.8.8
permit udp 192.168.43.32 0.0.0.31 host 8.8.8.8 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 8.8.8.8 eq domain
permit tcp 192.168.43.32 0.0.0.31 host *************************
permit tcp 192.168.43.32 0.0.0.31 host **************************
permit tcp 192.168.43.32 0.0.0.31 host **************************
permit udp 192.168.43.32 0.0.0.31 host 4.2.2.2 eq domain
permit udp 192.168.43.32 0.0.0.31 host 8.8.4.4 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 4.2.2.2 eq domain
permit tcp 192.168.43.32 0.0.0.31 host 8.8.4.4 eq domain
ip access-list extended Remediation
permit ip 10.69.240.0 0.0.15.255 host 10.69.252.7 log
permit icmp 10.69.240.0 0.0.15.255 10.69.66.0 0.0.0.255 log
permit tcp any host 10.69.16.182 eq 443 log
permit tcp any host 10.69.17.38 eq 8444 log
permit udp any any eq bootps
deny   ip any any
ip access-list extended VTY
permit tcp 10.69.66.0 0.0.0.255 any eq telnet log
permit tcp 10.69.66.0 0.0.0.255 any eq 22 log
permit tcp 10.69.31.0 0.0.0.255 any eq 22 log
permit tcp 10.69.31.0 0.0.0.255 any eq telnet log
permit tcp 10.48.32.96 0.0.0.7 any eq telnet log
permit tcp 10.48.32.96 0.0.0.7 any eq 22 log
permit tcp 1.11.1.0 0.0.0.255 any eq telnet log
permit tcp 1.11.1.0 0.0.0.255 any eq 22 log
deny   ip any any
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0/1
timeout 7000
threshold 7000
frequency 10
ip sla schedule 1 life forever start-time now
logging 10.69.27.129
access-list 1 permit 10.69.66.11
access-list 1 remark SNMP Managers
access-list 1 permit 10.69.31.97
access-list 1 permit 10.69.31.100
access-list 1 permit 10.69.31.101
access-list 1 permit 10.69.66.59
access-list 1 permit 10.69.66.108
access-list 1 permit 10.69.16.223
access-list 1 permit 10.69.30.242
access-list 1 permit 10.69.16.250
access-list 1 permit 10.69.19.229
access-list 1 permit 10.69.16.150
access-list 1 permit 10.69.27.129
access-list 4 permit 10.69.31.148
access-list 4 permit 10.69.31.149
access-list 4 permit 10.69.31.150
access-list 4 permit 10.69.31.151
access-list 101 deny   ospf any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
route-map CC_DMV_NAT permit 10
match ip address CC_SCAN_OUT
match interface Tunnel16
route-map PBR permit 10
description BRK
match ip address BRK
set ip next-hop 10.69.7.1
route-map CC_BB_NAT permit 10
match ip address CC_SCAN_OUT
match interface FastEthernet0/1
snmp-server community ******************
snmp-server community *****************
snmp-server community ******************
snmp-server location **********************
snmp-server enable traps snmp coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon
snmp-server enable traps config
snmp-server enable traps syslog
tacacs-server host 10.69.31.18 timeout 10
tacacs-server host 10.69.31.17
tacacs-server directed-request
tacacs-server key 7 ********************
control-plane
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
banner login ^C************************************
Unauthorized Entry To This Device Is
        STRICTLY PROHIBITED
************************************^C
line con 0
exec-timeout 30 0
logging synchronous
line aux 0
line 0/1/0
exec-timeout 60 0
modem InOut
modem autoconfigure discovery
transport input all
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
access-class VTY in
exec-timeout 30 0
password 7 *********************
logging synchronous
transport input ssh
scheduler allocate 20000 1000
end

Design Help with MPLS/BGP and Point to Point VPNs using OSPF as backup

I need some advice on the configuration I want to implement. Basically we have a MPLS cloud using BGP. We are using OSPF for internal routing. Everything is working fine. Now we want to add a Point to Point VPN using new Cisco ASA's for a backup path at all of our remote locations. We want it to be on standby. I want to use OSPF for this. Miami and LA are datacenters. I want the VPN's to go into both datacenters if possible running OSPF for backups. I have a feeling this will be very tricky. I also wanted to use floating routes. Now I know I get the VPN's up and running using OSPF with no problem. Here are my questions:
But being that I am using different areas, will OSPF through the VPN work correctly? I have the Cisco PDF on setting this up but it looks like they are using the same, AREA0, in the example.
Can I get both VPN's to work with no problems? Or will it be too much of a pain?
What would you guys suggest?
Thanks.

We are implementing the same solution, and was only able to make this work using HSRP one router for the MPLS connection and one for the VPN tunnel. I opened a TAC case and the tech couldn't get it to work either. I was able to establish the Lan-2-lan tunnel but triggering the route update was the problem. We ended up pulling our ASA5505's out and putting in 1841 routers.

How can I implement a backup 6500 that broadcasts the same OSPF networks?

I feel as though the answer for this is extremely simple, but my routing experience is very minimal. We have a 6500 switch that shares about 10 OSPF networks, which is behind out 7200 router; and we have a spare 6500 we would like to put into place at our second location as a failover. Can I add the same OSPF networks to this second 6500, or will this cause issues since two switches will be broadcasting the same network.
In the case that our core 6500 goes down, i would need the other 6500 to continue broadcasting these networks.

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Yes, it's possible for two locations to advertize the same networks, but this implies that both locations can (normally) reach all the hosts on those networks (at either location). Also, if there's some kind of failure, some hosts (like one location's hosts) often can no longer be reached. That's normally ok, but what's normally not okay is for hosts on the same network to be partitioned.
Also, when you start to have networks across locations, sometimes there's requirements for hosts to logically migrate to the site that still is advertizing the host's network.
It can all get rather complicated depending on what exactly you're trying to accomplish.

Load balancing in ospf

Hi,
We are having two links 4 mbps and 2 mbps, and we are running OSPF on these lines. How do we load balance on these lines ? As per bandwidth . That is 75 % of data should flow on 4 mb line and 25 5 should flow on 2 mb line. Is such balancing possible on OSPF process.
Thanks in advance
Subodh

Hi Subodh
I don't think you will be able to do that (75% & 25% load on the links) with normal ospf config.
But you can try out configuring Multilink by bundling both the links so that you can expect even load balancing on the bundled links.
If you are having ethernet drop on your 4 Mbps then you wont be able to bundle the links..
Also if you are having 4 Mbps as ethernet drop then you can try doing backup interface and backup load command which will point your 2 Mbps link as your secondary and also forward traffic onto the secondary link once you have 75% utilizations on the primary link..
regds

How do you Redistribution EIGRP into OSPF and maintain a distance of 250 for a static route?

Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
Everything works up until the point the redistributed routes hit my RIB at my main data center where I am running IBGP. IBPG is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below what can be done to remedy this? Oh when I redistribute I can only change the AD for the backup routes, all other routes should stay the same.
56128's where my static routes are:
ip route 192.168.101.0/24 192.168.30.77 name firewall 250
router eigrp 65100
redistribute static route-map Static-To-Eigrp
route-map Static-To-Eigrp permit 10
match ip address prefix-list Static2Eigrp
ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
Edge device:
router eigrp 65100
network 172.18.0.5 0.0.0.0
network 172.18.0.32 0.0.0.3
network 172.18.0.36 0.0.0.3
redistribute ospf 65100 metric 2000000 0 255 1 1500
redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
passive-interface default
no passive-interface Port-channel11
no passive-interface Port-channel12
eigrp router-id 172.18.0.5
router ospf 65100
router-id 172.18.0.5
log-adjacency-changes
redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
passive-interface default
no passive-interface GigabitEthernet1/0/1
no passive-interface GigabitEthernet1/0/2
no passive-interface GigabitEthernet2/0/1
no passive-interface GigabitEthernet2/0/2
network 172.18.0.0 0.0.255.255 area 0
ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
route-map EIGRP_INTO_OSPF permit 10
match ip address prefix-list EIGRP_INTO_OSPF

So in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
I didnt have this problem until I moved my firewalls. They plugged into the cores where IBGP was running and the static never kicked in unless the bgp route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have.

OSPF link update-Basic Query

I am new to OSPF. I have 2 basic querys on OSPF link update.
1. How does one router communicates with every router in the OSPF area. Is it that each router communicates only with its directly connected neighbours? example.
ROUTERA-------ROUTERB-----ROUTERC-----ROUTERD----ROUTERE
Lets say link on RouterB connected to ROUTERA goes down. How does "ROUTERE" get to know about this? Is the communication is from RouterB to ROUTERC then to ROUTERD and then to ROUTERE?
2. How does router handle(forward) multicast packets?
Thanks

Hello Avil,
the way OSPF communicates depends on how your network is set up. In your case, it looks like all routers are connected back-to-back with point-to-point links. OSPF uses the concept of adjacencies: an OSPF router has an adjacency with a connected router, which means that they have the exact same view of the entire network. If you do a 'show ip ospf neighbor' on your RouterA and your RouterE, it tells you the adjacencies these routers have with other connected routers. Now let's say the link between RouterA and RouterB goes down. RouterC notifies RouterD, and RouterD notifies RouterE immediately by exchanging link-state packets.
Keep in mind that on a multiaccess segment (where multiple OSPF routers are directly connected on the same segment), the concept of DR (Designated Router) and BDR (Backup Designated Router) comes into play: on a multiaccess segment, a DR and a BDR are elected, and all other routers have full adjacencies only with the DR and the BDR.
Regarding the multicast traffic: it is handled just as unicast traffic (unless you specifically block it).
Does that make sense ? If you are just starting with OSPF, have a look at the link below, which contains a pretty good introduction of the basic concepts.
OSPF Design Guide
http://www.cisco.com/warp/public/104/2.html#4.0
HTH,
GNT

OSPF design for branch offices across MPLS

Hello fellow networking engineers,
I want to implement OSPF in our network. We have multiple branch offices, all linked to an MPLS backbone.
I know that in order to get linked areas, I would need to setup GRE tunnels between them, but I want to avoid static/manual configurations as much as possible. With multiple sites, it would become cumbersome to create a mesh real fast.
Is running OSPF independent areas at each site, and simply redistributing over eBGP a valid solution? This will host voice and data, and will failover to VPN connection (Cisco ASAs) if the MPLS goes down.
For the VPN backup links, I thought of two options. Either simply using the default route to send everything to the ASA in case of MPLS "death", or inject routes using IP SLA...
Any input would be appreciated.

Marc
You don't GRE tunnels to link your areas if that is what you want to do.
If the SP supports it then you can exchange your OSPF routes between areas and they will still be seen as inter area routes rather than OSPF externals which they would if you simply treated each area as isolated from each other.
In effect the MPLS network becomes an OSPF super backbone area and your main site would also be part of the backbone area with all your other sites having an area each.
You still redistribute your OSPF routes into BGP but with some extra configuration on both your CEs and the SP PE devices.
Like I say you would need to check with your SP but it is possible.
Whether or not you need or want it I don't know.
Your other option is as you have proposed to treat each OSPF area as an isolated one and simply redistribute into OSPF at each CE. Then within each site all non local routes would be seen as OSPF external routes.
Either way in terms of backup I would keep it simple and use a default route at each site pointing to the ASA device. I can't see what you gain from IP SLA because if the main MPLS link goes down at any site the only other path they have out is via the ASA so there is nothing really worth tracking.
The only other thing I would mention is remote site to remote site traffic. If there is any then presumably with your VPN tunnels you would be doing a sort of hub and spoke where the hub is the main site so you may need to think about traffic coming in from one VPN tunnel and going out to another VPN tunnel on the main site ASA.
This would only really be needed if two or more sites had to use their backup links at the same time.
In terms of which is better ie. OSPF inter area across the MPLS cloud or OSPF externals I can't really say to be honest. With the MPLS networks i have worked on we ran EIGRP and simply treated each remote site as an isolated AS.
If you are already running OSPF then you may want to preserve your existing areas so it would make sense to go with the inter area option.
If it is a new setup then I don't really know the pros and cons of either so can't really comment.
Perhaps others may add to the thread with their thoughts.
Jon

MPLS Network Backup

We have a MPLS network between Head office & varios branch office located across the globe. Can you suggest me the best possible backup(automatic) for this MPLS? as we are facing lot of breaks/cuts in the MPLS Network.

This is to give a fair idea.
Pls modify the conifg to suit your setup.
router ospf x
router-id x.x.x.x
network 192.168.1.0 0.0.0.255 area 1
network 192.168.2.0 0.0.0.255 area 1
network 192.168.3.0 0.0.0.255 area 1
Assumption that you have Area 0 at your MPLS CE for upwards and other VPN router upwards.
interface fa1/0
Description Connection ot MPLS CE
ip add 192.168.1.1 255.255.255.0
ip ospf cost 10
interface fa1/1
Description Connection to Backup VPN CE
ip add 192.168.2.1 255.255.255.0
ip ospf cost 100
interface vlan 10
Description Connection to Servers Subnet
ip add 192.168.3.1 255.255.255.0
HTH-Cheers,
Swaroop

OSPF downward bit in MPLS network

Hi all,
I have an issue with using the OSPF downward bit and hope someone has seen this before. It appears to do nothing in this example to prevent routes being learnt via the wrong path. That is via a backup router that has learnt the route from the site primary router which has received the OSPF route originally redistibuted into OSPF from the PE (with downward bit set).
The docco says:
"The down bit is used between the PE-routers to indicate which routes were inserted into the OSPF topology database from the MPLS VPN super-backbone and thus shall not be redistributed back in the MPLS VPN super-backbone. The PE-router that redistributes the MP-BGP route as OSPF route into the OSPF topology database sets the down bit. Other PE-routers use the down bit to prevent this route from being redistributed back into MP-BGP. "
Therefore I would not expect a route received with the downward bit set to be installed into the route table nor BGP table however the below shows it is? This has essentially created a routing scenario where core routes are learnt via a dual OSPF attached access site.
The PE receiving the incorrect route:
7609#sh ip ospf 116 database summary 192.168.104.0
            OSPF Router with ID (10.200.204.116) (Process ID 116)
        Summary Net Link States (Area 0)
LS age: 1094
Options: (No TOS-capability, DC, Downward)
LS Type: Summary Links(Network)
Link State ID: 192.168.104.0 (summary Network Number)
Advertising Router: 10.200.212.116
LS Seq Number: 80000013
Checksum: 0xFDB1
Length: 28
Network Mask: /24
    MTID: 0     Metric: 1798
7609#sh ip route vrf RED 192.168.104.0
Routing Table: RED
Routing entry for 192.168.104.0/24
Known via "ospf 116", distance 110, metric 1798, type intra area
Redistributing via bgp 100
Advertised by bgp 100 match internal external 1 & 2 nssa-external 1 & 2
Last update from 10.1.59.138 on GigabitEthernet1/0/1.3684, 00:18:23 ago
Routing Descriptor Blocks:
* 10.1.59.138, from 10.200.4.229, 00:18:23 ago, via GigabitEthernet1/0/1.3684
      Route metric is 1798, traffic share count is 1
7609#sh ip bgp vpnv4 vrf RED 192.168.104.0
BGP routing table entry for 100:116:192.168.104.0/24, version 195113
Paths: (1 available, best #1, table RED)
Advertised to update-groups:
     1
Local
10.1.59.138 from 0.0.0.0 (10.200.0.65)
      Origin incomplete, metric 1798, localpref 100, weight 32768, valid, sourced, best
      Extended Community: RT:100:116 OSPF DOMAIN ID:0x0005:0x000000740200
        OSPF RT:0.0.0.0:2:0 OSPF ROUTER ID:10.200.204.116:512
      mpls labels in/out 312/nolabel
7609#
Regards,
Kent.

Ive implemented what I consider to be a workaround, but it does now work as expected. I had to filter the updates received by the PE from the primary CPE at each site to only accept the LAN range from that site, not the LAN range from other sites that it was learning via the backup CPE, via PE, via other site backup router. I think I was barking up the wrong tree re the downward bit. This issue is because there is indirect OSPF connectivity between all the CPE's connected to the same PE. Basically the PE needs to never pass on LSA's learnt from one CPE to another CPE then we would be all ok.
I still have an issue to solve for PPP xDSL services as they all share the one loopback as an ip unnumbered interface on the PE. The same distribute list approach wont work there.
Here is what I have done. There must be a less config intense and flexible approach to this.
router ospf 116 vrf RED
distribute-list prefix RED-acacia-ospf-subnets-inbound in GigabitEthernet1/0/1.3681
distribute-list prefix RED-acacia-ospf-subnets-inbound in GigabitEthernet1/0/1.3682
distribute-list prefix RED-geebung-ospf-subnets-inbound in GigabitEthernet1/0/1.3684
distribute-list prefix RED-kawana-ospf-subnets-inbound in GigabitEthernet1/0/1.3685
distribute-list prefix RED-goldcoast-ospf-subnets-inbound in GigabitEthernet1/0/1.3686
ip prefix-list RED-geebung-ospf-subnets-inbound permit 192.168.103.0/24
ip prefix-list RED-acacia-ospf-subnets-inbound permit 192.168.100.0/24
ip prefix-list RED-acacia-ospf-subnets-inbound permit 0.0.0.0/32
ip prefix-list RED-kawana-ospf-subnets-inbound permit 192.168.104.0/24
ip prefix-list RED-goldcoast-ospf-subnets-inbound permit 192.168.101.0/24

Time Machine: "Partially Deleted Backup"

Last night, after Time Machine performed a backup and began its post-backup thinning, it got stalled on "Finishing backup... ." The system log showed that it was attempting to delete a previously partially deleted backup:
Starting standard backup
Starting post-backup thinning
Found partially deleted backup - trying again to delete: 2009-09-30-110803
The backup it was trying to delete was the last one on its list (i.e., the oldest one on that TM volume). And when I opened it up, it indeed appeared to be a partially deleted folder. So I let TM run. However, it never finished "Finishing backup... ," so after letting it run all night and all day, I simply told TM to stop. It did, and the system then added two more messages to the log, acknowledging my cancelation as well as TM's current success:
Starting standard backup
Starting post-backup thinning
Found partially deleted backup - trying again to delete: 2009-09-30-110803
Backup deletion was canceled by user
Backup completed successfully.
However, the next time TM ran, it began all over again:
Starting standard backup
Starting post-backup thinning
Found partially deleted backup - trying again to delete: 2009-09-30-110803
It's still sitting there in its "Finishing backup..." mode.
I was thinking about entering Time Machine, selecting that backup, and telling Time Machine to delete that backup—and only that backup. But I'm (a) not sure that will address the actual problem, and (b) wondering if deleting that particular backup (i.e., the oldest one on the list) is advisable.
Suggestions?

Pondini wrote:
Maxwell’s Demon wrote:
I'm aware of the multilink nature of TM's backups. What I don't understand is how you immediately concluded that the backups were corrupted.
TM finding partially deleted backups, trying repeatedly to deleted them, and failing to.
(And yes, I though you meant that you'd tried to delete the backup yourself.)
It took forever. I ran TechTool Pro, and it "choked" (i.e., ran out of memory) trying to rebuild the directory. When I asked Disk Warrior to graph the directory, it revealed that it was more than 40% fragmented!
I'm not sure fragmentation is a problem, or even applies, given the structure of TM backups.
So I ran Disk Warrior. It ran without incident. When I then looked inside the TM drive, I discovered that along with rebuilding the directory—which is what I understood its job to be—DW apparently removed/deleted the offending (partially deleted) backup. The next time Time Machine ran, everything went smoothly. It's been running fine ever since.
Great! And yes, there are times it can repair/rebuild TM backups that nothing else can (I guess that's why it costs $100!).
I'm obviously quite pleased with the results: Not only did DW perform an incredible directory rebuild (fragmentation went from more than 40% to less than 1% !!) but it cleared out the partially deleted backup that was causing TM to stumble. But I remain awfully curious: Had I simply gone into Time Machine and deleted the partially deleted backup myself, wouldn't that have fixed the problem? (Granted, DW not only got TM back on track, but it also rebuilt its directory, which is a definite plus in my mind...I'm just trying to understand.)
It's possible you couldn't have deleted it completely, any more than TM was able to. Remember, a single backup folder has hard links to hundreds, thousands, or hundreds of thousands of other items. Just one of those being screwy can have a ripple effect through the whole structure.
And if you could have, it might well have left some of the actual backup files "abandoned" -- some or all of the hard links to them deleted, but still somewhere in the disk directory, so still taking up space.
I got the idea from
http://www.macosxhints.com/article.php?story=20090515063602219
which provided a link to the "solution" when partial backups remain that result in TM "error: 11" failures:
http://www.bytebot.net/blog/archives/2008/08/13/fixing-time-machine-backup-faile d-with-error-11
Admittedly, mine wasn't an "error: 11" problem, but it sure seemed similar. My hesitation/concern was due to the fact that the partially deleted backup was the last one (i.e., the "oldest") in my TM volume: I wasn't sure if deleting it would screw up all of the links used by the remaining backups. However, since DW removed it without causing any problems, it seems like I may have been able to accomplish the same result by removing it "manually" from within TM. If that is the case, then it suggests that there may not have been any actual "corruption."
Again, I am very happy with the result, and likely will resort to DW again the next time I have similar problems. The only reason I'm harping on it is simply to try to gain a deeper understanding of how to determine when such problems are indeed due to corruption as opposed to simply an errant file that causes TM to stumble. (Had TM indicated that it stumbled and was unable to successfully perform the backup, then I would have little doubt that there was actual corruption.)

ISDN configuration for backup of backup

Hello Guys..
I have an MPLS connection where I have running BGP with service provider and I have an ISDN configured (default route with higher AD) as a Backup of that. My customer wants to implement another ISDN connection which should act the backup of backup. Could anybody help me to find a solution to make it work. I can set the priority for the dialer interface , but I am worried about the routing configuration..

Try configuring them as a multilink group:
http://www.cisco.com/en/US/tech/tk801/tk133/technologies_configuration_example09186a0080094a6c.shtml

Advertise OSPF with higher cost

hi all,
I need to implement following scenario and i really need your help in this regard.
My active path toward Branch Office should be via 'CORE ACTIVE' and 'WAN Edge Actve'.
In case of 'WAN Edge Acive ' failure , I need to traverse that traffic through 'WAN Edge Backup'.
I used AS path prepend to implement this in BGP Configuration.
I want to Advertise OSPF routes with higher cost from 'Core Backup'
1) How should I do this ?
2) Is there any other better alternate solution which I can use ?
Thanks a lot for your time and consideration.

Hello Harshaabba,
In the past, this is how I have accomplished this in similar situations.
Under the OSPF config, something similar to this.
distance 15 8.8.8.8 0.0.0.0 99
access-list 99 permit 10.5.0.0 0.0.0.255
access-list 99 permit 10.6.0.0 0.0.0.255
(15) = AD
8.8.8.8 = OSPF Router ID
0.0.0.0 = wildcard bits
99 = Access list to match
Note: This isn't always the best solution, but after looking at your diagram, this should work just fine.

Backup to multilink in ospf

Similar Messages

Maybe you are looking for