[c-nsp] OSPF design question

Bruce Pinsky bep at whack.org
Tue Jun 28 18:38:19 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Justin M. Streiner wrote:
| I have a pair of interconnections between two networks running OSPF,
| though I'm only running on one at the moment.  The rough layout looks like
| this:
|
| backbone_router_A <---network backbone---> backbone_router_B
|         |                                         |
|   layer 2 firewall                         layer 2 firewall
|         |                                         |
| backend_router_A <---separate backbone---> backend_router_B
|
| The backbone uses OSPF process ID 100 and the back-end network uses OSPF
| process ID 101, each with their own backbone area.  The back-end routers
| handle the redistribution of routes between the two OSPF processes.  The
| interconnect networks are their own appropriately numbered areas connected
| to area 0 on the backbone network.  All of the routers are Ciscos.
|
| The links need to operate in an active-passive mode because of the
| firewalls that sit between the networks.  Traffic that exits the back-end
| network via one interconnect and tries to return via the other will break
| because the second firewall has no session cache entry built for it and
| drops the packets.
|
| Under many circumstances, this could be accomplished by making the OSPF
| link cost on both sides of one of the interconnects higher than the other.
| When I tried that, the costs were not being honored correctly, so I
| couldn't guarantee route symmetry in both directions at the interconnect
| points.  I'm trying to remember my OSPF preference flowchart from several
| years ago, but I seem to recall metrics/costs not being preserved in
| certain circumstances, and maybe I'm getting bitten by this.
|
| I can't use weighted static routes to accomplish this because of the layer
| 2 firewalls sitting 'in the middle' of each interconnecting link.  If one
| side of those interconnecting links (a segment between one of the
| routers and the layer 2 firewall) drops, the router on the other side of
| that interconnect would happily continue to route packets down a half-dead
| segment, since its layer 3 interface would still be up.  This requires a
| protocol with keepalive or timer-expiration capabilities.
|
| The way I see it, my options are:
| 1) isolate the two OSPF instances from each other, using BGP
| 2) fold all of the back-end network into a non-backbone area in OSPF
|  	process 100, getting rid of 101 entirely
| 3) possibly use OSPF virtual-links
| 4) do static routes over a keepalive-based transport such as a GRE tunnel.
|  	This would necessitate rule changes on the firewall and MTU issues
|  	would need to be taken into account
|
| Am I missing anything?  To people who have done designs like this before,
| what approach did you use?
|

How about doing the static routes but using Enhanced Object Tracking to
track segment availability bidirectionally to decide when the routes are
used and when they are not?  Can you run BFD to track availability?

As for why your metrics are not being honored, I see you mention route
redistribution on the backend routers.  Those redistributed routes would be
externals and would not be preferred over intra- or inter-area routes
learned directly via the local OSPF process.  Can't say that is exactly
why, but could be a good possibility.

- --
=========
bep


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFCwdFbE1XcgMgrtyYRAk7zAKDnnbojaV+ar7UjwsU3YktodEIYiwCgiPOS
mOeox5+WPZ/XT7QuilyNRyU=
=2aUl
-----END PGP SIGNATURE-----
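The tracked-static design suggested in the reply above, spelled out as an added example for backbone_router_A (this is not configuration from the thread or from either poster). Addresses, interface names, prefixes, timers and OSPF metrics are all assumptions chosen to match the diagram; the syntax is the `ip sla` / `track` form of later IOS, whereas 2005-era images spell the probe `rtr` or `ip sla monitor`.

```cisco
! Added example, not from the original thread. Shown for backbone_router_A;
! addresses, interface names, prefixes, timers and metrics are assumptions.
!
! Interconnect A: Gi0/1 faces the layer 2 firewall, 10.0.1.1 is this router,
! 10.0.1.2 is backend_router_A on the far side of the firewall.
interface GigabitEthernet0/1
 ip address 10.0.1.1 255.255.255.252
!
! Probe the far-side router, not the firewall: an echo only comes back if
! both router-to-firewall segments and the firewall itself are forwarding.
! The firewall policy must allow this ICMP exchange in both directions.
ip sla 1
 icmp-echo 10.0.1.2 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Enhanced Object Tracking object bound to the probe. The delays keep a
! single lost echo from flapping the active interconnect, and "up 30" gives
! the firewall time to settle before traffic is steered back.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Static route to the back-end network (10.20.0.0/16 assumed), installed only
! while track 1 is up. When the probe fails the route is withdrawn even though
! Gi0/1 itself stays up, which is the half-dead-segment case a plain static
! route cannot detect.
ip route 10.20.0.0 255.255.0.0 10.0.1.2 track 1
!
! Hand the route to the rest of the backbone as an OSPF external. An explicit
! external metric (10 here, 20 on backbone_router_B for interconnect B) makes
! the preference independent of interface costs: every backbone router prefers
! interconnect A while its route exists and falls back to B the moment track 1
! withdraws it.
router ospf 100
 redistribute static subnets metric 10 metric-type 2
!
! backend_router_A gets the mirror image: probe 10.0.1.1 from its firewall-
! facing interface, a tracked static for the backbone prefix pointing at
! 10.0.1.1, and "redistribute static subnets metric 10" under "router ospf
! 101" (metric 20 on backend_router_B). Because each side's probe crosses the
! same firewall, both ends withdraw their route on the same failure, so the
! return path never lands on the other interconnect's firewall.
```

Where the IOS image supports BFD for static routes, `ip route static bfd GigabitEthernet0/1 10.0.1.2` together with `bfd interval`/`min_rx`/`multiplier` on the interface gives sub-second detection of the same condition, but only if the firewall passes the BFD control packets (UDP 3784) between the two router addresses; the ICMP probe above is the fallback when it does not.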
