Injecting a route (host route) through OSPF neighbor

SOLVED
Happiman
Building a reputation


Hello my Meraki Warriors!

I am trying to advertise a host route (/32) from a secondary data center.

The MX is terminating its Auto-VPN and has formed an OSPF neighbor with the DC switch. Since the MX is in its transparent mode, I cannot add the route from it. It has to come from another OSPF neighbor.

Is it possible to inject a static route through OSPF redistribution from the Core switch to the Branch MX's routing table through the Meraki VPN concentrator?


DC CoreSwitch:

router ospf 1
 router-id 192.168.19.10
 passive-interface default
 no passive-interface Vlan129
 ! Fa0/1: IP address 192.168.19.10
 no passive-interface FastEthernet0/1
 ! Transit subnet between DC Edge FW and CoreSW
 network 192.168.19.10 0.0.0.0 area 0
 ! MX subnet
 network 192.168.129.1 0.0.0.0 area 0
 ! Server subnet
 network 192.168.130.0 0.0.0.255 area 0

 

 

1 ACCEPTED SOLUTION

Whilst the required network operation is achievable, it's probably worth noting that this wouldn't work in the way described: an MX only advertises routes using OSPF that reside within the AutoVPN (in the direction of the DC). The switches running OSPF in the DC cannot advertise a route to the MX, in the other direction. The (more) specific route can, however, be advertised into the AutoVPN by the VPN Concentrator MX, by adding it as a Local network 'Use VPN: Yes' under Security & SD-WAN > Configure > Site-to-site VPN. (NB: this doesn't use OSPF)

Note: in your dual-active with OSPF DC configuration, with an inter-DC link, you may need to take care to avoid routing loops by stopping your AutoVPN Hubs advertising routes to each other (Support can enable this for you). If you wish traffic to fail over from your more specific subnet to the less specific match in the other DC, there's also some extra setup that can be applied by Support to increase the number of failure scenarios handled.

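An added illustration, not part of the thread or any poster's configuration: the "more specific" versus "less specific" match mentioned above is ordinary longest-prefix-match forwarding, sketched here with the two prefixes from this thread. The hub names, the assignment of each prefix to a hub, and the function names are assumptions. The sketch models route selection only, not how or when AutoVPN withdraws a route.

```python
import ipaddress

# Constructed sample: prefixes a spoke might learn over the VPN.
# Hub names and which hub advertises which prefix are assumptions.
ADVERTS = [
    ("192.168.130.0/24", "hub-dc1"),
    ("192.168.130.101/32", "hub-dc2"),
]

def build_table(adverts):
    """Parse (prefix, next_hop) pairs; prefixes with host bits set are rejected."""
    return {ipaddress.ip_network(p, strict=True): hop for p, hop in adverts}

def best_route(table, dst):
    """Return (prefix, next_hop) of the longest prefix covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in table if addr in net]
    if not matches:
        return None
    net = max(matches, key=lambda n: n.prefixlen)
    return str(net), table[net]

def diverting_specifics(table):
    """List more-specific prefixes whose next hop differs from a covering prefix.

    Useful as a review step: each entry is traffic that leaves the path
    the broader route would otherwise give it.
    """
    found = []
    for spec in table:
        for cover in table:
            if spec != cover and spec.subnet_of(cover) and table[spec] != table[cover]:
                found.append((str(spec), table[spec], str(cover), table[cover]))
    return sorted(found)

def withdraw(table, prefix):
    """Return a copy of the table without the given prefix."""
    net = ipaddress.ip_network(prefix)
    return {n: h for n, h in table.items() if n != net}

if __name__ == "__main__":
    table = build_table(ADVERTS)
    print(best_route(table, "192.168.130.101"))   # host covered by the /32
    print(best_route(table, "192.168.130.50"))    # rest of the /24
    print(diverting_specifics(table))
    print(best_route(withdraw(table, "192.168.130.101/32"), "192.168.130.101"))
```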

4 REPLIES
sLyDwAyZ
Here to help

@Happiman

 

Yes that should be a supported scenario to route that /32 via OSPF redistribution on the HA concentrators.

Happiman
Building a reputation

Hi, can anyone confirm that I can advertise a /24 and a /32 at the same time?

For example, use the MX to advertise 192.168.130.0/24 and the CoreSW to advertise 192.168.130.101/32 to the Spoke Site?


PhilipDAth
Kind of a big deal

Note that an MX in concentrator mode can advertise a static route. Check out this post I did describing how.

https://community.meraki.com/t5/Security-SD-WAN/Vmx-100-routing/m-p/18526/highlight/true#M4455

 

As @GreenMan says, the OSPF support only advertises AutoVPN routes. It does not listen to routes.

 

If you really want to go down this path you should open a ticket with support and ask to go on the BGP beta program, and change to using BGP.  The BGP support is two-way.
