Solved

How do I redistribute a static route into OSPF?

  • 15 September 2021

Userlevel 3

On our two 690 cores, I have a static route for 192.168.56.0/24 pointed to a VPN firewall that has a connection to the internet. VPN users connect to the device and the device has a static route back to our core. Our core has OSPF and can get to other networks and offices in different locations.
 

We have a vendor who also installed an MPLS router and they OSPF peer to our core.  This takes us down to a rack we have with them in another state for DR.  The issue is we need to advertise our vpn subnet to them (192.168.56.0/24) so on VPN we can access that DR network.  Right now the core would know to send the traffic to them, but that provider has no return routes.  Their support said if we advertise in ospf they will get the routes and it should work.  
 

In Cisco routers I would create an ip prefix acl, but how would I do it on EXOS?  It’s important I don’t disturb the already working connection (at least within our network).


Best answer by Keith 16 September 2021, 15:13

Never mind, I see it’s a match any. So I edited this on our two cores to look like this:

entry rule1{
        if match any {
        nlri 192.168.56.0/24 ;
        nlri 192.168.55.0/24 ;
        }
        then {
        permit ;
        }
        }

 

Then ran refresh policy static-to-ospf

 

It works perfectly. Tested with our two VPN clients, one off of each network. Forcefully disabled a port to the DR provider’s router in our HQ and the VPN clients were still able to access the DR provider via our core, out our WAN to another office where our DR provider has a secondary.

All is working well.
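
A policy like the one in this answer can be checked offline before `refresh policy` is run, to see which static routes it would let into OSPF and reach the vendor. The Python below is an added example, not part of the thread and not Extreme tooling. It assumes that an `nlri` without `exact` also matches more-specific routes and that a route matching no entry is denied; the route list is constructed sample data.

```python
import ipaddress
import re

# Policy text as posted in the thread (static-to-ospf.pol).
POLICY = """entry rule1{
        if match any {
        nlri 192.168.56.0/24 ;
        nlri 192.168.55.0/24 ;
        }
        then {
        permit ;
        }
        }"""

# Constructed sample of static routes on a core; only the two /24s are from the thread.
STATIC_ROUTES = ["192.168.56.0/24", "192.168.55.0/24", "0.0.0.0/0",
                 "10.50.0.0/16", "192.168.56.128/25"]

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if(?:\s+match\s+(?:any|all))?\s*\{(.*?)\}"
    r"\s*then\s*\{(.*?)\}\s*\}", re.S)
NLRI_RE = re.compile(r"nlri\s+(\S+)(\s+exact)?")


def parse_policy(text):
    """Return [(entry, [(network, exact)], action)]; only nlri matches are handled."""
    entries = []
    for name, cond, action in ENTRY_RE.findall(text):
        nets = []
        for stmt in filter(None, (s.strip() for s in cond.split(";"))):
            m = NLRI_RE.fullmatch(stmt)
            if not m:
                raise ValueError(f"{name}: unsupported or malformed match {stmt!r}")
            # ip_network rejects bad addresses and prefixes with host bits set
            nets.append((ipaddress.ip_network(m.group(1)), bool(m.group(2))))
        entries.append((name, nets, "permit" if "permit" in action else "deny"))
    return entries


def exported(routes, entries):
    """Static routes the policy would let into OSPF (first matching entry wins)."""
    out = []
    for route in map(ipaddress.ip_network, routes):
        for _name, nets, action in entries:
            # Assumption: without `exact`, nlri also matches longer prefixes inside it
            if any(route == n if exact else route.subnet_of(n) for n, exact in nets):
                if action == "permit":
                    out.append(str(route))
                break  # Assumption: a route that matches no entry is denied
    return out
```

With the sample routes, the constructed 192.168.56.128/25 static is exported along with the two /24s; changing each line to `nlri ... exact` limits the export to exactly the listed prefixes.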


7 replies

Userlevel 7

Hello Keith,

the procedure for EXOS is described here:

https://extremeportal.force.com/ExtrArticleDetail?an=000092574

Userlevel 3

Great, so when they say <route>, am I putting the full route like an ip route statement or just the network that already has a static route on the firewall?

 

Example on the cores now:
configure iproute add 192.168.56.0 255.255.255.0 10.1.0.120

 

So would I do this?

entry rule1 {
    if match any {
        nlri 192.168.56.0 255.255.255 10.1.0.120 ;
    }
    then {
        permit ;
    }
}

 

Or just nlri 192.168.56.0/24

I need to know the syntax of the <route> shown in that article.

Userlevel 7

Hello Keith,

“nlri 192.168.56.0/24” should be fine.

To set the next hop you can use the following:

entry rule1 {
    if match any {
        nlri 192.168.56.0/24;
    }
    then {
        next-hop 10.1.0.120;
        permit;
    }
}

But not tested!

Userlevel 3

I have two VPN firewalls, 192.168.55.0/24 to 10.1.0.97 (production) and 192.168.56.0/24 to 10.1.0.120 (test). So I’ll try with test first!

Userlevel 3

Ok trying with the test…

First attempt, I’m just trying exactly what’s in the KB article linked…

vi static-to-ospf.pol

entry rule1{
        if match any {
        nlri 192.168.56.0/24 ;
        }
        then {
        permit ;
        }
        }
 

enable ospf export static static-to-ospf

 

In another EXOS switch I see the route and it’s pointed out its WAN interface that takes us back to the core
#o1  192.168.56.0/24

 

However, the laptop I have in this network, 192.168.56.0/24, still cannot reach the vendor. The one thing I see is the vendor is in OSPF area 10 in HQ and OSPF area 20 in our secondary office (yes, we have two paths to the DR vendor, using their supplied Cisco routers connected to CenturyLink).

 

So before I toy around with the production route, I just want to get this test route in. I’ve submitted my findings to the vendor. They are an ace in the hole when it comes to Cisco routing, so I’ll have to see if they have any tips with Extreme EXOS routing.

Userlevel 3

Ok that works, on the other side the vendor had to do something quick to their end and now I’m advertising this static throughout our network and to the DR vendor. On this test VPN I can access the DR site.

entry rule1{
        if match any {
        nlri 192.168.56.0/24 ;
        }
        then {
        permit ;
        }
        }
 

 

Now I want to add in our current production VPN. Would it be as easy as putting a second nlri under that existing, or would I have to make a whole new rule?

Example 1

entry rule1{
        if match any {
        nlri 192.168.56.0/24 ;
        nlri 192.168.55.0/24;
        }
        then {
        permit ;
        }
        }
 

Or make a whole new rule in static-to-ospf.pol?

Example 2

entry rule1{
        if match any {
        nlri 192.168.56.0/24 ;
        }
        then {
        permit ;
        }
        }
entry rule2{
        if match any {
        nlri 192.168.55.0/24 ;
        }
        then {
        permit ;
        }
        }
 
