how do i redistribute static route into ospf?

Keith9
Contributor III

On our two 690 cores, I have a static route for 192.168.56.0/24 pointed to a VPN firewall that has a connection to the internet. VPN users connect to the device and the device has a static route back to our core. Our core has OSPF and can get to other networks and offices in different locations.

We have a vendor who also installed an MPLS router and they OSPF peer to our core. This takes us down to a rack we have with them in another state for DR. The issue is we need to advertise our VPN subnet to them (192.168.56.0/24) so on VPN we can access that DR network. Right now the core would know to send the traffic to them, but that provider has no return routes. Their support said if we advertise in OSPF they will get the routes and it should work.

In Cisco routers I would create an ip prefix acl, but how would I do it on EXOS? It’s important I don’t disturb the already working connection (at least within our network).

1 ACCEPTED SOLUTION

Keith9
Contributor III

Never mind, I see it’s a match any. So I edited this on our two cores to look like this:

entry rule1 {
    if match any {
        nlri 192.168.56.0/24 ;
        nlri 192.168.55.0/24 ;
    }
    then {
        permit ;
    }
}

 

Then ran refresh policy static-to-ospf

 

It works perfectly. Tested with our two VPN clients, one off of each network. Forcefully disabled a port to the DR provider’s router in our HQ and the VPN clients were still able to access the DR provider via our core, out our WAN to another office where our DR provider has a secondary.

All is working well.


7 REPLIES 7

Keith9
Contributor III

OK, that works. On the other side the vendor had to do something quick on their end, and now I’m advertising this static throughout our network and to the DR vendor. On this test VPN I can access the DR site.

entry rule1 {
    if match any {
        nlri 192.168.56.0/24 ;
    }
    then {
        permit ;
    }
}
 

 

Now I want to add in our current production VPN. Would it be as easy as putting a second nlri under that existing one, or would I have to make a whole new rule?

Example 1

entry rule1 {
    if match any {
        nlri 192.168.56.0/24 ;
        nlri 192.168.55.0/24 ;
    }
    then {
        permit ;
    }
}
 

Or make a whole new rule in static-to-ospf.pol ?

Example 2

entry rule1 {
    if match any {
        nlri 192.168.56.0/24 ;
    }
    then {
        permit ;
    }
}
entry rule2 {
    if match any {
        nlri 192.168.55.0/24 ;
    }
    then {
        permit ;
    }
}
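
Added example (not part of the thread and not Extreme's code): a small Python model of static-to-ospf.pol showing that Example 1 and Example 2 export the same routes, that a `match all` version exports nothing, and that other statics stay out of OSPF. It assumes an nlri term without `exact` also matches more-specific subnets and that a route matching no entry is not exported; the 0.0.0.0/0, 172.16.99.0/24 and 192.168.56.128/25 routes are constructed.

```python
import ipaddress
import re

# Constructed copies of the two layouts from the post (Example 1 and Example 2).
EXAMPLE_1 = """entry rule1 { if match any { nlri 192.168.56.0/24 ; nlri 192.168.55.0/24 ; }
                              then { permit ; } }"""
EXAMPLE_2 = """entry rule1 { if match any { nlri 192.168.56.0/24 ; } then { permit ; } }
               entry rule2 { if match any { nlri 192.168.55.0/24 ; } then { permit ; } }"""
# Constructed static route table: the two VPN subnets plus routes that must not leak.
STATICS = ["192.168.56.0/24", "192.168.55.0/24", "0.0.0.0/0",
           "172.16.99.0/24", "192.168.56.128/25"]

ENTRY_RE = re.compile(r"entry\s+(\w+)\s*\{\s*if\s+match\s+(any|all)\s*\{(.*?)\}"
                      r"\s*then\s*\{\s*(permit|deny)\s*;\s*\}\s*\}", re.S)
NLRI_RE = re.compile(r"nlri\s+([\d./]+)\s*(exact)?\s*;")

def parse_policy(text):
    """Return [(name, mode, [(network, exact)], action)] in file order."""
    entries = []
    for name, mode, body, action in ENTRY_RE.findall(text):
        conds = [(ipaddress.ip_network(p), bool(e)) for p, e in NLRI_RE.findall(body)]
        entries.append((name, mode, conds, action))
    return entries

def evaluate(entries, route):
    """First matching entry decides; no match is treated as deny (assumption)."""
    net = ipaddress.ip_network(route)
    for name, mode, conds, action in entries:
        # Assumption: without `exact`, an nlri term also covers more-specific subnets.
        hits = [net == c if exact else net.subnet_of(c) for c, exact in conds]
        if (any(hits) if mode == "any" else all(hits)):
            return action, name
    return "deny", None

def exported(policy_text, routes):
    """Routes the export policy would permit into OSPF."""
    entries = parse_policy(policy_text)
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]

if __name__ == "__main__":
    for label, pol in [("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2),
                       ("match all", EXAMPLE_1.replace("match any", "match all"))]:
        print(label, "->", exported(pol, STATICS))
```

Under these assumptions the constructed /25 inside the test VPN subnet is exported as well, so comparing the exported list against the intended prefixes is a useful check before running refresh policy.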
 

Keith9
Contributor III

Ok trying with the test…

First attempt, I’m just trying exactly what’s in the KB article linked…

vi static-to-ospf.pol

entry rule1 {
    if match any {
        nlri 192.168.56.0/24 ;
    }
    then {
        permit ;
    }
}
 

enable ospf export static static-to-ospf

 

In another EXOS switch I see the route, and it’s pointed out its WAN interface that takes us back to the core:
#o1  192.168.56.0/24

 

However, the laptop I have in this network, 192.168.56.0/24, still cannot reach the vendor. The one thing I see is the vendor is in OSPF area 10 in HQ and OSPF area 20 in our secondary office (yes, we have two paths to the DR vendor, using their supplied Cisco routers connected to CenturyLink).

 

So before I toy around with the production route, I just want to get this test route in. I’ve submitted my findings to the vendor. They are an ace in the hole when it comes to Cisco routing, so I’ll have to see if they have any tips with Extreme EXOS routing.

Keith9
Contributor III

I have two VPN firewalls, 192.168.55.0/24 to 10.1.0.97 (production) and 192.168.56.0/24 to 10.1.0.120 (test). So I’ll try with test first!
