08-01-2023 12:32 PM
We have a bunch of sites connected via metro Ethernet and Extreme 5520s, 450G2s, and X690s at our core. When we establish OSPF we basically add the VLAN, the cost, the authentication, and the area.
I've noticed that EXOS automatically adds "configure ospf vlan VLANNAME priority 0".
Everything seems to work for the most part, but I'm starting to wonder if I should start changing the priority. We have a remote site with multiple WAN connections, so after hours when testing failover by disabling a WAN port at our HQ, our other branch locations peered with an IPsec VPN over their cable modems to our DR site, which made its way down that 10 gig ring to HQ. However, the cost for these IPsec VPNs is higher than the cost to our far site that has multiple connections. It should have connected via Comcast to that site a few miles away at 50/50 Mbps and then from that site via 10 gig Crown Castle to HQ.
But it just didn't. I'm wondering if it has anything to do with the OSPF priority, even though our costs are calculated and set properly.
I'm noticing that the remote site is only in ODR / 2WAY state with Comcast sites, whereas at our HQ core on X690s they are in DR and FULL state. The remote site has the 5520s with a Premier license, so I don't think it's a limitation of the license. The HQ site has the Core license, which is what was sold at the time of the X690s.
I hope this makes some sense. I can try to attach a drawing possibly if you need it.
Basically, I'm wondering how the OSPF priority can influence this differently than OSPF cost. Each site needs to dual peer with remote DR and HQ over WAN links. The sites can have a third adjacency with a Netgate IPsec tunnel to a firewall in our colo, which is on our 10 gig ring.
08-02-2023 07:33 AM
VLANs receive an OSPF priority of 0 automatically when the switch does not have a Core/Premier license installed at the time of configuration. If you've later added a Core/Premier license, this config is not updated automatically.
A priority of 0 prevents that switch from becoming a DR/BDR for OSPF broadcast networks, therefore requiring another switch to be the DR/BDR, or the use of point-to-point OSPF networks. This is basically an artificial license limitation.
https://extremeportal.force.com/ExtrArticleDetail?an=000090090
https://extremeportal.force.com/ExtrArticleDetail?an=000091267
The OSPF priority only determines which router becomes DR/BDR and does not have an influence on path selection.
Hope that helps!
08-03-2023 07:30 AM - edited 08-03-2023 07:34 AM
Should I make our HQ a priority of, like, 1 and maybe the DR location a priority of 5, for example?
Then for the branch locations that dual connect to the HQ and DR, would that prefer the HQ (the real core) as the main OSPF router and the DR as the secondary?
Seems they think pfSense running OSPF is a BDR, so if Comcast fiber is cut at HQ, the branches would rather talk to the pfSense IPsec tunnel over a cable modem, rather than their fiber to DR (and DR can get back to HQ over Crown Castle fiber). All the costs are set appropriately.
Here are our standard configurations.
Branch config (Comcast market), Adv Edge license:
  Fiber WAN 50/50 Mbps, Comcast: cost 1. Can see ANY other Comcast branch.
  Cable modem backup IPsec to colo: cost 20 (colo to HQ via 10 Gbps fiber: cost 1).
Branch config (Crown Castle), Adv Edge license:
  Fiber WAN 1 Gbps/1 Gbps, Crown Castle: cost 1. P2P with HQ only.
  Cable modem backup IPsec to colo: cost 20 (then colo to HQ via 10 Gbps fiber: cost 1).
DR Hub config (north branch offices terminate here due to fiber distance), Premier license on switches:
  Fiber WAN Comcast 50/50 Mbps: cost 8.
  P2P Crown Castle 10G: cost 1 (peers with HQ).
  Crown Castle 10G ring to DR colo and HQ: cost 2.
HQ, Core license on X690s:
  Comcast: cost 5 (one VLAN, because all branches in Comcast territory can peer with each other; it's like a virtual switch in the cloud).
  Crown Castle: cost 3 (multiple VLANs for the various Crown Castle territory branch offices; it's a P2P circuit), as well as the ring to DR colo and DR Hub.
  Primary servers are located here.
DR colo (backup servers are located here), Cisco endpoint, but an X590 is going in soon with Core license:
  Crown Castle 10G ring to DR Hub and HQ: cost 1.
  IPsec VPN headend over the Internet: cost 20.