02-01-2021 09:37 AM
Hi,
Have been told that it is quite routine to redistribute OSPF routes into ISIS and visa versa. In my topology OSPF is used as routes are exchanged with external firewalls.
Initially my thoughts where that I just needed to redistribute ISIS into OSPF, it doesn’t need to be the other way around. The reason for this was that each router in the topology will be running OSPF, so all routes and known paths would be shared.
Recently this changed a little, in that the network / fabric is expanding and there isn’t necessarily a need to run OSPF on these VSP’s, so should all routes be distributed into ISIS then the other fabric nodes will automatically be aware of the rest of the network.
Equally I come into a situation where the routing was not quite optimised, and OSPF was not able to reach certain nodes but ISIS could, so having the redistribution in both directions in place would have allowed connectivity to continue.
So think this gives a couple of good reasons as to why redistributing in both directions OSPF → ISIS and and ISIS → OSPF is a good idea.
Issue is, how do a do this safely without creating a routing loop?
Here is an overview of my topology:
The configuration on each of the VSPs currently looks like this:
ip ecmp
ip ecmp max-path 8
ip route 0.0.0.0 0.0.0.0 172.22.1.202 weight 1
ip route 0.0.0.0 0.0.0.0 172.22.1.206 weight 1
router ospf enable
router ospf
as-boundary-router enable
router-id 172.22.0.211
router ospf
redistribute isis
redistribute isis metric-type type1
redistribute isis route-map "isis-internal"
redistribute isis enable
redistribute direct
redistribute direct enable
exit
router isis
redistribute direct
redistribute direct route-map "suppressIST"
redistribute direct enable
exit
ip ospf apply redistribute isis
ip ospf apply redistribute direct
isis apply redistribute direct
The route map just stops traffic transversing the vIST:
ip prefix-list "suppressIST" 172.22.1.240/30 id 1 ge 29 le 29
ip prefix-list "suppressIST" 172.22.1.244/30 id 1 ge 29 le 29
route-map "suppressIST" 1
no permit
enable
match network "suppressIST"
set metric-type type2
set nssa-pbit enable
route-map "suppressIST" 2
permit
enable
match protocol local
route-map "isis-internal" 1
permit
enable
match metric-type-isis internal
exit
As you can see I am just redistributing in one direction ISIS → OSPF. Equally I am redistributing directly attached subnets into OSPF and ISIS.
Really appreciate some advise and examples.
Many thanks in advance.
Solved! Go to Solution.
02-01-2021 05:43 PM
Attached are my notes, on the various approaches.
02-06-2021 06:06 PM
Linked the other post to this one.
The added information in this post really helps bring it together.
Just wanted to say thanks for all the information.
02-01-2021 06:32 PM
FYI...this topic has been brought up before.
But as it has been explained to me by folks WAAAAAAAY smarter than me, its a traditional ISIS-to-OSPF redistribute and OSPF-to-ISIS accept policy.
However to avoid routing loops there are some extra considerations you need to make.
1- You will want a dedicated OPSF broadcast interface between your viST Cores. This is required on the VSPs viST core because you want OSPF state changes from your external OSPF routers to be shared between the two VSPs.
2- You want the VSPs to reject routes learnt from the external Routers by specifically marking all routes redistributed from OSPF into ISIS as “external”, as they default to type “internal”.
no ip alternative-route
router isis
redistribute ospf
redistribute ospf metric-type external
redistribute ospf enable
exit
Then, in the route-map for the accept policy you specifically match only on ISIS external routes, again discarding only those from the V-IST peer.
route-map "reject" 1
no permit
enable
match metric-type-isis external
exit
router isis
accept adv-rtr 0.0x.0x enable
accept adv-rtr 0.0x.0x route-map "reject"
exit
where 0.0x.0x is the IST peer.
alternatively.
In the past I worked with a colleague(very smart guy) who recommended that instead of rejecting the route you can increase the the preference so the route was only used in the absence of a better route. But it can get mixed results based on your network.
This works well in a viST cluster to a single OSPF router. (Triangle topology)
Example:
route-map "peer-externals" 1
permit
enable
match metric-type-isis external
set ip-preference 120
exit
router isis
accept route-map "peer-externals"
exit
isis apply accept
02-01-2021 05:43 PM
02-01-2021 05:13 PM
HI Mig,
Thanks for this.
Its good to get the reassurance. It stemmed from a recent GTAC call, when looking at my config they said they routinely redistribute in both directions?
My obvious concern was creating a routing loop, but the said it was easy to configure the route maps to manage it and referred me to professional services.
Obviously on the surface it didn’t seem a straight forward thing to do, so was also double checking what others might do.
Yeah, P2P’s I have already scratched to remove them tomorrow. Plan was to simply create a /29 subnet, give each VSP an IP in and use say VLAN 3401 between each of the VSP’s and just configure OSPF broadcast to share OSPF routing information between each of the VSP’s - think that's what you are referring to.
Anyway, thanks again.