Preventing OSPF neighborship on SVIs

andrew4728 (TechnicalUser)
21 Jun 12 7:51
Hey guys, I have been searching for days for an answer to this one. Could use some help.

We run ASA 5520s in active/standby for our VPN concentrators. They are plugged in on the inside to dual core switches (ASA1 into switch1, ASA2 into switch2).
The ASAs are plugged into access switchports on the same VLAN (active/standby failover requires this).
We have a lot of dynamic tunnels that are being added and removed often, and also a set of ASAs at our DR site for redundancy. For this reason we run OSPF between the ASAs and the core switches to dynamically advertise routes for the VPN tunnels.

It is working well, except we have issues with our core switches peering with each other via OSPF between the SVIs across our layer 2 link. We have a separate L3 link between the core switches and would prefer that to be the only link used to peer between the cores.

How would one go about preventing the cores from peering between SVIs while continuing to peer with the ASAs via the SVIs?

Thank you for your help guys!

Andrew
vipergg (MIS)
21 Jun 12 20:28
Under the OSPF process, use the passive-interface command: passive-interface vlan X.
baddos (MIS)
28 Jun 12 16:59
Depending upon the software/hardware of your switch, you should be able to use passive-interface default.

For a Cisco L3 switch it would look like this:

CODE

router ospf [mypid]
 log-adjacency-changes
 passive-interface default
 no passive-interface Vlan123 
andrew4728 (TechnicalUser)
28 Jun 12 17:14
The problem with that, guys, is if you turn on passive-interface on the VLAN interface, the switches will no longer peer with the ASAs, defeating the whole purpose.
What I am finding is that I need to get my routing protocols cleaned up so we aren't redistributing bidirectionally into and out of OSPF, and just allow the cores to peer via OSPF over the SVIs. I cannot find a better answer, and have been grinding through SRNDs and whatnot with no perfect answer found. Or just avoid using active/standby ASAs.

Thanks all for your help. Also, I'm all ears as to how you handle your active/standby ASAs. Thanks!
baddos (MIS)
28 Jun 12 17:26
OSPF will try to peer with any other router on any interface that isn't passive, provided it is in the same OSPF area. I believe you could split the ASAs off into their own area and make the interfaces passive for the main area but not passive for the new area, but I haven't tried this.

I'm curious as to why you don't want your core switches to peer over this SVI and why you need them down a physical layer 3 interface. Can you draw a diagram or something to explain a little bit better what you are trying to accomplish?
unclerico (IS/IT--Management)
28 Jun 12 22:23
Enable OSPF authentication globally and configure the MD5 key (or clear text) under each interface that you want to form an adjacency. For the devices that you don't want forming adjacencies, don't configure the MD5 key.
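To see how the knobs proposed in this thread (passive-interface from vipergg and baddos, a separate area from baddos, and per-interface MD5 authentication from unclerico) act on a VLAN that both cores and the ASA pair share, here is an added example that models OSPF Hello acceptance on one broadcast segment. It is not code from the thread, from Cisco IOS or from the ASA; router names, timers and the key are constructed, and the ASA pair is modelled as a single neighbor because only the active unit of an active/standby pair sends Hellos. The checks it applies to each received Hello are the neighbor-acceptance rules of RFC 2328 section 10.5 (matching area, HelloInterval, RouterDeadInterval, network mask and authentication); every one of them is a property of the receiving interface, so each scenario shows which pairs on the SVI end up as neighbors when that interface-level setting is changed.

```python
"""Model of OSPF Hello acceptance on one shared VLAN (broadcast segment).

Added example, not from the thread. It encodes the neighbor-acceptance
checks an OSPF speaker applies to a received Hello (RFC 2328, 10.5):
matching area ID, HelloInterval, RouterDeadInterval, network mask and
authentication. A passive interface neither sends Hellos nor accepts
them. Two routers on the segment become neighbors only when each accepts
the other's Hello. Router names, key and timers are constructed.
"""
from dataclasses import dataclass, replace
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OspfInterface:
    router: str
    area: int = 0
    passive: bool = False
    hello_interval: int = 10
    dead_interval: int = 40
    mask: str = "255.255.255.0"
    md5_key: Optional[str] = None  # None models null authentication


def accepts_hello(rx: OspfInterface, tx: OspfInterface) -> bool:
    """Does interface `rx` accept a Hello originated by interface `tx`?"""
    if tx.passive:
        return False  # a passive interface sends no Hellos at all
    if rx.passive:
        return False  # ... and ignores any it receives
    if rx.area != tx.area:
        return False  # area ID in the OSPF header must match
    if (rx.hello_interval, rx.dead_interval) != (tx.hello_interval, tx.dead_interval):
        return False  # timers must match
    if rx.mask != tx.mask:
        return False  # network mask is checked on broadcast/NBMA networks
    # Authentication: the type must match, and with MD5 the digest only
    # verifies when both sides hold the same key. Modelled as key equality.
    return rx.md5_key == tx.md5_key


def adjacencies(segment: List[OspfInterface]) -> List[Tuple[str, str]]:
    """Return every router pair on the segment that becomes neighbors."""
    pairs = [
        tuple(sorted((a.router, b.router)))
        for a, b in combinations(segment, 2)
        if accepts_hello(a, b) and accepts_hello(b, a)
    ]
    return sorted(pairs)


# The shared inside VLAN from the thread: two core SVIs and the ASA pair.
# In active/standby failover only the active ASA sends Hellos, so the pair
# appears on the segment as one neighbor. Names and key are constructed.
CORE1 = OspfInterface("core1")
CORE2 = OspfInterface("core2")
ASA = OspfInterface("asa")
KEY = "constructed-key"  # stand-in for a real message-digest key


def default_svis() -> List[Tuple[str, str]]:
    """No knobs set: everyone on the VLAN peers with everyone."""
    return adjacencies([CORE1, CORE2, ASA])


def passive_svis() -> List[Tuple[str, str]]:
    """passive-interface on both core SVIs: no Hellos leave either core."""
    return adjacencies([replace(CORE1, passive=True), replace(CORE2, passive=True), ASA])


def md5_on_every_svi() -> List[Tuple[str, str]]:
    """Same MD5 key on both core SVIs and on the ASA inside interface."""
    return adjacencies([replace(CORE1, md5_key=KEY), replace(CORE2, md5_key=KEY), replace(ASA, md5_key=KEY)])


def md5_on_one_core_only() -> List[Tuple[str, str]]:
    """Key on core1 and the ASA only; core2 keeps null authentication."""
    return adjacencies([replace(CORE1, md5_key=KEY), CORE2, replace(ASA, md5_key=KEY)])


def shared_vlan_in_own_area() -> List[Tuple[str, str]]:
    """The whole VLAN moved into its own area; an SVI belongs to exactly one area."""
    return adjacencies([replace(CORE1, area=10), replace(CORE2, area=10), replace(ASA, area=10)])


if __name__ == "__main__":
    for fn in (default_svis, passive_svis, md5_on_every_svi, md5_on_one_core_only, shared_vlan_in_own_area):
        print(f"{fn.__name__:24s} -> {fn()}")
```

Run it and compare scenarios: a setting that is turned on for the SVI affects the core-to-core pair and the core-to-ASA pair alike, because both neighbors are reached through the same interface; the only scenario that keeps one core peering with the ASA while dropping the core-to-core neighborship is the one where the second core does not hold the key, which also removes that core's own peering with the ASA.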
