Preventing ospf neighborship on svis

Status
Not open for further replies.

andrew4728

Technical User
Jul 6, 2004
61
US
Hey guys been searching for days for an answer to this one.. Could use some help..

We run asa5520s in active/standby for our vpn concentrators. They are plugged in on the inside into dual core switches (asa1 into switch1, asa2 into switch2)
The asas are plugged into access switchports on the same vlan (active standby failover requires this)
We have a lot of dynamic tunnels that are being added and removed often and also a set of asas at our DR site for redundancy.. For this reason we run ospf between the asas and the core switches to dynamically advertise routes for the vpn tunnels.

It is working well except we have issues with our core switches peering with each other via OSPF between the SVIs across our layer 2 link... We have a separate L3 link between the core switches and would prefer that to be the only link used to peer between the cores..

How would one go about preventing the cores from peering between svis but continue to peer with the asas via the svis?

Thank you for your help guys!

Andrew
 
Under the OSPF process, use the passive-interface command: passive-interface vlan X.
 
Depending upon the software/hardware of your switch, you should be able to do passive-interface default.

For a Cisco L3 switch it would look like this:

Code:
router ospf [mypid]
 log-adjacency-changes
 passive-interface default
 no passive-interface Vlan123
 
The problem with that guys is if you turn on passive-interface on the VLAN interface... The switches will no longer peer with the ASAs... Defeating the whole purpose...
What I am finding is that I need to get my routing protocols cleaned up so we aren't redistributing bidirectionally into and out of OSPF and just allow the cores to peer via OSPF via the SVIs... I cannot find a better answer.. And have been grinding through SRNDs and whatnot with no perfect answer found... Or just avoid using active/standby ASAs....

Thanks all for your help... Also I'm all ears as to how you handle your active/standby ASAs.. Thanks!
 
OSPF will try to peer with any other router on any interface that isn't passive, providing it is in the same OSPF area. I believe you could split the ASAs off into their own area and passive the interfaces for the main area but not passive for the new area, but I haven't tried this.

I'm curious as to why you don't want your core switches to peer over this SVI and why you need them down a physical layer 3 interface. Can you draw a diagram or something to explain a little bit better what you are trying to accomplish?
 
Enable OSPF authentication globally and configure the MD5 key (or clear text) under each interface that you want to form an adjacency. For the devices that you don't want forming adjacencies, don't configure the MD5 key.
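Added illustration, not from any of the posters and not Cisco code: a small Python model of the hello-acceptance rules the replies in this thread lean on (interface not passive on either side, same area, matching authentication). It rebuilds the original poster's inside segment with placeholder device and interface names (core1, core2, asa-active, Vlan123, Gi1/1) and runs it through the passive-interface, separate-area and per-interface MD5 suggestions, reporting which adjacencies each leaves and whether the stated goal (cores peer only over the routed link, the active ASA still peers with both cores) is met. It deliberately ignores timer and mask mismatches and allows one key per interface, which is a simplification of IOS behaviour.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass
class OspfInterface:
    device: str
    name: str
    segment: str                   # L2 segment the interface sits on
    area: str = "0"
    passive: bool = False          # IOS passive-interface: hellos neither sent nor accepted
    md5_key: Optional[str] = None  # None means no authentication configured


def can_form_adjacency(a: OspfInterface, b: OspfInterface) -> bool:
    # Hello-acceptance rules the thread relies on, simplified: timers and masks
    # are assumed to match, and each interface carries at most one MD5 key.
    if a.segment != b.segment:
        return False
    if a.passive or b.passive:
        return False
    if a.area != b.area:
        return False
    if a.md5_key != b.md5_key:     # both unauthenticated, or identical key
        return False
    return True


Adj = Tuple[str, str, str]         # (device, device, segment)


def adjacencies(ifaces: List[OspfInterface]) -> List[Adj]:
    # Every device pair that would reach FULL, tagged with the segment it peers over.
    found = set()
    for a, b in combinations(ifaces, 2):
        if a.device != b.device and can_form_adjacency(a, b):
            d1, d2 = sorted((a.device, b.device))
            found.add((d1, d2, a.segment))
    return sorted(found)


def op_topology(passive_svi: bool = False, svi_area: str = "0",
                core1_key: Optional[str] = None, core2_key: Optional[str] = None,
                asa_key: Optional[str] = None) -> List[OspfInterface]:
    # Constructed stand-in for the thread's segment (placeholder names): both core
    # SVIs and the active ASA's inside interface share one VLAN, and the cores
    # also have a routed point-to-point link in area 0 that is never passive.
    return [
        OspfInterface("core1", "Vlan123", "inside-vlan", svi_area, passive_svi, core1_key),
        OspfInterface("core2", "Vlan123", "inside-vlan", svi_area, passive_svi, core2_key),
        OspfInterface("asa-active", "inside", "inside-vlan", svi_area, False, asa_key),
        OspfInterface("core1", "Gi1/1", "core-p2p"),
        OspfInterface("core2", "Gi1/1", "core-p2p"),
    ]


def meets_goal(adj: List[Adj]) -> bool:
    # The OP's goal: cores peer only over the routed link, while the active ASA
    # still peers with both cores over the VLAN.
    wanted = {("asa-active", "core1", "inside-vlan"),
              ("asa-active", "core2", "inside-vlan"),
              ("core1", "core2", "core-p2p")}
    unwanted = ("core1", "core2", "inside-vlan")
    return wanted.issubset(adj) and unwanted not in adj


if __name__ == "__main__":
    scenarios = {
        "as-is":              op_topology(),
        "passive SVI":        op_topology(passive_svi=True),
        "SVIs in own area":   op_topology(svi_area="10"),
        "shared MD5 key":     op_topology(core1_key="k1", core2_key="k1", asa_key="k1"),
        "key only core1+ASA": op_topology(core1_key="k1", asa_key="k1"),
    }
    for label, ifaces in scenarios.items():
        adj = adjacencies(ifaces)
        print(f"{label:20} goal met: {meets_goal(adj)}")
        for d1, d2, seg in adj:
            print(f"    {d1} <-> {d2} via {seg}")
```

Running it shows the constraint the original poster ran into: making the SVI passive removes the ASA adjacency along with the core-to-core one, and a key that the ASA shares with both cores is also shared between the cores, so neither setting alone separates the two on a single VLAN. The harness is meant for trying candidate interface settings against the goal before they are applied to the cores.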

 