Howdy experts,
I have a firewall connected via a LAN link to my data center and I also have a backup VPN connection via the Internet to the same data center.
The router at the remote office learns routes via EIGRP and redistributes them into OSPF which the firewall picks up on the "LAN" port. The backup VPN connection learns OSPF routes from the firewall in our data center which also learns routes from OSPF. Below is a snippet of the routing table.
The setup works fine, but the routes being learned across the backup VPN are more preferred than the routes learned via the "LAN" interface. I would appreciate suggestions on how to make the routes learned across the VPN less preferred.
I already monkeyed with OSPF interfaces and costs but couldn't make it work. For now the VPN tunnel is up but OSPF is passive on the VPN interface. EDE_PFAU, can you help? :)
Routing database when OSPF on the VPN interface is disabled:

```
O E2 *> 10.68.255.4/30 [110/20] via 10.68.255.1, lan, 2d14h49m
O E2 *> 10.77.8.0/22 [110/20] via 10.68.255.1, lan, 2d12h49m
O E2 *> 10.77.141.208/28 [110/20] via 10.68.255.1, lan, 2d12h49m
O E2 *> 10.77.248.0/23 [110/20] via 10.68.255.1, lan, 2d12h49m
O E2 *> 10.77.250.0/23 [110/20] via 10.68.255.1, lan, 2d12h49m
```

Routing database when OSPF on the VPN interface as well as the LAN interface is enabled:

```
O E2 *> 10.68.255.4/30 [110/10] via 10.68.255.1, VPN, 2d14h49m
O E2 *> 10.77.8.0/22 [110/10] via 10.68.255.1, VPN, 2d12h49m
O E2 *> 10.77.141.208/28 [110/10] via 10.68.255.1, VPN, 2d12h49m
O E2 *> 10.77.248.0/23 [110/10] via 10.68.255.1, VPN, 2d12h49m
O E2 *> 10.77.250.0/23 [110/10] via 10.68.255.1, VPN, 2d12h49m
```
Looks like your OSPF interface costs are reversed. Based on the snippet, the VPN interface has cost 10 and the lan interface has 20. Reversing them should flip the preferred interface.
Thanks Toshi. I already saw that. Now the question is "How do I make the VPN routes have a higher cost?"
I didn't know those 10 and 20 were default values if not specified. I understood when I read the cookbook below. In our case, we always specify the cost under the ospf-interface config just like in the cookbook, so I didn't realize.