Should I redistribute or use static?

phoeneous Member Posts: 2,333
Scenario: Nine offices connected to MPLS and using BGP. Two of the offices go through ASAs to connect to the internet. The ASAs are used for AnyConnect VPN with VoIP phones. In order for the VPN phones to reach all internal phones, the ASAs need to know the BGP routes of the internal network. Should I just add the 9 static routes to the ASAs or redistribute the learned BGP routes into an OSPF area where the ASA and one of the BGP routers are neighbors?

Comments

  • Mstavridis Member Posts: 107
    I always frown on static routes.
  • networker050184 Mod Posts: 11,962
    I'd lean towards statics in this situation personally. I avoid them when possible, but I'm also a big believer in the K.I.S.S. method. If you are already putting these routes in OSPF then I'd go that way though.
    An expert is a man who has made all the mistakes which can be made.
  • vinbuck Member Posts: 785
    Depends on how big your network is and what kind of BGP we are talking about: iBGP or eBGP? If your network is large enough to justify using iBGP over OSPF as your IGP then I might consider redistribution into iBGP if that's an option as it is pretty stable and scalable to redistribute connected and static.

    On the flip side of the coin, redistribution into an IGP like OSPF gets a bit more complex especially if you are using multiple areas since the redistributed routes will show up across the entire OSPF instance.

    The biggest factor in deciding whether or not to redistribute is how many routers will be redistributing between the same two protocols and instances. Multipoint redistribution gets really tricky if you're not comfortable with redistribution.
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • phoeneous Member Posts: 2,333
    I think I'll just do statics to keep it clean. I don't foresee the routes growing too much that it would necessitate redistribution. Thanks for the feedback!
  • Forsaken_GA Member Posts: 4,024
    Statics can be an administrative nightmare, especially if you forget about them. The static route is always going to be there as long as the next hop is active. I would personally redistribute the prefixes using a route-map, sourcing from a prefix-list. That way if the source routes ever disappear, they're withdrawn automatically. It's a hell of a lot easier to go update a prefix-list at a redistribution point than it is to manage static routes across multiple devices.
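
Added example, not part of Forsaken_GA's post or any poster's configuration: a Cisco IOS sketch of the filtered redistribution described above, on the BGP router that forms the OSPF adjacency with the ASA. The AS number, OSPF process ID, interface, prefixes and the names VPN-PHONE-NETS and BGP-TO-OSPF are all constructed placeholders.

```cisco
! Constructed values throughout: AS 65000, OSPF process 10, Gi0/1,
! 192.0.2.0/30 as the router-to-ASA link, 10.x.0.0/16 per office.

! Allow-list of the internal prefixes the VPN phones must reach.
! Anything not listed here is never handed to the firewall.
ip prefix-list VPN-PHONE-NETS seq 10 permit 10.1.0.0/16
ip prefix-list VPN-PHONE-NETS seq 20 permit 10.2.0.0/16
ip prefix-list VPN-PHONE-NETS seq 30 permit 10.3.0.0/16
! ... one entry per office ...

! Route-map used at the redistribution point. The tag marks routes that
! came from BGP so they can be matched and denied if routes are ever
! redistributed back in the other direction (multipoint redistribution).
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list VPN-PHONE-NETS
 set tag 65000
! No further clauses: the implicit deny drops every other BGP route.

router ospf 10
 ! Form adjacencies only on the firewall-facing link.
 passive-interface default
 no passive-interface GigabitEthernet0/1
 network 192.0.2.0 0.0.0.3 area 0
 ! "subnets" is required or only classful networks are redistributed.
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF

! Caveat: IOS redistributes only eBGP-learned routes into an IGP by
! default. If the office prefixes are learned via iBGP, this is also
! needed (it raises the loop risk, so keep the route-map filter tight):
! router bgp 65000
!  bgp redistribute-internal
```

When a listed prefix is withdrawn from BGP, the corresponding OSPF external route disappears from the ASA's routing table without any change on the firewall; adding an office means one new prefix-list line on this router.
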
  • networker050184 Mod Posts: 11,962
    I understand where you are coming from Forsaken_GA, but I don't think nine static routes on a firewall is that big of an administrative nightmare in this situation. Much less of an administrative nightmare than dealing with a new instance of OSPF and redistribution IMO.
    An expert is a man who has made all the mistakes which can be made.
  • phoeneous Member Posts: 2,333
    Noted. For simplicity's sake, would you suggest redistributing to the ASA with EIGRP or OSPF? My knowledge of OSPF is very basic.
    Statics can be an administrative nightmare, especially if you forget about them. The static route is always going to be there as long as the next hop is active. I would personally redistribute the prefixes using a route-map, sourcing from a prefix-list. That way if the source routes ever disappear, they're withdrawn automatically. It's a hell of a lot easier to go update a prefix-list at a redistribution point than it is to manage static routes across multiple devices.
  • vinbuck Member Posts: 785
    I'm gonna have to lean towards Forsaken on this one because firewalls are a notorious dumping ground for special purpose static routes. I've seen some nasty routing loops due to a mountain of static and default routes on a firewall.

    Two ways you can go here for dynamic...

    1) If iBGP runs on top of OSPF then just turn up another iBGP/OSPF pairing and advertise the routes you need out of the firewall (I would especially lean this way if you're using multiple vrfs)

    2) If you are going to do OSPF, then do as others have said and redistribute only the routes needed for connectivity.

    If you guys are using MPLS and BGP, I would probably lean towards using BGP since you almost assuredly have an IGP providing fast convergence and reachability to the underlying transport IP infrastructure.

    Static routes are like networking crack rock....you can't ever use it just this once and then never touch it again...you always come back for more because it's just so easy....
    Cisco was my first networking love, but my "other" router is a Mikrotik...
  • ColbyG Member Posts: 1,264
    In situations like this, I typically do three statics on the ASA, one for each block of RFC1918 space pointing to the inside interface. The only concern is when you have VPN sites externally and you need to add more statics pointing outside.
  • Forsaken_GA Member Posts: 4,024
    I understand where you are coming from Forsaken_GA, but I don't think nine static routes on a firewall is that big of an administrative nightmare in this situation. Much less of an administrative nightmare than dealing with a new instance of OSPF and redistribution IMO.

    Well, I suppose it depends. Judging from the OP, he'd need to add 9 static routes, to two different firewalls. Or, he could redistribute a select few BGP routes into OSPF. That sounds simpler to me, but yeah, it's a matter of opinion.

    And honestly, this kind of Dear Abby network engineering needs to be taken with a grain of salt. My quick and easy answer may be totally reversed if I had a better view of the overall network makeup, and what kind of effect redistributing at a select point is going to have on traffic flow. Of course, redistributing on just one firewall may not be desirable, as it then becomes a single point of failure for those routes, so may need to redistribute on both.
  • Forsaken_GA Member Posts: 4,024
    phoeneous wrote: »
    Noted. For simplicity's sake, would you suggest redistributing to the ASA with EIGRP or OSPF? My knowledge of OSPF is very basic.

    It depends on what it does to your routing traffic flow, and it depends on what the devices that need those routes run.

    Assuming both are options, I'd use the protocol you're more comfortable with.