topic Re: OSPF E2 Default route in FTD in Network Security

OSPF E2 Default route in FTD

great.mathmatician11 — Sat, 25 Nov 2023 13:14:57 GMT

Hi,

I have a question if someone can help me with that please, I have FTD configured in Active standby and managed by FMC. These FTDs are going in to an upstream nexus switch. I am using RFC1918 addresses between the outside interface of FTD and SVI on the switch. I have run OSPF between the SVI and the outside interface which is working, the neighbourship comes up, switch and FTD are learning the OSPF routes from each other, but the problem is i have issued a command default information originate always on nexus and FTD is not taking a default route in its routing table. In principle it should work but is there any limitation on the FTD?

Your help on this would be highly appreciated.

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sat, 25 Nov 2023 14:31:57 GMT

Nexus is ABR or ASBR or internal ?

Only ABR and internal router can advertise defualt route via ospf if it not in rib using always keyword.

If nsk is asbr then you need to add defualt route to rib.

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sat, 25 Nov 2023 18:24:24 GMT

Hi, Nexus is Internal and everything within Nexus is in area 1, FTD has two interfaces the LAN interface goes to area 0 and upstream WAN link goes to area 1 towards nexus. On nexus I have tried default information originate always and it didnt work, just for testing purposes I have tried adding a default route towards null interface as well but it did not help.

For the testing purposes I deviated from my design and added everything in area 0 LAN and WAN but it didnt much help either. Can it be impacted by licenses, I can not seem have alot of documentation for OSPF in FTD.

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sat, 25 Nov 2023 18:36:22 GMT

Ok, let forget defualt route for moment,

Add and static route on nsk and redistribute static subnet into ospf

See if this route is appear in ftd or not.

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 13:45:09 GMT

Hi,

I created a default route on the nexus pointing towards the null0, its in the rib as well, I redistributed in to ospf but it is not showing up in the FTD. I am really confused what is happening here

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sun, 26 Nov 2023 13:48:55 GMT

Friend as I mention above'

Dont use defualt route' add any other static route like

Ip route 111.111.111.111 255.255.255.255 null0

Then redistrubte it

Check if ftd see it or not'

I think there is no ospf between nsk and ftd

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 14:09:17 GMT

there is ospf between FTD and NSK.

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 14:09:33 GMT

this is the output from the FTD

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 14:23:00 GMT

Yes this is the output and routes from the FTD, FTD has only 1 OSPF neighbour and that is the nexus

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 14:28:43 GMT

This is another screenshot from the FTD, i think the problem is with Nexus, I created a static route and redistribute it with route-map any any which matches the prefixes list 0.0.0.0/0 le 32 but i can not see any e2 routes and FTD is not accepting any E1 or E2 routes

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sun, 26 Nov 2023 14:37:49 GMT

Can you share how you config nexus.

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 14:46:21 GMT

here you go

I managed to bring the 1.1.1.1/32 route in the FTD as E2 route but default route is still not comming in. I have started to think if there is a limitation

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sun, 26 Nov 2023 14:53:01 GMT

Do you add defualt information under vrf address family of ospf?

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 14:56:12 GMT

Hi,

I have added and deleted that as part of the investigation, but it makes no difference! I think I have not added licenses to the FTDs, will it make any difference? Its just its not taking an E1 or E2 default route, I just tested putting another router to the nexus and run ospf between nexus and the router, the router takes the default route but FTD does not.

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sun, 26 Nov 2023 15:05:03 GMT

Just to check again'

Add defualt information originate under vrf of ospf and check with always keyword.

I think you add it under global not under vrf context.

MHM

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 15:29:52 GMT

Hi,

just checked didnt work, i changed the topology just to check something, i added default information originate on new router and delete it from nexus just to check whether nexus adds a default route from upstream router and propagate it to ftd, i can see the default route in nexus now but there is nothing on the ftd

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sun, 26 Nov 2023 15:47:01 GMT

Ok' let return to nsk-ftd

In nsk add

Default information originate route-map mhm

Route-map mhm permit 10

Set forward address

Note:- add this command under vrf context of ospf in nsk.

MHM

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sun, 26 Nov 2023 17:36:17 GMT

Any update?

If not working

Can you share

Show ip ospf database external

Re: OSPF E2 Default route in FTD

great.mathmatician11 — Sun, 26 Nov 2023 17:36:09 GMT

Yeah doing it now, i donot understand the route-map -> set forward address? what address does it need to be?

Re: OSPF E2 Default route in FTD

MHM Cisco World — Sun, 26 Nov 2023 17:39:48 GMT

Set forward address

No need IP it make nsk set forward address ip automatically point to nsk interface connect to ftd.