07-30-2019 06:36 PM
Previously, I have configured OSPF on ASA Firewall and is very similar to Cisco Routers and Switches.
However, when I tried to configure OSPF on FirePOWER Firewall, the SmartCLI and FlexConfig looks pretty confusing.
How do you relate the following Cisco ASA command to FlexConfig?
router ospf 1
network 192.168.1.0 255.255.255.0 area 0
07-30-2019 08:26 PM
Are you managing your device using Firepower Management Center (FMC) server or locally using Firepower Device Manager (FDM)? What version is your software?
07-30-2019 11:33 PM - edited 07-31-2019 01:46 AM
I am managing the device locally using Firepower Device Manager (FDM) via the management LAN port. Software version is 6.3.0-83
07-31-2019 02:41 AM
You should be able to do it as follows:
1. On the Device page, select Advanced Configuration
2. In the left pane, under Smart CLI, select Routing
3. Click on the Create Smart CLI Object button or the plus button on the top right
4. In the Add Smart CLI Object pop up, Enter Name, Description, and Select OSPF template
5. Fill in the values highlighted in green (OSPF area number and network information)
6. Then use the Interface cli template to assign an interface to the OSPF area you just configured.
7. Deploy the changes and confirm.
Note - if somebody needs a more advanced OSPF configuration, select the "Show disabled" buttons when first selecting the OSPF template. That will give you more OSPF parameters to choose from (area types, route summarization static neighbors, redistribution etc.). Things like MD5 key, priority etc. are set under the interface template.
07-31-2019 06:45 AM
I just need to do the following command, but using SmartCLI and maybe FlexConfig if required.
1. May I know how to do the following using SmartCLI and maybe FlexConfig?
router ospf 1
network 192.168.10.0 255.255.255.0 area 0
I would greatly appreciate if you are able to provide detailed steps, as I am new to this Cisco FirePOWER.
2. I know for Cisco Router and Switches key in wildcard mask, and Cisco ASA Firewall key in subnet mask for OSPF.
May I know for Cisco FirePOWER/FTD, what do i add for OSPF network? Subnet or Wildcard mask?
07-31-2019 07:33 AM - edited 07-31-2019 10:49 PM
1. Like this:
2. Use the subnet mask (not wildcard mask).
+ don't forget to add Smart CLI object for the interface OSPF parameters.
07-31-2019 07:52 PM
1. For the interface OSPF parameters, can I leave the parameters as default?
2. If the parameters are default and we have 7 sub-interfaces, can we apply the same template to all the sub-interfaces?
07-31-2019 10:54 PM
As with an ASA, you can change some interface-specific OSPFv2 parameters, if necessary. You are not required to change any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: ospf hello-interval , ospf dead-interval , and ospf authentication-key . If you configure any of these parameters, be sure that the configurations for all routers on your network have compatible values.
08-01-2019 05:22 AM
Hi Marvin, I'm assisting Peter with this deployment and thank you for your kind help this far.
We are clear on the Ospf template but not so clear on the interface ospf settings part. Usually we would use the Ospf template globally and all interfaces will be using the global routing table. However there is a need to create an Ospf interface template in order to complete the Ospf configuration.
We have 7 sub-interfaces. Must we apply the same template to all 7 sub-interfaces or do we use 7 different interface templates, but same configuration, for all sub-interfaces?
Thank you and hope you can shed some light in this.
08-01-2019 05:42 AM
You're welcome. I wasn't positive if FTD Smart CLI required us to apply the template per interface or leave it blank. I've only done a single interface in my lab.
If it is indeed requiring the interface template, then it will require it to be repeated for each (sub)interface that you want to participate in establishing OSPF adjacencies. It can be the same default settings but will have to be repeated per interface as the Smart CLI template requires you to input an unique interface nameif each time it is created.
04-17-2020 11:35 AM - edited 04-17-2020 02:12 PM
I am struggling with OSPF on a HA pair of virtual FTDs. I tried this on 6.2, 6.3 & 6.5 and cannot add a network statement.
I have just built another pair of 6.6 virtual FTDs and I was hopeful as OSPF & BGP are in the release notes as being available in FDM now. However it looks like Cisco have just moved the SmartCLI for BGP & OSPF from the advanced section to the routing section.
When I add an OSPF object I can set the process ID but there is no option to add a network statement. I am beginning to wonder if this is some limitation of the virtual appliance
04-17-2020 12:56 PM