Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
518
Views
0
Helpful
8
Replies

Cisco Firepower 2130 - PBR Redistribution into OSPF

brian.emil.harris
Level 1
Level 1

‎05-29-2025 11:26 AM

I have a Firepower 2130 that homes all of my S2S VPN connections, as well as some AWS Direct Connect and Microsoft ExpressRoute links.

The FW has static routes for VPN destinations, to push them over the appropriate outbound interface, and a route-map that redistributes select static routes into the OSPF neighborship.

I didn't set this up, so I only have a partial understanding of how this is working, and am hoping someone can assist me in getting my PBR to redistribute.

So, in order to redistribute a static route, not only does the static route have to be present, but I also have to add that route to the ACL for the redistribution route-map.

I've got a couple of connections that aren't the traditional S2S VPN tunnels, but are redundant AWS Direct Connect or Microsoft ExpressRoute links.

Those were setup with a pair of matching static routes, but this isn't providing the automated failover - whatever route has precedence is the route, regardless of that link being down or not.

I believe that I need to use a policy-based route to get over this hurdle.

I've setup the PBR, and it appears to work, but now my issue is that, since the static routes aren't there anymore, the route isn't being redistributed.

I'm failing to find the connection between the static routes and the route-map/ACL that redistributes those, and thus, not implementing a similar connection between the PBR and the route-map/ACL that I created for it.

Any guidance would be most appreciated!

Labels:
0 Helpful
8 Replies 8

brian.emil.harris
Level 1
Level 1

‎05-29-2025 11:37 AM - edited ‎05-29-2025 12:18 PM

OK, looks like I found another step that I missed, and that's defining the redistribution into OSPF.

I found the redistribution rule for the statics, so, to define a rule for the PBR, I think I'll need to choose "BGP".

Will test this later tonight.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to brian.emil.harris

‎05-29-2025 03:02 PM

I do not understand your environment so can not comment on specifics. But I can say that redistribution is for routes. And PBR is a way to change the forwarding logic for some packets. And as such is it not possible to redistribute PBR into OSPF.

HTH

Rick
0 Helpful

MHM Cisco World
VIP
VIP

‎05-31-2025 01:07 AM

This issue solved ?

MHM

0 Helpful

brian.emil.harris
Level 1
Level 1
In response to MHM Cisco World

‎06-02-2025 07:12 AM

Not yet.  The documentation I found indicates that I *CAN* inject a policy-based route into the OSPF environment, however, I was yet unable to get a downtime/approval to terminate the static route and try my solution.  Soon!

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to brian.emil.harris

‎06-04-2025 06:41 AM

I would be interested in what documentation says that you can redistribute PBR into OSPF.

HTH

Rick
0 Helpful

brian.emil.harris
Level 1
Level 1
In response to Richard Burts

‎06-04-2025 01:13 PM

Started here:

https://www.google.com/search?q=redistribute+pbr+into+ospf

Looked at the various linked sources the AI response gave me.

In the brief downtime I had, before I had to roll back, the PBR shows as:

Routing entry for 192.168.253.0 255.255.255.0
Known via "bgp 65001", distance 20, metric 0

So, I'm going to redistribute the BGP route into OSPF, I suppose.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to brian.emil.harris

‎06-04-2025 02:25 PM

Thanks for the link. While the title of that post does say PBR redistribution with OSPF there is not anything in that post that actually mentions redistributing PBR. I do not know what other links you looked at. 

Your most recent post mentions redistributing BGP into OSPF. That is certainly feasible. I hope that turns out to be the solution that you need. 

HTH

Rick
0 Helpful

brian.emil.harris
Level 1
Level 1
In response to Richard Burts

‎06-04-2025 03:07 PM

Thank you, and please forgive me - the route that I need to redistribute IS a PBR, but my routing table sees it as a BGP route.

FWIW, I have two Microsoft ExpressRoute links, BGP between local AS 11111 and remote AS 33333, and when implemented, two static routes pointing 192.168.128.0/24 over each link.  This was implemented, mirroring an earlier virtually identical setup, only using twin AWS links, BGP between local AS 11111 and remote AS 22222, with a pair of static routes pointing 192.168.64.0/24.

Well, as I've come to discover, that's not any kind of fault-tolerant.  The most recent route added takes precedence, and if that link goes down, all traffic goes down - it doesn't flip to the other link that's still up, hence my need to craft the PBR for that fault-tolerance.

Redistributing a static-route worked, and I've since educated myself on how that gets redistributed (with the route-map and whatnot).

Thank you again!

0 Helpful
Customers Also Viewed These Support Documents