03-13-2023 07:07 PM
I have a client that is installing Palo Alto firewalls.
Currently, internal routing is all EIGRP, so the plan is to set up OSPF on the 3 devices that will peer with the firewall and export routes from EIGRP to OSPF and vice versa. The firewall will only be advertising 3 interfaces (1 active & 2 passive) and a default route. The plan is to just have an Area 0, putting all 4 devices in the same subnet. This is not required, though, if the best recommendation is to use separate areas.
What I want is for the Palo Alto to advertise to the 3 Cisco routers and vice versa without the Cisco routers advertising OSPF routes to each other. I'm asking for options on how to do this.
- Should I use a redistribution profile on the routers?
- Can I use the OSPF neighbor command to limit the Cisco routers to only peering with the Palo Alto?
Thanks in advance for any recommendations.
03-15-2023 03:51 AM
Hello @CNMatt
If you want the Palo Alto firewall to advertise routes to the three Cisco routers and vice versa, without the Cisco routers advertising OSPF routes to each other, you can try:
-- Using separate areas: you could use separate OSPF areas for the Palo Alto and the three Cisco routers. This would prevent the Cisco routers from advertising OSPF routes to each other, while still allowing them to receive routes from the Palo Alto. The downside is that you would need to configure virtual links between the areas to ensure connectivity between all devices.
-- Using a redistribution profile: another option would be to use a redistribution profile on the routers. You could redistribute the routes learned from OSPF on the Palo Alto firewall into EIGRP on the routers, and vice versa. This would allow the routers to learn the routes from the Palo Alto without advertising OSPF routes to each other.
03-15-2023 03:59 AM
I don't get it, can you draw the topology?
03-15-2023 08:59 AM
"What I want is for the Palo Alto to advertise to the 3 Cisco routers and vice versa without the Cisco routers advertising OSPF routes to each other."
Ah, that's sort of what dynamic routing protocols do.
I'm guessing your experience is with EIGRP and not (much if any) experience with OSPF?
If so, they are a bit different, and perhaps things you might do with EIGRP, like distribute lists to EIGRP neighbors, aren't so "easy" to accomplish with OSPF (it's also a link-state, per area, which has implications for how it supports routing). As you mention multiple areas, I'm also guessing you've been looking into how area design "plays" within OSPF.
Perhaps rather than just jumping into what you want to accomplish, might you also explain why you believe you need to do what you want to do?
I'm wondering, if you don't understand OSPF well, whether you might be wanting to do things in a way that either isn't really necessary and/or there's a "better" OSPF way, especially for just 4 OSPF devices.
03-15-2023 01:44 PM
Hi,
Redistributed routes are Type 5 external routes, so whether there is one area with one subnet, multiple areas, or one area with multiple subnets (interconnections), all routers will see the other Type 5 LSAs in the OSPF DB.
Better to have one area with multiple interconnections to avoid neighborships between Cisco devices which are not needed.
Regarding filtering these routes: they will be in the DB, but EIGRP (if it is internal) is preferred. If you have external EIGRP routes behind routers, increase the AD for external OSPF routes to be more than 170.
Note that, when you have multiple points for mutual redistribution always problems happen, if you just configured routing and redistribution without filtering in redistribution.
Use the tag attribute and tag routes that are redistributed from EIGRP to OSPF on one router, and filter all routes with the respective tags on the other routers while doing the reverse redistribution (OSPF into EIGRP).
Note that you can still use a distribute list on both routing protocols to filter routes to be downloaded to the RIB/FIB.
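The tag-and-filter scheme described in this post, written out as an added Cisco IOS example (this is not configuration from any poster in the thread). It assumes EIGRP AS 100, OSPF process 1, tag values 100 and 200, a seed metric for the OSPF-to-EIGRP direction, and the external-OSPF AD of 171 mentioned above; all of these are illustrative choices. The same fragment would go on each of the three EIGRP routers with the same tag values so that every router refuses what a sibling already redistributed.

```cisco
! EIGRP -> OSPF: anything tagged 200 was originally an OSPF route that a
! sibling router already leaked into EIGRP; refuse it so it cannot be
! redistributed back into OSPF (loop). Everything else is tagged 100.
route-map EIGRP-TO-OSPF deny 10
 match tag 200
route-map EIGRP-TO-OSPF permit 20
 set tag 100
!
! OSPF -> EIGRP: mirror image. Tag 100 marks an EIGRP-origin route that a
! sibling injected into OSPF; refuse it, tag the genuine OSPF routes 200.
route-map OSPF-TO-EIGRP deny 10
 match tag 100
route-map OSPF-TO-EIGRP permit 20
 set tag 200
!
router ospf 1
 redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF
 ! OSPF external AD above EIGRP external (170) so that a prefix learned
 ! both as an EIGRP external and as an OSPF E2 route stays with EIGRP.
 distance ospf external 171
!
router eigrp 100
 ! Classic EIGRP needs an explicit seed metric (bw delay reliability load mtu).
 redistribute ospf 1 metric 10000 100 255 1 1500 route-map OSPF-TO-EIGRP
```

To check it, `show ip route <prefix>` on a neighboring router shows the carried tag ("Tag 100" or "Tag 200") on the redistributed entry, and `show ip ospf database external` lists the Type 5 LSAs with their tag; a prefix that shows up twice in the OSPF database with both tags means a filter is missing on one router.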
03-15-2023 02:33 PM
"Redistributed routes are Type 5 external routes, so whether there is one area with one subnet, multiple areas, or one area with multiple subnets (interconnections), all routers will see the other Type 5 LSAs in the OSPF DB."
I believe OSPF stub areas do NOT see type 5 LSAs, unless the ASBR is in a NSSA, and within the NSSA, type 5 LSAs are sent as type 7 LSAs, correct?
I think (?) the OP is also looking for all non FW OSPF routers, sharing no routes, whatsoever, except between any FW and each non FW router. (Incidentally, your mention of using distribute list [NB: in] might be one way to suppress "undesired" routes [not the underlying area LSA topology, of course].)
03-15-2023 11:11 PM
Hi Joseph,
That's correct, but Area 0 cannot be stub. And even if you use another area and if the area is stub, then the firewall cannot see redistributed routes (since Type 5 is blocked in stub). Or even if you use an NSSA area (one area), then Type 7 will be flooded within the area.
One way could be 3 interconnections and each in different NSSA area (non-backbone).
03-16-2023 06:11 AM
"but Area 0 cannot be stub."
Agreed, never wrote it could.
I was just pointing out your earlier posting stated LSA type 5 go to all areas, and as you now agree with me, that's not the case.
BTW, as I see you have a CCIE, I was about 99.999% certain you already knew this, and likely just avoiding the deeper details of OSPF. However, I worry some less knowledgeable readers might take what you earlier wrote as "fact", especially as you have a CCIE.
Personally, I often find it difficult to not drown an answer in many non-essential details without implying something that's incorrect.
Regarding the rest of your post, yea I too believe an OSPF multi-area design could be a possible solution (assuming I now actually understand what OP wants).
For such an approach, I'm thinking along the lines for FW in area 0 and each EIGRP router in its own NSSA. (One of the reasons I asked whether inside network needs more than default. [I.E. if NSSAs used, kind of stub?])
04-05-2023 02:15 PM
04-05-2023 03:09 PM
Thanks for the update!
Yea, I thought your needs might be accomplished in a simpler way, which is why I questioned what you wanted to actually do.
BTW, early on, I was testing different redistribution setups between OSPF<>EIGRP (using Packet Tracer - not the best tool). Although using two NSSAs looked to be about the "best fit", possibly going to that extreme might not have been needed either. (Although I'm working another thread dealing with EIGRP, and have found either PT or EIGRP [or both] can be "quirky". [I have only a text book reading on EIGRP, I've never dealt with it in production.])
03-15-2023 05:11 PM
Here's a quick diagram. It's crude, but hopefully it makes it easier to understand.
Basically the non FW (Cisco switches) are already participating in EIGRP so all internal routes are learned that way. OSPF is only being used so the FW can learn internal routes and then advertise the DMZ and default gateway to the switches.
I'm trying to avoid the OSPF routes being learned between the switches. I want the firewall to advertise its 2 routes and learn the internal routes, and for the switches to learn the 2 routes from the firewall and advertise to the firewall. I'd prefer the switches did not advertise their internal routes to each other.
If I use P2MP, could I just specify the peer at the Cisco switches so they only peer with the firewall? Is there a drawback to this?
03-15-2023 05:53 PM
Your idea about configuring P2MP on the FW can work here.
What I want to ask here is, why do you want to run OSPF on an L2 SW?
03-15-2023 05:58 PM
03-16-2023 03:30 AM
Hi friend, I ran a lab.
First I tried P2MP without no-broadcast and with the neighbor command (direct OSPF neighbor config); this did not work.
Then I tried P2MP with no-broadcast and with the neighbor command, and succeeded in making both IOU3 and IOU4 establish OSPF only with IOU2 (in your case this will be the FW).
03-16-2023 03:59 AM
I also tested EIGRP redistribution into OSPF, with success using P2MP no-broadcast, and all traffic goes to IOU2 (FW in your case) before being directed to the other router.
So I think this is exactly what you want: all traffic must pass through the FW.
thanks
MHM
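An added Cisco IOS example of the point-to-multipoint non-broadcast arrangement that the lab above found to work; it is not the poster's lab configuration. It shows one of the three Cisco devices. The interface name, the 10.0.0.0/24 addressing (FW at .1, Cisco devices at .2 to .4), the OSPF process number and the router-id are assumptions. It also assumes the Palo Alto side is configured as point-to-multipoint with all three Cisco addresses listed as neighbors, since on a non-broadcast network type each side only sends unicast hellos to the neighbors it has configured.

```cisco
! Shared segment with the firewall; no multicast hellos are sent on a
! non-broadcast network type, so nothing is discovered automatically.
interface GigabitEthernet0/1
 description Link to Palo Alto (OSPF area 0)
 ip address 10.0.0.2 255.255.255.0
 ip ospf network point-to-multipoint non-broadcast
!
router ospf 1
 router-id 10.0.0.2
 network 10.0.0.0 0.0.0.255 area 0
 ! The only statically configured neighbor is the firewall; the other two
 ! Cisco devices on the same subnet are never sent a hello, so no
 ! adjacency with them is ever attempted.
 neighbor 10.0.0.1
 ! OSPF stays off every inside interface; EIGRP carries those routes.
 passive-interface default
 no passive-interface GigabitEthernet0/1
```

After this, `show ip ospf neighbor` should list only 10.0.0.1 in FULL state, and `show ip ospf interface GigabitEthernet0/1` should report the network type as POINT_TO_MULTIPOINT. Two things to expect: the point-to-multipoint type installs /32 host routes for the neighbor address rather than the connected subnet, and this restricts only adjacencies, not the link-state database, so Type 5 externals that one Cisco device redistributes still reach the others through the firewall's flooding; the tag filtering on the redistribution route-maps is still needed.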