03-13-2023 07:07 PM
I have a client that is installing Palo Alto firewalls.
Currently, internal routing is all EIGRP, so the plan is to set up OSPF on the 3 devices that will peer with the firewall and export routes from EIGRP to OSPF and vice versa. The firewall will only be advertising 3 interfaces (1 active & 2 passive) and a default route. The plan is to just have an Area 0, putting all 4 devices in the same subnet. This is not required, though, if the best recommendation is to use separate areas.
What I want is for the Palo Alto to advertise to the 3 Cisco routers and vice versa without the Cisco routers advertising OSPF routes to each other. I'm asking for options on how to do this.
- Should I use a redistribution profile on the routers?
- Can I use the OSPF neighbor command to limit the Cisco routers to only peering with the Palo Alto?
Thanks in advance for any recommendations.
03-15-2023 11:24 PM - edited 03-15-2023 11:25 PM
Hi,
As I remember, P2MP is still multicast based, but you may use P2MP non-broadcast with neighbor statements.
But it will not change much, since OSPF is a link-state protocol and the FW will flood learned Type 5 LSAs to the other router. You will still have Type 5 (external) LSAs from the left switch on the right switch (and vice versa).
You can use a distribute list for filtering in general. And here is another interesting method that should help:
Use distance 255 (never install into the routing table) to prevent routes from the other switch. The command is under the OSPF process:
distance 255 [router_id_of_other_switch] 0.0.0.0 (without an access-list, so all routes from this device will have distance 255, which means they are not installed in the RIB)
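To make the distance 255 approach concrete, here is an added example (not any poster's configuration) for one of the two L3 switches; the router IDs 10.0.0.1/10.0.0.2, the OSPF process number, the interface and the ACL name and prefixes are assumed placeholders, and the same stanza is mirrored on the other switch with the router IDs swapped.

```cisco
! Added example, not from this thread. Applied on SWITCH-A.
! Assumed placeholders: SWITCH-A router ID 10.0.0.1, SWITCH-B router ID 10.0.0.2,
! OSPF process 20, shared firewall segment 10.0.1.0/24.
!
! Option 1: ignore everything SWITCH-B originates. Without an ACL every
! prefix whose advertising router ID is 10.0.0.2 gets AD 255 and is never
! installed in the RIB. Routes originated by the firewall (its own router
! ID) are unaffected, so the default route from the FW still installs.
router ospf 20
 router-id 10.0.0.1
 network 10.0.1.0 0.0.0.255 area 0
 distance 255 10.0.0.2 0.0.0.0
!
! Option 2 (alternative to the line above): suppress only the EIGRP ranges
! SWITCH-B redistributes and keep anything else it originates.
ip access-list standard FROM_SWITCH_B_EIGRP
 permit 10.20.0.0 0.0.255.255
 permit 10.21.0.0 0.0.255.255
!
router ospf 20
 distance 255 10.0.0.2 0.0.0.0 FROM_SWITCH_B_EIGRP
!
! Verification: the suppressed LSAs remain in the link-state database
! (show ip ospf database external) but are absent from the routing table
! (show ip route ospf). Mirror on SWITCH-B using 10.0.0.1 as the source.
```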
03-16-2023 05:23 AM
Ah, so in OP when you describe 3 Cisco devices, two are L3 and one is L2, correct?
I think I finally realized what you want to accomplish, namely you don't want either EIGRP L3 switch to "see" the other switch's EIGRP routes via OSPF, correct?
03-16-2023 05:42 AM
Oops, accidentally hit reply on prior posting.
If my last prior posting is correct, why is this a concern?
If we do block "seeing", just from route table or from OSPF database?
Understandable you want FW to provide default to EIGRP, but why the need for it also providing DMZ routes (as default will go through FW?)?
Although I still question the need to suppress OSPF routes (BTW, I recall [?] EIGRP's default AD is better than OSPF's default), I believe there are several possible approaches, some, though, would depend on FW's features.
03-29-2023 10:30 AM
It's funny you say this because I had this same conversation with the client last night. We don't need to advertise anything except a default route because access to the DMZ & Global Protect would just traverse the default route. I was actually including them so that if someone is logged into a router and is looking for a route they'll actually see it. I guess for completeness' sake more than anything else?
03-29-2023 02:35 PM
"I guess for completeness sake more than anything else?"
Well, personally, I like to have as few "moving parts" as possible, and also do things in a way that someone else won't come along and say "huh?", i.e. if you use a default route with "needless" specific routes, one often then assumes that those specific routes are "needed", then you can go crazy trying to figure out why they are "needed".
03-29-2023 10:28 AM
Sorry for going dark on this. I appreciate everything everyone has done on this. Things just got stupid busy. I finally got to get this set up and here's what I found.
P2MP: Tried this first with and without non-broadcast setting. For some reason the Palo Alto just didn't like it. Running debug on one of the routers showed mismatched HELLOs. I researched on the PAN side to see how they handle P2MP and couldn't find any explicit info on if it operated as unicast or broadcast. The documentation just states this is the only way to manually list peers.
P2P: For giggles I tried this between 1 router and the PAN. This actually did work.
Broadcast: This is what I ended up having to choose to get the neighbor relationships to work. I just set up the PAN side to not export OSPF routes (so routes learned from one switch wouldn't just be broadcast to the next via the PAN). On the switch/router side I set up a distribute list in EIGRP and a redistribution route-map in OSPF, which was just to prevent routes exported from OSPF to EIGRP from being exported back into OSPF.
I only ended up with a single route that was coming from EIGRP where the OSPF route was the active route on the Cisco switches/routers. This route was the ASA's AnyConnect subnet, which is an EIGRP external route. The OSPF route cost was just a higher priority than the EIGRP route. This was acceptable.
Final Config on the Cisco side:
The below prefix list & route-map are the routes that the Palo Alto is advertising into the network. This is used to prevent the routes being exported to EIGRP and then being exported back into OSPF:
ip prefix-list FW_ROUTES seq 10 permit 172.31.253.0/24
ip prefix-list FW_ROUTES seq 20 permit 10.250.1.0/24
ip prefix-list FW_ROUTES seq 30 permit 10.0.1.250/32
ip prefix-list FW_ROUTES seq 40 permit 209.76.14.0/24
route-map OSPF_NOREDIST deny 10
match ip address prefix-list FW_ROUTES
!
route-map OSPF_NOREDIST permit 20
Dynamic Routing Configuration. The only change I made on the EIGRP side was to add the redistribute line. The "network" used in OSPF covers just the interface used for peering.
router ospf 20
redistribute eigrp 10 metric 20 metric-type 1 subnets route-map OSPF_NOREDIST
network 10.0.1.0 0.0.0.255 area 0
router eigrp 10
network 10.0.0.0
redistribute ospf 20 metric 100000 20 255 255 1500
passive-interface default
no passive-interface TenGigabitEthernet1/10
no passive-interface TenGigabitEthernet1/13
no passive-interface TenGigabitEthernet1/14
no passive-interface Vlan805
no passive-interface Vlan806
no passive-interface Vlan901
no passive-interface Vlan800
no passive-interface Vlan801
no passive-interface Vlan804
no passive-interface TenGigabitEthernet1/9
no passive-interface Vlan810
no passive-interface Vlan811
eigrp router-id 10.0.0.1
03-29-2023 10:56 AM
Thanks for updating us.
03-30-2023 02:39 AM
Hello
@CNMatt wrote:
What I want is for the Palo Alto to advertise to the 3 Cisco routers and vice versa without the Cisco routers advertising OSPF routes to each other. I'm asking for options on how to do this.