OSPF Neighbour between Core Switch and Router, connected through firewall in between

Sureshkumar B
Level 1
Hi Team, I am planning to segregate WAN connectivity and corporate users through a firewall. Currently OSPF is running between my core switch and WAN router; if I move the WAN router to the firewall's external zone and the core switch to the firewall's internal zone, I don't want to run OSPF on the firewall. What is the best practice to establish an OSPF neighbour between the WAN router and core switch? Please suggest a solution for this.
8 Replies

Hello,

Which firewall are you planning on installing? Below is the procedure for Checkpoint firewalls...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39960

Hi there, thanks for your input. Let's consider a Cisco firewall itself: what is the configuration of the router's OSPF and the core switch's OSPF commands, and what firewall policies need to be enabled?

Deepak Kumar
VIP Alumni

Hi,

If I am considering your point:

"I don't want to run OSPF on the firewall. What is the best practice to establish an OSPF neighbour between the WAN router and core switch? Please suggest a solution for this."

Then it looks like you are not fulfilling the OSPF neighbourship requirement of being on the same subnet. I don't think there is an issue with running OSPF on the firewall, but if you don't want to, due to some network or protocol reason or your standard, then you can implement a Cisco firewall in transparent mode.

Before proceeding with the transparent mode configuration, also check the firewall documents: will it fulfil your requirements in transparent mode?

My second option is to configure a GRE tunnel between the core switch and WAN router (if supported), but this raises more issues with your security configuration: your firewall will not be able to scan the GRE-encapsulated traffic and provide the security you desire. Another issue is the performance of your WAN router. Keep in mind that this is not a recommended solution.

Regards,

Deepak Kumar

Hello

@Deepak Kumar wrote: (quoting the reply above in full)

At the end of the day, what's the point of segregation if you're going to do this?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver

I am not sure, but my consideration was the statement "Currently OSPF is running between my core switch and WAN router," made by the original author of this post.

Your point is correct, but he may be using DMVPN/MPLS or other services which currently depend on OSPF, and he is not aware of redistribution or the limitations on this point.

Regards,

Deepak Kumar

Hello

@Sureshkumar B wrote:
Hi Team, I am planning to segregate WAN connectivity and corporate users through a firewall.

So why do you want an OSPF peering between the two? The whole point is to segregate them, correct? So just use static routing so egress/ingress traffic traverses your FW.

Kind Regards
Paul

balaji.bandi
Hall of Fame

If the user path is like below:

users---access---core---FW---WAN router (internet)

I suggest a static route on the FW is the best approach, since it is a default route, until you have a different ISP in the network (then a totally different plan).

BB
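As an added illustration (not configuration from any of the posters), this is what the static-routing design recommended above looks like on a Cisco IOS core switch, an ASA in routed mode and an IOS WAN router: OSPF stays inside the corporate network, and no adjacency ever has to cross the firewall. All interface names, the 10.10.0.0/16 user summary and the link addresses are assumed values.

```cisco
! --- Core switch (Cisco IOS, assumed) ---
! Inside link to the firewall; user VLANs are summarised as 10.10.0.0/16
interface Vlan900
 description Link to FW inside
 ip address 10.0.0.1 255.255.255.252
!
! Default route points at the firewall; OSPF is kept only for the internal network
ip route 0.0.0.0 0.0.0.0 10.0.0.2
router ospf 1
 default-information originate
!
! --- ASA, routed mode (assumed) ---
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.252
!
! Default toward the WAN router, corporate summary back toward the core switch
route outside 0.0.0.0 0.0.0.0 192.0.2.1
route inside 10.10.0.0 255.255.0.0 10.0.0.1
!
! Only the corporate summary may leave; everything else from inside is denied and logged
access-list INSIDE_IN extended permit ip 10.10.0.0 255.255.0.0 any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! --- WAN router (Cisco IOS, assumed) ---
interface GigabitEthernet0/0
 description Link to FW outside
 ip address 192.0.2.1 255.255.255.252
!
! Return route for the corporate summary via the firewall's outside interface
ip route 10.10.0.0 255.255.0.0 192.0.2.2
```

The return route on the WAN router is the piece most often forgotten: without it traffic leaves but never comes back, and the firewall's default outside-to-inside deny still governs what the WAN side may initiate.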
