I have the below network.
Here is the senario.
OSPF process 1000
Firewall is in area 2 and 1 and 0
Switch1 is in area 2 and 1 (not 0)
Internal switch is in area 1 only
Router1 is in area2 only
As you see I want to transfer the default route from Router 1 to Firewall 1 and Switch1. This is not an issue.
However for the internal switch I want to send the ip address of the firewall (located at area 1) as default gateway.
(This can not work with static route and I don't want that as this is a part of network and there is a fully mirror site with double connections that I haven't put on the diagram.)
Is there any way to send a different default route for the area 1?
as Switch1 has the default route point to Router1 any packets from Internal switch will be sent directly to the Firewall1 now which is wrong.
Thanks for any help
Basics on OSPF is that all traffic goes to Area 0. I doubt if this setup you are trying to achieve will work.
You should change your setup so that Area 2 is area 0 and the exit point out of your network
If we do your sugestion still traffic from Internal switch can go to the switch 1 and then the router 1. It can bypass the firewall.
The important aim here is to have the ip address of the firewall as the defaul gateway for Internal switch.
However the defaul gateway of the firewall will be the router.
in OSPF multi area all areas should communicate via area 0 and not directly. This is by protocol design.
So in your case the FW is the only real ABR node interconnecting area 1 and area 2. switch1 is member of area 2 and area1, but it is not an area border router because it is missing a connection to area 0.
Your setup has the problem that switch1 is not part of area 0. For this reason the internal switch in area 1 sees only the path via the firewall for the default route.
The first suggestion is to have area 0 running also on switch1, this should allow it to propagate in area 1 the LSA type 5 generated by router1 in area 2, that represents the default route..
At that point you can influence what ABR is used by using link metric in area 1.
Generally speaking OSPF is link state so its behaviour is to propagate information everywhere. To control LSA propagation you can use different type of OSPF areas like stubby areas or not so stubby areas.
It is possible to filter internal routes between areas (LSA type on ABR routers), but when we speak of external routes like the default router of interest OSPF provides a way to control propagation only by using stubby areas.
in order to avoid FW to be bypassed, it would be better to have switch1 as only ABR for area 1,2 (via area 0) and to have the FW as internal router on area 2 on the path to router1
Hope to help
The main reason of having firewall only on area 0 and not the switches is area 0 will have some servers connect to it. It is basically the DMZ area. So what is somebody set the ip address of the switch on area 0 as gateway?! This will be a security issue.
I think we need to have area 0 only for the firewalls. Others will be point of the communication of the firewall with the rest of network.
All we need is using firewall ip address as default route for the internal switch and router ip address as default route for the firewalls. How can that be achived?
My suggestion then will be to have the router and firewall in area 0 and then the switches will be in area 1. This way you can have the default route on the firewall as the router and the switches have the firewall as their default route.
The switch doesn't have to be in Area 0 at all.
Router will have 1 interface in Area 0 [which is connected to the firewall]
Firewall will have 1 outside interface in area 0 [which is connected to the Router].
Firewall will have 1 inside interface [DMZ] on Area 1 [which is connected to the switch]
Switch will have all interfaces in Area 1
Hope this helps.