OSPF adjacency between switches through firewall?

tporembski · ‎06-26-2017

I have a 6509 - checkpoint FW - 7609. Currently we are using static routing to get out however we would like to open the FW to allow OSPF through, OSPF will not be running on the FW itself. How do I than configure the switches on either end to form OSPF adjacency through the firewall(with no OSPF actually running on the FW)? TIA.

cofee · ‎06-26-2017

OSPF has a ttl of 1 by default, so if there is layer 3 device like firewall in your case between the ospf neighbors it won't work because ttl will be decremented to 0 and ospf hello packet will be dropped by the firewall. In my opinion you can either use bgp between the switches and then redistribute ospf routes through bgp or use the neighbor command under the ospf process and that should give you a ttl of 2.

Mark Malone · ‎06-26-2017

Another option maybe is build a GRE tunnel going over the firewall between the devices run ospf through it

cofee · ‎06-26-2017

I agree that's an option too. I was afraid that may defeat the purpose of a firewall between the switches.

Mark Malone · ‎06-26-2017

Ye good point I was just thinking of bypassing it completely to form the adjacency something had to do a long time back but we weren't reliant on the fw for any routing/security for those subnets or traffic passing it at the time, it was more something in the way