OSPF question

Nerm · March 22, 2016, 07:48:38 AM

I have a unique situation (at least for me) where I have two OSPF routers on each side of a static routing only device. Is it possible to do any kind of OSPF transit across/through a device that doesn't support OSPF? I thought about doing something like a GRE tunnel but the static device is a firewall and I want it to be able to see into the traffic.

routerdork · March 22, 2016, 08:09:54 AM

Is the firewall VLAN capable?

Nerm · March 22, 2016, 08:18:04 AM

Yes it is and I didn't even think about that.

deanwebb · March 22, 2016, 08:19:49 AM

Each router has a big ol' static route pointing at the firewall?

icecream-guy · March 22, 2016, 08:20:40 AM

GRE in transport mode should allow visibility at the firewall, if you want to hide it, you could do tunnel mode and encapsulate it in IPSEC

Nerm · March 22, 2016, 08:28:09 AM

Quote from: deanwebb on March 22, 2016, 08:19:49 AM
Each router has a big ol' static route pointing at the firewall?

Yep, big ol' summary routes.

that1guy15 · March 22, 2016, 08:30:32 AM

Yup tunnel is your solution as everyone above said.

BUT I hate this design and try to avoid it when possible. OSPF or any IGP does not play nice when you start to separate the control-plane from the data plan and even more so when you push those through a firewall. Same reason OSPF virtual links are a bad idea.

If you need dynamic routing between those two devices then BGP is a better fit. Just open up BGP on the firewall and go to town.

deanwebb · March 22, 2016, 09:13:34 AM

BGP on a firewall...

I laugh because of Cisco.

that1guy15 · March 22, 2016, 10:27:22 AM

Yeah Cisco firewalls suck, but then again I hate firewalls...

Our new DCs are all BGP peered with our firewalls and we are slowly migrating the rest. Used to pass the BGP peer through but its ugly. We are getting some seriously impressive failover times with this new model.

Nerm · March 22, 2016, 06:19:36 PM

The firewall unfortunately doesn't do ospf/bgp/etc.

deanwebb · March 22, 2016, 06:38:58 PM

Quote from: Nerm on March 22, 2016, 06:19:36 PM
The firewall unfortunately doesn't do ospf/bgp/etc.

Let me guess... Cisco ASA?
Yeah, you're going to want to use that big ol' static route.

Nerm · March 22, 2016, 07:28:38 PM

Meraki

Nerm · March 22, 2016, 08:14:25 PM

Based on my research it looks like I might be able to "redneck" it with bgp. Gonna lab it tomorrow and will post back with my results.

dlots · March 23, 2016, 07:20:53 AM

How would BGP work?

yes router 1 and 2 will exchange routes, but if you don't have a tunnel of some kind (which as ristau5741 your FW should be able to see into as long as your not encrypting it) the FW won't know what to do with the traffic once R1 sends it up there to go to R2.

You can't make it a transparent (L2) firewall can you?

LynK · March 23, 2016, 07:51:11 AM

If you have any sort of outside switch, on the other end of the firewall, I do not see what the problem is here? Connect them via L2, and do not have them go through a FW.