FWSM: OSPF

Unanswered Question
Oct 5th, 2009

Can you configure OSPF on the FWSM? VLAN 199 & 200 are configured behind the FWSM and I want them to be routed as part of OSPF 99.

Please advise.

### 6500 ###

interface Vlan100
 description "MGMT"
 ip address 10.26.20.1 255.255.255.0

interface Vlan199
 description "Voice"
 ip address 10.27.0.2 255.255.254.0

interface Vlan200
 description "DATA"
 ip address 10.27.2.2 255.255.255.0

router ospf 99
 router-id 10.26.28.4
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute connected subnets
 network 10.26.0.16 0.0.0.3 area 0
 network 10.26.0.20 0.0.0.3 area 0

### 6500 + FWSM ###

### 6500 ###

no aaa new-model
firewall module 4 vlan-group 1
firewall vlan-group 1 100,199,200

interface Vlan100
 description "MGMT"
 ip address 10.26.20.1 255.255.255.0

router ospf 99
 router-id 10.26.28.4
 log-adjacency-changes
 area 0 authentication message-digest
 redistribute connected subnets
 network 10.26.0.16 0.0.0.3 area 0
 network 10.26.0.20 0.0.0.3 area 0

### FWSM ###

interface Vlan100
 nameif OUTSIDE
 security-level 0
 ip address 10.26.20.250 255.255.255.0
!
interface Vlan199
 nameif CM-VOICE
 security-level 100
 ip address 10.27.0.1 255.255.254.0
!
interface Vlan200
 nameif CM-SERVERS
 security-level 100
 ip address 10.27.2.1 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 10.26.20.1 1

regards,

C

dinesh.das Mon, 10/05/2009 - 08:48

In single context mode, the routed firewall supports OSPF and RIP (in passive mode).

Multiple context mode supports static routes only.

Configure the static routes and redistribute them into OSPF.

Hope this will help you.

Regards,

Dinesh

Jon Marshall Mon, 10/05/2009 - 10:06

Colm

Is it safe to assume that the section marked "### 6500 ###" is the config prior to migrating to the FWSM?

If so, yes, you can run OSPF on the FWSM as long as you are running in single context mode.

However, I'm a little confused by this config on the 6500:

interface Vlan100
 description "MGMT"
 ip address 10.26.20.1 255.255.255.0

router ospf 99
 network 10.26.0.20 0.0.0.3 area 0

Is the network statement under ospf 99 meant to match the network of vlan 100, because it doesn't at the moment? Anyway, your config would look something like

6500
====

router ospf 99
 network 10.26.20.0 0.0.0.255 area 0 <-- assuming this is indeed in area 0

FWSM
====

! the FWSM network command takes a subnet mask, not an IOS wildcard mask
router ospf 99
 network 10.26.20.0 255.255.255.0 area 0
 network 10.27.0.0 255.255.254.0 area 0
 network 10.27.2.0 255.255.255.0 area 0

You may also want to set the OSPF priority of the FWSM interfaces to 0 to ensure that they are not elected as the BDR/DR on the ethernet segment.

Additional OSPF config options can be found here -

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ip.html#wp1094564

Jon
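Added example (not code from any poster in this thread): a Python check of the point raised in the reply above, that a network statement only enables OSPF on interfaces whose address it covers, run over IOS wildcard masks and FWSM subnet masks. The function names are hypothetical, the sample configs are constructed from lines in the thread, and the FWSM network statements are assumed to take a subnet mask as in the ASA guide linked above.

```python
import ipaddress

def interfaces(config):
    """Map interface name -> IPv4Interface from 'interface' / 'ip address' lines."""
    found, name = {}, None
    for words in map(str.split, config.splitlines()):
        if words[:1] == ["interface"]:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name:
            found[name] = ipaddress.IPv4Interface(f"{words[2]}/{words[3]}")
    return found

def ospf_ranges(config, wildcard):
    """Ranges of 'network A M area N' lines; wildcard=True means M is an IOS wildcard mask."""
    ranges = []
    for words in map(str.split, config.splitlines()):
        if words[:1] == ["network"] and words[3:4] == ["area"]:
            mask = int(ipaddress.IPv4Address(words[2]))
            if wildcard:
                mask ^= 0xFFFFFFFF  # invert wildcard bits into a subnet mask
            prefix = bin(mask).count("1")
            if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
                raise ValueError(f"mask in wrong form for this platform: {words[2]}")
            ranges.append(ipaddress.IPv4Network((words[1], prefix), strict=False))
    return ranges

def unmatched(config, wildcard):
    """Interfaces whose address no network statement covers (OSPF not enabled on them)."""
    ranges = ospf_ranges(config, wildcard)
    return [n for n, i in interfaces(config).items()
            if not any(i.ip in r for r in ranges)]

# Constructed samples: 6500 lines quoted in the reply; FWSM interfaces plus subnet-mask networks.
C6500 = """interface Vlan100
 ip address 10.26.20.1 255.255.255.0
router ospf 99
 network 10.26.0.16 0.0.0.3 area 0
 network 10.26.0.20 0.0.0.3 area 0"""
FWSM = """interface Vlan100
 ip address 10.26.20.250 255.255.255.0
interface Vlan199
 ip address 10.27.0.1 255.255.254.0
interface Vlan200
 ip address 10.27.2.1 255.255.255.0
router ospf 99
 network 10.26.20.0 255.255.255.0 area 0
 network 10.27.0.0 255.255.254.0 area 0
 network 10.27.2.0 255.255.255.0 area 0"""
print(unmatched(C6500, wildcard=True), unmatched(FWSM, wildcard=False))
```

Feeding a wildcard-style mask to the subnet-mask parser (or the reverse) raises `ValueError` rather than silently matching the wrong range.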
