ospf through firewall

Mar 26th, 2010

Here's the situation:


3750 L3 switch on a /29
|
Firewall
|
3750 L3 switch on a different /29


I need to get OSPF working through the firewalls. Originally I thought I could do this with a loopback interface in the same subnet on each 3750, but that's not working.


The checkpoint FW doesn't seem to be passing the OSPF traffic, in fact the logs say it's not even seeing it. Has anyone set this up before? There must be a way to get OSPF adjacency through a checkpoint FW.


OSPF config is pretty basic on both L3 switches, something like this:


router ospf 100
log-adjacency-changes
area 0 authentication message-digest
redistribute connected subnets
passive-interface default
no passive-interface <interface>
no passive-interface <interface>
no passive-interface Loopback0
network X.X.X.X 0.0.0.3 area 0
network X.X.X.X 0.0.0.7 area 0


I can see OSPF sending hello messages out.

Edison Ortiz Fri, 03/26/2010 - 10:30

You must also run OSPF in the FW.


Another option is running a GRE tunnel over the FW but Catalyst 3750 switch does not support GRE in hardware so I recommend against it.


Regards


Edison

paolo bevilacqua Fri, 03/26/2010 - 11:07

Another option is running a GRE tunnel over the FW but Catalyst 3750 switch does not support GRE in hardware so I recommend against it


Actually the 3xxx switches do not support GRE tunnels at all.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/release/notes/OL18263.html

(Catalyst 3750 or 3560 switches and Cisco EtherSwitch service modules) The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.

Edison Ortiz Fri, 03/26/2010 - 13:46

Paolo,


GRE can be configured via the CLI...


http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#topic3


"High CPU Due to a GRE Tunnel


The General Routing Encapsulation (GRE) tunnel is not supported by the Cisco Catalyst 3750 Series Switches. Even though this feature can be configured with CLI, the packets can be neither switched by hardware, nor by software, which increases the CPU utilization.


Note: Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing in the Catalyst 3750. Even for this, packets cannot be switched with hardware. The packets routed through this tunnel must be switched through software. The larger number of packets forwarded through this tunnel increases CPU utilization.


There is no workaround for this problem. This is a hardware limitation in the Catalyst 3750 Series Switches."

paolo bevilacqua Fri, 03/26/2010 - 13:50

Although it can be configured, it will not work:


The General Routing Encapsulation (GRE) tunnel is not supported by the Cisco Catalyst 3750 Series Switches. Even though this feature can be configured with CLI, the packets can be neither switched by hardware, nor by software, which increases the CPU utilization.


Consequently, it is not supported, as indicated above.

Edison Ortiz Fri, 03/26/2010 - 14:05

Paolo,


You can configure the GRE tunnel via the CLI and packets will actually traverse via the tunnel but it will cause high CPU and that's the reason it's not supported.


Please note: I never said it was supported.


Also note: not supported and can not be configured are two different things...

Edison Ortiz Fri, 03/26/2010 - 14:17

Adding some proof of concept...



Rack1SW1#sh ver | i IOS
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
Rack1SW1#sh run int tunnel 0
Building configuration...


Current configuration : 114 bytes
!
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
tunnel source Vlan112
tunnel destination 112.1.1.2
end


Rack1SW1#sh ip os ne


Neighbor ID     Pri   State           Dead Time   Address         Interface
112.1.1.2         0   FULL/  -        00:00:34    1.1.1.2         Tunnel0
Rack1SW1#


Rack1SW2#sh ver | i IOS
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
Rack1SW2#sh run int tunn 0
Building configuration...


Current configuration : 114 bytes
!
interface Tunnel0
ip address 1.1.1.2 255.255.255.252
tunnel source Vlan112
tunnel destination 112.1.1.1
end


Rack1SW2#sh ip os ne


Neighbor ID     Pri   State           Dead Time   Address         Interface
112.1.1.1         0   FULL/  -        00:00:30    1.1.1.1         Tunnel0
Rack1SW2#


Again, I'm not suggesting the use of Tunnel interfaces on 3560 nor 3750 switches but for little lab scenarios this feature works...



Regards,


Edison


Each time you rate a CSC discussion we'll donate $1 to the American Red Cross Haiti fund up to a maximum donation of $10,000 USD.

https://supportforums.cisco.com/docs/DOC-8895

vishalgajjar Fri, 03/26/2010 - 10:43

As far as I know, OSPF only forms adjacencies when neighbors are not in the same subnet when they are connected on a point-to-point link – you can use the interface command

#ip unnumbered on connected point-to-point interface

paolo bevilacqua Fri, 03/26/2010 - 11:08

when they are connected on point-to-point link – you can use interface command


Since LAN interfaces are being discussed here, that does NOT apply.

paolo bevilacqua Fri, 03/26/2010 - 10:17

How can you expect OSPF to pass and work, when the interfaces are on different subnets and OSPF is supposed to work within the same subnet?


The design that you are attempting is flawed and you must change it. I recommend you get help from an experienced/certified network engineer.
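The point Paolo makes here (and the reason the original loopback idea cannot work) comes down to the receive checks an OSPF router applies to every Hello: on a broadcast interface the Hello's network mask must match the local interface mask and its source address must lie inside the local subnet, and the Hello itself goes to the link-local multicast group 224.0.0.5 with TTL 1, so a routed firewall never relays it to the far side. The Python below is an added example written for this thread, not code from the thread, from Cisco or from Check Point. It builds an OSPFv2 Hello, parses it with checksum verification, and applies the RFC 2328 section 10.5 checks to the two-/29 topology described in the question. All addresses (RFC 5737 192.0.2.0/24 space), the 10/40-second intervals, null authentication (the poster's config uses MD5, which this example omits) and the function names are constructed assumptions.

```python
"""Model OSPFv2 Hello reception across two /29 subnets (added example; all
addresses, intervals and names below are constructed for illustration)."""
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
OSPF_IP_PROTOCOL = 89                                   # OSPF rides directly on IP
ALLSPF_ROUTERS = ipaddress.IPv4Address("224.0.0.5")     # Hello destination on LANs
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")  # never forwarded by an L3 hop

HDR = "!BBH4s4sHH"      # version, type, length, router ID, area ID, checksum, autype
HELLO = "!4sHBBI4s4s"   # network mask, hello int, options, priority, dead int, DR, BDR


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum. Over data that already carries a correct
    checksum the result is 0, which is how parse_hello verifies a packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, mask, hello=10, dead=40, priority=1, autype=0):
    """Serialize an OSPFv2 Hello: 24-byte OSPF header + 20-byte Hello body,
    no neighbours listed, null authentication (auth field zeroed)."""
    body = struct.pack(HELLO, ipaddress.IPv4Address(mask).packed, hello, 0x02,
                       priority, dead, b"\0" * 4, b"\0" * 4)
    fixed = struct.pack(HDR, OSPF_VERSION, OSPF_TYPE_HELLO, 24 + len(body),
                        ipaddress.IPv4Address(router_id).packed,
                        ipaddress.IPv4Address(area_id).packed, 0, autype)
    # The checksum covers the packet minus the 64-bit authentication field.
    csum = ip_checksum(fixed + body)
    fixed = fixed[:12] + struct.pack("!H", csum) + fixed[14:]
    return fixed + b"\0" * 8 + body


def parse_hello(pkt: bytes) -> dict:
    """Decode a Hello, refusing truncated, mis-typed or corrupted packets."""
    if len(pkt) < 44:
        raise ValueError("truncated OSPF Hello")
    version, ptype, length, rid, aid, _csum, autype = struct.unpack(HDR, pkt[:16])
    if version != OSPF_VERSION or ptype != OSPF_TYPE_HELLO or length != len(pkt):
        raise ValueError("not an OSPFv2 Hello of the stated length")
    if ip_checksum(pkt[:16] + pkt[24:]) != 0:      # skip the 8-byte auth field
        raise ValueError("bad OSPF checksum")
    mask, hello, _opts, prio, dead, _dr, _bdr = struct.unpack(HELLO, pkt[24:44])
    return {"router_id": str(ipaddress.IPv4Address(rid)),
            "area_id": str(ipaddress.IPv4Address(aid)),
            "autype": autype,
            "network_mask": str(ipaddress.IPv4Address(mask)),
            "hello_interval": hello, "dead_interval": dead, "priority": prio}


def survives_routed_hop(dst_ip, ttl=1):
    """Link-local multicast is never forwarded and OSPF sends Hellos with
    TTL 1, so a routed firewall cannot relay them between two subnets."""
    return ipaddress.IPv4Address(dst_ip) not in LINK_LOCAL_MCAST and ttl > 1


def hello_accepted(local_ip, local_mask, local_area, local_hello, local_dead,
                   local_autype, src_ip, pkt):
    """RFC 2328 section 10.5 receive checks for a broadcast interface.
    src_ip is the IP source of the Hello, i.e. the address of the physical
    interface it left, which is why a loopback cannot stand in for it."""
    try:
        h = parse_hello(pkt)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if h["area_id"] != local_area:
        return False, "area ID mismatch"
    if h["autype"] != local_autype:
        return False, "authentication type mismatch"
    if h["network_mask"] != local_mask:
        return False, "network mask mismatch"
    subnet = ipaddress.IPv4Network(f"{local_ip}/{local_mask}", strict=False)
    if ipaddress.IPv4Address(src_ip) not in subnet:
        return False, f"source {src_ip} not on local subnet {subnet}"
    if h["hello_interval"] != local_hello or h["dead_interval"] != local_dead:
        return False, "hello/dead interval mismatch"
    return True, "accepted"


def demo():
    """Constructed scenario mirroring the question: SW1 on 192.0.2.0/29, SW2 on
    192.0.2.8/29, a routed firewall between them; then an ordinary shared LAN."""
    mask = "255.255.255.248"
    sw2_hello = build_hello("192.0.2.9", "0.0.0.0", mask)   # sent by SW2 from its /29
    results = {
        # Does the multicast Hello even get across a routed firewall? No.
        "forwarded": survives_routed_hop(str(ALLSPF_ROUTERS), ttl=1),
        # Even if it were relayed, SW1 rejects it: same mask, different subnet.
        "across_fw": hello_accepted("192.0.2.1", mask, "0.0.0.0", 10, 40, 0,
                                    "192.0.2.9", sw2_hello),
        # Same subnet, as on a normal LAN segment: accepted.
        "same_lan": hello_accepted("192.0.2.1", mask, "0.0.0.0", 10, 40, 0, "192.0.2.2",
                                   build_hello("192.0.2.2", "0.0.0.0", mask)),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the two independent failures: `forwarded` is False because 224.0.0.5 is link-local multicast, and `across_fw` is rejected with "source 192.0.2.9 not on local subnet 192.0.2.0/29" even though both sides carry the same /29 mask. Only the same-LAN case is accepted, which is the situation the replies describe as the supported one (either the firewall participates in OSPF itself, or the two switches end up on a common segment).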

milan.kulik Mon, 03/29/2010 - 00:32

Hi,


why don't you run OSPF on the FW?

Checkpoint does support that with a lot of security filtering.


IMHO, it's more effective than using GRE tunnels - they would make all traffic passing the FW inside the tunnel making the packet inspection more complicated.


Another possibility came to my mind: How many prefixes are you talking about? If you don't want to run any dynamic routing protocol on your FW, why not use BGP on your switches and let the routing updates go through the FW without any tunnels?

(BGP should be supported in enhanced IOS on 3750s.)


BR,

Milan

Edison Ortiz Mon, 03/29/2010 - 09:57

Another possibility came to my mind: How many prefixes are you talking about? If you don't want to run any dynamic routing protocol on your FW, why not use BGP on your switches and let the routing updates go through the FW without any tunnels?

(BGP should be supported in enhanced IOS on 3750s.)


That would work as well but the FW must contain the routes or the routes will be blackholed even if they are in BGP at either switch.


Regards


Edison



milan.kulik Mon, 03/29/2010 - 10:53

Yes, you are right.

But in many cases some aggregated static routes only are sufficient on the FW to forward the traffic to the correct interface.


If not, running OSPF on the FW is still a possibility.


BR,

Milan
