Having just upgraded my PIXs to software v8 at last I was hoping to have them partake in OSPF on the network.
The PIXs all have lots of DMZs which I would like to advertise over OSPF to remove a *lot* of brittle static routes but of course I would like to *not* advertise or receive OSPF from those DMZs. I had assumed I could make those interfaces passive - or better still, issue:
router ospf 1
And then exempt just the internal interface.
However, (unlike IOS) there seems to be no concept of passive in the PIX's OSPF implementation - a place where I thought it would be very useful...
How do I distribute those DMZs over OSPF without advertising OSPF into them?
I had considered using:
redistribute connected subnets
However, that redistributes things like the public Internet interface, which I don't want. Plus, even if there is a way to stop it including the public interface it seems more prone to user error than passive default with a single exception.
Any ideas? If not, can I limit the interfaces in redistribute connected subnets?
Thanks for any ideas!
Thanks, yes. I was suggesting to remove the DMZ network commands under the OSPF process. As you mentioned, it won't really do what you are looking to do with removing the statics, since it's disabling OSPF for that network.
Turning on EIGRP would seem to be a lot of extra work just to remove the statics if that is all that it will be used for, but it would allow you to do the passive interface, which would accomplish not sending or receiving EIGRP out the specific interface.
I just reread your entire first message and I believe I understand now what you are after. Going back to your first inquiry with the redistribution: you can redistribute the static and use a route map to control which routes you are going to redistribute. You can then remove the networks for the DMZ under the router ospf process.
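! Standard ACL naming the networks that may be redistributed
access-list ospfredist standard permit 10.10.10.0 255.255.255.0
access-list ospfredist standard permit 192.168.10.0 255.255.255.0
! Route map referenced by the redistribute command; permits only ACL matches
route-map static-ospf permit 10
 match ip address ospfredist
router ospf 10
 redistribute static subnets route-map static-ospf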
This should redistribute only the statics that you listed above.
Hope this helps a bit.
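As an added example (not from either poster), here is the same route-map technique applied to connected routes, which is what the original question asked about. The ACL and route-map names, the inside network statement, and the use of 10.10.10.0/24 and 192.168.10.0/24 as the DMZ subnets are assumptions for illustration.

```cisco
! Constructed example: DMZ subnets, names and the inside network are assumptions.
! Standard ACL listing only the DMZ subnets that should appear in OSPF.
access-list dmz-connected standard permit 10.10.10.0 255.255.255.0
access-list dmz-connected standard permit 192.168.10.0 255.255.255.0
!
! Anything not matched (for example the outside/Internet subnet) hits the
! route-map's implicit deny and is not redistributed.
route-map connected-ospf permit 10
 match ip address dmz-connected
!
router ospf 10
 ! Only the inside network gets a network statement, so OSPF sends hellos
 ! and forms adjacencies on that interface alone, not on the DMZs.
 network 10.1.1.0 255.255.255.0 area 0
 ! DMZ subnets enter OSPF as external routes, filtered by the route-map.
 redistribute connected subnets route-map connected-ospf
```

After applying it, `show ospf interface` should list only the inside interface, and an internal neighbor's routing table should show the two DMZ prefixes as OSPF external routes.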