OSPF on PIX

umar-rana · ‎06-04-2006

We are running OSPF; we have PIX 525 protecting our server farm. OSPF process is running fine on PIX. PIX have established adjacencies with switches and routers on the same segment and show full neighbor relationships with all devices. All Interfaces belongs to same area, the advertising interface is outside, and it cannot be down because all traffic is going through. I am also attaching the config of PIX for your review.

These both networks are directly connected to the PIX on layer2.

router ospf 1

network 172.16.1.0 255.255.255.0 area 101

network 172.16.3.0 255.255.255.0 area 101

network 172.16.103.0 255.255.255.0 area 101

network 172.16.104.0 255.255.255.0 area 101

router-id 192.168.255.84

log-adj-changes

The problem is PIX is showing all the subnets in OSPF database received from other network devices, but no other network device is showing the IP subnets of server farms which are supposed to be advertised by PIX.

gopal_4476 · ‎06-04-2006

Hi Umar,

Can you give clear picture about your network. For instance whether your server farm ip segment.

Regars,

Gopal

umar-rana · ‎06-05-2006

The server farm IP class is 172.16.1 and 172.16.3.

172.16.103 is used to link the firewall with switches and 104 is for state full failover.

Output of show ospf nei command.

Neighbor ID Pri State Dead Time Address Interface

192.168.255.83 1 FULL/BDR 0:00:35 172.16.103.249 outside

192.168.255.82 1 FULL/DR 0:00:34 172.16.103.250 outside

Output of show run | inc adder

ip address ccsrv 172.16.1.252 255.255.255.0

ip address intf2 172.16.104.252 255.255.255.0

ip address inside 172.16.3.252 255.255.255.0

ip address outside 172.16.103.252 255.255.255.0

failover ip address ccsrv 172.16.1.251

failover ip address intf2 172.16.104.251

failover ip address inside 172.16.3.251

failover ip address outside 172.16.103.251

vladrac-ccna · ‎06-05-2006

Hello,

I think you should check on the other devices configuration too.

You said that you dont see the routes on the other routers? Can you see it on the ospf database?

Let us know more about the other devices configs.

vlad

umar-rana · ‎06-05-2006

Other devices configs are standard, I am pasting one of my core switches ospf config and output of show nei. The PIX is connected with two of these switches.

OSPF config:

router ospf 1

log-adjacency-changes

network 172.16.8.0 0.0.0.255 area 101

network 172.16.9.0 0.0.0.255 area 101

network 172.16.12.0 0.0.0.255 area 101

network 172.16.13.0 0.0.0.255 area 101

network 172.16.14.0 0.0.0.255 area 101

network 172.16.15.0 0.0.0.255 area 101

network 172.16.102.0 0.0.0.255 area 101

network 172.16.103.0 0.0.0.255 area 101

Sh ip ospf nei

Neighbor ID Pri State Dead Time Address Interface

192.168.255.83 1 FULL/BDR 00:00:35 172.16.9.249 Vlan2

192.168.255.83 1 FULL/BDR 00:00:35 172.16.12.249 Vlan3

192.168.255.83 1 FULL/BDR 00:00:33 172.16.13.249 Vlan4

192.168.255.83 1 FULL/BDR 00:00:33 172.16.14.249 Vlan5

192.168.255.83 1 FULL/BDR 00:00:32 172.16.15.253 Vlan6

192.168.255.83 1 FULL/BDR 00:00:32 172.16.8.249 Vlan8

192.168.255.81 1 FULL/DR 00:00:30 172.16.102.254 GigabitEthernet2/17

192.168.255.83 1 FULL/DROTHER 00:00:36 172.16.102.249 GigabitEthernet2/17

192.168.255.84 1 FULL/DROTHER 00:00:37 172.16.103.252 GigabitEthernet2/18

192.168.255.83 1 FULL/BDR 00:00:37 172.16.103.249 GigabitEthernet2/18

192.168.255.83 is a Core Switch connected with PIX

192.168.255.82 is also a Core switch connect with PIX

192.168.255.81 is Router acting as ABR

192,168.255.84 is PIX firewall

Show ip ospf database (on core switch)

Net Link States (Area 101)

Link ID ADV Router Age Seq# Checksum

172.16.8.250 192.168.255.82 439 0x800002AF 0x0014B3

172.16.9.250 192.168.255.82 439 0x800002AF 0x0009BD

172.16.12.250 192.168.255.82 439 0x800002AF 0x00E7DB

172.16.13.250 192.168.255.82 439 0x800002AF 0x00DCE5

172.16.14.250 192.168.255.82 439 0x800002AF 0x00D1EF

172.16.15.250 192.168.255.82 439 0x800002AF 0x00C6F9

172.16.102.254 192.168.255.81 581 0x800005E0 0x001A59

172.16.103.250 192.168.255.82 624 0x80000292 0x00CD33