ospf on fwall

I've inserted a firewall into an OSPF area. The firewall is configured using OSPF. I found out that OSPF is choosing a different DR on each of the firewall's interfaces.

1. Is there a way on the firewall to manipulate the configuration so that each interface will have a common DR?

2. Is there also a way to give the firewall an OSPF priority of zero so that it does not participate in the DR/BDR election?

Thanks a lot.


Re: ospf on fwall

In answer to Question 1: The DR is normally different on each interface because each interface is a separate subnet, and unless there is a router that has interfaces on both subnets and is using a loopback IP address as the router ID, you will have separate DRs on each interface. All the DR does is send out the appropriate OSPF info so that other routers on that subnet that are participating in OSPF do not have to. Is there a reason that you want to use a common DR?

In answer to Q2: I noted in the PIX 6.3 command reference that the OSPF priority is set on an interface basis. Below is a snippet from the PIX 6.3 command reference. The parameter that you are interested in is the ospf priority; the default is 1, so set it higher to make sure that the PIX has a higher value than the other OSPF routers on that subnet. Note that making the number higher will not automatically let the PIX become the DR; to do that you need to restart the OSPF processes on the DR and backup DR (BDR) routers. That will force an election, and the PIX will win with the higher number.

I hope this info was useful. Let me know if I can help further.

Ed Hirsel

routing interface

Configures interface-specific OSPF routing parameters. This command is the main command for all OSPF interface submode commands. (Use the router ospf command to configure global parameters and to enable OSPF routing through the firewall.) OSPF routing is not supported on the PIX501.

[no] routing interface interface_name

Subcommands to the routing interface command:

[no] ospf authentication [message-digest | null]

[no] ospf authentication-key password

[no] ospf cost interface_cost

[no] ospf database-filter all out

[no] ospf dead-interval seconds

[no] ospf hello-interval seconds

[no] ospf message-digest-key key-id md5 key

[no] ospf mtu-ignore

[no] ospf priority number

[no] ospf retransmit-interval seconds

[no] ospf transmit-delay seconds
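As an added illustration (not part of the original post, and not taken from the PIX documentation quoted above), here is a PIX 6.3-style configuration fragment using the interface submode commands listed above. It shows the priority-zero setting the original question asked about, and also enables the MD5 neighbor authentication that the same submode offers, since an unauthenticated OSPF speaker on a firewall segment will accept hellos and LSAs from anything on that wire. Two facts worth keeping in mind: DR election is per multi-access segment, so a different DR on each firewall interface is the expected result, and a priority of 0 only removes the firewall from the election, it does not decide which of the remaining routers wins. The interface names, process ID, network statements, key ID and key value are assumptions chosen for illustration.

```text
! Added example configuration; assumed names: interfaces "inside" and "outside",
! OSPF process 1, area 0, key ID 1 and the placeholder key "s3cr3t".
router ospf 1
  network 10.1.1.0 255.255.255.0 area 0
  network 192.0.2.0 255.255.255.0 area 0

routing interface inside
  ospf priority 0
  ospf authentication message-digest
  ospf message-digest-key 1 md5 s3cr3t

routing interface outside
  ospf priority 0
  ospf authentication message-digest
  ospf message-digest-key 1 md5 s3cr3t
```

Every router on a given segment must be configured with the same key ID and key, otherwise adjacencies with the firewall will not form; after applying this, check the neighbor table with show ospf neighbor and confirm both that the neighbors reach FULL state and that the firewall is no longer listed as DR or BDR on either segment.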

Re: ospf on fwall


(diagram omitted: two L3 switches, 3 VLANs each)

Yes, there's a reason: I have two L3 switches connected through fiber, and each L3 is VLANed. The other end has a firewall which is connected to the internet. The L3 on the firewall side has got 3 VLANs; on this side, one VLAN has got a different DR than the other 2. This particular VLAN is having a problem mapping the server drives which reside on the other L3. What I've done temporarily is configure a low router ID so as not to be elected as DR, reboot my L3, and there it goes: all of the VLANs on my L3 now have a common DR and the problem is rectified. Well, any other solution is welcome; mine is just temporary still.


Re: ospf on fwall

How is the firewall connected to the L3 switch? Are you using logical links on the PIX interface, or are there separate physical links?

You should be able to use the ospf priority command on the OSPF interface to set the PIX priority to zero, so that it won't become the DR.

When you stated that you used a low router ID, was that on the L3 config, and not the PIX?

The next time you have this issue, or if you can recreate it with test equipment, examine all of the OSPF database info on the PIX and both L3 switches.

Is there only one OSPF area, or more than one?

If I come across any more useful hints or solutions, I'll post them here.

Re: ospf on fwall

I was able to use the ospf priority. Thanks for the advice.

1. I am using PIX physical links.

2. Low router ID on the PIX. That was temporary. I've removed it now, because I've done the ip ospf priority.

3. There's only 1 OSPF area.

The problem remains: the DR on the outside is different from the DR on the inside part of the firewall.


Re: ospf on fwall

Are you using the PIX only to control access to and from the Internet? Or are you using it as an internal firewall too? I.e., does the VLAN traffic from one layer 3 switch destined for another VLAN, on the same or the other L3 switch, pass through the PIX?

The reason I ask is that if the PIX is only used for external connectivity, then you may want to consider creating two OSPF areas on the L3 switch that the PIX is connected to, and moving the PIX to the second area; let's call it area 1. Then on the L3 switch you can configure another subnet and logical interface where the PIX and internet/ISP connection reside and move that into the new area. Yes, there would be some PIX reconfiguration involved, but it would isolate changes in one OSPF area from the others.


By separating the PIX into a different area, all user VLANs would still share the same DR router, which would be the L3 switch.

From what you have described and shown, am I correct in understanding that all PIX interfaces terminate on the same layer 3 switch, along with ISP connectivity and the users? And that the other L3 switch (the leftmost one in your diagram) is where the servers sit?

I also assume that, because you are using layer 3 switches, the switch's routing interface is the default gateway for each station on the VLANs, except for the PIX, and that the ISP connection is on the same VLAN as the PIX's outside interface. Am I correct in that understanding as well?

