ospf through firewall

codflanglers
Level 1

Here's the situation...

3750 L3 switch on a /29

|

Firewall

|

3750 L3 switch on a different /29

I need to get OSPF working through the firewalls. Originally I thought I could do this with a loopback interface in the same subnet on each 3750, but that's not working.

The checkpoint FW doesn't seem to be passing the OSPF traffic, in fact the logs say it's not even seeing it. Has anyone set this up before? There must be a way to get OSPF adjacency through a checkpoint FW.

OSPF config is pretty basic on both L3 switches, something like this:

router ospf 100
log-adjacency-changes
area 0 authentication message-digest
redistribute connected subnets
passive-interface default
no passive-interface <interface>
no passive-interface <interface>
no passive-interface Loopback0
network X.X.X.X 0.0.0.3 area 0
network X.X.X.X 0.0.0.7 area 0

I can see OSPF sending hello messages out.

13 Replies

paolo bevilacqua
Hall of Fame

How can you expect OSPF to pass and work, when the interfaces are on different subnets and OSPF is supposed to work within the same subnet...

The design that you are attempting is flawed and you must change it. I recommend you get help from an experienced/certified network engineer.
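The objection above is the standard OSPF neighbour requirement: on a broadcast network a router discards a Hello whose source address is outside the receiving interface's subnet (RFC 2328 section 8.2) or whose network mask differs (section 10.5), before area, timer and authentication parameters are even compared. The following checker is an added example, not code from the thread or from Cisco; it models those checks on constructed interface parameters and names all the other Hello-level mismatches that stop an adjacency. It treats the subnet check as skipped only when both ends are point-to-point, and it does not model loopbacks, which IOS treats as stub host networks that send no Hellos.

```python
import ipaddress
from dataclasses import dataclass

# Constants from RFC 2328: OSPF's IP protocol number and its multicast groups.
OSPF_IP_PROTOCOL = 89
OSPF_ALLSPFROUTERS = "224.0.0.5"
OSPF_ALLDROUTERS = "224.0.0.6"


@dataclass
class OspfInterface:
    """Hello-packet parameters of one OSPF interface (constructed for this example)."""
    name: str
    address: str                     # "ip/prefixlen"
    area: int = 0
    hello: int = 10
    dead: int = 40
    network_type: str = "broadcast"  # or "point-to-point"
    auth: str = "none"               # "none", "simple" or "md5"


def adjacency_blockers(a: OspfInterface, b: OspfInterface) -> list[str]:
    """Return the reasons a Hello from b would be rejected by a (and vice versa).

    An empty list means the Hello exchange can succeed, provided the path
    between them actually delivers IP protocol 89 packets to 224.0.0.5.
    """
    reasons = []
    ia = ipaddress.ip_interface(a.address)
    ib = ipaddress.ip_interface(b.address)

    # RFC 2328 8.2/10.5: except on point-to-point links, the sender must be in
    # the receiver's subnet and advertise the same mask. Comparing the derived
    # networks (address masked by prefix length) covers both conditions.
    p2p = a.network_type == "point-to-point" and b.network_type == "point-to-point"
    if not p2p and ia.network != ib.network:
        reasons.append(f"different subnets: {ia.network} vs {ib.network}")

    # Remaining Hello fields that must agree on both ends.
    if a.area != b.area:
        reasons.append(f"area mismatch: {a.area} vs {b.area}")
    if a.hello != b.hello or a.dead != b.dead:
        reasons.append(f"timer mismatch: hello/dead {a.hello}/{a.dead} vs {b.hello}/{b.dead}")
    if a.network_type != b.network_type:
        reasons.append(f"network type mismatch: {a.network_type} vs {b.network_type}")
    if a.auth != b.auth:
        reasons.append(f"authentication type mismatch: {a.auth} vs {b.auth}")
    return reasons


if __name__ == "__main__":
    # The design from the original post: one /29 on each side of the firewall.
    sw1 = OspfInterface("SW1 Vlan10", "192.0.2.1/29")
    sw2 = OspfInterface("SW2 Vlan20", "198.51.100.1/29")
    for reason in adjacency_blockers(sw1, sw2):
        print("blocked:", reason)
```

Run it as a script and it reports the subnet mismatch for the two-/29 design; put the second interface on 192.0.2.2/29 instead and the list is empty, which is the situation the firewall would then have to permit (IP protocol 89 to 224.0.0.5 and 224.0.0.6, plus unicast between the two interface addresses).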

Edison Ortiz
Hall of Fame

You must also run OSPF in the FW.

Another option is running a GRE tunnel over the FW but Catalyst 3750 switch does not support GRE in hardware so I recommend against it.

Regards

Edison

Another option is running a GRE tunnel over the FW but Catalyst 3750 switch does not support GRE in hardware so I recommend against it

Actually the 3xxx switches do not support GRE tunnels at all.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/release/notes/OL18263.html

(Catalyst 3750 or 3560 switches and Cisco EtherSwitch service modules) The switch does not support tunnel interfaces for unicast routed traffic. Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing.

Paolo,

GRE can be configured via the CLI...

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_tech_note09186a00807213f5.shtml#topic3

"High CPU Due to a GRE Tunnel

The General Routing Encapsulation (GRE) tunnel is not supported by the Cisco Catalyst 3750 Series Switches. Even though this feature can be configured with CLI, the packets can be neither switched by hardware, nor by software, which increases the CPU utilization.

Note: Only Distance Vector Multicast Routing Protocol (DVMRP) tunnel interfaces are supported for multicast routing in the Catalyst 3750. Even for this, packets cannot be switched with hardware. The packets routed through this tunnel must be switched through software. The larger number of packets forwarded through this tunnel increases CPU utilization.

There is no workaround for this problem. This is a hardware limitation in the Catalyst 3750 Series Switches."

Although it can be configured, it will not work:

The General Routing Encapsulation (GRE) tunnel is not supported by the Cisco Catalyst 3750 Series Switches. Even though this feature can be configured with CLI, the packets can be neither switched by hardware, nor by software, which increases the CPU utilization.

Consequently, it is not supported, as indicated above.

Paolo,

You can configure the GRE tunnel via the CLI and packets will actually traverse via the tunnel but it will cause high CPU and that's the reason it's not supported.

Please note: I never said it was supported.

Also note: not supported and can not be configured are two different things...

Adding some proof of concept...

Rack1SW1#sh ver | i IOS
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
Rack1SW1#sh run int tunnel 0
Building configuration...

Current configuration : 114 bytes
!
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
tunnel source Vlan112
tunnel destination 112.1.1.2
end

Rack1SW1#sh ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
112.1.1.2         0   FULL/  -        00:00:34    1.1.1.2         Tunnel0
Rack1SW1#

Rack1SW2#sh ver | i IOS
Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
Rack1SW2#sh run int tunn 0
Building configuration...

Current configuration : 114 bytes
!
interface Tunnel0
ip address 1.1.1.2 255.255.255.252
tunnel source Vlan112
tunnel destination 112.1.1.1
end

Rack1SW2#sh ip os ne

Neighbor ID     Pri   State           Dead Time   Address         Interface
112.1.1.1         0   FULL/  -        00:00:30    1.1.1.1         Tunnel0
Rack1SW2#

Again, I'm not suggesting the use of Tunnel interfaces on 3560 nor 3750 switches but for little lab scenarios this feature works...

Regards,

Edison

Each time you rate a CSC discussion we'll donate $1 to the American Red Cross Haiti fund up to a maximum donation of $10,000 USD.

https://supportforums.cisco.com/docs/DOC-8895
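The lab output above is the kind of evidence worth checking automatically when an adjacency is in question: a neighbour shows FULL on Tunnel0 on both ends. As an added example, not code from the thread or from Cisco, here is a small parser for the `show ip ospf neighbor` table format shown above; it turns each row into a dict and flags neighbours that never reach FULL, which is where an ACL, firewall, MTU or authentication problem shows up. The sample input reuses the first neighbour line from the post and adds one constructed line for a neighbour stuck in INIT.

```python
import re

# Neighbour-table text: the header and the first row are copied from the lab
# output in the post above; the third line is constructed to show a neighbour
# stuck in INIT (hellos arriving from it, but ours apparently not reaching it).
SAMPLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
112.1.1.2         0   FULL/  -        00:00:34    1.1.1.2         Tunnel0
203.0.113.9       1   INIT/DROTHER    00:00:38    192.0.2.9       Vlan112
"""

# One row: router ID, priority, "STATE/ROLE" (IOS pads the role, e.g. "FULL/  -"),
# dead timer, neighbour address, interface. Header and blank lines do not match.
NEIGHBOR_RE = re.compile(
    r"^(?P<router_id>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<priority>\d+)\s+"
    r"(?P<state>[A-Z0-9]+)\s*/\s*(?P<role>\S+)\s+"
    r"(?P<dead_time>[\d:]+|-)\s+"
    r"(?P<address>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<interface>\S+)\s*$"
)


def parse_ospf_neighbors(text: str) -> list[dict]:
    """Parse `show ip ospf neighbor` output into a list of per-neighbour dicts."""
    neighbors = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["priority"] = int(row["priority"])
            neighbors.append(row)
    return neighbors


def not_full(neighbors: list[dict]) -> list[dict]:
    """Neighbours that have not reached FULL: the ones to investigate first."""
    return [n for n in neighbors if n["state"] != "FULL"]


def full_on(neighbors: list[dict], interface: str) -> list[str]:
    """Router IDs that are FULL on the given interface (e.g. to confirm a tunnel works)."""
    return [n["router_id"] for n in neighbors
            if n["interface"] == interface and n["state"] == "FULL"]


if __name__ == "__main__":
    rows = parse_ospf_neighbors(SAMPLE)
    print("FULL on Tunnel0:", full_on(rows, "Tunnel0"))
    for n in not_full(rows):
        print(f"investigate {n['router_id']} on {n['interface']}: state {n['state']}")
```

Feed it the real command output instead of SAMPLE and the INIT/EXSTART entries it reports are the neighbours whose path (including any firewall) is not delivering OSPF in both directions.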

Rated.

vishalgajjar
Level 1

As I know, OSPF only forms adjacencies when neighbors are not in the same subnet when they are connected on a point-to-point link; you can use the interface command

#ip unnumbered on connected point-to-point interface

when they are connected on point-to-point link – you can use interface command

Since LAN interfaces are being discussed here, that does NOT apply.

milan.kulik
Level 10

Hi,

why don't you run OSPF on the FW?

Checkpoint does support that with a lot of security filtering.

IMHO, it's more effective than using GRE tunnels - they would make all traffic passing the FW inside the tunnel making the packet inspection more complicated.

Another possibility came to my mind: How many prefixes are you talking about? If you don't want to run any dynamic routing protocol on your FW, why not use BGP on your switches and let the routing updates go through the FW without any tunnels?

(BGP should be supported in enhanced IOS on 3750s.)

BR,

Milan

Another possibility came to my mind: How many prefixes are you talking about? If you don't want to run any dynamic routing protocol on your FW, why not use BGP on your switches and let the routing updates go through the FW without any tunnels?

(BGP should be supported in enhanced IOS on 3750s.)

That would work as well but the FW must contain the routes or the routes will be blackholed even if they are in BGP at either switch.

Regards

Edison


Yes, you are right.

But in many cases some aggregated static routes only are sufficient on the FW to forward the traffic to the correct interface.

If not, running OSPF on the FW is still a possibility.

BR,

Milan
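The exchange above between Edison and Milan comes down to one check: BGP over TCP crosses the firewall as ordinary unicast, but the firewall forwards by its own routing table, so every prefix the switches learn from each other must also be covered on the firewall, either by a matching static route or by an aggregate, or the traffic is blackholed there. The following is an added example, not code from the thread or from Check Point or Cisco; it takes a constructed firewall static-route table and a constructed list of prefixes advertised by the outside switch, and classifies each prefix as fully covered, partially covered (an aggregate too small, or a more specific route pointing elsewhere) or blackholed. The route-table entries, next-hop labels and prefixes are all invented for the example.

```python
import ipaddress

# Constructed firewall static routes as (prefix, next-hop label).
FW_ROUTES = [
    ("10.10.0.0/16", "outside-switch"),  # aggregate covering the outside site
    ("10.20.5.0/24", "outside-switch"),  # only one subnet of a larger block
    ("10.10.7.0/25", "dmz"),             # more specific route pointing elsewhere
    ("0.0.0.0/0", "internet"),           # default route
]

# Constructed prefixes the outside switch advertises over BGP (TCP 179 through
# the firewall) to the inside switch.
ADVERTISED = ["10.10.1.0/24", "10.10.7.0/24", "10.20.0.0/16", "10.30.0.0/24"]


def parse_routes(routes):
    """Turn (prefix, next_hop) strings into (IPv4Network, next_hop) tuples."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(routes, destination):
    """Longest-prefix match for one destination, as the firewall would do it."""
    dst = ipaddress.ip_address(destination)
    matches = [(net, nh) for net, nh in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def classify(routes, advertised, expected_next_hop):
    """Classify each advertised prefix as 'covered', 'partial' or 'blackholed'.

    covered   : some route towards expected_next_hop contains the whole prefix and
                no more specific route inside it points elsewhere
    partial   : routes towards expected_next_hop overlap the prefix but do not
                cover all of it, or a more specific route hijacks part of it
    blackholed: the firewall has no route towards expected_next_hop for any
                part of the prefix (a default route elsewhere does not help)
    """
    routes = parse_routes(routes)
    verdict = {}
    for prefix in advertised:
        pnet = ipaddress.ip_network(prefix)
        good = [net for net, nh in routes
                if nh == expected_next_hop and net.overlaps(pnet)]
        hijacked = [net for net, nh in routes
                    if nh != expected_next_hop and pnet.supernet_of(net)]
        if any(net.supernet_of(pnet) for net in good) and not hijacked:
            verdict[prefix] = "covered"
        elif good:
            verdict[prefix] = "partial"
        else:
            verdict[prefix] = "blackholed"
    return verdict


if __name__ == "__main__":
    for prefix, state in classify(FW_ROUTES, ADVERTISED, "outside-switch").items():
        print(f"{prefix:16} {state}")
    net, nh = lookup(parse_routes(FW_ROUTES), "10.30.0.1")
    print(f"10.30.0.1 would be sent via {nh} ({net}), not to the outside switch")
```

With the constructed tables, 10.10.1.0/24 is covered by the /16 aggregate (Milan's point that a few aggregated statics are often enough), 10.20.0.0/16 and 10.10.7.0/24 are only partially covered, and 10.30.0.0/24 matches nothing but the default route and so is sent the wrong way (Edison's point). Exporting the firewall's routing table and running this against the prefixes in `show ip bgp` on either switch turns that check into something you can repeat after every change.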
