2 September 2010

Cisco ASA Supports Two OSPF Processes

Sometimes, thinking too much stops you from checking the basics. I have often wished that the Cisco ASA supported more than one routing process like the Juniper Netscreen does (which does this brilliantly). Why didn’t I look for this sooner?

The security appliance can run two processes of OSPF protocol simultaneously, on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside, and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.

You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP routing process, or from static and connected routes configured on OSPF-enabled interfaces.

This is a kewl feature and allows for some fancy routing capabilities.

router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute ospf 2 metric 100 subnets
!
router ospf 2
 network 192.168.2.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute ospf 1 metric 100 subnets
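To make the two-process rules above concrete, here is a small Python audit, added here as an example and not part of the original post or any Cisco tool. It parses `router ospf` stanzas in the ASA syntax shown above (subnet mask, not wildcard) and reports the three things a reviewer would check on such a config: network statements that overlap between the two processes (the ASA runs each process on a different set of interfaces), areas without MD5 authentication, and mutual OSPF-to-OSPF redistribution with no route-map to limit it to the "subset of routes" the text describes. The first sample is the config from the post; the second is constructed to trigger the overlap and authentication checks. The `route-map` keyword check assumes the standard ASA `redistribute ... route-map NAME` form.

```python
"""Audit Cisco ASA OSPF stanzas for overlap, authentication and unfiltered redistribution."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample 1: the two-process config from the post.
POST_CONFIG = """\
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute ospf 2 metric 100 subnets
!
router ospf 2
 network 192.168.2.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute ospf 1 metric 100 subnets
"""

# Constructed sample 2: overlapping networks and weak/no authentication.
BAD_CONFIG = """\
router ospf 1
 network 10.0.0.0 255.0.0.0 area 0
!
router ospf 2
 network 10.1.0.0 255.255.0.0 area 0
 area 0 authentication
"""


@dataclass
class OspfProcess:
    pid: int
    networks: list = field(default_factory=list)      # (IPv4Network, area)
    auth_areas: dict = field(default_factory=dict)    # area -> "md5" | "plain"
    redistributes: list = field(default_factory=list) # dicts: proto, pid, route_map


def parse_ospf(config: str) -> dict:
    """Return {pid: OspfProcess} for every 'router ospf N' stanza in the text."""
    procs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = re.match(r"router ospf (\d+)$", line)
        if m:
            current = OspfProcess(pid=int(m.group(1)))
            procs[current.pid] = current
            continue
        if current is None:
            continue
        m = re.match(r"network (\S+) (\S+) area (\S+)$", line)
        if m:  # ASA syntax: address + subnet mask, accepted by ip_network()
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            current.networks.append((net, m.group(3)))
            continue
        m = re.match(r"area (\S+) authentication( message-digest)?$", line)
        if m:
            current.auth_areas[m.group(1)] = "md5" if m.group(2) else "plain"
            continue
        m = re.match(r"redistribute (ospf|rip|static|connected)(?: (\d+))?(.*)$", line)
        if m:
            rm = re.search(r"route-map (\S+)", m.group(3))
            current.redistributes.append({
                "proto": m.group(1),
                "pid": int(m.group(2)) if m.group(2) else None,
                "route_map": rm.group(1) if rm else None,
            })
    return procs


def audit(procs: dict) -> list:
    """Return human-readable findings; an empty list means the config passed."""
    findings = []
    pids = sorted(procs)
    # 1. A network statement matching interfaces in both processes is a misconfiguration.
    for i, a in enumerate(pids):
        for b in pids[i + 1:]:
            for na, _ in procs[a].networks:
                for nb, _ in procs[b].networks:
                    if na.overlaps(nb):
                        findings.append(f"overlap: ospf {a} {na} and ospf {b} {nb}")
    # 2. Every area that carries a network statement should use MD5 authentication.
    for p in procs.values():
        for _, area in p.networks:
            if p.auth_areas.get(area) != "md5":
                findings.append(f"ospf {p.pid} area {area}: no MD5 authentication")
    # 3. Mutual OSPF<->OSPF redistribution with no route-map redistributes everything.
    for p in procs.values():
        for r in p.redistributes:
            if r["proto"] != "ospf" or r["pid"] not in procs:
                continue
            back = any(o["proto"] == "ospf" and o["pid"] == p.pid
                       for o in procs[r["pid"]].redistributes)
            if back and r["route_map"] is None:
                findings.append(f"ospf {p.pid} <- ospf {r['pid']}: "
                                "mutual redistribution without a route-map")
    return findings


def audit_config(config: str) -> list:
    return audit(parse_ospf(config))


if __name__ == "__main__":
    for name, cfg in (("post", POST_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_config(cfg) or ["ok"])
```

Run against the post's config, the only findings are the two unfiltered mutual `redistribute ospf` lines; attaching a `route-map` that permits the intended subset clears them. The constructed second config produces one overlap finding and two authentication findings.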

A related article, Why Two Routing Processes, was written as requested by Christian in the comments.


About Greg Ferro
Greg is a Network and Security Architect / Designer / Engineer working freelance in the UK and has worked for Resellers, DotComs, Large Corporates and Service Providers across a variety of products and vendors. He prefers to work for end users, believes in the life cycle, total cost of ownership and that near enough is often good enough. He likes talking about himself in the first person to feel "royal", even when hosting the Packet Pushers Podcast on Data Networking. More about Greg at http://etherealmind.com/who-am-i/ and you can follow him on Twitter.

Comments

  1. Andrew says:

    Multiple OSPF PIDs were available even on the PIX 6.3 code

  2. Christian says:

    I’ve always wondered how many people are actually using routing protocols on firewalls..

    I was never really fond of the idea, don’t know why, but then again I’m an SP guy, so firewalls are firewalls, and routers are for routing traffic

    I’d definitely love to read of some scenarios/architectures where one would want to run OSPF on an ASA

    c

  3. Greg Ferro says:

    Andrew – I have been working on PIX since V3 (i.e. directly after Cisco acquired the company) and somehow just wasn’t expecting it. Sometimes you get to a point where you stop reading the release notes.

    Mental note to self – must spend more time looking at release notes

    -sigh-

  4. Greg Ferro says:

    Christian – thanks for your post, I have some ideas for an article and I will make a post in the next few weeks.

  5. Hello

    Typical scenarios where OSPF can be useful: ASA on headend configured as an IPSEC termination, hub and spoke with ASA and ISR,…

Trackbacks

  1. [...] a recent post on Two OSPF Processes on an ASA firewall Christian asked why you would want to do this. Here is one case of a design that needs secure [...]
