8th February 2012

Cisco ASA Supports Two OSPF Processes

Sometimes, thinking too much stops you from checking the basics. I have often wished that the Cisco ASA supported more than one routing process like the Juniper Netscreen does (which does this brilliantly). Why didn’t I look for this sooner?

The security appliance can run two processes of OSPF protocol simultaneously, on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside, and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.

You can redistribute routes into an OSPF routing process from another OSPF routing process, a RIP routing process, or from static and connected routes configured on OSPF-enabled interfaces.

This is a kewl feature and allows for some fancy routing capabilities.

router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute ospf 2 metric 100 subnets
!
router ospf 2
 network 192.168.2.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute ospf 1 metric 100 subnets
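
The configuration above redistributes each process wholesale into the other, while the text talks about passing only a subset of routes and keeping private addresses apart from public ones. The following Python check is an added example, not part of the original post or any Cisco tooling. It parses `router ospf` stanzas and reports unfiltered or mutual redistribution and areas without message-digest authentication. The function names `parse_ospf` and `audit` are assumptions of this example.

```python
import re

# Constructed sample: the two-process configuration from this post.
SAMPLE_CONFIG = """\
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute ospf 2 metric 100 subnets
!
router ospf 2
 network 192.168.2.0 255.255.255.0 area 0
 area 0 authentication message-digest
 log-adj-changes
 redistribute ospf 1 metric 100 subnets
"""

def parse_ospf(config):
    """Map each OSPF process id to its areas, MD5-authenticated areas and redistribution sources."""
    procs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"router ospf (\d+)", line):
            cur = procs.setdefault(int(m[1]), {"areas": set(), "md5": set(), "redist": {}})
        elif not raw.startswith(" "):
            cur = None                      # "!" or any top-level command ends the stanza
        elif cur is None:
            continue
        elif m := re.fullmatch(r"network \S+ \S+ area (\S+)", line):
            cur["areas"].add(m[1])
        elif m := re.fullmatch(r"area (\S+) authentication message-digest", line):
            cur["md5"].add(m[1])
        elif m := re.match(r"redistribute ospf (\d+)\b", line):
            rm = re.search(r"\broute-map (\S+)", line)
            cur["redist"][int(m[1])] = rm[1] if rm else None   # None = unfiltered
    return procs

def audit(procs):
    """Return the findings for the parsed processes as a sorted list of strings."""
    out = []
    for pid, p in procs.items():
        for area in sorted(p["areas"] - p["md5"]):
            out.append(f"ospf {pid}: area {area} lacks message-digest authentication")
        for src, rmap in p["redist"].items():
            if rmap is None:
                out.append(f"ospf {pid}: redistributes ospf {src} with no route-map filter")
            if pid < src and pid in procs.get(src, {"redist": {}})["redist"]:
                out.append(f"ospf {pid} <-> ospf {src}: mutual redistribution")
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(audit(parse_ospf(SAMPLE_CONFIG))))
```

The check reads only the router stanzas; the per-interface `ospf message-digest-key` that MD5 authentication also requires is outside its scope.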

A related article, “Why Two Routing Processes”, was written as requested by Christian in the comments.

This post is copyright of Thropos Ltd ©2008-2011 at Etherealmind.com - contact | email: greg.ferro@packetpushers.net - twitter: @etherealmind | All rights reserved

  • Andrew

    Multiple OSPF PIDs were available even on the PIX 6.3 code

  • Christian

    I’ve always wondered how many people are actually using routing protocols on firewalls..

    I was never really fond of the idea, don’t know why, but then again I’m an SP guy, so firewalls are firewalls, and routers are for routing traffic

    I’d definitely love to read of some scenarios/architectures where one would want to run OSPF on an ASA

    c

  • http://etherealmind.com Greg Ferro

    Andrew – I have been working on PIX since V3 (i.e. directly after Cisco acquired the company) and somehow just wasn’t expecting it. Sometimes you get to a point where you stop reading the release notes.

    Mental note to self – must spend more time looking at release notes

    -sigh-

  • http://etherealmind.com Greg Ferro

    Christian – thanks for your post, I have some ideas for an article and I will make a post in the next few weeks.

  • http://www.fcug.fr Francois Ropert

    Hello

    Typical scenarios where OSPF can be useful: ASA on headend configured as an IPSEC termination, hub and spoke with ASA and ISR,…
