Firewall Dynamic Routing For Dummies – Part Deux

So the best part about OSPF is you don’t have to figure out what the configurations are. In fact, if you try to tell the router geeks what the configurations are they will burn down your house. This is a sensitive area for router geeks. You have the ability to screw with their kingdom and bring their house of cards down. So I could tell you what most of these parameters are, but you can also Read The Friggin Manual and the router geeks will feed them to you.

But I’ll gloss over some of the obvious ones.

  • Router id is usually one of the interfaces but is ONLY an ID and does not impact routing. All the routers have to have unique IP addresses.
  • Cost: Small is faster, big is slower. Router geeks usually have a table they use to calculate the cost of the links. 1 gig links are low cost and dial up are expensive.

[Image: ospf 1]

  • Virtual links you can usually ignore. This is like a VPN tunnel through the firewall when OSPF routers on either side want to talk through the firewall directly to each other.
  • Areas: this is the fun part where it all comes together. <wait for it….>

[Image: areas]

So remember in my Part Uno when I said that Windows 8 PC nut created a new network 10.5.0.0 and I wanted all routers in my AS to know about it? This is where it happens. This is where you can tell an interface to join an area and suck in and distribute routes that the firewall knows about. As the firewall gets Link State Announcements (LSA) from far and wide (can be from non-adjacent areas) the firewall will enter the LSA into the routing table and forward the LSA to its adjacent areas. How do you prevent internal addresses from leaking out? Well usually the router geeks will put filters on the perimeter and/or also on the internal BGP domain so that only the right LSAs come your way. You really don’t have to worry about that, that’s why we pay router geeks big bucks.

So in our example the 10.5.0.0/25 is created in some far off router and at some point the LSA makes it to the firewall. Because it traveled a long distance it has a cumulative cost from hopping through all the OSPF and BGP routers to get to the firewall. The firewall enters the route into the routing table and forwards the LSA (after adding in more cost for the adjacent links) to the other areas the firewall is linked into, as shown in the area config on this page.

Same thing goes when the 10.5.0.0 goes down. The Windows 8 geek trips over the network wire and the port goes unlinked. The far off router will detect that the network 10.5.0.0 is down and send an LSA to pull the entry from everyone’s routing table.

Once again, you really don’t have to worry about many of these parameters. They have to match up with the adjacent routers or it won’t work.

The one parameter that you can dink with is the passive option. This tells your local OSPF daemon that the local interface will participate in the local OSPF calculations for that port BUT it will not advertise or suck in LSAs through that port (let’s say eth1, 10.1.0.0/27). If the port goes down, then locally the subnet entry 10.1.0.0/27 will be removed from the routing table BUT the LSA will go out the OTHER interfaces (eth2/3/4/5) that the firewall is participating in. So the subnet of the interface (e.g. eth1 is 10.1.0.0/27) will be part of the OSPF LSA going out on eth2/3/4/5, assuming they are attached to OSPF areas, when eth1 goes up and down. But because the interface eth1 does not accept LSAs, none of the networks learned behind eth1 will be in the local routing table and won’t be repeated out eth2/3/4/5.

[Image: area config]
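Here is what the area and passive setup described above looks like as an added example in Gaia clish (my own illustration, not taken from the screenshots or from Check Point’s docs). Assumptions: R77-era clish syntax (check your release’s admin guide), eth2/eth3 face the OSPF areas, eth1 is the 10.1.0.0/27 user network, and the router ID and cost values are made up for the example.

```clish
# Assumed Gaia clish syntax (R77 style); verify against your release.
# Router ID: only an identifier, does not affect path selection, must be unique.
set ospf router-id 10.1.0.1

# Enable the backbone area and attach the routing-side interfaces to it.
set ospf area backbone on
set ospf interface eth2 area backbone on
set ospf interface eth3 area backbone on

# Cost: lower wins. Values are illustrative; use the router team's table.
set ospf interface eth2 cost 10
set ospf interface eth3 cost 10

# Passive: eth1 (10.1.0.0/27) is included in the LSAs sent out eth2/eth3,
# but no hellos or LSAs are sent or accepted on eth1 itself, so nothing
# behind eth1 can inject routes into the firewall.
set ospf interface eth1 area backbone on
set ospf interface eth1 passive on

# Verify: neighbours should form on eth2/eth3 only (none on eth1),
# and the far-off 10.5.0.0/25 should show up as an OSPF route.
show ospf neighbors
show ospf interfaces
show route ospf

save config
```

If a neighbour unexpectedly appears on eth1, the passive flag is not applied and that port is accepting LSAs from whatever is plugged into it.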


blog.lachmann.org

Michael Endrizzi's - St. Paul MN - CheckPoint blog on topics related to Check Point products and security in general.
