I tested OSPF for IPv4 in my lab: I configured OSPF inside a single broadcast domain with five devices: two Cisco routers, a Cisco ASA, a Juniper SSG, and a Palo Alto PA. It works perfectly, even though these are a few different vendors.
I will show my lab and list all the configuration commands/screenshots I used on the devices. I won’t go into detail, but maybe these listings help with a basic understanding of the OSPF processes on these devices.
I don’t want to say much about OSPF. Whoever reaches this post might already know about it. (Or read the articles about OSPF on Wikipedia or Cisco.)
Lab
This figure shows my lab and the basic OSPF values:
Note that I have a few more networks and Site-to-Site VPNs between these devices. So this figure is not complete at all but shows all relevant OSPF objects.
Some information
- Everything is in area 0.0.0.0, type broadcast
- Juniper SSG should be the DR: interface priority set to 100.
- Palo Alto PA should be the BDR: interface priority set to 50.
- Router-ID is always set manually to the IPv4 address of the interface (172.16.1.x).
- Cost for the interfaces as seen in the figure. For the Cisco routers I used the "auto-cost reference-bandwidth 10000" command, while for all the other devices I configured the costs manually.
- Passive-interface on all user/access interfaces.
- Static routes are redistributed on a few devices for Remote Access VPN (Cisco ASA, Palo Alto) and Site-to-Site VPNs (Juniper).
- The default route to the Internet via the Juniper SSG is also redistributed. It has a cost of 42 because it is the answer to everything.
- No changes in the administrative distance / route preference, though it differs across the devices (Cisco: 110, Juniper: 60, Palo Alto: 30). Since I am using only one dynamic routing protocol, this does not matter: the value is only of local relevance on each device.
Of course, these are only the basic configurations for OSPF. I have not worked with authentication between the neighbors, nor have I fine-tuned other parameters such as graceful restart (non-stop forwarding), etc.
Cisco Router
I have two Cisco routers in my lab: One 2621 with IOS version 12.3(26) and one 2811 with IOS 12.4(24)T8.
This is the configuration for one of the Cisco routers. The config of the other router looks exactly the same:
router ospf 1
 router-id 172.16.1.5
 log-adjacency-changes
 auto-cost reference-bandwidth 10000
 passive-interface default
 no passive-interface FastEthernet0/0
 network 172.16.1.0 0.0.0.255 area 0.0.0.0
 network 192.168.150.0 0.0.0.255 area 0.0.0.0
 network 192.168.151.0 0.0.0.255 area 0.0.0.0
And here are two show commands:
fd-wv-ro03#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.1.1      100   FULL/DROTHER    00:00:33    172.16.1.1      FastEthernet0/0
172.16.1.2       50   FULL/BDR        00:00:37    172.16.1.2      FastEthernet0/0
172.16.1.3        1   FULL/DROTHER    00:00:36    172.16.1.3      FastEthernet0/0
172.16.1.4        1   FULL/DROTHER    00:00:32    172.16.1.4      FastEthernet0/0
fd-wv-ro03#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

O E1 192.168.29.0/24 [110/10100] via 172.16.1.1, 07:27:01, FastEthernet0/0
O    192.168.122.0/24 [110/110] via 172.16.1.2, 2d19h, FastEthernet0/0
     192.168.133.0/32 is subnetted, 1 subnets
O E1    192.168.133.10 [110/1100] via 172.16.1.1, 00:41:33, FastEthernet0/0
S    192.168.121.0/24 [1/0] via 10.0.0.5, Tunnel121
C    192.168.151.0/24 is directly connected, FastEthernet0/1.151
O    192.168.120.0/24 [110/110] via 172.16.1.2, 2d19h, FastEthernet0/0
C    192.168.150.0/24 is directly connected, FastEthernet0/1.150
O    192.168.110.0/24 [110/200] via 172.16.1.1, 2d19h, FastEthernet0/0
O E1 192.168.9.0/24 [110/10100] via 172.16.1.1, 05:31:48, FastEthernet0/0
     192.168.126.0/25 is subnetted, 1 subnets
O E1    192.168.126.0 [110/1100] via 172.16.1.2, 2d19h, FastEthernet0/0
S    192.168.111.0/24 [1/0] via 10.0.0.9, Tunnel111
O    192.168.125.0/24 [110/110] via 172.16.1.2, 2d19h, FastEthernet0/0
O    192.168.130.0/24 [110/200] via 172.16.1.3, 2d21h, FastEthernet0/0
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, FastEthernet0/0
O    192.168.124.0/24 [110/110] via 172.16.1.2, 2d19h, FastEthernet0/0
O    192.168.131.0/24 [110/200] via 172.16.1.3, 2d21h, FastEthernet0/0
O    192.168.140.0/24 [110/200] via 172.16.1.4, 2d20h, FastEthernet0/0
O    192.168.141.0/24 [110/200] via 172.16.1.4, 2d20h, FastEthernet0/0
O E1 192.168.5.0/24 [110/10100] via 172.16.1.1, 06:12:23, FastEthernet0/0
     10.0.0.0/30 is subnetted, 2 subnets
C       10.0.0.8 is directly connected, Tunnel111
C       10.0.0.4 is directly connected, Tunnel121
O    192.168.113.0/24 [110/200] via 172.16.1.1, 2d19h, FastEthernet0/0
O E1 192.168.188.0/24 [110/10100] via 172.16.1.1, 1d00h, FastEthernet0/0
O    192.168.112.0/24 [110/200] via 172.16.1.1, 2d19h, FastEthernet0/0
O E1 192.168.86.0/24 [110/10100] via 172.16.1.1, 06:10:03, FastEthernet0/0
O*E1 0.0.0.0/0 [110/142] via 172.16.1.1, 01:45:39, FastEthernet0/0
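A small check on the neighbor table above, written here as an added example (not the author's code): it parses the "show ip ospf neighbor" output, infers the local router's role from the roles it reports for its neighbors, and flags any neighbor whose priority is higher than the DR's, because OSPF DR election is non-preemptive and a higher-priority router that joins a segment later never takes over the DR role. The sample input is constructed from the listing above; the local priority of 1 (the Cisco default) is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the "show ip ospf neighbor" listing above.
SAMPLE = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.16.1.1      100   FULL/DROTHER    00:00:33    172.16.1.1      FastEthernet0/0
172.16.1.2       50   FULL/BDR        00:00:37    172.16.1.2      FastEthernet0/0
172.16.1.3        1   FULL/DROTHER    00:00:36    172.16.1.3      FastEthernet0/0
172.16.1.4        1   FULL/DROTHER    00:00:32    172.16.1.4      FastEthernet0/0
"""
# <router-id> <pri> <STATE>/<ROLE> <dead time> <address> <interface>
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)/(\w+)\s+(\S+)\s+(\S+)\s+(\S+)$")

@dataclass
class Neighbor:
    router_id: str
    priority: int
    state: str      # FULL, 2WAY, EXSTART, ...
    role: str       # DR, BDR or DROTHER, as seen from the local router
    interface: str

def parse_neighbors(text):
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return [Neighbor(m[1], int(m[2]), m[3], m[4], m[7]) for m in rows if m]

def local_role(neighbors):
    """Infer the local router's role from the roles it reports on the segment."""
    roles = {n.role for n in neighbors}
    if {"DR", "BDR"} <= roles:
        return "DROTHER"
    if "DR" in roles:
        return "BDR"
    return "DR" if "BDR" in roles else "UNKNOWN"  # no neighbours, or p2p link

def election_check(neighbors, local_priority):
    """Return (local role, findings). DR election is non-preemptive: a higher-
    priority router that joined later never takes over, so flag it, plus stuck adjacencies."""
    role = local_role(neighbors)
    dr = next((n for n in neighbors if n.role == "DR"), None)
    dr_pri = local_priority if role == "DR" else (dr.priority if dr else None)
    findings = []
    if dr_pri is not None and local_priority > dr_pri:
        findings.append(f"local router pri {local_priority} outranks DR pri {dr_pri}")
    for n in neighbors:
        if dr_pri is not None and n.priority > dr_pri:
            findings.append(f"{n.router_id} pri {n.priority} outranks DR pri {dr_pri}")
        if n.state == "2WAY" and not (role == "DROTHER" and n.role == "DROTHER"):
            findings.append(f"{n.router_id} stuck in 2WAY although a DR/BDR is involved")
        elif n.state not in ("FULL", "2WAY"):
            findings.append(f"{n.router_id} adjacency stuck in {n.state}")
    return role, findings
```

On the listing above it reports the router itself as DR (it is FULL with a BDR and sees no DR) and both the Juniper (priority 100) and the Palo Alto (priority 50) as outranking it, which matches the 2Way states the Juniper shows towards the other DROTHERs further down.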
Cisco ASA
The Cisco ASA 5505 in my lab runs version 9.1(4).
I configured the ASA through the ASDM GUI. In the following configuration screenshots, the redistribution of the static routes to the AnyConnect RA VPN is also shown:
And these are some monitoring screenshots:
Juniper SSG
In my lab, it’s an SSG 5 with software version 6.3.0r17.0.
Here is the configuration, including the redistribution of static routes for the Site-to-Site VPNs (somewhat complicated: access list, route map, OSPF redistributable rules) and the default route:
And here are a few listings from the CLI. (For some reason, the host route to the AnyConnect VPN client on the Cisco ASA, 192.168.133.10/32, is missing in the routing table. I do not know why. On the Cisco routers as well as on the Palo Alto it is present.)
fd-wv-fw01-> get vrouter trust-vr protocol ospf neighbor
VR: trust-vr RouterId: 172.16.1.1
----------------------------------
Neighbor(s) on interface ethernet0/5.1 (Area 0.0.0.0)
Neighbor(s) on interface ethernet0/5.10 (Area 0.0.0.0)
Neighbor(s) on interface ethernet0/5.2 (Area 0.0.0.0)
Neighbor(s) on interface ethernet0/5.3 (Area 0.0.0.0)
Neighbor(s) on interface ethernet0/6 (Area 0.0.0.0)
IpAddr/IfIndex   RouterId     Pri State  Opt Up            StateChg
------------------------------------------------------------------------------
172.16.1.5       172.16.1.5     1 Full   E   2d;20:30:14   (+7 -0)
172.16.1.3       172.16.1.3     1 2Way   E   2d;20:30:18   (+3 -0)
172.16.1.2       172.16.1.2    50 Full   E   2d;20:30:19   (+7 -0)
172.16.1.4       172.16.1.4     1 2Way   E   2d;20:30:23   (+3 -0)
fd-wv-fw01-> get route v4 protocol ospf

IPv4 Dest-Routes for (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
N: NHRP
iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
E2: OSPF/OSPFv3 external type 2 trailing B: backup route

IPv4 Dest-Routes for (40 entries)
--------------------------------------------------------------------------------------
     ID   IP-Prefix          Interface   Gateway      P   Pref   Mtr    Vsys
--------------------------------------------------------------------------------------
     98   192.168.151.0/24   eth0/6      172.16.1.5   O   60     200    Root
*    97   192.168.150.0/24   eth0/6      172.16.1.5   O   60     200    Root
     96   192.168.131.0/24   eth0/6      172.16.1.3   O   60     200    Root
*   102   192.168.130.0/24   eth0/6      172.16.1.3   O   60     200    Root
*    94   192.168.141.0/24   eth0/6      172.16.1.4   O   60     200    Root
*    93   192.168.140.0/24   eth0/6      172.16.1.4   O   60     200    Root
*    99   192.168.126.0/25   eth0/6      172.16.1.2   E1  60     1100   Root
*    92   192.168.125.0/24   eth0/6      172.16.1.2   O   60     110    Root
*    91   192.168.124.0/24   eth0/6      172.16.1.2   O   60     110    Root
*    90   192.168.122.0/24   eth0/6      172.16.1.2   O   60     110    Root
     89   192.168.121.0/24   eth0/6      172.16.1.2   O   60     110    Root
*    88   192.168.120.0/24   eth0/6      172.16.1.2   O   60     110    Root

Total number of ospf routes: 12
fd-wv-fw01-> get vrouter trust-vr protocol ospf config
VR: trust-vr RouterId: 172.16.1.1
----------------------------------
set protocol ospf
set enable
set advertise-def-route metric 42 metric-type 1
exit
set protocol ospf
set redistribute route-map "map_redist-vpns" protocol static
exit
set interface ethernet0/5.1 protocol ospf area 0.0.0.0
set interface ethernet0/5.1 protocol ospf passive
set interface ethernet0/5.1 protocol ospf enable
set interface ethernet0/5.1 protocol ospf cost 100
set interface ethernet0/5.10 protocol ospf area 0.0.0.0
set interface ethernet0/5.10 protocol ospf passive
set interface ethernet0/5.10 protocol ospf enable
set interface ethernet0/5.10 protocol ospf cost 100
set interface ethernet0/5.2 protocol ospf area 0.0.0.0
set interface ethernet0/5.2 protocol ospf passive
set interface ethernet0/5.2 protocol ospf enable
set interface ethernet0/5.2 protocol ospf cost 100
set interface ethernet0/5.3 protocol ospf area 0.0.0.0
set interface ethernet0/5.3 protocol ospf passive
set interface ethernet0/5.3 protocol ospf enable
set interface ethernet0/5.3 protocol ospf cost 100
set interface ethernet0/6 protocol ospf area 0.0.0.0
set interface ethernet0/6 protocol ospf enable
set interface ethernet0/6 protocol ospf priority 100
set interface ethernet0/6 protocol ospf cost 100
Palo Alto
Finally, the Palo Alto PA-200 in my lab runs PAN-OS version 6.0.3.
Before we start, remember to add a security policy rule that allows OSPF in the specific zone. I had forgotten it and searched for a while through all the OSPF configuration before I saw the denied packets in the traffic log.
Here are the configuration steps for the OSPF routing. I also configured a redistribution profile which is referenced in the export rules of the OSPF process:
The “More Runtime Stats” look like this:
And for friends of the CLI, use one of these commands:
show routing protocol ospf neighbor
show routing protocol ospf interface
show routing protocol ospf summary
show routing route type ospf
Links
- Cisco: Configuring OSPF (IOS)
- Cisco: Configuring OSPF (ASA)
- Juniper: Configuring OSPF on firewall
- Corelan Team: Using OSPF on Juniper Netscreen Firewalls
- Palo Alto: Understanding Route Redistribution and Filtering