OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto

I tested OSPF for IPv4 in my lab: I configured OSPF inside a single broadcast domain with five devices: 2x Cisco Router, Cisco ASA, Juniper SSG, and Palo Alto PA. It works perfectly, even though several different vendors are involved.

I will show my lab and list all the configuration commands/screenshots I used on the devices. I won’t go into detail, but maybe these listings help with a basic understanding of the OSPF processes on these devices.

I don’t want to say much about OSPF. Whoever reaches this post might already know about it. :) (Or read the articles about OSPF on Wikipedia or Cisco.)

Lab

This figure shows my lab and the basic OSPF values:

OSPF Lab

Note that I have a few more networks and Site-to-Site VPNs between these devices. So this figure is not complete at all but shows all relevant OSPF objects.

Some information

  • Everything is in area 0.0.0.0, type broadcast
  • Juniper SSG should be the DR: interface priority set to 100.
  • Palo Alto PA should be the BDR: interface priority set to 50.
  • Router-ID is always set manually to the IPv4 address of the interface (172.16.1.x).
  • Interface costs are as shown in the figure. For the Cisco routers I used the auto-cost reference-bandwidth 10000 command, while on all the other devices I configured the costs manually.
  • Passive-interface on all user/access interfaces.
  • Static routes are redistributed on a few devices for Remote Access VPN (Cisco ASA, Palo Alto) and Site-to-Site VPNs (Juniper).
  • The default route to the Internet via the Juniper SSG is also redistributed. It has a cost of 42 because it is the answer to everything.
  • I did not change the administrative distance / route preference, although it differs between the devices (Cisco: 110, Juniper: 60, Palo Alto: 30). Since I am only using one dynamic routing protocol, this does not matter: the value is only relevant locally on each device.

Of course, these are only the basic configurations for OSPF. I have not worked with authentication between the neighbors, nor have I fine-tuned other parameters such as graceful restart (non-stop forwarding), etc.
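As an added illustration of the settings listed above (this is not the author’s router listing, which is not reproduced on this page), here is how they translate to Cisco IOS syntax for one of the routers. The interface names, the host address 172.16.1.1 and the access network 192.168.10.0/24 are my assumptions; the per-interface costs from the figure are not available here.

```ios
! Added example, not the author's configuration. Interface names and
! the addresses 172.16.1.1 / 192.168.10.0/24 are assumptions.
!
interface FastEthernet0/0
 description OSPF broadcast segment, area 0.0.0.0
 ip address 172.16.1.1 255.255.255.0
 ! priority left at the default of 1: the Juniper SSG (100) becomes DR
 ! and the Palo Alto (50) becomes BDR, as intended in the lab
!
interface FastEthernet0/1
 description user/access network, no OSPF hellos sent here
 ip address 192.168.10.1 255.255.255.0
!
router ospf 1
 ! Router-ID set manually to the address on the OSPF segment
 router-id 172.16.1.1
 ! 10000 Mbit/s reference: FastEthernet gets cost 100, GigabitEthernet 10
 auto-cost reference-bandwidth 10000
 network 172.16.1.0 0.0.0.255 area 0.0.0.0
 network 192.168.10.0 0.0.0.255 area 0.0.0.0
 ! passive by default, hellos only on the shared segment
 passive-interface default
 no passive-interface FastEthernet0/0
 ! Not part of this lab (the author skipped neighbor authentication).
 ! On a shared segment, "area 0.0.0.0 authentication message-digest" here
 ! plus "ip ospf message-digest-key 1 md5 <key>" on FastEthernet0/0
 ! stops unauthenticated routers from forming an adjacency.
!
```

Verify with show ip ospf neighbor (the SSG should show as DR and the PA as BDR) and show ip ospf interface FastEthernet0/0 for the computed cost and priority.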

Cisco Router

I have two Cisco routers in my lab: One 2621 with IOS version 12.3(26) and one 2811 with IOS 12.4(24)T8.

This is the configuration for one of the Cisco routers. The config of the other router looks exactly the same:

And here are two show commands:

Cisco ASA

The Cisco ASA 5505 in my lab runs at version 9.1(4).

I configured the ASA through the ASDM GUI. In the following configuration screenshots, the redistribution of the static routes to the AnyConnect RA VPN is also shown:

And these are some monitoring screenshots:

Juniper SSG

In my lab, it’s an SSG 5 with software version 6.3.0r17.0.

Here is the configuration, including the redistribution of static routes for the Site-to-Site VPNs (complicated: access list, route map, OSPF redistributable rules) and the default route:

And here are a few listings from the CLI. (For some reason, the host route to the AnyConnect VPN client on the Cisco ASA, 192.168.133.10/32, is missing in the routing table. I do not know why. On the Cisco routers as well as on the Palo Alto it is present.)

Palo Alto

Finally, the Palo Alto PA-200 in my lab runs at PAN-OS version 6.0.3.

Before we start, remember to add a security policy rule that allows OSPF in the relevant zone. I forgot it and searched for a while through all the OSPF settings before I saw the denied packets in the traffic log. ;)

Here are the configuration steps for the OSPF routing. I also configured a redistribution profile which is referenced in the export rules of the OSPF process:

The “More Runtime Stats” look like this:

And for the friends of the CLI, here are a few commands: :)

Links

For more posts about routing/switching you can follow the “Routing” or “Switching” categories covering various firewall/router vendors, or the “Cisco Router”/“Cisco Switch” tags for posts related to Cisco stuff.

Featured image “Rail Routs” by Don Burkett is licensed under CC BY-NC-ND 2.0.

2 thoughts on “OSPF for IPv4 Test Lab: Cisco Router & ASA, Juniper SSG & Palo Alto”

  1. This had me stumped for a while

    “Before we start, remember to add a security policy rule to allow OSPF on the specific zone”

    Thanks for the tip!
