OSPF Design Example

As shown in Figure 9-3, in this example a single OSPF process routes between the DMZ and the inside security domains. The FWSM is in single-context routed mode. The configuration does not have MD5 authentication enabled; it is good practice to enable MD5 authentication on the OSPF adjacencies. Example 9-2 shows the FWSM configuration.

Figure 9-3 OSPF Single-Process Between Two Security Zones

[Figure 9-3: Router 1 (R1), the outside router (MSFC); the FWSM in single-context routed mode; and Router 2 (R2), the inside router, all participating in OSPF process 4.]

The FWSM has a default route that points to the R1 router. VLANs 92 and 91 are configured in OSPF process 4. The FWSM advertises the default route to R2 and R3 by means of the default-information originate command. (Note that there is a static default route pointing to the outside security domain.)

Example 9-2 FWSM Configuration

FWSM(config)# show run
: Saved
:
hostname FWSM
enable password 8Ry2YjIyt7RRXU24 encrypted
names
! Configure the outside interface
interface Vlan90
 nameif outside
 security-level 0
 ip address 10.100.1.2 255.255.255.0
! Configure the inside interface
interface Vlan91
 nameif inside
 security-level 100
 ip address 10.101.1.2 255.255.255.0
! Configure the dmz interface
interface Vlan92
 nameif dmz
 security-level 50
 ip address 10.102.1.2 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
! Configure the access list. Note that the access list should be configured based
! on the security policy
access-list 100 extended permit ip any any
access-list 101 extended permit ip any any
access-list 102 extended permit ip any any
access-list 106 extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
no failover
icmp permit any outside
icmp permit any inside
icmp permit any dmz
no asdm history enable
arp timeout 14400
nat-control
! Configure NAT for the security domains defined
nat (inside) 0 0.0.0.0 0.0.0.0
nat (dmz) 0 0.0.0.0 0.0.0.0
! Apply access list to the interfaces in the security domain
access-group 100 in interface outside
access-group 100 out interface outside
access-group 106 in interface inside
access-group 101 out interface inside
access-group 102 in interface dmz
access-group 102 out interface dmz
! Configure default route pointing to the outside next hop address
route outside 0.0.0.0 0.0.0.0 10.100.1.1 1
! Configure OSPF defined in each security domain. Configure the router Id.
! The default-information originate command will generate a default route in DMZ
! and inside security domains, based on the static route configured in the FWSM
! towards the outside security domain
router ospf 4
 network 10.101.0.0 255.255.0.0 area 0
 network 10.102.0.0 255.255.0.0 area 0
 router-id 10.101.1.2
 log-adj-changes
 default-information originate
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1296bbc15e71a27c5087f81eae48b43c
: end
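Example 9-2 leaves OSPF process 4 unauthenticated, so any host on VLAN 91 or 92 that speaks OSPF can form an adjacency with the FWSM and inject routes. The following is an added example (not part of the book's configuration) showing the MD5 additions on the FWSM and on an IOS peer, using the ASA/FWSM and IOS OSPF command syntax; the key strings are placeholders, and key ID and key must match on both ends of each link.

```cisco
! FWSM side (added example, not from Example 9-2).
! <INSIDE-KEY> and <DMZ-KEY> are placeholders; use distinct keys per VLAN.
interface Vlan91
 ospf message-digest-key 1 md5 <INSIDE-KEY>
 ospf authentication message-digest
interface Vlan92
 ospf message-digest-key 1 md5 <DMZ-KEY>
 ospf authentication message-digest
!
! R2 (inside router, IOS) on its Vlan91 interface.
! R3 (DMZ router) is configured the same way on Vlan92 with <DMZ-KEY>.
interface Vlan91
 ip ospf message-digest-key 1 md5 <INSIDE-KEY>
 ip ospf authentication message-digest
!
! Verification on the FWSM: each neighbor must return to FULL state.
! A key mismatch shows up as a missing neighbor and OSPF authentication
! errors in the log of the side that rejects the hello, not as a silent
! fallback to unauthenticated operation.
FWSM(config)# show ospf 4 neighbor
```

MD5 here is a shared-secret integrity check on OSPF packets, not encryption: it stops unauthenticated neighbors from joining the process but does not hide the routing information on the wire.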

The following examples are the outputs for the configuration shown in "OSPF Design Example 1." Example 9-3 illustrates checking the routing table at the FWSM.

Example 9-3 Checking the Routing Table at the FWSM

FWSM(config)# show route
O    172.17.1.1 255.255.255.255 [110/11] via 10.102.1.1, 17:02:07, dmz
O    172.16.1.1 255.255.255.255 [110/11] via 10.101.1.1, 17:02:07, inside
C    10.102.1.0 255.255.255.0 is directly connected, dmz
C    10.101.1.0 255.255.255.0 is directly connected, inside
C    10.100.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 10.100.1.1, outside

The route codes in the output of this show route command indicate the networks learned from OSPF neighbors as O, the routes directly connected to the FWSM as C, and the static routes configured on the FWSM as S. Example 9-4 illustrates checking the OSPF database at the FWSM.

Example 9-4 Checking the OSPF Database at the FWSM

FWSM(config)# show ospf 4 database

       OSPF Router with ID (10.101.1.2) (Process ID 4)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
10.109.1.1      10.109.1.1      1087        0x80000029 0x3ca5   2
10.101.1.2      10.101.1.2      1411        0x8000002b 0x43f2   2
10.102.1.1      10.102.1.1      1291        0x8000002b 0xe14    2

                Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.101.1.1      10.109.1.1      1857        0x80000020 0x5fc9
10.102.1.1      10.102.1.1      1550        0x80000020 0x470a

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
0.0.0.0         10.101.1.2      1411        0x80000026 0x8e89   4

The output shown in Example 9-4 gives the LSA types in the OSPF process learned via the OSPF neighbors. Example 9-5 shows the partial output of the show ip route command at the DMZ router.

Example 9-5 Displaying the IP Route at the DMZ Router

Gateway of last resort is 10.102.1.2 to network 0.0.0.0

     172.17.0.0/32 is subnetted, 1 subnets
C       172.17.1.1 is directly connected, Loopback201
     172.16.0.0/32 is subnetted, 1 subnets
O       172.16.1.1 [110/12] via 10.102.1.2, 17:01:34, Vlan92
     10.0.0.0/24 is subnetted, 2 subnets
C       10.102.1.0 is directly connected, Vlan92
O       10.101.1.0 [110/11] via 10.102.1.2, 17:01:34, Vlan92
O*E2 0.0.0.0/0 [110/1] via 10.102.1.2, 17:01:34, Vlan92

Note that the default route (O*E2) is learned from the FWSM; it is an OSPF external Type 2 route.

Example 9-6 shows the partial output of the show ip route command at the inside router.

Example 9-6 Displaying the IP Routes at the Inside Router

Gateway of last resort is 10.101.1.2 to network 0.0.0.0

     172.17.0.0/32 is subnetted, 1 subnets
O       172.17.1.1 [110/12] via 10.101.1.2, 17:01:25, Vlan91
     172.16.0.0/32 is subnetted, 1 subnets
C       172.16.1.1 is directly connected, Loopback200
     10.0.0.0/24 is subnetted, 2 subnets
O       10.102.1.0 [110/11] via 10.101.1.2, 17:01:25, Vlan91
C       10.101.1.0 is directly connected, Vlan91
O*E2 0.0.0.0/0 [110/0] via 10.101.1.2, 17:01:32, Vlan91

Note that here, too, the default route (O*E2) is learned from the FWSM.
