I have a unique situation (at least for me) where I have two OSPF routers on each side of a static-routing-only device. Is it possible to do any kind of OSPF transit across/through a device that doesn't support OSPF? I thought about doing something like a GRE tunnel, but the static device is a firewall and I want it to be able to see into the traffic.
Is the firewall VLAN capable?
Yes it is and I didn't even think about that.
Each router has a big ol' static route pointing at the firewall?
GRE in transport mode should allow visibility at the firewall. If you want to hide it, you could do tunnel mode and encapsulate it in IPsec.
Quote from: deanwebb on March 22, 2016, 08:19:49 AM
Each router has a big ol' static route pointing at the firewall?
Yep, big ol' summary routes.
Yup tunnel is your solution as everyone above said.
BUT I hate this design and try to avoid it when possible. OSPF or any IGP does not play nice when you start to separate the control plane from the data plane, and even more so when you push those through a firewall. Same reason OSPF virtual links are a bad idea.
If you need dynamic routing between those two devices then BGP is a better fit. Just open up BGP on the firewall and go to town.
BGP on a firewall...
:haha3:
I laugh because of Cisco.
Yeah Cisco firewalls suck, but then again I hate firewalls...
Our new DCs are all BGP-peered with our firewalls and we are slowly migrating the rest. Used to pass the BGP peer through, but it's ugly. We are getting some seriously impressive failover times with this new model.
The firewall unfortunately doesn't do ospf/bgp/etc.
Quote from: Nerm on March 22, 2016, 06:19:36 PM
The firewall unfortunately doesn't do ospf/bgp/etc.
Let me guess... Cisco ASA?
Yeah, you're going to want to use that big ol' static route.
Meraki
Based on my research it looks like I might be able to "redneck" it with bgp. Gonna lab it tomorrow and will post back with my results.
How would BGP work?
Yes, routers 1 and 2 will exchange routes, but if you don't have a tunnel of some kind (which, as ristau5741 said, your FW should be able to see into as long as you're not encrypting it), the FW won't know what to do with the traffic once R1 sends it up there to go to R2.
You can't make it a transparent (L2) firewall can you?
If you have any sort of outside switch, on the other end of the firewall, I do not see what the problem is here? Connect them via L2, and do not have them go through a FW.
Quote from: dlots on March 23, 2016, 07:20:53 AM
How would BGP work?
Yes, routers 1 and 2 will exchange routes, but if you don't have a tunnel of some kind (which, as ristau5741 said, your FW should be able to see into as long as you're not encrypting it), the FW won't know what to do with the traffic once R1 sends it up there to go to R2.
You can't make it a transparent (L2) firewall can you?
Utilizing multihop....I did a lab today using bgp multihop for this proposed idea and it worked. *Let the flaming begin* :)
An unencrypted tunnel was my next option when told it "must" go through the firewall but I am also being told that the Meraki can't see tunneled traffic even if unencrypted. Admittedly I am very new to Meraki so I have no knowledge as to whether this is true or not. I should probably research that to see if all of my "provided" information is correct.
Quote from: LynK on March 23, 2016, 07:51:11 AM
If you have any sort of outside switch, on the other end of the firewall, I do not see what the problem is here? Connect them via L2, and do not have them go through a FW.
This is actually what I wanted to do in the first place but the "boss" demands this traffic go through the firewall.
Still confused. I know you can peer across it with multihop, but I am still confused how this fixes anything. When R1 sends the FW a packet that is being forwarded by the routes learned by BGP (let's say 1.1.1.1), R1 and R2 both know how to get to 1.1.1.1 via BGP, but how does the FW know what to do with the packet? The only routes it knows are the ones directly connected, or am I missing something?
Quote from: dlots on March 23, 2016, 03:58:50 PM
Still confused. I know you can peer across it with multihop, but I am still confused how this fixes anything. When R1 sends the FW a packet that is being forwarded by the routes learned by BGP (let's say 1.1.1.1), R1 and R2 both know how to get to 1.1.1.1 via BGP, but how does the FW know what to do with the packet? The only routes it knows are the ones directly connected, or am I missing something?
Static routes on the FW.
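The multihop lab Nerm describes and dlots' question about the firewall's data plane come down to three separate things: the eBGP session needs a TTL of more than 1 to survive the extra hop (the `ebgp-multihop` knob), the firewall needs static routes for the site prefixes because it learns nothing from BGP, and the firewall policy has to permit TCP/179 between the two peer addresses (ideally only between those addresses). The following Python model is an added example written for this thread, not configuration from any of the posters or from Meraki/Cisco; the topology, addresses (RFC 5737 documentation space), site prefixes and the firewall rule set are all constructed to illustrate the point. It forwards a BGP OPEN and a site-to-site packet hop by hop and reports where each one ends up.

```python
"""Two routers peering eBGP across a static-routing-only firewall (added example).
Constructed topology:
  R1 (192.0.2.1, site 10.1.0.0/16) -- FW (192.0.2.2 | 198.51.100.2) -- R2 (198.51.100.1, site 10.2.0.0/16)
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None            # TCP destination port, None for plain IP
    ttl: int = 64
    path: List[str] = field(default_factory=list)


class Node:
    def __init__(self, name: str, ifaces: Dict[str, str],
                 policy: Optional[Callable[[Packet], bool]] = None):
        self.name = name
        self.ifaces = {ip: ipaddress.ip_network(n) for ip, n in ifaces.items()}
        # RIB entries: (prefix, next-hop IP); next hop None == directly connected
        self.rib: List[Tuple[Net, Optional[str]]] = [(n, None) for n in self.ifaces.values()]
        self.policy = policy                # firewall rule set; None permits everything

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.rib.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst: str) -> Tuple[Optional[Net], Optional[str]]:
        """Longest-prefix match over the RIB."""
        addr = ipaddress.ip_address(dst)
        hits = [(n, nh) for n, nh in self.rib if addr in n]
        return max(hits, key=lambda h: h[0].prefixlen) if hits else (None, None)

    def resolve(self, dst: str, depth: int = 0) -> Optional[str]:
        """Recursive next-hop resolution: a BGP next hop that is not adjacent
        (the far router) is reached through the static default, as on real routers."""
        net, nh = self.lookup(dst)
        if net is None or depth > 8:
            return None
        return dst if nh is None else self.resolve(nh, depth + 1)


def owner_of(nodes: List[Node], ip: str) -> Optional[Node]:
    return next((n for n in nodes if ip in n.ifaces), None)


def forward(nodes: List[Node], src: Node, pkt: Packet) -> str:
    """Hop-by-hop forwarding; returns where the packet ended and why."""
    node = src
    while len(pkt.path) < 16:
        pkt.path.append(node.name)
        addr = ipaddress.ip_address(pkt.dst)
        on_link = any(addr in n for n in node.ifaces.values())
        if pkt.dst in node.ifaces or (on_link and owner_of(nodes, pkt.dst) is None):
            return f"delivered@{node.name}"           # own address, or stub LAN behind node
        if node is not src:                           # transit hop: TTL, then policy
            pkt.ttl -= 1
            if pkt.ttl == 0:
                return f"ttl-expired@{node.name}"
            if node.policy and not node.policy(pkt):
                return f"denied@{node.name}"
        nxt = owner_of(nodes, node.resolve(pkt.dst) or "")
        if nxt is None:
            return f"no-route@{node.name}"            # the firewall has no BGP-learned routes
        node = nxt
    return "loop"


SITES = [ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")]
PEERS = {"192.0.2.1", "198.51.100.1"}


def fw_policy(pkt: Packet) -> bool:
    """Constructed rule set: permit the eBGP session only between the two peer
    addresses, plus site-to-site traffic; everything else is dropped."""
    if pkt.dport == 179:
        return pkt.src in PEERS and pkt.dst in PEERS
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in n for n in SITES) and any(d in n for n in SITES)


def scenario(fw_statics: bool, ebgp_ttl: int) -> Tuple[str, str]:
    """Return (BGP session state, fate of a site-to-site packet from R1 to R2)."""
    r1 = Node("R1", {"192.0.2.1": "192.0.2.0/30", "10.1.0.1": "10.1.0.0/16"})
    fw = Node("FW", {"192.0.2.2": "192.0.2.0/30", "198.51.100.2": "198.51.100.0/30"}, fw_policy)
    r2 = Node("R2", {"198.51.100.1": "198.51.100.0/30", "10.2.0.1": "10.2.0.0/16"})
    nodes = [r1, fw, r2]
    r1.add_route("0.0.0.0/0", "192.0.2.2")            # the "big ol'" static on each router
    r2.add_route("0.0.0.0/0", "198.51.100.2")
    if fw_statics:                                      # what the firewall's data plane needs
        fw.add_route("10.1.0.0/16", "192.0.2.1")
        fw.add_route("10.2.0.0/16", "198.51.100.1")
    # eBGP OPEN both ways; TTL stays 1 unless ebgp-multihop is configured on both routers
    a = forward(nodes, r1, Packet("192.0.2.1", "198.51.100.1", dport=179, ttl=ebgp_ttl))
    b = forward(nodes, r2, Packet("198.51.100.1", "192.0.2.1", dport=179, ttl=ebgp_ttl))
    if a == "delivered@R2" and b == "delivered@R1":
        r1.add_route("10.2.0.0/16", "198.51.100.1")    # prefixes learned over the session
        r2.add_route("10.1.0.0/16", "192.0.2.1")
        session = "established"
    else:
        session = f"idle ({a})"
    return session, forward(nodes, r1, Packet("10.1.5.5", "10.2.7.7"))


if __name__ == "__main__":
    for statics, ttl in [(True, 1), (False, 2), (True, 2)]:
        print(f"fw statics={statics!s:5} ebgp ttl={ttl}: {scenario(statics, ttl)}")
```

With TTL 1 the OPEN dies on the firewall and the session never comes up; with multihop but no statics on the firewall the session establishes, yet the first site-to-site packet is dropped at the firewall with no route, which is exactly the gap dlots was pointing at; with both, traffic flows and the firewall sees every packet in the clear. On Cisco IOS the multihop part is `neighbor <peer> ebgp-multihop 2` on each router (an assumption about the lab, not stated in the thread); the rest is the static routes and a policy entry for TCP/179 scoped to the two peer addresses, since an unrestricted rule would let anything on either segment try to talk to the routers' BGP process.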