Tuesday, September 7, 2021

OSPF Sanity Check

Slightly weird scenario, hoping you guys have maybe tried or seen this before.

We have an existing ASA with its inside interface on a VLAN that lets it reach the firewall. They discover/broadcast to each other and establish an OSPF adjacency. The ASA is the DR, FW (Checkpoint) is DROther.

What I want to do is add a new router on the same network north of the FW on the same FW interface. The caveat is, I don't want that router to see routes from the ASA to prevent any weird scenarios where traffic to weird destinations skips the firewall.

My "simple" solution was to just bring up the new router as a non-broadcast OSPF and configure the FW as a neighbor to send unicast hellos (so no adjacency with the ASA). Anyone have any ideas/experience as to why that will/won't work?

If it doesn't work I'll just bring the new router up and filter the ASA's OSPF tag out.

Thanks!
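As an added illustration (not part of the original post, and not the poster's config), here is what the two options described above look like on the new router in Cisco IOS-style syntax. The interface name, addresses, process ID, area, route-map name and the tag value are all assumptions; the post gives none of them.

```cisco
! Added example, not from the original post. Cisco IOS-style OSPF
! configuration for the NEW router on the shared firewall segment.
! Interface, addresses, process id, area and tag value are assumed.
!
! Option 1 from the post: non-broadcast network type with the firewall
! configured as a unicast neighbor. Hellos are sent only to that address,
! so the ASA never receives a hello from this router and no adjacency
! with the ASA is attempted.
interface GigabitEthernet0/0
 description Shared segment: FW inside interface and ASA inside interface
 ip address 192.0.2.20 255.255.255.0
 ip ospf network non-broadcast
!
router ospf 1
 router-id 192.0.2.20
 network 192.0.2.0 0.0.0.255 area 0
 ! assumed firewall address; unicast hellos are sent here
 neighbor 192.0.2.10
 ! Option 2 from the post: keep routes carrying the ASA's tag out of
 ! this router's routing table (the fallback if option 1 fails).
 distribute-list route-map DROP-ASA-ROUTES in
!
route-map DROP-ASA-ROUTES deny 10
 ! assumed tag value set by the ASA on the routes it redistributes
 match tag 100
route-map DROP-ASA-ROUTES permit 20
!
! Verification after applying:
!   show ip ospf neighbor            FW must be the only neighbor and in FULL
!   show ip ospf database external   tagged LSAs may still be present
!   show ip route ospf               tagged prefixes must NOT be installed
```

Two things to check when testing this. First, on a broadcast or non-broadcast segment a router only exchanges LSAs with the DR and BDR, so if the firewall is DROther and the new router's neighbor state stops at 2WAY instead of FULL, no routes will arrive at all. Second, an inbound distribute-list only stops routes from being installed in the routing table: the ASA's LSAs are still flooded throughout the area, still sit in the new router's OSPF database, and will be re-flooded to any other OSPF neighbors the new router has, so the database check above is expected to show them and is not a sign the filter failed.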


