[c-nsp] OSPF on PIX?
Niels Bakker
niels=cisco-nsp at bakker.net
Fri Sep 3 13:33:38 EDT 2004
* Delbert.Hudson at LOSANGELES.AF.MIL (Hudson Delbert J Contr 61 CS/SCBN) [Fri 03 Sep 2004, 17:54 CEST]:
> I would, unless you just can't, turn off OSPF on your firewall.
>
> why...
>
> #1 routers route and firewalls ...well you get it.
Firewalls forward (or not) packets, not just based on destination IP
address, but also according to a local security policy. In what way
does "routing" differ from "forwarding packets" in your world view?
> #2. The PIX doesn't need to know it's OSPF traffic.
> Pass it through as just plain old IP traffic, since it doesn't use TCP
> or UDP.
OSPF traffic won't pass a PIX, as OSPF over broadcast media uses
multicast with a TTL of 1, which won't be let through as a PIX - even in
transparent mode - decreases the TTL.
> #3. The CPU usage is due to SPF runs, LSAs and the resultant floods.
> It's not due to the data, it's HOW OSPF works.
SPF algorithm runs shouldn't account for a continuous CPU load.
> #4. Why would you want your PIX to get involved in BDR & DR elections?
Apart from the question why you'd buy a PIX in the first place, you can
keep any device non-eligible for DR/BDR duties by appropriately
configuring its OSPF priority.
-- Niels.
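As an added example, not part of Niels' post or the thread: the priority knob Niels refers to, written in Cisco IOS interface syntax (which is well established). The PIX 6.3 `routing interface` form after it is an assumption about that release's syntax, and the address is a constructed documentation-range value.

```cisco
! Added example, not from the original thread.
! Cisco IOS: an OSPF interface priority of 0 makes the router ineligible
! to become DR or BDR on that segment; it still forms adjacencies and
! still learns and advertises routes.
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ip ospf priority 0
!
! Check: the interface state should read DROTHER, never DR or BDR:
!   Router# show ip ospf interface GigabitEthernet0/0
!
! PIX 6.3 (assumed syntax for that release): the same knob sits under the
! per-interface routing stanza rather than under "interface".
routing interface inside
 ospf priority 0
```

With priority 0 on every firewall interface that speaks OSPF, DR/BDR election stays with the routers on the segment, which removes the objection in point #4 without giving up the routes the firewall learns.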