[c-nsp] Redistributing certain BGP routes into OSPF

Keegan Holley keegan.holley at sungard.com
Wed Apr 27 05:48:07 EDT 2011


I don't understand the drawing, but it looks like you have two routers
separated by a firewall and you are trying to send traffic to the DMZ router
even though the routes are advertised by the Indy-rtr.  This seems to not
make sense, but I think it's just because I don't understand your diagram.
You could create a loopback on the indy-rtr then set the next hop to it in
a route map on the indy-rtr as they are advertised to the DMZ router and
configure another static route on the ASA for said loopback.  You could also
buy a firewall that supports BGP.


On Tue, Apr 26, 2011 at 1:11 AM, Christopher J. Wargaski
<wargo1 at gmail.com> wrote:

> I have eBGP multi-hop set up between a third party provider's router in a
> DMZ and a branch router as such:
>
>
> Indy-Rtr--------------ASA inside interface
>                          ASA DMZ
> interface------------------DMZ-Rtr---(T-1)----PSvrs
>
> Indy-Rtr = 10.2.1.1
> DMZ-Rtr = 10.0.22.50
> ASA-inside = 10.2.1.3
> ASA-DMZ = 10.0.22.1
>
>
> The Indy-Rtr and the DMZ-Rtr exchange BGP routes just fine. Some of the
> traffic from the Indy branch must pass through the ASA and through the DMZ
> router to access some servers (PSvrs). I presently have static routes on
> the
> ASA so it knows which interface to route the traffic bound for the PSvrs.
>
> I presently redistribute some of the enterprise network routes from BGP
> into
> OSPF as such:
> router ospf 10
>  router-id 192.168.254.2
>  log-adjacency-changes
>  redistribute bgp 65001 subnets route-map BGP-to-OSPF
>  passive-interface FastEthernet0/1
>  passive-interface Serial0/0/0
>  passive-interface Serial0/1/0
>  network 10.2.0.0 0.0.7.255 area 0
>  network 10.2.8.0 0.0.7.255 area 0
>  network 192.168.0.0 0.0.0.255 area 0
>
> route-map BGP-to-OSPF permit 10
>  match ip address 10
>
> access-list 10 remark ACL for BGP route map
> access-list 10 permit 10.0.0.0 0.7.255.255
> access-list 10 permit 10.9.0.0 0.0.255.255
> access-list 10 permit 192.168.0.0 0.0.7.255
> access-list 10 permit 192.168.9.0 0.0.0.255
> access-list 10 permit 10.8.0.0 0.0.255.255
> access-list 10 permit 192.0.0.0 0.255.255.255
>
>   What I would like to do is take the routes that the Indy-Rtr receives
> from the DMZ router and send them to the ASA in OSPF. Easy enough, I can
> match on the IP address for the source of those routes and set the next
> hop,
> right? Something like this:
>
> route-map Stinky permit 10
>  match ip route-source 11
>  set ip next-hop 10.0.22.50
>
> access-list 11 remark ACL for Stinky route map
> access-list 11 permit host 10.0.22.50
>
>   When I apply this route-map (to OSPF), the routes are indeed
> redistributed, but the next hop is set as 10.2.1.1, the F0/0 IP address
> configured on the Indy router. Harumph!
>
>   Am I trying to teach a pig to sing here or do you think this is doable?
> If the latter, what might I be doing wrong?
>
> Regards,
> cjw
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
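As an added illustration (not part of the thread, and not Cisco's code), the following Python models how IOS evaluates the two route-maps quoted above: a standard ACL in `match ip address` is tested against the route's network address with wildcard-mask semantics, while `match ip route-source` is tested against the address of the router that advertised the route. The ACL text is a constructed copy of the lines in the post, the BGP routes are constructed sample input, and the function names are the example's own.

```python
import ipaddress

# Constructed copy of the ACLs from the post (ACL 10 for BGP-to-OSPF, ACL 11 for Stinky).
CONFIG = """
access-list 10 remark ACL for BGP route map
access-list 10 permit 10.0.0.0 0.7.255.255
access-list 10 permit 10.9.0.0 0.0.255.255
access-list 10 permit 192.168.0.0 0.0.7.255
access-list 10 permit 192.168.9.0 0.0.0.255
access-list 10 permit 10.8.0.0 0.0.255.255
access-list 10 permit 192.0.0.0 0.255.255.255
access-list 11 remark ACL for Stinky route map
access-list 11 permit host 10.0.22.50
"""

# Route-map clauses modelled as (seq, action, {match-type: acl}, {set-type: value}).
ROUTE_MAPS = {
    "BGP-to-OSPF": [(10, "permit", {"ip address": 10}, {})],
    "Stinky": [(10, "permit", {"ip route-source": 11}, {"ip next-hop": "10.0.22.50"})],
}

# Constructed BGP routes as (prefix, advertising router) for the demo.
SAMPLE_ROUTES = [
    ("10.9.1.0/24", "10.0.22.50"),    # from the DMZ router, inside 10.9.0.0/16
    ("10.120.0.0/16", "10.0.22.50"),  # from the DMZ router, not covered by ACL 10
    ("192.0.2.0/24", "10.2.1.1"),     # caught by the broad 192.0.0.0 0.255.255.255 entry
    ("172.16.5.0/24", "10.0.22.50"),  # falls through to ACL 10's implicit deny
]


def parse_standard_acls(text):
    """Return {acl_number: [(action, base, wildcard), ...]} for standard numbered ACLs."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        number, action = int(parts[1]), parts[2]
        if parts[3] == "host":
            base, wildcard = parts[4], "0.0.0.0"
        elif parts[3] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        else:
            base = parts[3]
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # IOS default when omitted
        acls.setdefault(number, []).append(
            (action, int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wildcard))))
    return acls


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr ^ base) & care == 0


def acl_permits(entries, addr):
    """First matching entry wins; an address no entry matches hits the implicit deny."""
    a = int(ipaddress.IPv4Address(addr))
    for action, base, wildcard in entries:
        if wildcard_match(a, base, wildcard):
            return action == "permit"
    return False


def evaluate_route_map(name, acls, prefix, route_source):
    """Return (seq, set-actions) of the first clause that matches and permits, else None."""
    net = ipaddress.IPv4Network(prefix)
    for seq, action, matches, sets in ROUTE_MAPS[name]:
        ok = True
        for kind, acl in matches.items():
            # 'ip address' tests the route's network number; 'ip route-source' the advertiser.
            target = str(net.network_address) if kind == "ip address" else route_source
            ok = ok and acl_permits(acls.get(acl, []), target)
        if ok:
            return (seq, sets) if action == "permit" else None
    return None  # no clause matched: the route is not redistributed


def redistributed_routes(name, routes, config=CONFIG):
    """Map each permitted prefix to the (seq, set-actions) that admitted it."""
    acls = parse_standard_acls(config)
    result = {}
    for prefix, source in routes:
        hit = evaluate_route_map(name, acls, prefix, source)
        if hit is not None:
            result[prefix] = hit
    return result


if __name__ == "__main__":
    for name in ROUTE_MAPS:
        print(name, redistributed_routes(name, SAMPLE_ROUTES))
```

Running it shows that BGP-to-OSPF admits 10.9.1.0/24 and 192.0.2.0/24 (the latter only because the final `192.0.0.0 0.255.255.255` entry matches any 192.x.x.x prefix), while Stinky admits every route whose source is 10.0.22.50 regardless of prefix; the model only decides which routes pass and which `set` clauses apply, not how the receiving protocol installs the next hop.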
