I am trying to redistribute EIGRP routes from two AS numbers into OSPF so that my PA can learn the proper routes to the rest of the network, but I am running into a stumbling block since I only have one L3 interface connected to my internal network and the PA firewall will only allow a single OSPF area per interface.
The PA is at a remote, unmanned location so I don't have the option of configuring a second interface. Is there a way I can still accomplish my goal without configuring another L3 interface?
Here are the details of what I am trying to accomplish. I have two Cisco routers and a PA firewall connected on the same VLAN to a switch. Router #1 has EIGRP 100 configured, which needs to be redistributed to OSPF for the PA to learn. Router #2 has EIGRP 100 and EIGRP 101 configured. The routes from both of these AS numbers need to be redistributed to OSPF for the PA to learn, but I do not want router #1 to learn about the routes from AS 101. I had no problem configuring area 0 to create an OSPF neighbor with router #2 and to have the routes from AS 101 redistributed. When I try to create a new area to distribute the routes from AS 100, the PA requires a different interface than the one used for area 0.
I'm using a PA3020 with PANOS 7.1.
Since router#2 has both AS numbers, cant you within that router redistributed both 100 and 101 to OSPF? That way the PAN should learn all the routes and then you can filter on what to distribute back out?
Obvisously I dont know the full topology so its just a guess on my part.
One option is multi-area adjacency, but I highly doubt PA supports it.
Barring that, filtering within the same OSPF area is tough. Generally it's not something that you want to do, since the LSAs of every device in the area have to match. Is BGP an option for you? There's far more granularity in policy available.
Another option is to not filter the LSAs, but to modify the distance per neighbor, so that any routes from AS101 will not be installed into the RIB on R1.
Here's an article showing how you could do that but still have all three in the same area:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!