I recently came across a quirk in the ASA's implementation of OSPF that is widely known, but I thought I'd share it here anyway. With the firewall sitting at the security boundary, quite often with the outside interface connected to the Internet, you would most often just have a default route redistributed into OSPF, although of course you could also be talking OSPF to your service provider, depending on your situation.
However, in my home lab, the lab itself terminates on an ASA, which has its outside interface on my home LAN. I connect to my lab from that LAN through the ASA and so wish to advertise that network into the lab for reachability.
All well and good. Except that I have no OSPF speakers on my home LAN and the ASA, by virtue of the network statement that covers the outside interface, is now desperately trying to chat something up on 192.168.1.0/24. In my situation, this is mostly harmless. In another, it poses a security risk: anybody on that segment could in theory fire up an OSPF speaker, form an adjacency with the firewall, learn the internal routes and inject its own. Obviously there are ways to protect against this, e.g. MD5 authentication, but quickly firing up Wireshark shows me the traffic is there, and I hate seeing traffic on the wire that doesn't have to be (Dropbox LAN Sync, I'm looking right at you!).
OSPF passive interface
So it makes perfect sense to use the OSPF passive interface functionality in this scenario. This turns OSPF chatter off on an interface: in conjunction with the network statement for that subnet, I can advertise the network into OSPF, but OSPF will not send hellos or form adjacencies on the interface. Job done.
Except that, for some reason, the ASA does not support this. The passive-interface command exists under the RIP and EIGRP configuration modes but not under OSPF. One possible way to resolve this is as follows.
Let's remove the network statement for 192.168.1.0/24. This stops the network being advertised as an intra-area route and also stops OSPF talking on that interface. The redistribute connected subnets command then redistributes the connected subnets (duh, obviously!) into the OSPF process, so the home LAN is still reachable from the lab.
As a side note, redistribute connected subnets advertises subnets as they are configured on the interface, e.g. 192.168.1.128/25 would be advertised as such. If you leave the 'subnets' keyword off, only classful networks are redistributed; 192.168.1.128/25 is not a classful network, so in that example it would not be redistributed at all. There is a further quirk if redistribute connected subnets is already configured and you type redistribute connected on top of it to drop the keyword: the ASA warns that only classful networks will be redistributed, but if you check the running config the subnets keyword is still there and, in our example, 192.168.1.128/25 is still redistributed. You have to negate the full line first and then add it back without the keyword.
Perhaps somebody reading this has insight as to why this functionality has been left off the ASA platform. The workaround discussed above isn't perfect either: anything redistributed shows up as an external (O E2) route in the routing tables of the other OSPF routers rather than as an intra-area route, and quite often that isn't what you want.
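As an added example, not taken from the original post, here is the problem configuration beside the workaround, with the checks I would run after each step. It uses only the commands the post names; the interface names, addresses, area and process ID are assumptions for illustration.

```cisco
! Added example, not from the original post. Interface names, addresses,
! area and OSPF process ID are assumptions.
!
! --- Before: the home LAN subnet is covered by a network statement ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 0
!
! Check: 'outside' is listed as an OSPF interface, so hellos are sent on the
! home LAN and any host there can try to form an adjacency.
!   show ospf interface outside
!   show ospf neighbor
!
! --- Workaround: drop the network statement, redistribute connected instead ---
router ospf 1
 no network 192.168.1.0 255.255.255.0 area 0
 redistribute connected subnets
!
! Check: 'outside' no longer appears, yet 192.168.1.0/24 is still advertised,
! now as a type 5 external LSA (O E2 on the lab routers), not intra-area.
!   show ospf interface
!   show ospf database external
!
! --- Quirk: taking the 'subnets' keyword away again ---
! Entering 'redistribute connected' on top of the existing line only prints the
! classful warning; 'show running-config router ospf' still shows 'subnets'.
! Negate the whole line first, then re-add it:
router ospf 1
 no redistribute connected subnets
 redistribute connected
!
! --- Where hellos still have to flow (inside), authenticate them ---
interface GigabitEthernet0/1
 ospf authentication message-digest
 ospf message-digest-key 1 md5 <shared-key>
!
router ospf 1
 area 0 authentication message-digest
```

Note that redistribute connected pulls in every connected subnet, not just the home LAN; a route-map on the redistribute line can restrict it if you only want the one subnet. The MD5 block at the end is the protection the post mentions, applied to the interface where OSPF genuinely has to speak.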
Day 2 at Cisco Live London 2012 began with the immediate realisation that lots of attendees didn't come to yesterday's technical seminars. It was absolutely heaving with wall-to-wall nerds and geeks, with the dweebs sitting in the corner.
The first session of the day was the week's first keynote speech, given by Cisco's CTO, Padmasree Warrior. There was a big show with performers waving some light wand things about that generated different flags of the world on them, and lots of loud music, before an introduction by some bloke that I should probably know. Whilst Padmasree's talk wasn't anything revelatory (by that I mean it was pretty much all known or expected), it was good to hear a fairly complete set of Cisco's strategies reeled off in an hour-long session. There was a technical demonstration on the rather expensive looking kit below:
Apologies for the low quality pic, but the lighting was being all funky. It is basically a UCS system sitting on top of an EMC VNX storage device with Catalyst 6500 switches and some 'lower quality' non-Cisco switches. It was a video conferencing demo, but the cheese factor was turned up to 10 when the distinction was made between the Cisco super duper switches and the meh ones by showing a jittery video call being placed, then the Ethernet cable being taken out of the crap switch and plugged into a 3750, at which point the video was just perfect. I wonder how many other techie guys in the audience were like me and just wanted to console onto the crappy switch and check the config out!!
Another demonstration was carried out that was more impressive. The photo below doesn't really do it justice, but it was a video suite that acts like a green screen (but without being green; a more business-like grey was acceptable) and allows you to put in an active backdrop, e.g. perhaps a studio with a TV screen showing active content such as a video or presentation. They then 'teleported' one of the female UK 5K athletes onto the screen next to them from another video suite so they appeared side by side. I say you can't beat just picking up the bloody phone, but I was impressed by the technology nonetheless. The 'real people' can be seen on the far right, missing the athlete who appears on the screen.
After the keynote speech, I then had a couple of hours to browse around the various vendor stalls, as I had cancelled a session late last night on an introduction to UCS, which I felt was a duplicate of what I had learned in yesterday's technical seminar. I will cover the entire 'World of Solutions' floor this week, but today there were two stalls that I thought I would talk to you about, and unfortunately I do not have any photos, so you will need to go to their websites for more information.
The first was a company called SevOne (www.sevone.com), who provide a network performance management tool in the form of pretty much an all-in-one appliance, each model sized for a certain number of objects (ports/interfaces etc.). You pick the polling period and the first 30 days of data are stored (along with the bastardised Gentoo distro OS) on fast SSD drives. Data from 30 days to 12 months are stored on normal spinning disks, but the key difference from, say, Solarwinds Orion, which I am more familiar with, is that the device does not roll up any of the data, so in 10 months' time you can view the data as it was polled, not an hourly summary for example. Another good selling point was that buying the device buys you a high level of support too, so if you need to update the software they will do it remotely for you, they will help keep your database healthy, etc. Finally, the fact that it has NetFlow capabilities built in means that you can use it out of the box. A nice touch to the one-on-one demo I got was a zoom in on a particular network spike; a button click brought up the NetFlow data and the culprit flow was visible immediately. Quite a nice all-in-one solution from my first glance.
The second stall that I was impressed by were selling smartboards. I believe they may have been called Smartboard, but my memory is failing me! The simplicity with which these things operate was what first occurred to me. They were very intuitive and the guys hosting the booth knew it, as they stood back and just let people play about with them. The collaboration possibilities stood out a mile, as you can link multiple smartboards across physical locations for a true brainstorming session. There is an iPad app that would allow users of those devices to consume the content as well as add to it. The devices are PowerPoint aware, meaning you can open a presentation, add scribbles and notes etc. and save the presentation in its amended state.
It was actually at this stall that the nice Canadian chap (another attendee) I had been speaking to looked at my name badge, then at his phone, and said "are you Vegaskid?". It turned out it was @ghostinthenet, Jody Lemoine. It seemed slightly surreal to me to have been outed in such a manner, especially as I had replied to a tweet of his not more than an hour earlier. It's always nice to put a face to a name and we had lunch and a good chat. There was mention of net beers, which I believe is a tradition at such events, so I'm looking forward to a couple of those!
I won't dwell on these points too much, but a couple of disappointments today were the WiFi and the fact that one of my sessions, on fast routing convergence, was oversubscribed. The WiFi issue ran on all day, but the event organisers are reporting that it should all be fixed for tomorrow, so fingers crossed. The oversubscription issue was a little annoying, but thankfully it wasn't on my 'must go to' session list, so I didn't let it annoy me too much.
Later on, I also bumped into Ron Fuller (@ccie5851) at the Nexus stand and introduced myself. It's quite interesting how keen and good network engineers can be at the other kind of networking. We are quite the social animal!
I had a two-hour session in the afternoon based on enterprise WLANs which, whilst not deep-dive enough for me considering my recently acquired project to implement a two-controller, eight-AP solution, gave me enough to get on with it with a little more confidence. Below is a picture of the presenter, who was very comfortable with his subject matter.
That took me to 17:45, when the drinkypoos started. So what did I do? I grabbed a beer and a glass of wine, headed over to the walk-in labs and decided to take on the CCIE OSPF lab. Not for the first time today, I found myself in a surreal situation, with people getting merry all around me and these guys playing music just outside the lab area. Whilst good fun, I did find their musical talents a little stilted... oh dear, back to the day job Matt!
I realised about two questions from the end of my lab that I hadn't rung my wife and daughter to see how they were, so I did so before my iPhone battery gave up the ghost. Having got about 75% of the way through the topic of OSPF for my ROUTE exam, I found the CCIE lab at quite a good level to keep me on my toes. I think I'll maybe pop in for another one before the week is out.
Finally, the car attempting to break the world land speed record (at 1000mph apparently) was on display. Wouldn’t want to reverse park it!
OK, it’s now already Wednesday and I am goosed so that’s it for now.