ScreenOS Firewalls (NOT SRX)

Copy vrouter contents to another vrouter (One way)

‎06-04-2012 04:14 PM

Hi folks,

I have the following setup:

Internal router <<<<<<< ISG 1000 >>>>>>>>>>>>>>>> External router

Netscreen ISG 1000 with Untrust and Trust vrouters. Both vrouters are part of OSPF area 0 and have neighborship established with two different routers. My question is: I need to leak all the untrust-vr routes coming from the external router to the trust-vr, which will publish these routes to the internal router. I believe regular route leaking should solve this problem, but in route leaking I have to specify which routes will be imported, and this is not valid in my case, as I have around 120 routes and they change over time.

PS: for security reasons I want to leak the routes coming from the external router to the internal router, but not vice versa.

Any ideas?

Thanks in advance


Re: Copy vrouter contents to another vrouter (One way)

‎06-04-2012 09:32 PM

You can configure the device to import only external OSPF (E1 & E2) routes from one VR to the other.

You need to follow the steps mentioned below:

1. Configure an access list to allow 0.0.0.0/0.

2. Configure a route-map that matches the above access list and also the external type-1 and type-2 routes:

set route-map name "test" permit 1
set match ip 1
set match route-type type1-external-ospf
exit
set route-map name "test" permit 2
set match ip 1
set match route-type type2-external-ospf
exit

3. Apply this route-map on the import rule in trust-vr to import only the routes matching the above route-map.


Re: Copy vrouter contents to another vrouter (One way)

‎06-05-2012 03:03 AM

So the configuration should be like the following:

set vrouter untrust-vr
FW(untrust-vr)-> set access-list 2 permit ip 0.0.0.0/0 10

FW(untrust-vr)-> set route-map name rtmap2 permit 10
FW(untrust-vr/rtmap2-10)-> set match ip 2
FW(untrust-vr/rtmap2-10)-> set match route-type type1-external-ospf
FW(untrust-vr/rtmap2-10)-> exit

FW(untrust-vr)-> set route-map name rtmap2 permit 20
FW(untrust-vr/rtmap2-20)-> set match ip 2
FW(untrust-vr/rtmap2-20)-> set match route-type type2-external-ospf
FW(untrust-vr/rtmap2-20)-> exit

FW(untrust-vr)-> set export-to vrouter trust-vr route-map rtmap2 protocol ospf

Thanks; please check it and confirm back 🙂


Re: Copy vrouter contents to another vrouter (One way)

‎06-05-2012 03:08 AM

Yes, this looks good. Should work fine.


Re: Copy vrouter contents to another vrouter (One way)

‎06-05-2012 09:09 AM

Hello Sarab,

The situation now: the routes are exported to the trust virtual router but haven't moved to the internal router. Is there anything needed to make these routes move to the other router?

- Another thing I noticed: I couldn't find the exported routes in the get vrouter trust protocol ospf database output; however, I can find them with the get vrouter trust command and get route.

Thanks


Re: Copy vrouter contents to another vrouter (One way)

‎06-05-2012 09:33 PM
Hi, I am sorry, I didn't understand the query. Do you mean the route export to the trust VR is working fine, i.e. you are seeing a tag on the routes exported to the trust VR? And now you want to move those routes to another VR?

Re: Copy vrouter contents to another vrouter (One way)

‎06-12-2012 05:54 PM
OSPF won't pick up the routes automatically. Once your routes are imported (leaked) into the trust VR, you need to redistribute the imported routes into OSPF. This is done under the OSPF configuration for the trust VR.
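Putting the two replies together (the access-list, route-map and export steps from the first answer, and the closing note that leaked routes still have to be redistributed into OSPF), here is the complete one-way leak as an added example. It is not configuration from any post in this thread. It assumes the vrouters are named untrust-vr and trust-vr, that OSPF is already running in both and peering with the two routers, and that access-list 2 and route-map rtmap2 (from the thread) plus access-list 3 and route-map rtmap-leaked (new names chosen here) are unused on the device. Lines beginning with # are annotations and are not ScreenOS input; drop them before pasting.

```text
# untrust-vr: select the OSPF external (E1/E2) routes learned from the external router
# 0.0.0.0/0 with a /0 mask in an access-list matches every prefix, so the route-type
# match is what actually narrows the selection to E1 and E2 routes.
set vrouter untrust-vr
set access-list 2 permit ip 0.0.0.0/0 10
set route-map name rtmap2 permit 10
set match ip 2
set match route-type type1-external-ospf
exit
set route-map name rtmap2 permit 20
set match ip 2
set match route-type type2-external-ospf
exit
# export-to is configured in the SOURCE vrouter and names the DESTINATION vrouter;
# the route-map must exist in the source vrouter (untrust-vr).
set export-to vrouter trust-vr route-map rtmap2 protocol ospf
exit

# trust-vr: the leaked routes now appear in this routing table with source "imported",
# but OSPF does not advertise them until they are redistributed.
# Redistributing only "imported" routes (assumed keyword for routes leaked from another
# vrouter) keeps trust-vr's own OSPF, static and connected routes out of this rule.
set vrouter trust-vr
set access-list 3 permit ip 0.0.0.0/0 10
set route-map name rtmap-leaked permit 10
set match ip 3
exit
set protocol ospf
set redistribute route-map rtmap-leaked protocol imported
exit
exit

# Nothing is configured in trust-vr with export-to/import-from toward untrust-vr,
# so trust-side prefixes never reach the external router: the leak is one-way.

# checks
get vrouter trust-vr route
get vrouter trust-vr protocol ospf database
get vrouter untrust-vr route
```

In the first check the leaked prefixes should be listed with the imported route source; in the second they should now appear as external LSAs, which is exactly what was missing in the symptom described earlier in the thread (routes visible in get route but absent from the OSPF database). The third check confirms no trust-vr prefix has appeared in untrust-vr. Two caveats a practitioner should keep in mind: the route-map only matches E1/E2 routes, so intra-area or inter-area prefixes the external router advertises are not leaked by it; and route leaking only shares reachability, so traffic between the two sides is still governed entirely by the firewall policies, not by the direction of the leak.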