Screen OS

Hi,

as the topic says: If you have an inactive route because of bad metric, is this route advertised, so that all the other Routers/Firewalls know that there is a second path with higher metric? I think its not or am I wrong? Is there any way to force advertisement of alternative inactive routes?

Example:

Untrust-VR:

*3 10.1.1.0/24        eth2           10.1.3.1       E1    60    25 root

Trust-VR:

*2 10.1.1.0/24        eth1           10.1.2.1      E1    60     15 root
  1 10.1.1.0/24        n/a            untrust-vr      E1I   60     20 root

I guess I won't see an advertisement for the Untrust-VR route, right? Any way to force this?

The VRs maintain separate routing tables.

If you're already advertising a route for 10.1.1.0/24 from the Trust VR, advertising another one isn't going to change where traffic goes, it would still have the next hop of the Trust VR for the network attached to that VR.

If you want to advertise a 10.1.1.0/24 route to different routers in the Untrust VR, you would need to configure another OSPF instance in the Untrust VR and peer with routers via that VR.

Hey,

thanks for your reply. I've got seperate VRouters running and two OSPF instances. The routes are exported

[...]

set export-to vrouter "trust-vr" route-map "all"  protocol ospf
set export-to vrouter "trust-vr" route-map "all-connected"  protocol connected
set export-to vrouter "untrust-vr" route-map "all-f"  protocol ospf
set export-to vrouter "untrust-vr" route-map "all-f"  protocol connected
set export-to vrouter "untrust-vr" route-map "all-f"  protocol static
[...]

I've got a device that doesn't show up the second route (with bad metric). Not sure if it will if the active route fails. Thats all I worry about..

If the active route to 10.1.1.0/24 in the trust-VR goes away, then the next route will activate and, assuming you have your OSPF peers reachable via other interfaces (if eth1 is down...), the 10.1.1.0/24 route will be advertised.