CPUG: The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

We recently moved one of our firewall clusters to SPLAT from Nokia. We do dynamic routing using OSPF on the cluster. A really nice feature on Nokia is the ability to very easily redistribute selected routes into OSPF. This was not as easy to accomplish in SPLAT, so I thought I would share my solution here for others that may have the same problem.

First you need to realize that routes added in the sysconfig utility on SPLAT are kernel routes, not static routes, from the gated perspective. All the IP addresses used have been randomized.

The following command needs to be entered in the OSPF config:

```
redistribute kernel route-map static-redist
```

where static-redist is the following route-map:

```
route-map static-redist permit 5
 match ip address prefix-list static-redist
 set metric-type type-1
exit
```

I used a prefix-list instead of an access-list because I personally find it easier to use CIDR notation rather than reverse masks, but you could use an access-list just as well. The prefix list contains the selected networks that I want to be injected into OSPF. Also I wanted the routes to be injected as type-1 routes instead of type-2 (the default) to maintain the metrics. The prefix-list is below:

```
ip prefix-list static-redist seq 5 permit 192.168.12.0/27 ge 27 le 27
ip prefix-list static-redist seq 10 permit 10.100.197.100/32 ge 32 le 32
ip prefix-list static-redist seq 15 permit 192.168.0.160/27 ge 27 le 27
ip prefix-list static-redist seq 20 permit 10.111.5.0/27 ge 27 le 27
```

The "ge 27 le 27" is a default that means exactly the network referenced. It does not need to be input in the config. Example would be:

```
ip prefix-list static-redist seq 5 permit 192.168.12.0/27
```

So the entire config looks like this:

```
ip prefix-list static-redist seq 5 permit 192.168.12.0/27 ge 27 le 27
ip prefix-list static-redist seq 10 permit 10.100.197.100/32 ge 32 le 32
ip prefix-list static-redist seq 15 permit 192.168.0.160/27 ge 27 le 27
ip prefix-list static-redist seq 20 permit 10.111.5.0/27 ge 27 le 27
route-map static-redist permit 5
 match ip address prefix-list static-redist
 set metric-type type-1
exit
router ospf 10
 restart-type signaled
 router-id 1.1.1.1
 network 192.168.15.10 0.0.0.7 area 0.0.0.0
 network 192.168.1.0 0.0.0.31 area 0.0.0.0
 network 192.168.2.0 0.0.0.31 area 0.0.0.0
 network 192.168.3.0 0.0.0.31 area 0.0.0.0
 network 192.168.4.0 0.0.0.31 area 0.0.0.0
 network 192.168.5.0 0.0.0.31 area 0.0.0.0
 authentication md5 1 [hidden]
 redistribute kernel route-map static-redist
exit
```

The restart-type signaled allows transparent failover of OSPF between cluster nodes for all adjacent Cisco devices. Overall I find the SPLAT solution to actually be better in terms of failover. The signaled restart feature, along with the FIB daemon that syncs the route tables between the two firewalls, causes no "ripple" effect to occur in OSPF. This was not true in the old Nokia solution, which was running in a VRRP cluster. Every time a failover would occur, OSPF would have to reform all adjacencies with neighbors.

Last edited by flawless_cowboy; 2007-10-21 at 10:21.
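An added example, not part of the post above: a small Python checker that applies the prefix-list semantics the post relies on (first matching entry wins, a bare prefix matches only its own length, `ge`/`le` widen the range, and an implicit deny at the end) to a list of kernel routes, so you can see which routes `redistribute kernel route-map static-redist` would inject into OSPF before committing. The prefix-list text is the post's; the kernel routes are constructed and deliberately include a default route and a wider aggregate that must stay out of OSPF.

```python
import ipaddress
import re

# One entry per line: ip prefix-list NAME seq N permit|deny PREFIX [ge G] [le L]
_PL_RE = re.compile(
    r"^ip prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) "
    r"(?P<prefix>\S+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)

def parse_prefix_list(text):
    """Return {name: [(seq, action, network, ge, le), ...]} ordered by seq."""
    lists = {}
    for line in text.strip().splitlines():
        m = _PL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised prefix-list line: {line!r}")
        net = ipaddress.ip_network(m["prefix"], strict=False)
        # No ge/le: exact length (the post's "ge 27 le 27" default); ge alone: ge..32; le alone: len..le
        ge = int(m["ge"]) if m["ge"] else net.prefixlen
        le = int(m["le"]) if m["le"] else (
            net.max_prefixlen if m["ge"] else net.prefixlen)
        lists.setdefault(m["name"], []).append(
            (int(m["seq"]), m["action"], net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])
    return lists

def prefix_list_permits(entries, route):
    """First matching entry decides; anything unmatched hits the implicit deny."""
    route = ipaddress.ip_network(route, strict=False)
    for _seq, action, net, ge, le in entries:
        if (route.version == net.version and route.subnet_of(net)
                and ge <= route.prefixlen <= le):
            return action == "permit"
    return False

def redistributed_routes(prefix_list_text, kernel_routes, name="static-redist"):
    # Kernel routes that "match ip address prefix-list NAME" would let through
    entries = parse_prefix_list(prefix_list_text).get(name, [])
    return [r for r in kernel_routes if prefix_list_permits(entries, r)]

# Constructed sample: the post's prefix-list plus kernel routes that must NOT leak (default, /26, /28)
PREFIX_LIST_TEXT = """
ip prefix-list static-redist seq 5 permit 192.168.12.0/27 ge 27 le 27
ip prefix-list static-redist seq 10 permit 10.100.197.100/32 ge 32 le 32
ip prefix-list static-redist seq 15 permit 192.168.0.160/27 ge 27 le 27
ip prefix-list static-redist seq 20 permit 10.111.5.0/27 ge 27 le 27
"""
KERNEL_ROUTES = ["0.0.0.0/0", "192.168.12.0/26", "192.168.12.0/27",
                 "192.168.12.0/28", "10.100.197.100/32", "10.111.5.0/27"]
```

Running `redistributed_routes(PREFIX_LIST_TEXT, KERNEL_ROUTES)` returns only the three routes the prefix-list names exactly; the default route, the /26 aggregate and the /28 subnet are dropped by the implicit deny.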