I remove the PPPoE_Server link interface from the bridge and give them a 10.10.2.1/30 IP on their ethernet interfaces.
And here are the IP and OSPF settings at the gateway router:

add address=10.10.0.3/23 interface=Router2 network=10.10.0.0
add address=10.10.2.1/30 interface=ether1-PPPoE-Server network=10.10.2.0
add address=10.255.255.1 interface=loopback network=10.255.255.1

set redistribute-connected=as-type-1 router-id=10.255.255.1
add authentication=simple authentication-key=xxxx interface=Router2 network-type=broadcast priority=2
add authentication=simple authentication-key=xxxx interface=ether1-PPPoE-Server network-type=broadcast
add authentication-key=xxxx interface=loopback network-type=broadcast
add area=backbone network=10.255.255.1/32

add address=10.10.2.2/30 interface=ether1-10.10.0.3 network=10.10.2.0
add address=10.255.255.2 interface=LoopBack network=10.255.255.2

set redistribute-connected=as-type-1 router-id=10.255.255.2
add authentication=simple authentication-key=xxx interface=ether1-10.10.0.3 network-type=broadcast
add authentication=simple authentication-key=xxx interface=LoopBack network-type=broadcast
add area=backbone network=10.255.255.2/32

Am I going the correct way to remove bridges and go to a routed network? And also, do I need to add the loopback IP to the OSPF network (area=backbone network=10.255.255.2/32)?
Can I use 10.10.2.0/24 instead of 10.10.2.0/30 at /routing ospf network? Because I will remove every device from the bridge step by step and I would like to use the 10.10.2.0/24 range.
On some routers there are 3-4 devices on their ether interfaces and I connect them to each other with /30 IP addresses. So at the /routing ospf network segment, I enter every interface IP into networks like 10.10.2.5/30, 10.10.2.1/30, 10.10.2.20/30; so here, is it better to use /24 or better to use /30?

You could use network=10.10.2.0/24 and then any /30 interface within that /24 block would become active in OSPF. The drawback to this method is that it's an all-or-nothing proposition. You couldn't individually disable OSPF on any particular interface within that range if the need were to arise. IMO, it's better to explicitly define each interface with its own network=x.x.x.x/30 entry to give yourself the 100% granularity that will come in handy later. In IPv6, you must define each interface explicitly anyway, so you may as well get used to that being a part of the process.

I'd also suggest that you set the default ospf interface to be passive=yes, and then go add each interface manually where you actually want adjacencies to form. This way, you can activate other interfaces where you do NOT want adjacencies (i.e. the pppoe interfaces) so that you don't need to redistribute connected routes into OSPF. Just issue a network statement that covers those, and then these interfaces will be properly included as interior OSPF destinations.

The reason you want this is so that as your network grows, if you need to partition it into areas, you can do so and the size of the routing table will be more manageable / LSA flooding won't have to go everywhere in the network as it would with external routes, which go trucking right through area boundaries. The only way to manage the number of E routes is to aggregate them at the ASBR originating them, or to use NSSAs to block them from entering into those areas. In general, I'd say that minimizing your external OSPF routes should be a design goal.

(1) In the Input chain I would take this rule.
Change it to this (as this rule includes everything noted above and more) and put it as your last rule in the input chain.
add action=drop chain=input comment="Drop all else" !dstnat connection-state=new in-interface-list=WAN
(i.e.
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
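The reply's advice about rule placement in the input chain is easiest to check by walking packets through the chain in order. The following is an added example, not code from the thread or from MikroTik: it parses rules written in the `add key=value ...` export syntax quoted in the reply and evaluates constructed packets against them first-match, the way a RouterOS filter chain does for the terminating actions accept and drop. The ruleset is built from the defconf input rules quoted above plus the proposed final "Drop all else" rule; the loopback rule (its address is cut off in the post) and the bare `!dstnat` token are left out. The packet attributes, interface-list memberships and the `(no rule matched; chain default)` wording are assumptions made up for the walk-through.

```python
"""First-match walk through a RouterOS /ip firewall filter input chain.

Added example, not code from the thread or from MikroTik. Rules are parsed from
the 'add key=value ...' export syntax; packets are dicts carrying only the
attributes the matchers look at. Everything below is constructed for the demo.
"""
import shlex
from dataclasses import dataclass, field

# Constructed ruleset in RouterOS export syntax (input chain only).
RULES_TEXT = """
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="Drop all else" connection-state=new in-interface-list=WAN
"""

# Matcher keys this walk-through understands; an unknown key raises instead of silently matching everything.
MATCHERS = {"connection-state", "protocol", "in-interface-list", "dst-address", "connection-nat-state"}


@dataclass
class Rule:
    action: str
    chain: str
    comment: str
    matchers: dict = field(default_factory=dict)  # key -> (negated, set of accepted values)


def parse_rule(line: str) -> Rule:
    """Parse one 'add ...' line; shlex takes care of the quoted comment="..." value."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError(f"not an 'add' rule: {line!r}")
    action = chain = comment = ""
    matchers = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        if key == "action":
            action = value
        elif key == "chain":
            chain = value
        elif key == "comment":
            comment = value
        elif key in MATCHERS:
            negated = value.startswith("!")  # e.g. in-interface-list=!LAN
            matchers[key] = (negated, set(value.lstrip("!").split(",")))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return Rule(action, chain, comment, matchers)


def parse_rules(text: str) -> list:
    return [parse_rule(line) for line in text.strip().splitlines() if line.strip()]


def rule_matches(rule: Rule, packet: dict) -> bool:
    """All matchers must hold. A negated matcher holds when the packet value is absent from the
    set, so a packet from an interface in no list at all still matches in-interface-list=!LAN."""
    for key, (negated, values) in rule.matchers.items():
        in_set = packet.get(key) in values
        if in_set == negated:
            return False
    return True


def evaluate(rules: list, packet: dict, chain_default: str = "accept") -> tuple:
    """Return (verdict, comment of the deciding rule). The chain is first-match for the
    terminating actions accept/drop; a packet no rule matches falls through to the chain
    default, which is accept for the built-in input chain."""
    for rule in rules:
        if rule.chain == packet["chain"] and rule.action in ("accept", "drop") and rule_matches(rule, packet):
            return rule.action, rule.comment
    return chain_default, "(no rule matched; chain default)"


def move_rule_first(rules: list, comment: str) -> list:
    """Copy of the chain with the rule carrying `comment` moved to the top, to show that order matters."""
    picked = [r for r in rules if r.comment == comment]
    return picked + [r for r in rules if r.comment != comment]


# Constructed packets. in-interface-list is None for an interface in neither list,
# e.g. a freshly routed /30 link that was never added to the LAN list.
SAMPLE_PACKETS = {
    "DNS reply to the router's own query, from WAN": {"chain": "input", "connection-state": "established", "in-interface-list": "WAN", "protocol": "udp"},
    "new SSH attempt from WAN": {"chain": "input", "connection-state": "new", "in-interface-list": "WAN", "protocol": "tcp"},
    "ping from WAN": {"chain": "input", "connection-state": "new", "in-interface-list": "WAN", "protocol": "icmp"},
    "new Winbox session from LAN": {"chain": "input", "connection-state": "new", "in-interface-list": "LAN", "protocol": "tcp"},
    "OSPF hello on an unlisted /30 link": {"chain": "input", "connection-state": "new", "in-interface-list": None, "protocol": "ospf"},
}


def evaluate_all(rules: list, packets: dict = SAMPLE_PACKETS) -> dict:
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    chain = parse_rules(RULES_TEXT)
    for name, (verdict, why) in evaluate_all(chain).items():
        print(f"{verdict:6}  {name}  <- {why}")
    print("--- with 'Drop all else' moved to the top ---")
    for name, (verdict, why) in evaluate_all(move_rule_first(chain, "Drop all else")).items():
        print(f"{verdict:6}  {name}  <- {why}")
```

Two things the walk makes visible that are easy to miss when reading the export: with the drop rule placed last, ping from WAN is still answered because the ICMP accept sits above it, whereas moving the same rule to the top drops the ping, which is why the reply insists on "last rule in the input chain"; and a hello arriving on a routed /30 link that has not been added to the LAN interface list is dropped by the defconf "drop all not coming from LAN" rule, so when replacing bridge ports with routed links the interface lists have to be maintained alongside the OSPF network entries.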