IGP in ASA Firewall
Routing Information Protocol (RIP):
- RIP is a distance-vector protocol. Only RIPv2 carries subnet masks and supports authentication, so the RIP process should be set to version 2 explicitly rather than left at the defaults below.

- By default, an ASA sends routing updates as RIPv1 but accepts updates in either RIPv1 or RIPv2 format.
- If the ASA has a default route and we want it advertised to the other RIPv2 routers, use the following command:
Ciscoasa(config-router)# default-information originate
- Identify any passive interface. The ASA still advertises that interface's subnet and still listens for updates on it, but sends no RIP updates out of it:
Ciscoasa(config-router)# passive-interface {default | <interface>}
- We can filter the RIPv2 routing information that is sent or received on an ASA interface by applying a distribute list.

- In a nutshell, a distribute list uses a standard IP access list to identify specific routes: routes matching a permit statement are accepted (inbound) or advertised (outbound), whereas routes matching a deny statement, or matching no statement at all (every ASA access list ends with an implicit deny), are filtered out. Note that the mask in an ASA standard access list is a subnet mask, not the wildcard mask IOS uses.
Ciscoasa(config)# access-list <acl-id> standard {permit | deny} <ip-address> <mask>
Ciscoasa(config-router)# distribute-list <acl-id> {in | out} interface <interface>
- Use RIPv2 authentication on the ASA interface. Prefer md5 over text: text mode sends the key in clear text in every update, so it only prevents accidental peering, not a spoofed update. The key string and key ID must match on every neighbor on that segment.
Ciscoasa(config-if)# rip authentication mode {text | md5}
Ciscoasa(config-if)# rip authentication key <key-string> key_id <id>
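The commands above combined into one configuration, as an added example that is not part of the original post. It assumes a hypothetical ASA with an inside interface (10.1.1.1/24, internal RIPv2 routers), a dmz interface (172.16.1.1/24, DMZ routers) and an outside interface (192.0.2.2/24, ISP, no routing protocol); interface names, addresses, ACL names and keys are all assumptions. The DMZ routers receive the default route but never learn the internal 10/8 space, and anything they try to inject other than DMZ prefixes is dropped.

```text
! Added example, not from the original post. Hypothetical ASA with three
! interfaces (all names, addresses and keys are assumed):
!   inside  10.1.1.1/24     internal routers, RIPv2 neighbors
!   dmz     172.16.1.1/24   DMZ routers, RIPv2 neighbors
!   outside 192.0.2.2/24    ISP, no routing protocol at all
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ! RIPv2 MD5 authentication; key string and key_id must match on
 ! every neighbor on this segment.
 rip authentication mode md5
 rip authentication key In51d3K3y key_id 1
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
 rip authentication mode md5
 rip authentication key DmzK3y key_id 1
!
! Static default route towards the ISP; RIP will advertise it.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Outbound filter for the DMZ: never advertise the internal 10/8 space to
! DMZ routers. ASA standard ACLs take a subnet mask, not a wildcard mask,
! and end with an implicit deny, so the trailing "permit any" is required.
access-list RIP-DMZ-OUT standard deny 10.0.0.0 255.0.0.0
access-list RIP-DMZ-OUT standard permit any
!
! Inbound filter for the DMZ: accept only DMZ prefixes (172.16.0.0/12).
! A 10/8 route or a default route injected from the DMZ is dropped.
access-list RIP-DMZ-IN standard permit 172.16.0.0 255.240.0.0
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 172.16.0.0
 ! Send updates only where we actually have neighbors.
 passive-interface default
 no passive-interface inside
 no passive-interface dmz
 ! Advertise the static default route to the RIPv2 neighbors.
 default-information originate
 distribute-list RIP-DMZ-OUT out interface dmz
 distribute-list RIP-DMZ-IN in interface dmz
```

Verify the result with "show rip database" and "show route rip": the DMZ router's table should contain the default route and nothing from 10/8, and the ASA's table should contain no DMZ-learned route outside 172.16.0.0/12.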
Enhanced Interior Gateway Routing Protocol (EIGRP):

- EIGRP runs directly over IP as protocol number 88 (not over TCP or UDP) and discovers neighbors with hellos sent to the multicast group 224.0.0.10; an access rule that must let EIGRP through permits IP protocol 88, not a port.

- The passive-interface command works as in RIP. Use it when we want the interface's subnet advertised but do not want the interface to participate in EIGRP exchanges: no hellos are sent, so no neighbor adjacency can form on that interface.
- By default, EIGRP automatically summarizes subnet routes into classful network routes when they are advertised across a classful network boundary.

- If we have subnets of the same classful network that are split across ASA interfaces or across EIGRP routers (a discontiguous network), we should disable automatic summarization with the following EIGRP command; otherwise both sides advertise the same classful summary and traffic for one side gets blackholed on the other:
Ciscoasa(config-router)# no auto-summary

- With automatic summarization disabled, the firewall can still advertise a manually configured summary address on a specific interface (note the eigrp keyword and the AS number):
Ciscoasa(config-if)# summary-address eigrp <as-num> <address> <mask> [distance]
- Redistribution into EIGRP. Routes learned from RIP or OSPF carry no EIGRP metric, so supply the five metric components with the metric keyword or the redistributed routes will not be advertised:
Ciscoasa(config-router)# redistribute {rip | static | connected} [metric <bandwidth> <delay> <reliability> <load> <mtu>] [route-map <map_name>]
Ciscoasa(config-router)# redistribute ospf <pid> [match {internal | external [1 | 2] | nssa-external [1 | 2]}] [metric <bandwidth> <delay> <reliability> <load> <mtu>] [route-map <map_name>]
- Use stub routing for an ASA with a single exit point.

- If the ASA has a single connection to the outside world through a neighboring router, it can become an EIGRP stub router.

- As a stub, it receives routes (usually a default route) from its neighbor but advertises only the route types listed in the command; the neighbor never sends it queries and never uses it as a transit path. With receive-only the ASA advertises nothing at all.
Ciscoasa(config-router)# eigrp stub {receive-only | [connected] [redistributed] [static] [summary]}
- Authentication is configured per interface. MD5 is the only mode; the key and key ID must match on the neighbor:
Ciscoasa(config)# interface <interface>
Ciscoasa(config-if)# authentication mode eigrp <as-num> md5
Ciscoasa(config-if)# authentication key eigrp <as-num> <key-string> key-id <key-id>
- Filter EIGRP updates with a distribute list. The command is distribute-list, as for RIP; without the interface keyword the filter applies to every EIGRP interface:
Ciscoasa(config-router)# distribute-list <acl-id> {in | out} [interface <interface>]
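The EIGRP points above assembled into one configuration, as an added example that is not from the original post. It assumes a hypothetical ASA that is a stub in EIGRP AS 100 behind a single edge router on the outside (192.168.100.1), with inside (10.1.1.0/24) and dmz (10.1.2.0/24) subnets and one static route to a partner network; all names, addresses, keys and metric values are assumptions. The 10.1.x.0/24 subnets sit behind a 192.168.100.0 classful boundary, which is exactly the case where auto-summary would advertise a bogus 10.0.0.0/8.

```text
! Added example, not from the original post. Hypothetical ASA acting as an
! EIGRP AS 100 stub behind a single edge router (all names, addresses and
! keys are assumed):
!   outside 192.168.100.2/24   only EIGRP neighbor: edge router 192.168.100.1
!   inside  10.1.1.1/24        internal subnet, no EIGRP neighbors
!   dmz     10.1.2.1/24        DMZ subnet, no EIGRP neighbors
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0
 ! MD5 authentication towards the edge router (same key and key-id there).
 authentication mode eigrp 100 md5
 authentication key eigrp 100 Edg3K3y key-id 1
 ! Advertise one 10.1.0.0/16 summary upstream instead of each /24.
 summary-address eigrp 100 10.1.0.0 255.255.0.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.1.2.1 255.255.255.0
!
! A partner network reachable through an internal router; EIGRP should
! carry it upstream as a redistributed static route.
route inside 10.9.0.0 255.255.0.0 10.1.1.254 1
!
! Inbound filter on outside: the edge router must never feed us routes for
! our own 10/8 space (route injection / traffic redirection). Implicit deny
! at the end, so "permit any" keeps the default route and everything else.
access-list EIGRP-OUTSIDE-IN standard deny 10.0.0.0 255.0.0.0
access-list EIGRP-OUTSIDE-IN standard permit any
!
router eigrp 100
 network 192.168.100.0 255.255.255.0
 network 10.1.1.0 255.255.255.0
 network 10.1.2.0 255.255.255.0
 ! 10.1.x.0/24 sits behind a 192.168.100.0 classful boundary; without this
 ! line EIGRP would advertise 10.0.0.0/8 upstream instead of the /16 summary.
 no auto-summary
 ! Advertise the inside and dmz subnets but send no hellos there, so no
 ! device in the DMZ can ever form an adjacency with the firewall.
 passive-interface inside
 passive-interface dmz
 ! A static route has no EIGRP metric: bandwidth delay reliability load mtu.
 redistribute static metric 10000 100 255 1 1500
 ! Stub: receive routes (the default) from the edge router, advertise only
 ! connected, redistributed static and summary routes, never act as transit.
 eigrp stub connected static summary
 distribute-list EIGRP-OUTSIDE-IN in interface outside
```

Check with "show eigrp neighbors" (exactly one neighbor, on outside) and "show eigrp topology": the edge router should see 10.1.0.0/16 and 10.9.0.0/16 from the ASA and nothing else, and the ASA should hold no 10/8 route learned from outside.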
Open Shortest Path First (OSPF):

- By default, an ASA generates a logging message when an OSPF neighbor adjacency goes up or down. An unexpected adjacency on the outside interface is worth alerting on, so keep this enabled; the detail keyword also logs the reason for each state change:
Ciscoasa(config-router)# log-adj-changes [detail]
- An ASA can advertise a default route as an external route with the following command. Without always, the default is advertised only while the ASA itself has a default route in its routing table; with always it is advertised unconditionally, which blackholes traffic if the ASA loses its own default route:
Ciscoasa(config-router)# default-information originate [always] [metric <value>] [metric-type {1 | 2}] [route-map <name>]
- By default, all OSPF routes have an administrative distance of 110. We can set distinct distances for intra-area, inter-area and external routes:
Ciscoasa(config-router)# distance ospf [intra-area <d1>] [inter-area <d2>] [external <d3>]
- We can adjust the OSPF route calculation timers:
Ciscoasa(config-router)# timers {spf <spf_delay> <spf_holdtime> | lsa-group-pacing <seconds>}
The OSPF process waits spf_delay (default 5 seconds) after receiving a topology change before starting the SPF calculation, and waits spf_holdtime (default 10 seconds) between two consecutive calculations. Lowering these speeds up convergence at the cost of extra CPU while a link is flapping. The lsa-group-pacing keyword tunes how LSAs are gathered and refreshed or aged as a group at regular intervals (default 240 seconds).
- Authenticate OSPF neighbors in an area. The area command enables authentication for every interface in that area, and each interface then needs its own key. Use message-digest (MD5): the plain-password alternative sends the key in clear text in every OSPF packet.
Ciscoasa(config-router)# area <area-id> authentication [message-digest]
Ciscoasa(config)# interface <interface>
Ciscoasa(config-if)# ospf message-digest-key <key-id> md5 <key>
Ciscoasa(config-if)# ospf authentication message-digest
- Make an area a stub area if there is only one path into and out of it; external (type 5) LSAs are then replaced by a default route from the ABR. Every router in the area must agree on the stub flag or adjacencies will not form.
Ciscoasa(config-router)# area <area-id> stub [no-summary]
The no-summary keyword creates a totally stubby area, which also suppresses inter-area (type 3) summary LSAs, leaving only the default route.
- Route filtering: if an ASA is configured as an ABR, it sends type 3 (summary) LSAs between the areas it touches.

- This means that the networks in each area are advertised into the other areas.

- We would not want private networks to be advertised towards the outside, for security and address translation reasons, so we define a prefix list:
Ciscoasa(config)# prefix-list <list-name> [seq <seq_number>] {permit | deny} <prefix>/<len> [ge <min_value>] [le <max_value>]
- Unlike RIPv2 and EIGRP, OSPF does not use a distribute list to filter the routes it advertises, because every OSPF router in an area must hold an identical copy of the link-state database. LSAs cannot be filtered inside an area, only at an area border (type 3 LSAs) or at a redistribution point.

- For example, to permit advertisement of routes that fall within 172.16.0.0/16 and have any mask length between 16 and 24 bits (so 172.16.0.0/16 and 172.16.10.0/24 match, but 172.16.10.0/25 and 10.0.0.0/8 do not):
Ciscoasa(config)# prefix-list LIST permit 172.16.0.0/16 ge 16 le 24
A prefix list ends with an implicit deny, so this list also blocks every prefix it does not mention.

- Next, apply the prefix list to filter type 3 LSAs into (in) or out of (out) an area with the following command:
Ciscoasa(config-router)# area <area-id> filter-list prefix <list-name> {in | out}
- Summarize routes between areas on the ABR. The not-advertise keyword suppresses the whole range, which is another way to keep an internal block out of other areas:
Ciscoasa(config-router)# area <area-id> range <ip-address> <netmask> [advertise | not-advertise]
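The OSPF commands above in one configuration, as an added example that is not from the original post. It assumes a hypothetical ASA acting as an ABR (and ASBR for the default route) between the outside in area 0 (192.0.2.2/24, upstream router 192.0.2.1) and the inside in area 1 (172.16.1.1/24), where the internal routers also carry 172.16.x.0/24 user subnets and a 10.99.0.0/16 management block that must never be advertised past the firewall; all names, addresses and keys are assumptions.

```text
! Added example, not from the original post. Hypothetical ASA acting as an
! OSPF ABR between the outside (area 0) and the inside (area 1); all names,
! addresses and keys are assumed:
!   outside 192.0.2.2/24    area 0, upstream router 192.0.2.1
!   inside  172.16.1.1/24   area 1; internal routers also carry 172.16.x.0/24
!                           user subnets and a 10.99.0.0/16 management block
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 ! MD5 key for area 0; key-id and key must match the upstream router.
 ospf message-digest-key 1 md5 Ar3a0K3y
 ospf authentication message-digest
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
 ospf message-digest-key 1 md5 Ar3a1K3y
 ospf authentication message-digest
!
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Type 3 LSA filter: the management block must never leave area 1.
! Prefix lists end with an implicit deny, so the last line re-permits
! everything else (0.0.0.0/0 le 32 matches any prefix of any length).
prefix-list AREA1-OUT seq 10 deny 10.99.0.0/16 le 32
prefix-list AREA1-OUT seq 20 permit 0.0.0.0/0 le 32
!
router ospf 1
 router-id 192.0.2.2
 network 192.0.2.0 255.255.255.0 area 0
 network 172.16.1.0 255.255.255.0 area 1
 ! Log every adjacency change with its reason; a new neighbor on the
 ! outside segment is something the SOC should see.
 log-adj-changes detail
 ! Authentication is enabled per area; the interface keys above supply it.
 area 0 authentication message-digest
 area 1 authentication message-digest
 ! Area 1 is a stub: no type 5 LSAs enter it, the internal routers get a
 ! default route from this ABR. Every router in area 1 must also be stub.
 area 1 stub
 ! Advertise one 172.16.0.0/16 summary into area 0 instead of every /24.
 area 1 range 172.16.0.0 255.255.0.0 advertise
 ! Apply the prefix list to type 3 LSAs leaving area 1.
 area 1 filter-list prefix AREA1-OUT out
 ! Inject the static default into area 0 as an external type 1 route.
 ! No "always": if the static route disappears, so does the advertised default.
 default-information originate metric 10 metric-type 1
 ! Keep OSPF-internal routes preferred over external ones.
 distance ospf intra-area 110 inter-area 110 external 120
```

On the upstream router, "show ip ospf database summary" should list 172.16.0.0/16 and nothing from 10.99.0.0/16; on the ASA, "show ospf neighbor" confirms both adjacencies are FULL, which they will not be if the key-id or key differs on either side.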
Route-Map Redistribution Example:

Ciscoasa(config)# access-list REDISTRIBUTE standard permit {host <ip-address> | <network> <netmask>}
Ciscoasa(config)# route-map RMAP permit 10
Ciscoasa(config-route-map)# match ip address REDISTRIBUTE
Ciscoasa(config)# router eigrp 100
Ciscoasa(config-router)# redistribute {ospf <pid> | rip} metric <bandwidth> <delay> <reliability> <load> <mtu> route-map RMAP
Only routes matching a permit entry of the access list pass the route map; a route map, like an access list, ends with an implicit deny, so every other route stays out of EIGRP.
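The template above with concrete values, as an added example that is not from the original post. It assumes a hypothetical ASA that runs OSPF process 1 on the outside and EIGRP AS 100 on the inside, and that only two OSPF-learned prefixes are allowed into EIGRP; the prefixes, names and metric values are assumptions.

```text
! Added example, not from the original post. Hypothetical ASA running
! OSPF process 1 on the outside and EIGRP AS 100 on the inside; only two
! OSPF-learned prefixes are allowed into EIGRP (all values are assumed).
!
! Standard ACL naming the routes we are willing to redistribute. The mask is
! a subnet mask, and the ACL ends with an implicit deny.
access-list REDISTRIBUTE standard permit 198.51.100.0 255.255.255.0
access-list REDISTRIBUTE standard permit host 203.0.113.9
!
! Route map: sequence 10 passes routes matching the ACL; a route map also
! ends with an implicit deny, so any other OSPF route is not redistributed.
route-map RMAP permit 10
 match ip address REDISTRIBUTE
!
router eigrp 100
 network 10.1.1.0 255.255.255.0
 ! OSPF routes carry no EIGRP metric, so one must be supplied:
 ! bandwidth (kbps) delay (tens of us) reliability load mtu.
 redistribute ospf 1 metric 10000 100 255 1 1500 route-map RMAP
```

"show eigrp topology" on the ASA should then list 198.51.100.0/24 and 203.0.113.9/32 as external (redistributed) routes and no other OSPF-derived prefix.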