Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:configuration:ospf [2020/05/31 00:08] – bstafford
+++ paloaltonetworks:configuration:ospf [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 26: / Line 26: @@
 If you import a redistributed route in OSPF that you already have as a connected route, the virtual router will not mark the imported route as 'active'.
+Remember, if you set a redistribution profile to redistribute static routes matching 10.10.0.0/16, this will actually distribute all static routes that match 10.10.0.0/16 and anything more specific than that (e.g. 10.10.10.0/24).
@@ Line 58: / Line 60: @@
 If you want MPLS and VPN to have different metrics to achieve the same result, set, in Area 0.0.0.0 the interface metric of MPLS to 1 and the metric of VPN to 2. Then set the export rule to be //ext-1// and set the metric to 11. The means the MPLS metric when installed on the other firewall is 12 and the VPN is 13. This means that if MPLS fails, the VPN will take over with only a few ping drops. If the MPLS is then restored, it will take back control from VPN.
+===== OSPF with Backup Static Route =====
+If you have OSPF from (e.g.) MPLS terminating on your firewall, you may also have a backup VPN to the other sites.
+You can create a static route with metric 20 for the VPN tunnel and OSPF will (depending on configuration) have a metric of 11. However, you may find PAN-OS selecting the static route with metric 20 over the OSPF route with metric 11. The issue is administrative distance. If you update the static route to have an administrative distance of 150, the OSPF route should suddenly get priority. I've tried 129 and that also worked. However, 75 seemed to leave me with the static route still being preferred. Not sure what the tipping point is.