diff --git a/.github/buildomat/jobs/deploy.sh b/.github/buildomat/jobs/deploy.sh index 7c0cde7d51b..4bea78a3453 100755 --- a/.github/buildomat/jobs/deploy.sh +++ b/.github/buildomat/jobs/deploy.sh @@ -33,6 +33,9 @@ _exit_trap() { local status=$? [[ $status -eq 0 ]] && exit 0 + # XXX paranoia + pfexec cp /tmp/opteadm /opt/oxide/opte/bin/opteadm + set +o errexit set -o xtrace banner evidence @@ -50,6 +53,7 @@ _exit_trap() { standalone \ dump-state pfexec /opt/oxide/opte/bin/opteadm list-ports + pfexec /opt/oxide/opte/bin/opteadm dump-v2b z_swadm link ls z_swadm addr list z_swadm route list @@ -104,6 +108,10 @@ curl -sSfOL https://buildomat.eng.oxide.computer/public/file/oxidecomputer/opte pfexec rem_drv xde || true pfexec mv xde /kernel/drv/amd64/xde pfexec add_drv xde || true +curl -sSfOL https://buildomat.eng.oxide.computer/wg/0/artefact/01HKB35XW8FK04SZVY7E919ZH6/Jg21ywOzjozB1Ut0p2YO84V0QbiIfSyveZGaQHBQrXWIFmSU/01HKB36D5EAAX20MQENYR9586F/01HKB3HGJ31TEH73RR4RAERMV5/opteadm +chmod +x opteadm +cp opteadm /tmp/opteadm +pfexec mv opteadm /opt/oxide/opte/bin/opteadm set -x # diff --git a/nexus/src/app/sagas/switch_port_settings_apply.rs b/nexus/src/app/sagas/switch_port_settings_apply.rs index 0d6bb52421e..acb20f0c184 100644 --- a/nexus/src/app/sagas/switch_port_settings_apply.rs +++ b/nexus/src/app/sagas/switch_port_settings_apply.rs @@ -15,6 +15,10 @@ use crate::app::sagas::{ use anyhow::Error; use db::datastore::SwitchPortSettingsCombinedResult; use dpd_client::types::PortId; +use mg_admin_client::types::{ + AddStaticRoute4Request, DeleteStaticRoute4Request, Prefix4, StaticRoute4, + StaticRoute4List, +}; use nexus_db_model::NETWORK_KEY; use nexus_db_queries::db::datastore::UpdatePrecondition; use nexus_db_queries::{authn, db}; 
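Review bot: The added trap lines restore `opteadm` from `/tmp/opteadm` under `pfexec`, so a privileged copy depends on a fixed-name file in a world-writable directory. Stage the spare copy in a directory only the job user can write, for example one created with `mktemp -d`, and use that path in both places. The `# XXX paranoia` comment does not say what is being guarded against; replace it with the reason, e.g. `# restore the downloaded opteadm in case a later step replaced it, so dump-v2b below works` if that is the intent. The body of `_exit_trap` starts and ends outside this hunk.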
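Review bot: The `opteadm` binary fetched by the added `curl` line is made executable and moved into `/opt/oxide/opte/bin` with no digest check, and the exit trap then runs it under `pfexec`. The URL is a single job artefact path rather than a `public/file/...` path like the download named in the hunk header, so nothing in the script ties the job to a known build. Pin the expected SHA-256 in the script and compare before `chmod +x`, e.g. `[[ "$(digest -a sha256 opteadm)" == "<EXPECTED_SHA256>" ]] || exit 1`. If this is temporary debugging scaffolding, add a comment naming the issue that will remove it.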
@@ -174,6 +178,9 @@ async fn spa_ensure_switch_port_settings( let dpd_client: Arc = select_dendrite_client(&sagactx, &opctx, params.switch_port_id).await?; + let mg_client: Arc = + select_mg_client(&sagactx, &opctx, params.switch_port_id).await?; + let dpd_port_settings = api_to_dpd_port_settings(&settings).map_err(|e| { ActionError::action_failed(format!( @@ -207,6 +214,26 @@ async fn spa_ensure_switch_port_settings( _ => ActionError::action_failed(format!("dpd port settings apply {e}")), })?; + let mut rq = AddStaticRoute4Request { + routes: StaticRoute4List { list: Vec::new() }, + }; + for r in settings.routes { + let nexthop = match r.gw.ip() { + IpAddr::V4(v4) => v4, + IpAddr::V6(_) => continue, + }; + let prefix = match r.gw.ip() { + IpAddr::V4(v4) => Prefix4 { value: v4, length: r.gw.prefix() }, + IpAddr::V6(_) => continue, + }; + let sr = StaticRoute4 { nexthop, prefix }; + rq.routes.list.push(sr); + } + + mg_client.inner.static_add_v4_route(&rq).await.map_err(|e| { + ActionError::action_failed(format!("mgd static route add {e}")) + })?; + Ok(()) } @@ -273,6 +300,34 @@ async fn spa_undo_ensure_switch_port_settings( .await .map_err(|e| external::Error::internal_error(&e.to_string()))?; + // roll back the applied routes + let settings = sagactx + .lookup::("switch_port_settings")?; + + let mut rq = DeleteStaticRoute4Request { + routes: StaticRoute4List { list: Vec::new() }, + }; + + for r in settings.routes { + let nexthop = match r.gw.ip() { + IpAddr::V4(v4) => v4, + IpAddr::V6(_) => continue, + }; + let prefix = match r.gw.ip() { + IpAddr::V4(v4) => Prefix4 { value: v4, length: r.gw.prefix() }, + IpAddr::V6(_) => continue, + }; + let sr = StaticRoute4 { nexthop, prefix }; + rq.routes.list.push(sr); + } + + let mg_client: Arc = + select_mg_client(&sagactx, &opctx, params.switch_port_id).await?; + + mg_client.inner.static_remove_v4_route(&rq).await.map_err(|e| { + ActionError::action_failed(format!("mgd static route remove {e}")) + })?; + Ok(()) } 
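Review bot: In the `+207,6 +214,26` hunk, `prefix` is built from `r.gw.ip()` and `r.gw.prefix()`, the same field that supplies `nexthop`, so each `StaticRoute4` sent to mgd describes the gateway's own network instead of the route's destination. The early_networking.rs hunk in this commit takes the prefix from `r.destination`; the saga should read the route's destination field here too (its name is not visible in this hunk). The undo hunk at `+300,34` repeats the loop with the same mistake, so a shared helper that turns `settings.routes` into a `StaticRoute4List` would keep the add and delete requests in step. Routes with an IPv6 gateway are skipped by `continue` without a log line, which is worth a comment or a warning.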
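Review bot: The undo step in the `+300,34` hunk deletes every IPv4 route listed in the settings, whether or not this saga run was the one that installed it. If a route was already present in mgd before the forward action ran (for instance one installed at bootstrap by the early-networking change in this commit), a rollback would remove it and leave the switch without a route it had before; this assumes the add call succeeds on an existing route, which the hunk does not show. Consider recording which routes the forward action added, or re-applying the previous settings' routes, and state the chosen behaviour in the `// roll back the applied routes` comment. `params` and `opctx` are used here but defined outside the hunk.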
diff --git a/package-manifest.toml b/package-manifest.toml index 86cab4486e5..1c453068ff7 100644 --- a/package-manifest.toml +++ b/package-manifest.toml @@ -437,10 +437,10 @@ source.repo = "maghemite" # `tools/maghemite_openapi_version`. Failing to do so will cause a failure when # building `ddm-admin-client` (which will instruct you to update # `tools/maghemite_openapi_version`). -source.commit = "f2fc0ddcd78525dc32641d6c03483f2310399f6e" +source.commit = "295107c80f289171c6c92d79f6e7bc9afd3d598c" # The SHA256 digest is automatically posted to: # https://buildomat.eng.oxide.computer/public/file/oxidecomputer/maghemite/image//maghemite.sha256.txt -source.sha256 = "008d6ca5c54239cba8191c3c0561ec4415daf72938164f35da3a823b78b77283" +source.sha256 = "7b274bfd693caa90e0c402fb36729287d482ceb874401fe45d0462e00417936a" output.type = "tarball" [package.mg-ddm] @@ -453,10 +453,10 @@ source.repo = "maghemite" # `tools/maghemite_openapi_version`. Failing to do so will cause a failure when # building `ddm-admin-client` (which will instruct you to update # `tools/maghemite_openapi_version`). -source.commit = "f2fc0ddcd78525dc32641d6c03483f2310399f6e" +source.commit = "295107c80f289171c6c92d79f6e7bc9afd3d598c" # The SHA256 digest is automatically posted to: # https://buildomat.eng.oxide.computer/public/file/oxidecomputer/maghemite/image//mg-ddm.sha256.txt -source.sha256 = "989ccd4a14b63fbfc651c3df5c80201af800905dda18aa21159fa3d88ce4b39b" +source.sha256 = "57b1877e5a1bad272d0e382266adb62ec9ca24efd78ea19a61ace2ce9e0ab745" output.type = "zone" output.intermediate_only = true 
@@ -468,10 +468,10 @@ source.repo = "maghemite" # `tools/maghemite_openapi_version`. Failing to do so will cause a failure when # building `ddm-admin-client` (which will instruct you to update # `tools/maghemite_openapi_version`). -source.commit = "f2fc0ddcd78525dc32641d6c03483f2310399f6e" +source.commit = "295107c80f289171c6c92d79f6e7bc9afd3d598c" # The SHA256 digest is automatically posted to: # https://buildomat.eng.oxide.computer/public/file/oxidecomputer/maghemite/image//mg-ddm.sha256.txt -source.sha256 = "57e98e99c5a21e856a4f356f6e6888494c4a62ac0044b75cdc36239377d4d78d" +source.sha256 = "515e94cab9efe1046b78fbba6ff9b3bb466fdca63c689f11f3ee52553990b640" output.type = "zone" output.intermediate_only = true diff --git a/sled-agent/src/bootstrap/early_networking.rs b/sled-agent/src/bootstrap/early_networking.rs index e0b13455f07..77c57b64f14 100644 --- a/sled-agent/src/bootstrap/early_networking.rs +++ b/sled-agent/src/bootstrap/early_networking.rs @@ -17,7 +17,10 @@ use gateway_client::Client as MgsClient; use internal_dns::resolver::{ResolveError, Resolver as DnsResolver}; use internal_dns::ServiceName; use ipnetwork::{IpNetwork, Ipv6Network}; -use mg_admin_client::types::{ApplyRequest, BgpPeerConfig, Prefix4}; +use mg_admin_client::types::{ + AddStaticRoute4Request, ApplyRequest, BgpPeerConfig, Prefix4, StaticRoute4, + StaticRoute4List, +}; use mg_admin_client::Client as MgdClient; use omicron_common::address::DENDRITE_PORT; use omicron_common::address::{MGD_PORT, MGS_PORT}; 
@@ -560,6 +563,32 @@ impl<'a> EarlyNetworkSetup<'a> { } } + // Iterate through ports and apply static routing config. + let mut rq = AddStaticRoute4Request { + routes: StaticRoute4List { list: Vec::new() }, + }; + for port in &our_ports { + for r in &port.routes { + let nexthop = match r.nexthop { + IpAddr::V4(v4) => v4, + IpAddr::V6(_) => continue, + }; + let prefix = match r.destination.ip() { + IpAddr::V4(v4) => { + Prefix4 { value: v4, length: r.destination.prefix() } + } + IpAddr::V6(_) => continue, + }; + let sr = StaticRoute4 { nexthop, prefix }; + rq.routes.list.push(sr); + } + } + mgd.inner.static_add_v4_route(&rq).await.map_err(|e| { + EarlyNetworkSetupError::BgpConfigurationError(format!( + "static routing configuration failed: {e}", + )) + })?; + Ok(our_ports) } diff --git a/tools/maghemite_ddm_openapi_version b/tools/maghemite_ddm_openapi_version index 9a5b1d122b0..338853afa84 100644 --- a/tools/maghemite_ddm_openapi_version +++ b/tools/maghemite_ddm_openapi_version @@ -1,2 +1,2 @@ -COMMIT="f2fc0ddcd78525dc32641d6c03483f2310399f6e" +COMMIT="295107c80f289171c6c92d79f6e7bc9afd3d598c" SHA2="0b0dbc2f8bbc5d2d9be92d64c4865f8f9335355aae62f7de9f67f81dfb3f1803" diff --git a/tools/maghemite_mg_openapi_version b/tools/maghemite_mg_openapi_version index 9f98684201a..5e06611d125 100644 --- a/tools/maghemite_mg_openapi_version +++ b/tools/maghemite_mg_openapi_version @@ -1,2 +1,2 @@ -COMMIT="f2fc0ddcd78525dc32641d6c03483f2310399f6e" -SHA2="931efa310d972b1f8afba2308751fc6a2035afbaebba77b3a40a8358c123ba3c" +COMMIT="295107c80f289171c6c92d79f6e7bc9afd3d598c" +SHA2="7618511f905d26394ef7c552339dd78835ce36a6def0d85b05b6d1e363a5e7b4" diff --git a/tools/maghemite_mgd_checksums b/tools/maghemite_mgd_checksums index d341852c482..d8862680dd2 100644 --- a/tools/maghemite_mgd_checksums +++ b/tools/maghemite_mgd_checksums 
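Review bot: Routes whose nexthop or destination is IPv6 are dropped by the two `continue` arms with no log line, so a configured route can be missing from mgd with nothing in the bootstrap log to show why. Log a warning in those arms (the logger in scope is not visible in this hunk). The request is also sent when no port has any routes; guarding it with `if !rq.routes.list.is_empty() { ... }` would keep a rack with no static routes from failing early networking on this call. The failure is reported as `BgpConfigurationError`, which will mislead whoever reads the error, so a dedicated variant or at least a comment would help. The enclosing function starts outside the hunk.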
@@ -1,2 +1,2 @@ -CIDL_SHA256="57e98e99c5a21e856a4f356f6e6888494c4a62ac0044b75cdc36239377d4d78d" -MGD_LINUX_SHA256="11a0482d77caaebfaaeadb9bbccf0481fa07827ab73417a292758c060bfe5b7a" \ No newline at end of file +CIDL_SHA256="515e94cab9efe1046b78fbba6ff9b3bb466fdca63c689f11f3ee52553990b640" +MGD_LINUX_SHA256="505cdc355e92e866cd53143f4c6c60ea1083083eb31c0b0942530da1b2965cc4" \ No newline at end of file