Bruno_Petronio
Contributor

Filtering networks between OSPF Areas

Hello Mates 🙂

 

I'm testing an OSPF configuration in a Check Point Firewall cluster with 2 different routers.

I'm not able to avoid announcing all networks from Area 0 (the ones directly connected to the Firewall, but also the ones learned by OSPF in the Backbone Area "0") to Area 1.

 

I attached a simple network diagram for better understanding.

ospf_test.PNG

 

My Configuration:

  • FW has only 1 instance (default);
  • Both Areas in FW are Normal Type;
  • FW has all interfaces except Transit 2 in Area 0 (Backbone);
  • FW has Transit 2 interface in Area 1;
  • Net20, Net21 and Net22 are in passive mode;
  • FW config is restricting Net30 and Net31 from being advertised from Area 1 to Area 0;


My Goal:

  • Only advertise Net22 from Area 0 to Area 1 (Only see Net22 in Router_2 routing table from OSPF);


My failed attempts:

  • Restrict all networks except Net22 in FW Area 1 config;
  • Add all networks except Net22 in address range in Area 0 config;

 

My understanding: Open to clarifications 🙂

  • Restrictions and Ranges inside the Area configuration are always into the Backbone Area (at least according to the R80.30 Advanced Routing Admin Guide);
  • Is my only option to create a different instance and use redistribution between OSPF instances?

 

Thanks in advance for your help!

Bruno Petrónio

Accepted Solutions
Bruno_Petronio
Contributor

Just for the sake of sharing, I ended up creating a different instance with Area 1 and then redistributing what I needed.

JackPrendergast
Advisor

Hi Bruno.

 

Thank you for your detailed post.

 

Have you configured the OSPF areas in the CLI?

 

Sometimes I find configuring OSPF is better in the CLI.

This way, you can set the redistribution options for OSPF areas and also apply restrictions to areas.

 

A copy of your OSPF configuration may be handy here, blanking out any IP addresses if you wish to.

 

Please get this by running show configuration on the firewall CLI.
Bruno_Petronio
Contributor

Hi Jack,

I've done the config in the GUI, but redone it in clish 🙂

I was thinking redistributing was about different protocols and not inside the same protocol (in the same instance).

 

The OSPF config output, as well as the show route output:

ospf_cfg.PNG

The router outputs:

ospf_router_output.PNG

Thanks in advance!

JackPrendergast
Advisor

Hi Bruno,

 

To advertise the routes to the different area, you need to do a 'set ospf area xxxx range xxx.xxx.xxx.xx on'.

Then, as you have done above, to restrict routes, you need to do a 'set ospf area xxx range xxx.xx.xxx.xxx restrict on'.

 

Let me know how you get on 🙂
Bruno_Petronio
Contributor

Hi Jack,

 

Without doing the "set ospf instance default area 0 range xxx.xxx.xxx.xx on", I'm still getting in Router_2 all the networks belonging to Router_1 and all networks defined in the Firewall as belonging to Area 0.

I gave it a chance to try, and even if I allow the range 10.0.0.0/7 and then restrict 11.11.11.0/24 (in the Area 0 configuration), I still see both (10.10.10.0/24 and 11.11.11.0/24) in my Router_2, learned by OSPF.

 

What I could see as different was when I did the same for 20.0.0.0/6: without restricting any, I got a summarized route instead of 3 individual ones.

Restrictions still don't restrict from Area 0 to Area 1.

In the Admin Guide they always mention adding and restricting networks from other areas to the Backbone... I'm wondering if this is a limitation?!

 

😞

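The area-range behaviour Jack describes, and the 10.0.0.0/7 / 11.11.11.0/24 and 20.0.0.0/6 experiments Bruno reports, worked through as an added example (not Check Point code or output from this thread). The model follows the standard ABR rule of RFC 2328 section 12.4.3: the most specific configured range covering a source-area prefix decides whether that prefix is summarised or suppressed when advertised into another area. Prefixes for Net20/21/22 and Net30/31 are constructed, and `best_range` / `summaries_into` are my own function names.

```python
import ipaddress

# Constructed topology mirroring the thread: the firewall is an ABR attached to
# Area 0 and Area 1. Prefix values are assumptions except 10.10.10.0/24 and
# 11.11.11.0/24, which the thread names.
INTRA_AREA_ROUTES = {
    0: ["10.10.10.0/24", "11.11.11.0/24",                   # learned from Router_1
        "20.20.20.0/24", "21.21.21.0/24", "22.22.22.0/24"],  # Net20, Net21, Net22
    1: ["30.30.30.0/24", "31.31.31.0/24"],                   # Net30, Net31 (Router_2)
}

# Area ranges as (prefix, restrict): restrict=False advertises one summary for
# everything the range covers, restrict=True suppresses it. This is Bruno's test.
TEST_RANGES = {
    0: [("10.0.0.0/7", False), ("11.11.11.0/24", True), ("20.0.0.0/6", False)],
    1: [("30.30.30.0/24", True), ("31.31.31.0/24", True)],
}

# Ranges that would reach Bruno's stated goal (only Net22 into Area 1) if the
# ABR applied Area 0 ranges in the Area 0 -> Area 1 direction.
GOAL_RANGES = {
    0: [("10.0.0.0/7", True), ("20.20.20.0/24", True), ("21.21.21.0/24", True)],
    1: [("30.30.30.0/24", True), ("31.31.31.0/24", True)],
}


def best_range(prefix, ranges):
    """Most specific configured range covering prefix, as (network, restrict), or None."""
    net = ipaddress.ip_network(prefix)
    matches = [(ipaddress.ip_network(r), restrict) for r, restrict in ranges
               if net.subnet_of(ipaddress.ip_network(r))]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def summaries_into(dest_area, routes, ranges):
    """Type-3 summary prefixes the ABR originates into dest_area from its other areas."""
    advertised = set()
    for src_area, prefixes in routes.items():
        if src_area == dest_area:
            continue
        for p in prefixes:
            match = best_range(p, ranges.get(src_area, []))
            if match is None:
                advertised.add(p)               # uncovered: advertise the route as-is
            elif not match[1]:
                advertised.add(str(match[0]))   # covered by an advertised range: one summary
            # covered by a restrict range: suppressed
    return sorted(advertised)
```

Running `summaries_into(1, INTRA_AREA_ROUTES, TEST_RANGES)` gives `['10.0.0.0/7', '20.0.0.0/6']`: in the standard model the restrict on 11.11.11.0/24 suppresses it and 20.0.0.0/6 collapses Net20-22 into one summary, while with `GOAL_RANGES` only 22.22.22.0/24 reaches Area 1. Bruno observed that Gaia applied the restriction only towards the backbone, which is why a second OSPF instance with redistribution was needed.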
genisis__
Leader

One thing I would like to do is:
Ensure the Checkpoint is advertising only a default route into an OSPF area (NSSA), but learns other routes in that area. Would the above achieve this?

So on the switch the only route it should pick up is a default route via the Checkpoint.
On the Checkpoint, learn any connected routes and advertised routes from the switch.
