This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bruno_Petronio
Contributor
‎2021-02-10 10:45 AM
Jump to solution

Filtering networks between OSPF Areas

Hello Mates 🙂

 

I'm testing an OSPF configuration in a CheckPoint Firewall cluster with 2 different routers.

I'm not able to avoid to announce all networks from Area0 (the ones directly connected in the Firewall but also the ones learned by OSPF in Backbone Area "0") to Area 1.

 

I attached a simple network diagram for better understanding.

ospf_test.PNG

 

My Configuration:

  • FW has only 1 instance (default);
  • Both Areas in FW are Normal Type;
  • FW has all interfaces except Transit 2 in Area 0 (Backbone);
  • FW has Transit 2 interface in Area 1;
  • Net20, Net 21 and Net 22 are in passive mode;
  • FW config is restricting Net 30 and Net31 from being advertised from Area 1 to Area 0;


My Goal:

  • Only advertise Net22 from Area 0 to Area 1 (Only see Net22 in Router_2 routing table from OSPF);


My failed attempts:

  • Restrict all networks except Net 22 in FW Area 1 config;
  • Add all networks except Net 22 in address range in Area 0 config;

 

My understanding: Open to clarifications 🙂

  • Restrictions and Ranges inside Area configuration is always into Area Backbone. (At least from the R80.30 Advanced Routing Admin Guide);
  • Is my only option to create a different Instance and use redistribution between OSPF instances ?

 

Thanks in advance for your help !

Bruno Petrónio

0 Kudos
1 Solution

Accepted Solutions
Bruno_Petronio
Contributor
‎2021-02-26 10:05 AM
In response to Bruno_Petronio
Jump to solution

Just for the sake of sharing, i ended up creating a different instance with Area 1 and then redistributing what i needed.

View solution in original post

0 Kudos
6 Replies
JackPrendergast
Advisor
Advisor
‎2021-02-11 05:11 AM
Jump to solution

Hi Bruno.

 

Thank you for your detailed post.

 

Have you configured the ospf areas in cli?

 

Sometimes I find configuring OSPF is better in CLI.

This way, you can set the redistribution options for OSPF areas and also restrict to apply restrictions to areas.

 

A copy of your OSPF configuration maybe handy here - blanking out any ip addresses if you so wish to.

 

Please get this from running show configuration on the firewall CLI

0 Kudos
Bruno_Petronio
Contributor
‎2021-02-11 10:45 AM
In response to JackPrendergast
Jump to solution

Hi Jack,

I've done the config in GUI, but re-done in clish 🙂

I was thinking redistributing was about different protocols and not inside the same protocol (in same instance). 

 

The ospf output config as the show route output 

ospf_cfg.PNG

The router outputs:

ospf_router_output.PNG

Thanks in advance!

0 Kudos
JackPrendergast
Advisor
Advisor
‎2021-02-12 01:41 AM
In response to Bruno_Petronio
Jump to solution

Hi Bruno,

 

To advertise the routes to the different area, you need to do a 'set ospf area xxxx range xxx.xxx.xxx.xx on

Then, as you have done above, to restrict routes, you need to do a 'set ospf area xxx range xxx.xx.xxx.xxx restrict on'

 

Let me know how you get on 🙂 

0 Kudos
Bruno_Petronio
Contributor
‎2021-02-12 04:03 AM
In response to JackPrendergast
Jump to solution

Hi Jack,

 

Without doing the "set ospf instance default area 0 range xxx.xxx.xxx.xx on", im still getting in Router_2 all the networks belonging from Router_1 and all networks defined in the Firewall as belonging in Area0.

I give it the chance to try, and even if i allow the range 10.0.0.0/7 and then restrict the 11.11.11.0/24, (in area 0 configuration) i still see both (10.10.10.0/24 and 11.11.11.0/24) in my Router_2 learned by OSPF.

 

What i could see as different was when i did the same for 20.0.0.0/6, without restrict any i got a summarized route instead 3 individual.

Restriction still don't restrict from Area0 to Area 1.

In Admin guide they always mention add and restrict networks from other areas to Backbone... I'm wondering if this is a limitation ?! 

 

😞

0 Kudos
Bruno_Petronio
Contributor
‎2021-02-26 10:05 AM
In response to Bruno_Petronio
Jump to solution

Just for the sake of sharing, i ended up creating a different instance with Area 1 and then redistributing what i needed.

0 Kudos
genisis__
MVP Silver
MVP Silver
‎2023-09-14 02:53 AM
In response to Bruno_Petronio
Jump to solution

One thing I would like to do is:
Ensure the Checkpoint is advertising only a default route into an OSPF area (NSSA), but learns other routes in that area, would the above achieve this?

So on the switch the only route it should pickup is a default route via the Checkpoint.
On the Checkpoint learn any connected routes and advertised routes from the switch.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events