OSPF filtering

Unanswered Question

Hello guys,


I have two Cisco 3560 CAT/s connecting two locations with 10Mb Ethernet line between them. OSPF is enabled across the domain. I have failover link over Internet VPN with 2 ASA/s 5510 that are connected to both 3560 respectivly at any location. OSPF is enabled over the VPN too. Everything is running ok but when I am logged one of the CAT/s and I issue sh ip route ospf, I see in the routing table the public IP network that is attached to the outside Interface on the ASA (it happens on both sides) because it has been learned by OSPF which is normal. I want to avoid these public IP networks to be installed in the routing tables in my internal CAT Switches on both sides. Tried with distribute-list and route-map matching access-list, it works but only on the CAT Switch, the rest of the networking devices (OSPF enabled) behind of the CAT Switches are still learning the public IP subnets.


How to remove these ISP ranges from my internal network? Any help would be highly appreciated!


Regards,


rvr


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Richard Burts Sat, 09/20/2008 - 11:21

rvr


What you are experiencing is normal behavior for OSPF. Once an OSPF router generates an LSA for a subnet (as your ASAs are doing) then the LSA gets flooded to every router in the domain.


While it might seem logical to use distribute lists (or route maps) to filter the routes it turns out to not be very successful (as you experience). The reason for this is that distribute lists (and route maps) are filtering on route information. OSPF advertises LSAs (not routes) and then calculates routes based on the content of the Link State Data Base. So the distribute list can control the route information from OSPF that goes into the local routing table. But the LSA is still in the data base and will still be advertised to peers behind it because distribute lists can not control LSAs.


If you do not want the public networks in the routing table of your internal network would it be possible to just take out the network statement in OSPF on the ASA so that the ASA will not generate LSAs for these addresses?


Or if having the ASA not advertise the ISP ranges is not feasible there is another possibility to consider. You might configure 2 OSPF processes on each 3560. One process would include the interfaces toward the ASA and would process advertisements including the ISP ranges. The other process would include the interfaces to internal resources. You would need to redistribute between processes and in redistribution you have an opportunity to filter and could deny the ISP ranges in the redistribution.


HTH


Rick

Hello Rick,


I tried to remove the network statements from the ospf processes but didn't work. If I remove them there are no OSPF adjacencies formed over the VPN tunnel.

I tried with two different processes per ASA with redistribution but didn't see any option to filter OSPF out. Please, can you refer me to a Cisco document how it's completed? Thank you in advance!


Regards,


rvr


Richard Burts Sun, 09/21/2008 - 14:24

rvr


here is a link that discusses using 2 OSPF processes and filtering the redistribution between the processes. I hope that you find it helpful.


HTH


Rick

Actions

This Discussion