Block unwanted OSPF advertisement

kevin.hu
Level 3

Hi,

We have a hub and spoke topology and are running OSPF. I would like to implement a route filter at the hub so that a spoke can't just advertise any unauthorized network to the hub. I read up on the SAFE white paper and it stated that a distribute-list won't stop the OSPF advertisement; it just won't install the route in the routing table on that hub router. Is there any other way to filter unwanted network advertisements?

Thanks.

7 Replies

Kevin,

You are correct. A distribute-list in will only stop routes from getting installed in the routing table; OSPF would still have that LSA in the database. As you may know, OSPF doesn't support distribute-list out, as it doesn't send routing updates but rather LSAs to neighbors. One of the basic requirements of OSPF is that every router in an area should have an identical OSPF database. Hence, filtering has to be done individually on every OSPF router in that area.

However, you can work around this by configuring every spoke to be in a different area, and thus the only router on which you would need to apply the distribute-list would be the hub router itself.

HTH

Sundar

Thanks. I was hoping there was an easier way to do this.

Hi Kevin,

Can you elaborate on how many spoke routers you have?

You can also consider turning your sites into stub areas.

Regards,

Prince

I have about 20 hubs within area 0 and each hub has 30 spokes. I just want to control what a spoke can advertise back to the hub for security purposes, so that no one at a spoke can advertise an unauthorized network through OSPF. I don't see how a stub area can prevent this from happening.

Dear Kevin,

Use the design below:

20 hub routers, each hub router joining the backbone area and acting as the ABR for all of its connected spokes; then configure all spokes as NSSA areas; then on each spoke router make the OSPF network command cover only the serial interfaces that connect the spoke to the ABR (network 1.1.1.1 0.0.0.0 area 1); then redistribute the LAN addresses using a route-map, so that new subnets must be explicitly configured in the route-map to be advertised.

And if you are concerned about the redistributed route type, which by default will be E2 (each spoke router will send an LSA type 7, which is translated to an LSA type 5 at the ABR), you can use a route-map to change the route type at the ABR.

Please rate helpful posts

Best Regards,

Mounir Mohamed
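As an added example (not Mounir's configuration, and not from any Cisco document), the design above in Cisco IOS syntax for one spoke and its hub, combined with Sundar's earlier point that, with each spoke in its own area, the only router that needs a distribute-list is the hub. All addresses, interface names, process numbers and list names are constructed for illustration. One deviation from the text: the optional type-1 metric is set in the spoke's route-map rather than at the ABR.

```ios
! ===== Spoke router (its own NSSA area; here area 1) =====
! Only the subnets listed here may ever be injected into OSPF.
! Adding a new LAN at the spoke advertises nothing until this list is updated.
ip prefix-list AUTHORIZED-LAN seq 10 permit 10.1.1.0/24
!
route-map LAN-TO-OSPF permit 10
 match ip address prefix-list AUTHORIZED-LAN
 set metric-type type-1      ! optional: N1/E1 instead of the default N2/E2
! implicit deny: any other connected subnet is silently dropped
!
interface Serial0/0
 description WAN link to hub (constructed address)
 ip address 192.168.1.2 255.255.255.252
!
interface GigabitEthernet0/0
 description spoke LAN (constructed address)
 ip address 10.1.1.1 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 area 1 nssa
 ! The network statement covers only the WAN link. The LAN interface is
 ! deliberately NOT covered, so it can only enter OSPF via redistribution.
 network 192.168.1.2 0.0.0.0 area 1
 redistribute connected subnets route-map LAN-TO-OSPF

! ===== Hub router (ABR between area 0 and NSSA area 1) =====
! Hub-side list of what this spoke is allowed to send (constructed).
ip prefix-list SPOKE1-ALLOWED seq 10 permit 10.1.1.0/24
!
interface Serial0/0
 description WAN link to spoke 1 (constructed address)
 ip address 192.168.1.1 255.255.255.252
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
router ospf 1
 router-id 10.0.0.1
 area 1 nssa
 network 192.168.1.1 0.0.0.0 area 1
 network 10.0.0.1 0.0.0.0 area 0
 ! Second line of defence: anything unexpected learned over the spoke link is
 ! kept out of the hub's routing table. As the thread notes, this does not
 ! remove the LSA from the area 1 database; the spoke-side route-map is what
 ! stops the advertisement from being originated in the first place.
 distribute-list prefix SPOKE1-ALLOWED in Serial0/0
```

The spoke-side route-map is the control that actually matters: a subnet that is not in AUTHORIZED-LAN never becomes a type-7 LSA, so there is nothing for the hub to translate into area 0. Because each spoke is an ABR-bounded area of its own, a misconfigured or hostile spoke can only pollute its own area's database, and the hub's distribute-list keeps that from reaching the hub's RIB.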

This is a good idea. Thank you. I will give this idea some thought. Are there any drawbacks to doing redistribution of the LAN networks on all 300 spokes?

Dear Kevin,

With pleasure. I believe there are no drawbacks to redistribution; actually, redistribution will reduce the router overhead, as it only injects some routes into the link-state topology table instead of using the network command to cover the interfaces and then using passive-interface to stop adjacencies on such non-OSPF-aware interfaces.

Best Regards,

Mounir Mohamed
