Cisco Support Community
Block unwanted OSPF advertisement

Hi,

We have a hub and spoke topology and are running OSPF. I would like to implement a route filter at the hub so that a spoke can't just advertise any unauthorized network to the hub. I read the SAFE white paper and it stated that a distribute-list won't stop the OSPF advertisement; it just won't install the route in the routing table on that hub router. Is there any other way to filter unwanted network advertisements?

Thanks.

Re: Block unwanted OSPF advertisement

Kevin,

You are correct. Distribute-list in will only stop routes from getting installed in the routing table. OSPF would still have that LSA in the database. As you may know, OSPF doesn't support distribute-list out, as it doesn't send routing updates but rather LSAs to neighbors. One of the basic requirements of OSPF is that every router in an area should have an identical OSPF database. Hence, filtering has to be done individually on every OSPF router in that area.

However, you can work around this by configuring every spoke to be in a different area, and thus the only router you would need to apply the distribute-list on would be the hub router itself.

HTH

Sundar

Re: Block unwanted OSPF advertisement

Thanks. I was hoping there was an easier way to do this.

Re: Block unwanted OSPF advertisement

Hi Kevin,

Can you elaborate on how many spoke routers you have?

You can also consider turning your sites into a stubby area.

Regards,

Prince

Re: Block unwanted OSPF advertisement

I have about 20 hubs within area 0 and each hub has 30 spokes. I just want to control what a spoke can advertise back to the hub for security purposes, so no one from the spoke can advertise an unauthorized network through OSPF. I don't see how a stubby area can prevent this from happening.

Re: Block unwanted OSPF advertisement

Dear Kevin,

Use the design below:

Each of the 20 hub routers joins the backbone area and acts as an ABR for all of its connected spokes. Then configure all spokes as NSSA areas, and on each spoke router make the OSPF network command cover only the serial interface that connects the spoke to the ABR router (network 1.1.1.1 0.0.0.0 area 1). Then redistribute the LAN addresses using a route-map, so new subnets must be explicitly configured on the route-map to be advertised.

And if you are concerned about the redistributed route type, which by default will be E2 (each spoke router will send an LSA-7, which is translated to an LSA-5 at the ABR level), you can use a route-map to change the route type at the ABR.

Please rate helpful posts

Best Regards,

Mounir Mohamed
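The design above written out as IOS configuration for one spoke and its hub, added here as an illustration and not configuration posted by Mounir or Cisco; interface names, the 192.168.1.0/24 LAN, the 10.0.0.1 hub address and the prefix-list/route-map names are constructed. The point it shows is that only the WAN address is covered by a network statement, and that a LAN subnet missing from the prefix-list falls into the route-map's implicit deny and never becomes a Type-7 LSA.

```cisco
! ---- Spoke router (its own NSSA, area 1 here; addresses are constructed) ----
! Allow-list of LAN prefixes this spoke is permitted to inject into OSPF.
ip prefix-list SPOKE1-LANS seq 10 permit 192.168.1.0/24
!
! Route-map applied to redistribution. A subnet absent from the prefix-list
! matches nothing and is dropped by the implicit deny at the end of the map.
route-map LAN-TO-OSPF permit 10
 match ip address prefix-list SPOKE1-LANS
!
interface Serial0/0
 ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
router ospf 1
 router-id 1.1.1.1
 area 1 nssa
 ! Covers only the WAN address, so the LAN interface never runs OSPF and
 ! needs no passive-interface statement.
 network 1.1.1.1 0.0.0.0 area 1
 ! metric-type 1 yields E1 routes instead of the default E2.
 redistribute connected subnets metric-type 1 route-map LAN-TO-OSPF
!
! ---- Hub router (ABR: area 0 toward the other hubs, one NSSA per spoke) ----
interface Serial0/0
 ip address 1.1.1.2 255.255.255.252
!
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.1 0.0.0.0 area 0
 network 1.1.1.2 0.0.0.0 area 1
 ! ABR side of the NSSA: Type-7 LSAs learned from the spoke are translated
 ! to Type-5 here before they reach area 0. Repeat with areas 2..30 for the
 ! remaining spokes of this hub.
 area 1 nssa
```

Because the allow-list lives on the spoke, it constrains misconfiguration rather than a deliberately altered spoke; what the hub still gains is a fixed, auditable set of NSSA areas and a single place (the ABR) where every spoke's externals enter the backbone.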

Re: Block unwanted OSPF advertisement

This is a good idea. Thank you. I will give this idea some thought. Any drawbacks to doing redistribution of LAN networks on all 300 spokes?

Re: Block unwanted OSPF advertisement

Dear Kevin,

With pleasure. I believe there are no drawbacks to redistribution; actually, redistribution will reduce the router overhead, as it only injects some routes into the link-state topology table instead of using the network command to cover the interfaces and using passive-interface to stop adjacency on such non-OSPF-aware interfaces.

Best Regards,

Mounir Mohamed
