OSPF Filtering IP on a routed subnet

utawakevou
Level 4

I have already got OSPF set up with area 0 for my backbone and area 1 for my WAN sites. One of my remote sites has a static default route that points to their firewall. On my remote site router I need to filter a certain IP address out of the 192.168.0.0/16 route that OSPF creates so I can block users at that remote site from connecting to that particular IP.

Thanks for your help

Accepted Solutions

mgalazka
Level 1

If I am understanding your request correctly, the remote site is learning a 192.168.0.0/16 route from the "headend" router. There is one particular host address within 192.168.0.0/16 that you want to block as a destination from the remote site?

Like most problems in IT, there are several ways to solve this. Commonly, IP access control lists are used for traffic 'policy enforcement'. By implementing an ACL to deny the source of remote-site IPs to a destination of this particular host IP, the remote site users would no longer be able to communicate with the particular IP.

A less polished, but also effective, way to make this happen: you could null route the particular host address on your remote site router. This means that the remote site router, when it looks up the next hop for that particular destination, sees the next hop as the 'bit bucket' and traffic is dropped in your routing logic. This is nice and efficient, but you lose any logging/visibility.
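
Both options from the answer above, written as Cisco IOS configuration for the remote-site router. This is an added example, not part of the original post. The blocked host 192.168.50.10, the remote LAN 10.1.1.0/24, the ACL name BLOCK-HOST and the interface GigabitEthernet0/1 are constructed placeholders.

```cisco-ios
! --- Option 1: extended ACL, inbound on the remote-site LAN interface ---
! Keeps visibility: the deny entry has hit counters and, with "log",
! generates syslog messages for matching packets.
ip access-list extended BLOCK-HOST
 remark Placeholders: LAN 10.1.1.0/24, blocked host 192.168.50.10
 deny   ip 10.1.1.0 0.0.0.255 host 192.168.50.10 log
 permit ip any any
!
interface GigabitEthernet0/1
 description Remote-site LAN (assumed interface name)
 ip access-group BLOCK-HOST in
!
! --- Option 2: null route for the single host ---
! The /32 static is more specific than the OSPF-learned 192.168.0.0/16,
! so longest-prefix match sends traffic for this one host to Null0 while
! the rest of the /16 still follows the OSPF route. No per-packet logging.
ip route 192.168.50.10 255.255.255.255 Null0
!
! Caveat: if this router redistributes static routes into OSPF, filter
! this /32 out of the redistribution, otherwise other routers learn it
! and forward traffic for the host here to be dropped.
!
! --- Verification (exec mode) ---
! show ip access-lists BLOCK-HOST     hit count on the deny entry
! show ip route 192.168.50.10         static route via Null0
```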

You mean to say I just create a static route to that host with the next hop as Null?

Thanks. I managed to get that sorted.
