Cisco Support Community
Community Member

OSPF Filtering IP on a routed subnet

I have already got OSPF set up with area 0 for my backbone and area 1 for my WAN sites. I have one remote site which has a static default route that points to their firewall. On my remote site router I need to filter out a certain IP address from the 192.168.0.0/16 route that OSPF creates so I can block users at that remote site from connecting to that particular IP.

Thanks for your help

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

OSPF Filtering IP on a routed subnet

If I am understanding your request correctly, the remote site is learning a 192.168.0.0/16 route from the "headend" router. There is one particular host address within 192.168.0.0/16 that you want to block as a destination from the remote site?

Like most problems in IT, there are several ways to solve this. Commonly, IP access control lists are used for traffic 'policy enforcement'. By implementing an ACL to deny the source of remote-site IPs to a destination of this particular host IP, the remote site users would no longer be able to communicate with the particular IP.

A less polished, but also effective way, to make this happen: you could null route the particular host address on your remote site router. This means that the remote site router, when it looks up the next-hop for that particular destination, it sees the next hop as the 'bit bucket' and traffic is dropped in your routing logic. This is nice and efficient, but you lose any logging/visibility.
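
The two options from the answer above, sketched as Cisco IOS configuration. This is an added example, not part of the original post. The host address 192.168.10.50, the ACL name BLOCK-HOST and the interface GigabitEthernet0/1 are placeholders (the thread gives none of them); use one option or the other.

```cisco
! Option 1: ACL on the remote-site router's user-facing interface.
! 192.168.10.50 is a placeholder for the host to block.
ip access-list extended BLOCK-HOST
 ! 'log' records matches, giving the visibility a null route lacks
 deny   ip any host 192.168.10.50 log
 permit ip any any
!
interface GigabitEthernet0/1
 ! placeholder interface: the one facing the remote-site users
 ip access-group BLOCK-HOST in
!
! Option 2: null route. The /32 static is more specific than the
! OSPF-learned 192.168.0.0/16, so longest-prefix match selects it
! and the packet is discarded during the routing lookup.
ip route 192.168.10.50 255.255.255.255 Null0
!
interface Null0
 ! optional: do not send ICMP unreachables for dropped packets
 no ip unreachables
!
! Verify from exec mode:
!   show ip access-lists BLOCK-HOST   (match counters on the deny line)
!   show ip route 192.168.10.50       (should show a static route via Null0)
```

The null route only affects this router as long as static routes are not redistributed into OSPF; if they are, the /32 would be advertised and other routers would also send traffic for that host here to be dropped.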

3 REPLIES
Community Member

OSPF Filtering IP on a routed subnet

You mean to say I just create a static route to that host with the next hop as Null?

Community Member

OSPF Filtering IP on a routed subnet

Thanks. I managed to get that sorted.
