How to Suppress OSPF Route

Created On 09/25/18 19:20 PM - Last Modified 12/16/19 21:55 PM


Symptom


There are instances when there is a need to selectively suppress the routes that are being learned from OSPF neighbors. This document describes how to suppress routes that are learned from OSPF adjacent peers or within the Autonomous System (AS).
 

As of now, only inter-area routes can be suppressed. Suppression of routes learned within the same area is not supported.



Environment


  • Any PAN-OS.
  • Any Palo Alto Firewall.


Resolution


By default, the Palo Alto Networks firewall advertises all the OSPF routes (both intra-area and inter-area). Follow the steps below to suppress inter-area routes:

  1. Open the appropriate virtual router configuration at Network > Virtual Routers > (configured VR)
  2. Go to the OSPF > Areas tab
  3. Select the appropriate Area and go to the Range tab.
 
 
  4. Specify the networks that you want to suppress and select "Suppress" as the Action value. Then click OK and commit the configuration.
Note: Route suppression is always done at the ingress area.
 

 

Example scenario

Upstream device "A" (Area 0.0.0.1) ==> (Area 0.0.0.1) PaloAltoNetworks-Firewall "B" (Area 0.0.0.0) ==> Downstream device "C".

We need to configure route suppression on the ingress area (Area 0.0.0.1 on PaloAltoNetworks-Firewall) to prevent routes learned from device "A" from being advertised into the backbone area (to device "C").

 

Troubleshooting

  1. Since the suppression is always performed on the ABR, the user can verify if the routes are being suppressed by looking under the LSDBs of the normal area routers (router that advertises the networks) and the ABRs (router where the routes are suppressed).

    The LSDB under the advertising router will have all the routes that it has learned and is currently advertising to its peer. The LSDB under the ABR (and on the routers behind it) will not have the routing information about the suppressed routes.
    >show routing protocol ospf lsdb
     
  2. Range entries are not processed in sequential order; the largest supernet (least number of bits) always takes precedence. With the range configuration shown below, the bottom prefix overrides the "Advertise" action, even though "Advertise" is the first action from top to bottom:
    1. 10.9.32.0/21 Advertise
    2. 10.9.0.0/16 Suppress

 

10.9.0.0/16 Suppress - This entry will prevent 10.9.32.0/21 from being advertised since the range 10.9.0.0/16 encompasses 10.9.32.0/21. Therefore, 10.9.32.0/21 is superseded and has an action of Suppress.

 

  3. A route that has a subnet smaller than the network being advertised cannot be suppressed. For example, if the Palo Alto Networks device is advertising 10.9.32.0/21, then a smaller subnet (10.9.32.0/22, /23, /24, /25, etc.) cannot be suppressed. However, an equal or bigger subnet (such as 10.9.32.0/21 or 10.9.32.0/19, /18, /17, etc.) can be suppressed.
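
The range precedence and subnet-size rules above can be checked offline before a range list is committed, so that an entry does not silently suppress or leak more than intended. The Python sketch below is an added example, not PAN-OS code or Palo Alto Networks tooling; it models only the behaviour this article describes, and the names `effective_action`, `shadowed_entries` and `RANGES` are hypothetical.

```python
import ipaddress

def effective_action(route, ranges):
    """Return (action, deciding_range) for a route under the article's rules.

    ranges: list of (prefix, action) tuples in configured top-to-bottom order.
    """
    net = ipaddress.ip_network(route)
    # A range only applies if it is equal to or wider than the route.
    covering = [(ipaddress.ip_network(p), a) for p, a in ranges
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return ("advertise", None)  # default: everything is advertised
    # Fewest prefix bits (largest supernet) wins, regardless of list order.
    rng, action = min(covering, key=lambda e: e[0].prefixlen)
    return (action.lower(), str(rng))

def shadowed_entries(ranges):
    """List range entries whose action is overridden by a wider range."""
    found = []
    for prefix, action in ranges:
        eff, decider = effective_action(prefix, ranges)
        if decider != str(ipaddress.ip_network(prefix)) and eff != action.lower():
            found.append((prefix, action.lower(), decider, eff))
    return found

# Constructed sample: the range list from the article, in configured order.
RANGES = [("10.9.32.0/21", "Advertise"), ("10.9.0.0/16", "Suppress")]

if __name__ == "__main__":
    for route in ("10.9.32.0/24", "10.9.40.0/24", "10.8.0.0/16"):  # constructed routes
        print(route, effective_action(route, RANGES))
    for entry in shadowed_entries(RANGES):
        print("shadowed:", entry)
```

A non-empty result from `shadowed_entries` means at least one configured entry will never take effect as written, which is worth resolving before the commit.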

 

 


