https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28313#M20690 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I am working on a network design and have a palo alto firewall that has two areas, 0 inside and 1 outside on the same virtual router.&nbsp; Area 1 has the outside interface of firewall, two routers and then the edge router.&nbsp; OSPF runs on the inside of the internet edge router and BGP with the internet provider.&nbsp; We receive a default route from the carrier and distribute it into OSPF.&nbsp; Area 0 has the inside interface of the firewall, some core switches and an MPLS router running OSPF in area 0 and BGP with MPLS provider.&nbsp; They are redistributing BGP from MPLS back into OSPF area 0. I have everything working properly in the lab except for the OSPF Type-5 LSA's being passed into area 1. Meaning routes from the internal network are being passed into the outside of my firewall.&nbsp; I am able to suppress the inter-area routes or type-3 LSA's from one area to the next but don't know how to suppress or filter out the type-5 LSA's. </P><P></P><P>Can't use a stub or nssa area either because I have to allow external routes into each area, just not pass them through to the opposite area.&nbsp; Has anyone else run in to this problem or know of a solution?&nbsp; I thought about using two virtual routers but don't know how to share OSPF routes between the two virtual routers or how the virtual routers would work together either.&nbsp; Any ideas or help would be appreciated. </P><P></P><P>Thank you!</P></BODY></HTML> Thu, 05 Mar 2015 20:15:15 GMT prestonhartley 2015-03-05T20:15:15Z https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28313#M20690 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I am working on a network design and have a palo alto firewall that has two areas, 0 inside and 1 outside on the same virtual router.&nbsp; Area 1 has the outside interface of firewall, two routers and then the edge router.&nbsp; OSPF runs on the inside of the internet edge router and BGP with the internet provider.&nbsp; We receive a default route from the carrier and distribute it into OSPF.&nbsp; Area 0 has the inside interface of the firewall, some core switches and an MPLS router running OSPF in area 0 and BGP with MPLS provider.&nbsp; They are redistributing BGP from MPLS back into OSPF area 0. I have everything working properly in the lab except for the OSPF Type-5 LSA's being passed into area 1. Meaning routes from the internal network are being passed into the outside of my firewall.&nbsp; I am able to suppress the inter-area routes or type-3 LSA's from one area to the next but don't know how to suppress or filter out the type-5 LSA's. </P><P></P><P>Can't use a stub or nssa area either because I have to allow external routes into each area, just not pass them through to the opposite area.&nbsp; Has anyone else run in to this problem or know of a solution?&nbsp; I thought about using two virtual routers but don't know how to share OSPF routes between the two virtual routers or how the virtual routers would work together either.&nbsp; Any ideas or help would be appreciated. </P><P></P><P>Thank you!</P></BODY></HTML> Thu, 05 Mar 2015 20:15:15 GMT https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28313#M20690 prestonhartley 2015-03-05T20:15:15Z https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28314#M20691 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/32704">prestonhartley</A></P><P></P><P>I don't think you can suppress type 5 LSA on the firewall.</P></BODY></HTML> Thu, 05 Mar 2015 21:15:43 GMT https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28314#M20691 bat 2015-03-05T21:15:43Z https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28315#M20692 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Have you tried changing the area 0 to something else so those two areas won't talk because there is no backbone area?</P><P></P><P>Regards,</P><P>Hari Yadavalli</P></BODY></HTML> Thu, 05 Mar 2015 23:18:41 GMT https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28315#M20692 hyadavalli 2015-03-05T23:18:41Z https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28316#M20693 <HTML><HEAD></HEAD><BODY><P>Hi Preston,</P><P></P><P>In all vendors Type-5 can not be filtered, basically LSAs can not be filtered.</P><P></P><P>Now there are two options.</P><P>1. Do filtering based on Network address, follow OSPF filtering document mentioned bellow.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-5284">Understanding Route Redistribution and Filtering</A></P><P>2. As Hyadavalli suggested, create non-backbone area instead of backbone area.</P><P></P><P>Let me know for additional queries.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 06 Mar 2015 00:40:10 GMT https://live.paloaltonetworks.com/t5/general-topics/filtering-or-suppressing-ospf-type-5-lsa-s/m-p/28316#M20693 hshah 2015-03-06T00:40:10Z