https://live.paloaltonetworks.com/t5/general-topics/ospf-preventing-ext1-inter-area-route-redistribution/m-p/366444#M88710 <P>I am trying to minimize some router's routing table, in a multi-area OSPF setup. As you can see in the attached diagram, my PA firewall is an ABR. It's also the core router of the entire network, DR on each OSPF area with no BDR (it's an HA active/standby setup).</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OSPF-trim.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28880iEDAF37B62DD7712C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="OSPF-trim.png" alt="OSPF-trim.png" /></span></P><P>PA Firewall's routing table is built by the routes advertised by each area, with very little statics. Each area has a couple of routers (Cisco L3 switches, HSRP client-side) and interacts with the firewall on a dedicated subnet (a /24 where the firewall is .1 and the two routers are .2 and .3, OSPF costs set to direct traffic to the HSRP active node). On some areas I have additional devices in charge of their own subnets (e.g. load balancers, vpn appliances). These devices get their traffic via static routes redistributed by the Cisco devices, so that the firewall knows that the specific subnet is down that link.<BR /><BR />Now, the question: while the router in Area 3 does not receive all the Area 2 connected routes, I can't prevent it to receive the static ones. Is there a way to accomplish this? Should I turn the leaf areas to NSSA? Of course, "no redistribute static" on the leaf router is not an option here, since I still need the firewall to know where that subnet is. I'd also avoid configuring it as a "chain of static routes".<BR /><BR />On our network, this would remove 67 unnecessary Ext-1 routes from each of our 28 "leaf" routers.</P> Tue, 01 Dec 2020 13:32:19 GMT michelealbrigo 2020-12-01T13:32:19Z https://live.paloaltonetworks.com/t5/general-topics/ospf-preventing-ext1-inter-area-route-redistribution/m-p/366444#M88710 <P>I am trying to minimize some router's routing table, in a multi-area OSPF setup. As you can see in the attached diagram, my PA firewall is an ABR. It's also the core router of the entire network, DR on each OSPF area with no BDR (it's an HA active/standby setup).</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OSPF-trim.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28880iEDAF37B62DD7712C/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="OSPF-trim.png" alt="OSPF-trim.png" /></span></P><P>PA Firewall's routing table is built by the routes advertised by each area, with very little statics. Each area has a couple of routers (Cisco L3 switches, HSRP client-side) and interacts with the firewall on a dedicated subnet (a /24 where the firewall is .1 and the two routers are .2 and .3, OSPF costs set to direct traffic to the HSRP active node). On some areas I have additional devices in charge of their own subnets (e.g. load balancers, vpn appliances). These devices get their traffic via static routes redistributed by the Cisco devices, so that the firewall knows that the specific subnet is down that link.<BR /><BR />Now, the question: while the router in Area 3 does not receive all the Area 2 connected routes, I can't prevent it to receive the static ones. Is there a way to accomplish this? Should I turn the leaf areas to NSSA? Of course, "no redistribute static" on the leaf router is not an option here, since I still need the firewall to know where that subnet is. I'd also avoid configuring it as a "chain of static routes".<BR /><BR />On our network, this would remove 67 unnecessary Ext-1 routes from each of our 28 "leaf" routers.</P> Tue, 01 Dec 2020 13:32:19 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-preventing-ext1-inter-area-route-redistribution/m-p/366444#M88710 michelealbrigo 2020-12-01T13:32:19Z https://live.paloaltonetworks.com/t5/general-topics/ospf-preventing-ext1-inter-area-route-redistribution/m-p/367594#M88854 <P>I found an excellent video about OSPF "non-normal" area types and solved my problem: <A href="https://www.youtube.com/watch?v=V986z5ltPDg" target="_blank">https://www.youtube.com/watch?v=V986z5ltPDg</A><BR />The answer to my question was to convert all the leaf areas to totally-nssa (area ### nssa on cisco core switches, area type NSSA with flag removed on "accept summary", and added on "advertise default route" on PanOS).</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Schermata 2020-12-07 alle 10.12.14.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/28979iEB672F6D7ED4C074/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Schermata 2020-12-07 alle 10.12.14.png" alt="Schermata 2020-12-07 alle 10.12.14.png" /></span></P><P>&nbsp;</P><P>This led to minimal routing tables on core switches, with a default route learnt via OSPF. The firewall, by being the DR of all areas, including Area 0, still knows all the routes to everywhere, as intended.</P> Mon, 07 Dec 2020 09:15:39 GMT https://live.paloaltonetworks.com/t5/general-topics/ospf-preventing-ext1-inter-area-route-redistribution/m-p/367594#M88854 michelealbrigo 2020-12-07T09:15:39Z