I need to filter OSPF areas so that area 188.8.131.52 only sees his routes and area 0.0.0.0. I do not want him to see area 184.108.40.206.
Is this possible?
We don't support filtering routes from OSPF into the routing table or LSA filtering.
You could get fancy and make Area 1 and Area 2 Totally Stubby so they only see a default route to Area 0. Even fancier, make Area 1 and 2 Not-so-Stubby and inject all the area routes from another protocol. Then those Areas will filter all external LSAs, which means they won't see each other's routes but will see Area 0 local routes. (You could accomplish something similar by simply redistributing from other routing protocols into the Area 0 ASBR in place of using multiple OSPF Areas.) Pretty hairy configuration, though.
Other routers have some OSPF route filtering features, but take care when using them as it is easy to cause black-holes unless you are very careful.
My areas 1 and 2 are complete networks with many end points. Each network has two head-end environments that VPN to each remote site. There is then a management zone that is area 0. The head-ends VPN to it. The entire environment is sealed with IPSec being the only connectivity. OSPF is the IGP where EIGRP is the routing protocol on the host network. They will never redistribute.
Each tunnel has a /30 for its PtP. So, each remote adds 3 networks to the routing table. We expect to grow to 150 - 200 remote sites per network and will be adding an area 3 and 4 in the near future.
The problem is that we are starting to use PA200s as the remote appliance (the head-ends are all PA5020 HA pairs). Documentation that we found on the website says the PA200 can only support 1000 OSPF routes. This will be a problem as we grow. I have set them up with full OSPF routes so they can get to either head-end. I would like to continue to use them because the traffic is low and their cost is less than the Juniper SSG 550Ms that we have been using.
So my thought was to try to filter the areas from one another. The remotes need to get to the management zone so they need area 0. However, area 1 will never talk to area 2.
Would using two VRs at the area head-ends allow me to control redistribution between the two? I am having a hard time finding documentation other than basic setup, which I have.
The 1000 route limit is really a data-plane Forwarding Table limitation and not an OSPF-LSDB or Routing Table limitation. Unfortunately this distinction really works more to your advantage with BGP on our boxes since you can manipulate the routes as they enter and exit the Routing Table from the routing protocol. We don't provide those filtering functions for OSPF today.
I would recommend one of two approaches:
I would probably go with #1 since it is the easiest to configure and leaves the smallest routing table on the smaller boxes. You essentially keep your specific local routes within the local area and then just get a nice default route out to area 0 and all other areas.