How to Suppress OSPF Route


Overview

Sometimes you need more control over the routes learned from OSPF neighbors, including the ability to suppress them selectively. This document describes how to suppress routes that are learned from adjacent OSPF peers or within the Autonomous System (AS).

Details

As of now, only inter-area routes can be suppressed. Suppression of routes learned within the same area is not supported.

Steps

Follow the steps below to suppress inter-area routes:

  1. Open the appropriate virtual router configuration at Network > Virtual Routers
  2. Go to the OSPF > Areas tab
  3. Select the appropriate Area and go to the Range tab.
    Note: By default, the Palo Alto Networks firewall advertises all the OSPF routes (both intra-area and inter-area).
  4. Specify the networks that you want to suppress and select "Suppress" as the Action value.
    Note: Route suppression is always done at the ingress area.

Example scenario

Upstream device "A" (Area 0.0.0.1) ==> (Area 0.0.0.1) PaloAltoNetworks-Firewall "B" (Area 0.0.0.0) ==> Downstream device "C".

Route suppression must be configured on the ingress area (Area 0.0.0.1 on the PaloAltoNetworks-Firewall) to prevent routes learned from device "A" from being advertised into the backbone area (to device "C").

Troubleshooting

  1. Since the suppression is always performed on the ABR, the user can verify if the routes are being suppressed by looking under the LSDBs of the normal area routers (router that advertises the networks) and the ABRs (router where the routes are suppressed).

    The LSDB under the advertising router will have all the routes that it has learned and is currently advertising to its peer. The LSDB under the ABR (and on the routers behind it), will not have the routing information about the suppressed routes.
    > show routing protocol ospf lsdb

  2. Route suppression is not processed in sequential order; the largest supernet (least number of bits) always takes precedence. With the range configuration shown below, the bottom prefix overrides the "Advertise" action even though Advertise is the first action from top to bottom:
    1. 10.9.32.0/21 Advertise
    2. 10.9.0.0/16 Suppress

10.9.0.0/16 Suppress - This entry will prevent 10.9.32.0/21 from being advertised since the range 10.9.0.0/16 encompasses 10.9.32.0/21. Therefore, 10.9.32.0/21 is superseded and has an action of Suppress.

  3. A route that has a subnet equal to or smaller than the network being advertised cannot be suppressed. For example, if the Palo Alto Networks device is advertising 10.9.32.0/21, then 10.9.32.0/21 (or 10.9.32.0/22, /23, /24, /25 etc.) cannot be suppressed. However, a bigger subnet (such as 10.9.32.0/20 or 10.9.32.0/19, /18, /17 etc.) can be suppressed.
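The precedence rule from troubleshooting item 2 can be checked against a planned Range table before it is committed. The following is an added example, not Palo Alto Networks code: it models only the rule as stated in this article (the covering range with the fewest prefix bits decides the action), and the function names and the third sample entry are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the first two entries are this article's example,
# the third is a made-up unrelated range.
SAMPLE_RANGES = [
    ("10.9.32.0/21", "advertise"),
    ("10.9.0.0/16", "suppress"),
    ("192.168.50.0/24", "advertise"),
]

def effective_actions(ranges):
    """Apply the rule from the article: among all configured ranges that
    encompass an entry, the one with the fewest prefix bits decides the
    action, regardless of the order in which the entries are listed."""
    parsed = [(ipaddress.ip_network(p), a.lower()) for p, a in ranges]
    rows = []
    for net, action in parsed:
        # Every configured range that contains this entry (itself included).
        covering = [(n, a) for n, a in parsed
                    if n.version == net.version and net.subnet_of(n)]
        winner, winner_action = min(covering, key=lambda e: e[0].prefixlen)
        rows.append({"prefix": str(net), "configured": action,
                     "effective": winner_action, "decided_by": str(winner)})
    return rows

def shadowed(ranges):
    """Entries whose configured action is overridden by a wider range."""
    return [r for r in effective_actions(ranges)
            if r["configured"] != r["effective"]]

if __name__ == "__main__":
    for r in shadowed(SAMPLE_RANGES):
        print(f'{r["prefix"]}: configured {r["configured"]}, '
              f'effective {r["effective"]} (decided by {r["decided_by"]})')
```

Any entry reported by `shadowed` is one whose configured action will not take effect, which is the situation to look for when a prefix is unexpectedly missing from the downstream LSDB.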

owner: kprakash

Comments

This is a very useful article. Thanks a lot.

Should be reviewed and updated!  Thanks!