Configuring multiple OSPF areas with a single L3 interface

L1 Bithead

I am trying to redistribute EIGRP routes from two AS numbers into OSPF so that my PA can learn the proper routes to the rest of the network, but I am running into a stumbling block since I only have one L3 interface connected to my internal network and the PA firewall will only allow a single OSPF area per interface. 

 

The PA is at a remote, unmanned location so I don't have the option of configuring a second interface.  Is there a way I can still accomplish my goal without configuring another L3 interface?

 

Here are the details of what I am trying to accomplish.  I have two Cisco routers and a PA firewall connected on the same VLAN to a switch.  Router #1 has EIGRP 100 configured, which needs to be redistributed to OSPF for the PA to learn.  Router #2 has EIGRP 100 and EIGRP 101 configured.  The routes from both of these AS numbers need to be redistributed to OSPF for the PA to learn, but I do not want router #1 to learn about the routes from AS 101.  I had no problem configuring area 0 to create an OSPF neighbor with router #2 and to have the routes from AS 101 redistributed.  When I try to create a new area to distribute the routes from AS 100, the PA requires a different interface than the one used for area 0. 

 

I'm using a PA3020 with PANOS 7.1.

Cyber Elite

Hello,

Since router #2 has both AS numbers, can't you, within that router, redistribute both 100 and 101 to OSPF? That way the PAN should learn all the routes and then you can filter on what to distribute back out?

 

Obviously I don't know the full topology so it's just a guess on my part.

 

Regards,

L1 Bithead

One option is multi-area adjacency, but I highly doubt PA supports it.

https://tools.ietf.org/html/rfc5185

 

Barring that, filtering within the same OSPF area is tough. Generally it's not something that you want to do, since the LSAs of every device in the area have to match. Is BGP an option for you? There's far more granularity in policy available.

 

Another option is to not filter the LSAs, but to modify the distance per neighbor, so that any routes from AS101 will not be installed into the RIB on R1.

Here's an article showing how you could do that but still have all three in the same area:

https://lpmazariegos.com/2016/04/02/ospf-filtering-with-administrative-distance/
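A sketch of the per-neighbor distance approach from the reply above, as an added example that is not part of the original thread or the linked article. It is Cisco IOS configuration for router #1; the OSPF process ID, router #2's OSPF router ID (192.0.2.2) and the AS 101 prefix (198.51.100.0/24) are placeholders, since the thread does not give the real values.

```cisco
! Router #1 (assumed OSPF process 1). All addresses below are placeholders.
!
! Standard ACL matching the prefixes that originate in EIGRP AS 101
! and that router #2 redistributes into OSPF.
access-list 10 remark Prefixes from EIGRP AS 101 (placeholder)
access-list 10 permit 198.51.100.0 0.0.0.255
!
router ospf 1
 ! distance <AD> <advertising-router-id> <wildcard> <acl>
 ! For OSPF the source is the router ID of the router that originated
 ! the LSA, here router #2 acting as ASBR (placeholder 192.0.2.2).
 ! An administrative distance of 255 marks the route as unusable, so
 ! it is never installed in the RIB on router #1.
 distance 255 192.0.2.2 0.0.0.0 10
!
! The LSAs are still flooded and stay in router #1's LSDB, so the
! link-state database remains identical across the area and the PA
! still learns both sets of routes.
!
! Checks on router #1 after the change:
!   show ip ospf database external 198.51.100.0   (LSA still present)
!   show ip route 198.51.100.0                    (no OSPF route installed)
```

Because the filter acts only on the local routing table, it controls where router #1 forwards traffic but does not hide the AS 101 prefixes from anyone who can read its LSDB.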
