Filtered OSPF

cancel
Showing results for 
Search instead for 
Did you mean: 

Filtered OSPF

L3 Networker

I would like my PAN 5060 to learn one route from my OSPF infrastructure generally - but no others. The idea is that when this route is availalbe traffic would flow to the inside trusted interface of the PAN. But if that route drops out due to WAN circuit outage then a higher cost static route on the PAN would send the traffic down an IPSec tunnel. The group here has been relucant to have the PAN partipate in OSPF for design reasons I'm not sure of. But should my limited use of OSPF as in this example work? Thank you.

3 REPLIES 3

L4 Transporter

Hi,

 

More details on design and network topology would help to suggest better. In general, it is hard for you to decide which route to accept in OSPF. You can ofcourse put your PA as a Total Stub so that it wont accept any Type3,4,5. However you need to design it properly as other OSPF speaking neghbors will also be affected.

 

-BR

 

 

L2 Linker

 

This goes against the designed functionality of OSPF. BGP would be a more appropriate protocol to use for this scenario.

Cyber Elite
Cyber Elite

Hello,

As another option, this could be accomplished with Polciy Based Routing and a monitor. 

 

Have a static route that points all traffic out the secondary ISP.

 

Since PBF takes place prior to static routing, everything will go down the primary ISP via the PBF rule. If the IP in the Montior is unreachable, then the PBF is disabled and traffic will follow the static route you have defined to send down the secondary ISP. 

 

Once the primary ISP is available again, the monitor will notice and reenable the PBF so then all traffic will flow down the primary ISP path.

 

Additional detailed info:

 

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/80/pan-os/pan-os/sectio...

 

 

Hope that helps.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!