
How to ignore routes learned by OSPF


L1 Bithead

I would like to ignore some of the routes learned by OSPF so they don't install in the forwarding table. Important: I'm not talking about suppressing/filtering routes that my PA announces through OSPF.

To explain myself better, I'm looking for "OSPF Inbound Filtering" in the language of Cisco:

http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/routmap.html

 

Thanks in advance!!!

7 REPLIES 7

L4 Transporter

That should be a feature request. As a workaround, you may want to use BGP or create static routes with a lower admin distance.

 

Regards,

Gerardo.

Gerardo, thanks for your answer. I will look for the way to make that suggestion to the Palo Alto team.

Meanwhile, I have to find a way to prioritize static routes over dynamic routes. The administrative distance works when the prefix lengths of the routes are equal, but it appears that longer prefix length routes take precedence over shorter ones independent of administrative distance.

Yes, that's expected behavior; shorter prefix lengths will take over. Admin distance will only matter when you have the same route (including prefix length) coming from different routing protocols (static, OSPF, BGP...). In addition, OSPF is an internal gateway protocol, so it is assumed that the routes are coming from controlled sources (where only the required routes are advertised); the only options left are changing to BGP (EGP) or configuring static routes using the same prefix length.

As a side note, to check the installed routes in the dataplane you can use the following command:

>show routing fib 

 

regards,

Gerardo.
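
The interaction between prefix length and administrative distance discussed in the posts above, as an added example that is not part of the original thread. It is a generic model of route selection, not PAN-OS code; the prefixes, next hops and distance values are constructed for illustration.

```python
import ipaddress

# Constructed sample routes: (prefix, protocol, admin_distance, next_hop).
# Distances and addresses are illustrative assumptions, not values from the thread.
RIB = [
    ("10.1.0.0/16", "static", 10, "192.0.2.1"),    # operator's preferred path
    ("10.1.2.0/24", "ospf", 110, "198.51.100.1"),  # unwanted route learned from the peer
    ("0.0.0.0/0", "ospf", 110, "198.51.100.1"),
]


def build_fib(rib):
    """Step 1: admin distance is compared only between routes to the SAME prefix."""
    best = {}
    for prefix, proto, distance, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if net not in best or distance < best[net][1]:
            best[net] = (proto, distance, next_hop)
    return best


def lookup(fib, destination):
    """Step 2: forwarding picks the longest matching prefix; distance is not consulted."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in fib if addr in net]
    if not matches:
        return None
    net = max(matches, key=lambda n: n.prefixlen)
    proto, _distance, next_hop = fib[net]
    return str(net), proto, next_hop


def demo():
    """Return lookups before and after adding a static route of equal prefix length."""
    before = lookup(build_fib(RIB), "10.1.2.5")
    # Workaround from the thread: a static route with the same prefix length,
    # so that admin distance decides between static and OSPF.
    fixed_rib = RIB + [("10.1.2.0/24", "static", 10, "192.0.2.1")]
    after = lookup(build_fib(fixed_rib), "10.1.2.5")
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```
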

L7 Applicator

Your other option here is to switch to BGP for route distribution. This would then give you full control of import and export policies throughout the enterprise to handle these cases as you desire.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Gerardo and Steve, thank you for your suggestions. The problem is that OSPF is forced by my provider and I can't change this 😞

 

Gerardo, you're right, I shouldn't receive these routes through OSPF. The plan B is that my provider filters these routes.

 

Steve, I see that you found this other thread by yourself 😉

You could perhaps move your provider peering via OSPF into a separate virtual router. Then use BGP from this VR to your main VR with the controls you need to have in place.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Steve, thank you for your last solution. Perhaps it could work.

Finally, I solved my problem by changing the type of OSPF area from standard to NSSA. This way we only receive the default route from our OSPF peer and at the same time we announce our routes.
