01-25-2017 05:40 AM - edited 01-25-2017 05:58 AM
I would like to ignore some of the routes learned by OSPF so they don't install in the forwarding table. Important: I'm not talking about suppressing/filtering routes that my PA announces through OSPF.
To explain myself better, I'm looking for "OSPF Inbound Filtering" in the language of Cisco:
http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/routmap.html
Thanks in advance!!!
01-26-2017 08:26 PM
That should be a feature request. As a workaround you may want to use BGP or create static routes with less admin distance.
Regards,
Gerardo.
02-07-2017 12:45 AM - edited 02-07-2017 12:45 AM
Gerardo, thanks for your answer. I will look for the way to make that suggestion to the Palo Alto team.
Meanwhile, I have to find a way to prioritize static routes over dynamic routes. The administrative distance works when the prefix lengths of the routes are equal, but it appears that longer prefix length routes take precedence over shorter ones independent of administrative distance.
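The selection order described in this post, as an added example that is not part of the original thread and is not Palo Alto code: administrative distance only picks a winner among routes to the same prefix, and the forwarding lookup then takes the longest matching prefix. The prefixes, next hops and distance values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    admin_distance: int   # illustrative values, not vendor defaults
    next_hop: str

def net(cidr):
    return ipaddress.ip_network(cidr)

# Constructed sample RIB: a static /16 and OSPF-learned /16 and /24.
SAMPLE_RIB = [
    Route(net("10.20.0.0/16"), "static", 10, "192.0.2.1"),
    Route(net("10.20.0.0/16"), "ospf", 110, "198.51.100.1"),
    Route(net("10.20.30.0/24"), "ospf", 110, "198.51.100.1"),
]

def build_fib(rib):
    """Step 1: per identical prefix, keep the lowest admin distance."""
    best = {}
    for route in rib:
        current = best.get(route.prefix)
        if current is None or route.admin_distance < current.admin_distance:
            best[route.prefix] = route
    return list(best.values())

def lookup(fib, destination):
    """Step 2: longest prefix match; admin distance plays no part here."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in fib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

if __name__ == "__main__":
    fib = build_fib(SAMPLE_RIB)
    # The OSPF /24 wins for 10.20.30.5 although the static /16 has a
    # lower admin distance.
    print(lookup(fib, "10.20.30.5"))
    # A static route with the same /24 prefix length displaces it.
    fib = build_fib(SAMPLE_RIB + [Route(net("10.20.30.0/24"), "static", 10, "192.0.2.1")])
    print(lookup(fib, "10.20.30.5"))
```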
02-08-2017 01:12 PM
Yes, that's expected behavior; shorter prefix lengths will take over. Admin distance will only matter when you have the same route (including prefix length) coming from different routing protocols (static, ospf, bgp...). In addition, OSPF is an internal gateway protocol, so it is assumed that the routes are coming from controlled sources (where only the required routes are advertised); the only options left are changing to BGP (EGP) or configuring static routes using the same prefix length.
As a side note, to check the installed routes in the dataplane you can use the following command:
>show routing fib
regards,
Gerardo.
02-08-2017 03:49 PM
Your other option here is to switch to BGP for route distribution. This would then give you full control of import and export policies throughout the enterprise to handle these cases as you desire.
02-09-2017 12:43 AM - edited 02-09-2017 12:50 AM
Gerardo and Steve, thank you for your suggestions. The problem is that OSPF is forced by my provider and I can't change this 😞
Gerardo, you're right, I shouldn't receive these routes through OSPF. Plan B is that my provider filters these routes.
Steve, I see that you found this other thread by yourself 😉
02-12-2017 06:03 AM
You could perhaps move your provider peering via OSPF into a separate virtual router. Then use BGP from this VR to your main VR with the controls you need to have in place.
03-14-2017 06:01 AM
Steve, thank you for your last solution. Perhaps it could work.
Finally I solved my problem by changing the type of OSPF area from standard to NSSA. This way we only receive the default route from our OSPF peer and at the same time we announce our routes.