- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
12-01-2020 05:32 AM
I am trying to minimize some router's routing table, in a multi-area OSPF setup. As you can see in the attached diagram, my PA firewall is an ABR. It's also the core router of the entire network, DR on each OSPF area with no BDR (it's an HA active/standby setup).
PA Firewall's routing table is built by the routes advertised by each area, with very little statics. Each area has a couple of routers (Cisco L3 switches, HSRP client-side) and interacts with the firewall on a dedicated subnet (a /24 where the firewall is .1 and the two routers are .2 and .3, OSPF costs set to direct traffic to the HSRP active node). On some areas I have additional devices in charge of their own subnets (e.g. load balancers, vpn appliances). These devices get their traffic via static routes redistributed by the Cisco devices, so that the firewall knows that the specific subnet is down that link.
Now, the question: while the router in Area 3 does not receive all the Area 2 connected routes, I can't prevent it to receive the static ones. Is there a way to accomplish this? Should I turn the leaf areas to NSSA? Of course, "no redistribute static" on the leaf router is not an option here, since I still need the firewall to know where that subnet is. I'd also avoid configuring it as a "chain of static routes".
On our network, this would remove 67 unnecessary Ext-1 routes from each of our 28 "leaf" routers.
12-07-2020 01:15 AM
I found an excellent video about OSPF "non-normal" area types and solved my problem: https://www.youtube.com/watch?v=V986z5ltPDg
The answer to my question was to convert all the leaf areas to totally-nssa (area ### nssa on cisco core switches, area type NSSA with flag removed on "accept summary", and added on "advertise default route" on PanOS).
This led to minimal routing tables on core switches, with a default route learnt via OSPF. The firewall, by being the DR of all areas, including Area 0, still knows all the routes to everywhere, as intended.
12-07-2020 01:15 AM
I found an excellent video about OSPF "non-normal" area types and solved my problem: https://www.youtube.com/watch?v=V986z5ltPDg
The answer to my question was to convert all the leaf areas to totally-nssa (area ### nssa on cisco core switches, area type NSSA with flag removed on "accept summary", and added on "advertise default route" on PanOS).
This led to minimal routing tables on core switches, with a default route learnt via OSPF. The firewall, by being the DR of all areas, including Area 0, still knows all the routes to everywhere, as intended.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!