
OSPF - preventing Ext1 inter-area route redistribution

L3 Networker

I am trying to minimize some routers' routing tables in a multi-area OSPF setup. As you can see in the attached diagram, my PA firewall is an ABR. It's also the core router of the entire network and the DR on each OSPF area, with no BDR (it's an HA active/standby setup).

[Attached diagram: OSPF-trim.png]

The PA firewall's routing table is built from the routes advertised by each area, with very few statics. Each area has a couple of routers (Cisco L3 switches, HSRP on the client side) and interacts with the firewall on a dedicated subnet (a /24 where the firewall is .1 and the two routers are .2 and .3, with OSPF costs set to direct traffic to the HSRP active node). In some areas I have additional devices in charge of their own subnets (e.g. load balancers, VPN appliances). These devices get their traffic via static routes redistributed by the Cisco devices, so that the firewall knows that the specific subnet is down that link.

Now, the question: while the router in Area 3 does not receive all the Area 2 connected routes, I can't prevent it from receiving the static ones. Is there a way to accomplish this? Should I turn the leaf areas into NSSAs? Of course, "no redistribute static" on the leaf router is not an option here, since I still need the firewall to know where that subnet is. I'd also like to avoid configuring it as a "chain of static routes".

On our network, this would remove 67 unnecessary Ext-1 routes from each of our 28 "leaf" routers.

Accepted Solutions

L3 Networker

I found an excellent video about OSPF "non-normal" area types and solved my problem: https://www.youtube.com/watch?v=V986z5ltPDg
The answer to my question was to convert all the leaf areas to totally NSSA (area ### nssa on the Cisco core switches; area type NSSA with the "accept summary" flag removed and "advertise default route" added on PAN-OS).

[Attached screenshot: Schermata 2020-12-07 alle 10.12.14.png]

This led to minimal routing tables on core switches, with a default route learnt via OSPF. The firewall, by being the DR of all areas, including Area 0, still knows all the routes to everywhere, as intended.

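The trim the accepted answer describes, modelled as an added example (not code from the thread or from either vendor): which routes an internal router of a leaf area installs under each OSPF area type, and what the ABR (the firewall) still learns. The topology and prefixes are constructed, and it assumes every leaf area gets the same type and that the ABR injects a default route into every non-normal area (on PAN-OS the "advertise default route" flag from the thread; on a plain NSSA this is not automatic).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str
    origin_area: int        # area of the router that originates the route
    external: bool = False  # True = static redistributed by the L3 switches (Ext-1)

LEAF_TYPES = ("normal", "stub", "totally-stub", "nssa", "totally-nssa")

def leaf_routing_table(area, area_type, routes):
    """Prefixes an internal (non-ABR) router inside `area` installs, mapped to the
    OSPF route type. Assumes one ABR joins every leaf area to area 0, all leaf
    areas share `area_type`, and the ABR injects a default into non-normal areas."""
    table = {}
    for r in routes:
        if r.origin_area == area:
            if not r.external:
                table[r.prefix] = "intra"  # own connected subnet, always present
            elif area_type in ("normal", "nssa", "totally-nssa"):
                # own statics: type-5 (E1) in a normal area, type-7 (N1) in an NSSA;
                # a stub area cannot redistribute at all, so the static is dropped
                table[r.prefix] = "E1" if area_type == "normal" else "N1"
        elif not r.external:
            # other areas' subnets arrive as type-3 summaries unless the ABR is
            # set to "no-summary" ("accept summary" off on PAN-OS)
            if area_type in ("normal", "stub", "nssa"):
                table[r.prefix] = "IA"
        elif area_type == "normal":
            # other areas' statics arrive only as type-5, which an ABR never floods
            # into a stub or NSSA: these are the Ext-1 routes being trimmed
            table[r.prefix] = "E1"
    if area_type != "normal":
        table["0.0.0.0/0"] = "default"  # injected by the ABR
    return table

def abr_known_prefixes(area_type, routes):
    """Everything the ABR learns; only a stub area's statics are lost (cannot be redistributed)."""
    lost = area_type in ("stub", "totally-stub")
    return {r.prefix for r in routes if not (r.external and lost)}

def sample_routes():
    """Constructed topology: area 0 with two subnets; leaf areas 1-3 with two
    connected subnets each plus three statics redistributed by their switches."""
    routes = [Route("10.0.0.0/24", 0), Route("10.0.1.0/24", 0)]
    for a in (1, 2, 3):
        routes += [Route(f"10.{a}.{n}.0/24", a) for n in range(2)]
        routes += [Route(f"172.16.{10 * a + n}.0/24", a, True) for n in range(3)]
    return routes
```

Comparing `leaf_routing_table(3, "normal", ...)` with `leaf_routing_table(3, "totally-nssa", ...)` shows the other areas' Ext-1 and IA routes replaced by a single default, while `abr_known_prefixes` stays complete for NSSA types and loses the statics only for stub types.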
