Hi there,

An old post, but certainly worth unearthing! The behaviour you are seeing is to be expected in an OSPF topology. For OSPF to function correctly, each participating router in an area needs to have the same LSDB contents. This, as you have seen, can give sub-optimal routing paths as prefixes are advertised by seemingly distant routers.

You mention route suppression, but that will only work on an ABR, and as you said, all of the routers are in the same OSPF Area. However, using redistribution profiles in this topology would be the wrong approach, as to stop HA-B learning HA-A prefixes, HA-A would need to filter those routes. You end up in the paradox where all of the External routes are being filtered by HA-A (and HA-B), leaving the branch with no External routes in its LSDB.

The remaining OSPF solution would be to place the branch firewall in a stub area. A stub area will not receive External routes (Type-5) and instead the HA firewalls will advertise a default route. The branch will continue to advertise Types 1, 2 and 3 to the HA firewalls. This solution will result in the HA firewalls not viewing the branch router as a transit path.

Another option would be to use eBGP. The BGP path selection would ensure that prefixes being received by the HA firewalls which originate from the opposing HA firewall via the branch firewall would be ignored due to the local AS appearing in the AS_PATH.

cheers,
Seb.
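As an added illustration of the two mechanisms Seb describes (example code, not from the post or from any vendor), the following Python model runs the post's topology with HA-A and HA-B in one AS and the branch in another; the AS numbers, the prefix and the LSA records are constructed. It shows HA-B discarding the prefix that came back via the branch because its own AS is already in the AS_PATH, and a stub-area LSDB receiving a default route in place of Type-5 externals.

```python
from dataclasses import dataclass, field

# Constructed model of the post's topology: an HA pair (HA-A, HA-B) sharing
# one AS and a branch firewall in its own AS. Not vendor code; names are illustrative.

@dataclass
class BgpSpeaker:
    name: str
    asn: int
    rib: dict = field(default_factory=dict)   # prefix -> AS_PATH tuple; () = locally originated
    rejected: list = field(default_factory=list)

    def originate(self, prefix):
        self.rib[prefix] = ()

    def advertise(self, peer):
        """eBGP: prepend our own AS on every route sent to the peer."""
        for prefix, path in list(self.rib.items()):
            peer.receive(prefix, (self.asn,) + path)

    def receive(self, prefix, as_path):
        """eBGP inbound loop check: our own AS in AS_PATH means the route left
        our AS and came back, so it is dropped before path selection."""
        if self.asn in as_path:
            self.rejected.append((prefix, as_path))
            return False
        if prefix not in self.rib or len(as_path) < len(self.rib[prefix]):
            self.rib[prefix] = as_path
        return True


def stub_area_lsdb(lsas):
    """OSPF stub area: Type-5 externals are not flooded into the area; the ABR
    (here the HA firewall) injects a Type-3 default instead, so the branch never
    holds externals it could re-advertise towards the other HA member."""
    kept = [lsa for lsa in lsas if lsa["type"] != 5]
    kept.append({"type": 3, "prefix": "0.0.0.0/0"})
    return kept


def run_ebgp_scenario():
    """HA-A originates an external prefix; the branch relays it to HA-B."""
    ha_a, ha_b = BgpSpeaker("HA-A", 65001), BgpSpeaker("HA-B", 65001)
    branch = BgpSpeaker("Branch", 65002)
    ha_a.originate("10.1.0.0/16")   # constructed external prefix redistributed by HA-A
    ha_a.advertise(branch)          # branch learns it with AS_PATH (65001,)
    branch.advertise(ha_b)          # HA-B sees (65002, 65001): its own AS, so dropped
    return ha_b, branch
```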