01-19-2007 01:47 PM - edited 03-03-2019 03:25 PM
Hi,
We have a hub and spoke topology and are running OSPF. I would like to implement a route filter at the hub so that a spoke can't just advertise any unauthorized network to the hub. I read up the SAFE white paper and it stated that a distribute-list won't stop the OSPF advertisement; it just won't install the route in the routing table on that hub router. Is there any other way to filter unwanted network advertisements?
Thanks.
01-19-2007 02:11 PM
Kevin,
You are correct. Distribute-list in will only stop routes from getting installed in the routing table. OSPF would still have that LSA in the database. As you may know, OSPF doesn't support distribute-list out, as it doesn't send routing updates but rather LSAs to neighbors. One of the basic requirements of OSPF is that every router in an area should have an identical OSPF database. Hence, filtering has to be done individually on every OSPF router in that area.
However, you can workaround this by configuring every spoke to be in a different area and thus the only router you would need to apply the distribute-list would be the hub router itself.
HTH
Sundar
01-19-2007 05:24 PM
Thanks. I was hoping there is an easier way to do this.
01-20-2007 03:09 AM
Hi Kevin,
Can you elaborate how many spoke routers you have?
You can also consider turning your sites into stubby areas.
Regards,
Prince
01-20-2007 10:12 AM
I have about 20 hubs within area 0 and each hub has 30 spokes. I just want to control what a spoke can advertise back to the hub for security purposes, so no one from the spoke can advertise an unauthorized network through OSPF. I don't see how a stubby area can prevent this from happening.
01-20-2007 10:48 AM
Dear Kevin,
Use the design below:
20 hub routers, each hub router joining the backbone area and acting as an ABR router to all connected spokes; then configure all spokes as NSSA areas; then on each spoke router make the OSPF network command cover only the serial interfaces that connect the spoke to the ABR router (Network 1.1.1.1 0.0.0.0 area 1); then redistribute the LAN addresses using a route-map, so new subnets must be explicitly configured on the route-map to be advertised.
And if you are concerned about the redistributed route type, which by default will be E2 (each spoke router will send the LSA-7, which is translated to LSA-5 at the ABR level), you can use a route-map to change the route type at the ABR.
Please rate helpful posts
Best Regards,
Mounir Mohamed
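Putting Sundar's suggestion (one area per spoke, distribute-list in only at the hub) and Mounir's design (spokes as NSSA areas, network statement covering only the uplink, LAN prefixes redistributed through a route-map) into IOS configuration. This is an added example, not configuration from the original thread or from either poster; the interface names, addresses, area numbers, and the prefix-list and route-map names are placeholders chosen for the illustration.

```cisco
! ===== Spoke router, site 1 (constructed example; addresses are placeholders) =====
!
! Only the uplink toward the hub is covered by the OSPF network command, so a
! LAN interface is never placed into OSPF just by being configured with an address.
interface Serial0/0
 description uplink to hub ABR
 ip address 10.255.1.2 255.255.255.252
!
interface GigabitEthernet0/0
 description site LAN
 ip address 192.168.1.1 255.255.255.0
!
! Only the LAN prefixes listed here are eligible for redistribution; a new subnet
! has to be added to this prefix-list before it is advertised toward the hub.
ip prefix-list SITE1-LAN seq 10 permit 192.168.1.0/24
!
route-map LAN-TO-OSPF permit 10
 match ip address prefix-list SITE1-LAN
!
router ospf 1
 router-id 10.255.1.2
 area 1 nssa
 network 10.255.1.2 0.0.0.0 area 1
 redistribute connected subnets route-map LAN-TO-OSPF
!
! ===== Hub router (ABR), constructed example =====
!
! The hub sits in area 0 toward the other hubs and owns one NSSA per spoke
! (area 1 for spoke 1, area 2 for spoke 2, and so on).
interface Serial0/0
 description link to spoke 1
 ip address 10.255.1.1 255.255.255.252
!
interface Loopback0
 description backbone router-id (placeholder)
 ip address 10.0.0.1 255.255.255.255
!
! Independent check on the hub: only the address block assigned to the spoke
! sites may be installed from OSPF into the hub's routing table.
ip prefix-list SPOKE-ALLOWED seq 10 permit 192.168.0.0/16 ge 24 le 24
ip prefix-list SPOKE-ALLOWED seq 20 permit 10.0.0.0/8 le 32
!
router ospf 1
 router-id 10.0.0.1
 area 1 nssa
 network 10.0.0.1 0.0.0.0 area 0
 network 10.255.1.1 0.0.0.0 area 1
 distribute-list prefix SPOKE-ALLOWED in
```

Two points worth keeping in mind when applying this. The route-map on the spoke is only a control if the spoke's configuration is administered by the same team that runs the hub; anyone with configuration access to the spoke can change it, so the hub-side distribute-list is the check that does not depend on the spoke. And, as Sundar notes, that distribute-list only keeps the route out of the hub's own routing table; the LSA itself is still present in the hub's database for that area.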
01-21-2007 06:52 AM
This is a good idea. Thank you. I will give this idea some thought. Any drawback to doing redistribution of LAN networks on all 300 spokes?
01-21-2007 09:57 AM
Dear Kevin,
With pleasure. I believe there are no drawbacks to redistribution; actually, redistribution will reduce the router overhead, as it only injects some routes into the link-state topology table instead of using the network command to cover the interfaces and using passive-interface to stop adjacencies on such non-OSPF-aware interfaces.
Best Regards,
Mounir Mohamed