Filter ospf routes out to firewall.

inderjit21 · ‎08-10-2015

I have a cisco 3560 connected to Palo alto firewall. There is ospf neigborship established between 3560 and the firewall.

3560 injects all the ospf database routes to firewall. I want to filter out routes which firewall is receiving. There is no option on

the firewall how can I do it on 3560.

Mark Malone · ‎08-10-2015

Are both devices in the same ospf area?

You could try this, filter with route-map and distribute-list if type 3

http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/routmap.html

or if there type 5 lsa you could filter with summary-address x.x.x.x no advertise

http://www.getnetworking.net/ospf/ospf-external-route-summarization

just some options may help

inderjit21 · ‎08-10-2015

Both devices are in same area.

The cisco link talks about filtering inbound. But i need outbound filtering. Not sure

if ospf routes can be filtered outbound.

Mark Malone · ‎08-11-2015

Yes theres an issue around filtering outbound with ospf when in the same area due to the LSDB , from what i remember it only allows outbound filtering on ASBRs , this is because of it being link-state and every ospof device knowing about each other , one other way but i have never needed to test this so i cannot be sure of the results there is a neighbor command that allows you to filter out all LSAs neighbor x.x.x.x database-filter all out

Thats all i have if its in the same area maybe someone else has some other way im not aware of