Hi all,
I have an XG firewall (v21) that I would like to use OSPF to distribute a couple of routes to my main network which is also using OSPF. I configured it and it is passing routes but it is also passing the subnet for the WAN interface, which I don't want. I made sure that "dynamic routing" was turned off on the WAN zone, but this route is still being included.
Any way I can prevent the WAN subnet from being distributed? Perhaps I'm missing something simple.
Hi Bill Roland,
Removing the network and areas under Routing > OSPF might help.
Refer to the doc: https://support.sophos.com/support/s/article/KBA-000004359?language=en_US
Regards
"Sophos Partner: Networkkings Pvt Ltd".
ACLs only stop "some peer" from communicating OSPF with the firewall, not what OSPF is doing. (An ACL is only a firewall rule to protect the service.)
I think you need to configure it on the CLI for restricting the routes.
__________________________________________________________________________________________________________________
Let's say we have the following in the device:
Interface-1 : 10.1.1.0/24
Interface-2 : 10.1.2.0/24
If, in OSPF, we configure the network entry as 10.1.0.0/16, then both Interface-1 and Interface-2 would be included in OSPF.
A simple solution to enable OSPF only on Interface-1 and not on Interface-2 would be to configure OSPF network entry to match the exact prefix configured in the interface - here, 10.1.1.0/24.
OSPF network configuration of only 10.1.1.0/24 would include Interface-1 in OSPF and not Interface-2.
Another solution would be to configure route-filtering via the CLI which would restrict the unwanted prefix from being advertised.
Thanks,
How would I configure route-filtering via CLI? I haven't been able to find a command.
I am thinking the issue is that I have "Redistribute connected" enabled, which is what I want in order to push the RED and VLAN interfaces automatically; it never occurred to me that it would also publish the network entry on a WAN zone.
Hi Bill Roland ,
Yes, "redistribute connected" would include the prefixes of all the interfaces in the OSPF advertisements. To restrict the advertisement of one of the prefixes, as in your case, we should use route-maps along with the redistribution.
Example:
Let one of the interfaces be configured with an IP in the subnet 10.255.0.0/24 and we want to prevent this prefix from being advertised. In the backend CLI configuration, use the following:
ospf> enable
ospf# config t
ospf(config)#
ospf(config)# access-list acl1 deny 10.255.0.0/24
ospf(config)# access-list acl1 permit any
ospf(config)# route-map map1 permit 5
ospf(config-route-map)# match ip address acl1
ospf(config-route-map)# exit
ospf(config)# router ospf
ospf(config-router)# redistribute connected route-map map1
ospf(config-router)# exit
ospf(config)# write
Configuration saved to /conf/routing/ospfd.conf
ospf(config)#
With the above configuration, the prefixes of all the connected interfaces but 10.255.0.0/24 would be included in the OSPF advertisements.
Thanks,
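To make the two mechanisms in this thread concrete (the `network` statement selecting interfaces by prefix containment, and `redistribute connected route-map` filtering prefixes through an access-list), here is an added Python model of that decision logic. It is not code from the thread or from Sophos; the interface names and addresses are constructed, and the access-list semantics are modelled on FRR/Quagga zebra-style ACLs (a non-`any` entry matches any prefix contained in it; first match wins; implicit deny at the end), which is an assumption about the backend.

```python
"""Model of which connected prefixes an OSPF router ends up advertising.

Two decisions are modelled:
  1. `network X area Y`  -> OSPF is enabled on interfaces whose address is inside X.
  2. `redistribute connected route-map M` -> each connected prefix is passed
     through the route-map; a sequence whose `match ip address ACL` clause
     is satisfied (ACL returns permit) applies its action; if no sequence
     matches, the prefix is dropped (implicit deny).
"""
from ipaddress import ip_interface, ip_network

# Constructed interface table (hypothetical; not from the thread).
INTERFACES = {
    "Port1-LAN": "10.1.1.1/24",
    "Port2-DMZ": "10.1.2.1/24",
    "Port3-WAN": "203.0.113.10/29",   # WAN prefix we do not want advertised
}

# Equivalent of:
#   access-list acl1 deny 203.0.113.8/29
#   access-list acl1 permit any
ACL1 = [("deny", "203.0.113.8/29"), ("permit", "any")]

# Equivalent of:
#   route-map map1 permit 5
#    match ip address acl1
ROUTE_MAP1 = [("permit", ACL1)]


def interfaces_matched_by_network(interfaces, network_stmt):
    """Return interface names whose address falls inside the `network` prefix."""
    net = ip_network(network_stmt)
    return sorted(name for name, addr in interfaces.items()
                  if ip_interface(addr).ip in net)


def acl_matches(acl, prefix):
    """Evaluate a zebra-style access-list: True if the first matching entry permits.

    Assumption: an entry like '10.255.0.0/24' matches the prefix itself and any
    more-specific prefix inside it (no `exact-match`); 'any' matches everything.
    """
    pfx = ip_network(prefix, strict=False)
    for action, pattern in acl:
        if pattern == "any" or pfx.subnet_of(ip_network(pattern)):
            return action == "permit"
    return False  # implicit deny


def redistribute_connected(interfaces, route_map):
    """Return the connected prefixes that survive the route-map, sorted."""
    advertised = []
    for _name, addr in interfaces.items():
        pfx = ip_interface(addr).network
        for action, acl in route_map:
            if acl_matches(acl, pfx):          # match clause satisfied
                if action == "permit":
                    advertised.append(str(pfx))
                break                           # first matching sequence decides
        # no sequence matched -> implicit deny, prefix not redistributed
    return sorted(advertised)


if __name__ == "__main__":
    print("network 10.1.0.0/16 enables:", interfaces_matched_by_network(INTERFACES, "10.1.0.0/16"))
    print("network 10.1.1.0/24 enables:", interfaces_matched_by_network(INTERFACES, "10.1.1.0/24"))
    print("redistribute connected route-map map1 advertises:",
          redistribute_connected(INTERFACES, ROUTE_MAP1))
```

Running it shows the two points made above: a broad `network 10.1.0.0/16` pulls in both 10.1.x interfaces while an exact `network 10.1.1.0/24` pulls in only Port1, and the deny-then-permit-any ACL inside the route-map drops 203.0.113.8/29 from the redistributed connected prefixes while leaving the LAN and DMZ prefixes untouched. Removing the `("permit", "any")` entry from `ACL1` is a quick way to see the implicit deny in action: nothing would be redistributed at all.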
Hi,
I think you may need to redistribute static subnets, not connected.
And your subnets need to be defined in an ACL.
I would try
access-list 1 permit 192.168.1.0/24(your subnet)
route-map RM1 permit 5
match ip address 1
router ospf 100
redistribute static subnets route-map RM1
I have not tested this, but I think something like this will meet your requirement.
Regards,