Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

How can I prevent OSPF from distributing WAN subnet

Hi all,

I have an XG firewall (v21) that I would like to use OSPF to distribute a couple of routes to my main network which is also using OSPF.  I configured it and it is passing routes but it is also passing the subnet for the WAN interface, which I don't want.  I made sure that "dynamic routing" was turned off on the WAN zone, but this route is still being included.  

Any way I can prevent the WAN subnet from being distributed?  Perhaps I'm missing something simple.  



Edited TAGs
[edited by: Erick Jan at 1:03 AM (GMT -8) on 24 Dec 2024]
Parents
  • Lets say we have the following in the device:

    Interface-1 : 10.1.1.0/24

    Interface-2 : 10.1.2.0/24

    If, in OSPF, we configure the network entry as 10.1.0.0/16, then both Interface-1 and Interface-2 would be included in OSPF.

    A simple solution to enable OSPF only on Interface-1 and not on Interface-2 would be to configure OSPF network entry to match the exact prefix configured in the interface - here, 10.1.1.0/24. 

    OSPF network configuration of only 10.1.1.0/24 would include Interface-1 in OSPF and not Interface-2. 

    Another solution would be to configure route-filtering via the CLI which would restrict the unwanted prefix from being advertised.

    Thanks,

  • How would I configure route-filtering via CLI?  I haven't been able to find a command.

    I am thinking the issue is that I have "Redistribute connected" enabled which is what I want to push the RED and VLAN interfaces automatically, it never occurred that it would also publish the network entry on a WAN zone.  

Reply Children
  • Hi  , 

    Yes, "redistribute connected" would include the prefixes of all the interfaces in the OSPF advertisements. To restrict the advertisement of one of the prefix, as in your case, we should use route-maps along with the redistribution. 

    Example: 

    Let one of the interfaces be configured with an ip in the subnet 10.255.0.0/24 and we want to prevent this prefix from being advertised.  In the backend CLI configuration, use the following: 

    ospf> enable

    ospf# config t

    ospf(config)#

    ospf(config)# access-list acl1 deny 10.255.0.0/24

    ospf(config)# access-list acl1 permit any

    ospf(config)# route-map map1 permit 5

    ospf(config-route-map)# match ip address acl1

    ospf(config-route-map)# exit

    ospf(config)# router ospf

    ospf(config-router)# redistribute connected route-map map1

    ospf(config-router)# exit

    ospf(config)# write

    Configuration saved to /conf/routing/ospfd.conf

    ospf(config)#

    With the above configuration, the prefixes of all the connected interfaces but 10.255.0.0/24 would be included in the OSPF advertisements. 

    Thanks, 

  • Hi,

    I think you may need to redistribute static subnets, not connected.
    And your subnets needs to be defined in an acl.

    I would try

    access-list 1 permit 192.168.1.0/24(your subnet)

    reoute-map RM1 permit 5

    match ip addres 1

    router ospf 100

    redistribute static subnets route-map RM1

    I have not tested this, but it think something like this will meet your requirement.

    Regards,