Contributor
Posts: 10
Registered: ‎12-20-2013
0 Kudos
Accepted Solution

OSPF Route Filter - Seeing Unexpected Route

Hello,

 

I'm trying to configure an SRX firewall with a route filter to filter incoming OSPF routes. The following is the route filter config:

 

policy-statement Greenland-OPSF-import {
    term allow {
        from {
            protocol ospf;
            route-filter 10.18.254.240/29 exact;
            route-filter 10.18.95.0/24 exact;
            route-filter 10.18.70.0/24 exact;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

 

I've applied this to OSPF:

 

user@FW# show protocols ospf
import Greenland-OPSF-import;
area 30.30.30.30 {
    interface irb.50 {
        passive;
    }
    interface st0.1;
}

 

Besides the 3 routes that I've put in the route filter list I'm also seeing a 10.118.95.0/24 route. Where is that coming from? 

 

user@FW> show route protocol ospf

inet.0: 23 destinations, 26 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.18.70.0/24      *[OSPF/150] 00:12:30, metric 1, tag 209
                    > via st0.1
10.18.95.0/24       [OSPF/10] 00:12:30, metric 3
                    > via st0.1
10.18.254.240/29   *[OSPF/10] 00:12:30, metric 2
                    > via st0.1
10.118.95.0/24      [OSPF/10] 00:12:30, metric 3
                    > via st0.1
172.17.0.0/30       [OSPF/10] 00:12:30, metric 1
                    > via st0.1
224.0.0.5/32       *[OSPF/10] 01:55:37, metric 1
                      MultiRecv

Distinguished Expert
Posts: 4,762
Registered: ‎03-30-2009

Re: OSPF Route Filter - Seeing Unexpected Route

OSPF import policies only allow the filtering of external routes. 

 

In the import statement, you list the name of the routing policy used to filter OSPF external routes from being installed into the routing tables of OSPF neighbors. You can filter the routes, but not link-state address (LSA) flooding. An external route is a route that is outside the OSPF Autonomous System (AS). The import policy does not impact the OSPF database. This means that the import policy has no impact on the link-state advertisements.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/ospf-routing-policy-understanding.h...


Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 16
Registered: ‎06-16-2016

Re: OSPF Route Filter - Seeing Unexpected Route

Like spuluka said, you can only filter external routes, so your existing policy only applies to the 10.18.70.0/24 route. The other subnets mentioned in your "allow" term will still show up in your table even if you remove them from the term because they are not external routes.
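
The distinction drawn in the replies above, as an added example that is not part of the original thread: a Python check that parses the posted `show route protocol ospf` output and separates external routes, which the import policy can filter, from internal ones, which it cannot. It assumes the Junos default preferences (10 for internal OSPF routes, 150 for OSPF AS external) are unchanged; the function names and verdict strings are illustrative.

```python
import ipaddress
import re

# Assumption: Junos default preferences are in effect, so preference 150
# identifies an OSPF AS external route and 10 an internal one.
OSPF_EXTERNAL_PREF = 150

# Unicast entries of "show route protocol ospf" as posted in the thread.
SHOW_ROUTE = """\
10.18.70.0/24 *[OSPF/150] 00:12:30, metric 1, tag 209
> via st0.1
10.18.95.0/24 [OSPF/10] 00:12:30, metric 3
> via st0.1
10.18.254.240/29 *[OSPF/10] 00:12:30, metric 2
> via st0.1
10.118.95.0/24 [OSPF/10] 00:12:30, metric 3
> via st0.1
172.17.0.0/30 [OSPF/10] 00:12:30, metric 1
> via st0.1
"""

# Prefixes from the "exact" route-filters in the posted allow term.
ALLOW_EXACT = ["10.18.254.240/29", "10.18.95.0/24", "10.18.70.0/24"]
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*?\[OSPF/(\d+)\]")

def parse_ospf_routes(text):
    """Return (network, preference) for each route entry; next-hop lines are skipped."""
    hits = (ROUTE_RE.match(line.strip()) for line in text.splitlines())
    return [(ipaddress.ip_network(m.group(1)), int(m.group(2))) for m in hits if m]

def audit(text, allow_exact):
    """Map each prefix to how the OSPF import policy relates to it."""
    allowed = {ipaddress.ip_network(p) for p in allow_exact}
    report = {}
    for net, pref in parse_ospf_routes(text):
        if pref != OSPF_EXTERNAL_PREF:
            # Internal route: the import policy does not filter it.
            report[str(net)] = "internal-unfiltered"
        elif net in allowed:
            report[str(net)] = "external-accepted"
        else:
            report[str(net)] = "external-should-be-rejected"
    return report

def outside_allow_list(text, allow_exact):
    """Internal routes present in the table although the allow term does not list them."""
    rep = audit(text, allow_exact)
    return sorted(p for p, v in rep.items() if v == "internal-unfiltered" and p not in allow_exact)
```

Run against the posted output, `outside_allow_list` returns 10.118.95.0/24 and 172.17.0.0/30, the two internal routes the route filter was expected to keep out.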

Contributor
Posts: 10
Registered: ‎12-20-2013
0 Kudos

Re: OSPF Route Filter - Seeing Unexpected Route

Thanks guys, that is helpful. So if I only wanted to see internal OSPF routes and nothing external I'd simply use a deny all route filter?

Contributor
Posts: 16
Registered: ‎06-16-2016
0 Kudos

Re: OSPF Route Filter - Seeing Unexpected Route

If you just want to do it to that one specific router, then yes. You can also just turn the area into a stub and not have to deal with policies. Of course this affects all the routers in that area.

Contributor
Posts: 10
Registered: ‎12-20-2013
0 Kudos

Re: OSPF Route Filter - Seeing Unexpected Route

I'm playing around with stub areas. It has the desired effect of external routes not propagating. The problem is that the routes from the stub area aren't being propagated to the main area. For devices in the main area, I'm seeing a summary route to the interface on the adjacent device in the stub area but none of the routes in the stub area. Is there something I need to do to get stub area routes advertised into the main area?

Highlighted
Distinguished Expert
Posts: 4,762
Registered: ‎03-30-2009
0 Kudos

Re: OSPF Route Filter - Seeing Unexpected Route

On the ABR where you connect to the stub area add the "no summaries" option to your OSPF area setup.

 

example

 

set protocols ospf area 0.0.0.128 stub no-summaries
