
OSPF Route Filter - Seeing Unexpected Route

‎05-01-2017 10:54 AM

Hello,

 

I'm trying to configure a SRX firewall with a route filter to filter incoming OSPF routes. The following is the route filter config:

 

policy-statement Greenland-OPSF-import {
    term allow {
        from {
            protocol ospf;
            route-filter 10.18.254.240/29 exact;
            route-filter 10.18.95.0/24 exact;
            route-filter 10.18.70.0/24 exact;
        }
        then accept;
    }
    term reject {
        then reject;
    }
}

 

I've applied this to OSPF:

 

user@FW# show protocols ospf
import Greenland-OPSF-import;
area 30.30.30.30 {
    interface irb.50 {
        passive;
    }
    interface st0.1;
}

 

Besides the 3 routes that I've put in the route filter list I'm also seeing a 10.118.95.0/24 route. Where is that coming from? 

 

user@FW> show route protocol ospf

inet.0: 23 destinations, 26 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.18.70.0/24      *[OSPF/150] 00:12:30, metric 1, tag 209
                    > via st0.1
10.18.95.0/24       [OSPF/10] 00:12:30, metric 3
                    > via st0.1
10.18.254.240/29   *[OSPF/10] 00:12:30, metric 2
                    > via st0.1
10.118.95.0/24      [OSPF/10] 00:12:30, metric 3
                    > via st0.1
172.17.0.0/30       [OSPF/10] 00:12:30, metric 1
                    > via st0.1
224.0.0.5/32       *[OSPF/10] 01:55:37, metric 1
                      MultiRecv

6 REPLIES
Solution
Accepted by topic author mdhtbm
‎05-03-2017 09:55 AM

Re: OSPF Route Filter - Seeing Unexpected Route

‎05-01-2017 04:20 PM

OSPF import policies only allow the filtering of external routes. 

 

In the import statement, you list the name of the routing policy used to filter OSPF external routes from being installed into the routing tables of OSPF neighbors. You can filter the routes, but not link-state address (LSA) flooding. An external route is a route that is outside the OSPF Autonomous System (AS). The import policy does not impact the OSPF database. This means that the import policy has no impact on the link-state advertisements.

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/ospf-routing-policy-understanding.h...

 


Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: OSPF Route Filter - Seeing Unexpected Route

‎05-03-2017 09:51 AM

Like spuluka said, you can only filter external routes, so your existing policy only applies to the 10.18.70.0/24 route. The other subnets mentioned in your "allow" term will still show up in your table even if you remove them from the term because they are not external routes.
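Added example (not part of the thread or of Juniper's documentation): a Python check that reads the `show route protocol ospf` lines from the question and separates the external route an import policy can act on from the internal routes it cannot. It assumes default Junos OSPF preferences (10 internal, 150 external); `audit_ospf_routes` and the bucket names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: route lines copied from the output posted in the question.
SAMPLE = """\
10.18.70.0/24 *[OSPF/150] 00:12:30, metric 1, tag 209
10.18.95.0/24 [OSPF/10] 00:12:30, metric 3
10.18.254.240/29 *[OSPF/10] 00:12:30, metric 2
10.118.95.0/24 [OSPF/10] 00:12:30, metric 3
172.17.0.0/30 [OSPF/10] 00:12:30, metric 1
224.0.0.5/32 *[OSPF/10] 01:55:37, metric 1
"""

# The three `exact` route-filter prefixes from the policy in the question.
ALLOWED = {ipaddress.ip_network(p) for p in
           ("10.18.254.240/29", "10.18.95.0/24", "10.18.70.0/24")}

# Assumption: default Junos OSPF preferences (10 internal, 150 AS external).
EXTERNAL_PREF = 150
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*?\[OSPF/(\d+)\]")


def audit_ospf_routes(text, allowed=ALLOWED):
    """Sort installed OSPF routes by whether an import policy can act on them."""
    report = {"external": [], "internal_allowed": [], "internal_outside_allowlist": []}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # next-hop lines, headers, blanks
        prefix, pref = ipaddress.ip_network(m.group(1)), int(m.group(2))
        if prefix.is_multicast:
            continue  # 224.0.0.5/32 is the local OSPF multicast entry, not a learned route
        if pref == EXTERNAL_PREF:
            report["external"].append(str(prefix))  # import policy is evaluated here
        elif prefix in allowed:
            report["internal_allowed"].append(str(prefix))
        else:
            # Internal route computed from the link-state database; the import
            # policy is never consulted, so the allow-list cannot remove it.
            report["internal_outside_allowlist"].append(str(prefix))
    return report


if __name__ == "__main__":
    for bucket, prefixes in audit_ospf_routes(SAMPLE).items():
        print(f"{bucket}: {', '.join(prefixes) or '-'}")
```

Any prefix reported under `internal_outside_allowlist` has to be controlled through area design rather than through the import policy.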


Re: OSPF Route Filter - Seeing Unexpected Route

‎05-03-2017 09:57 AM

Thanks guys, that is helpful. So if I only wanted to see internal OSPF routes and nothing external I'd simply use a deny all route filter?


Re: OSPF Route Filter - Seeing Unexpected Route

‎05-03-2017 11:20 AM

If you just want to do it to that one specific router, then yes. You can also just turn the area into a stub and not have to deal with policies. Of course this affects all the routers in that area.


Re: OSPF Route Filter - Seeing Unexpected Route

‎05-12-2017 08:41 AM

I'm playing around with stub areas. It has the desired effect of external routes not propagating. The problem is that the routes from the stub area aren't being propagated to the main area. For devices in the main area, I'm seeing a summary route to the interface on the adjacent device in the stub area but none of the routes in the stub area. Is there something I need to do to get stub area routes advertised into the main area?


Re: OSPF Route Filter - Seeing Unexpected Route

‎05-13-2017 09:31 AM

On the ABR where you connect to the stub area add the "no summaries" option to your OSPF area setup.

 

example

 

set protocols ospf area 0.0.0.128 stub no-summaries

Steve Puluka BSEET