Tuesday, October 19, 2021

OSPF Route Filtering

This weekend I was working with a managed customer to help partially redesign their network. We ran into a problem, however, with route propagation in OSPF, and as it's been a long time since I had to tune OSPF to any degree, I couldn't workshop a solution before the change window ran out and we reversed everything.

Basic network topology:

Meraki VPN concentrator (site A) - SRX FW (site A) - SRX FW (site B) - Cisco 4500 (site B) - Meraki VPN concentrator (site B)

I manage the SRXs, the customer manages the Merakis and the 4500. The whole thing will be in area 0, and doing OSPF between the SRX and the 4500 at site B is new; currently it's just statics. The issue is that the customer connects site-to-site and end-user VPNs into the Merakis, and the same subnets are dished out at either location. These subnets are advertised via OSPF into the network, meaning the routing can get confused. The customer wants us to filter the routes on the SRXs, but as I've learnt, it seems you can't filter internal routes on the SRXs, only external ones. So there's no way on the SRXs to block the routes coming in or to stop advertising them.

What I'm looking for is specifically a way on the SRXs of blocking the routes from the site A Meraki device, assuming changing the OSPF area is not possible.

In my head I can't see a way, and I think the customer needs to sort out how the Merakis handle the subnets that are handed out, or how they are advertised in OSPF. That, or the area needs changing so I can filter external routes. But that doesn't seem ideal, as then the network will never route traffic back to that Meraki (the site A one). Or we don't do OSPF between the SRX and the 4500 and add in high-cost static routes that are installed in the routing table if the OSPF routes are ever lost.
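To make the two options concrete, here is an added Junos configuration example (not the post's configuration, nor anything from the customer's SRXs). The prefix 10.200.0.0/24 standing in for the Meraki VPN pool, the 10.100.0.0/16 destination, and the next hop 192.0.2.1 are all assumed placeholders. The first part is the OSPF import policy the post refers to, which on Junos only ever filters external routes: a matching intra-area or inter-area route is still installed, because OSPF requires every router in the area to hold the same link-state database. The second part is the fallback static; Junos ranks competing routes by preference (lower wins) rather than cost, with static defaulting to 5, OSPF internal to 10 and OSPF external to 150, so the static needs a preference above 150 to sit behind every OSPF route.

```junos
## Part 1: OSPF import policy. On Junos this affects only external
## (type 5/7) routes; the "from external" match makes that explicit.
## Internal routes for the same prefix are installed regardless.
set policy-options prefix-list meraki-vpn-pools 10.200.0.0/24
set policy-options policy-statement drop-vpn-pools term externals from protocol ospf
set policy-options policy-statement drop-vpn-pools term externals from external
set policy-options policy-statement drop-vpn-pools term externals from prefix-list meraki-vpn-pools
set policy-options policy-statement drop-vpn-pools term externals then reject
set policy-options policy-statement drop-vpn-pools term default then accept
set protocols ospf import drop-vpn-pools

## Part 2: floating static towards the 4500 (placeholder next hop).
## Preference 200 keeps it inactive while any OSPF route (internal 10,
## external 150) for the prefix exists; it becomes active only when
## the OSPF route is withdrawn.
set routing-options static route 10.100.0.0/16 next-hop 192.0.2.1
set routing-options static route 10.100.0.0/16 preference 200
```

After committing, `show route 10.200.0.0/24 detail` shows whether the route that survived is OSPF internal (and therefore untouched by the policy) or external, and `show route 10.100.0.0/16` lists the static beneath the OSPF route with its preference, so you can confirm the fallback is present but inactive before the change window closes.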
