Can OSPF Route Suppression Address Range Include a Default Route?
Issue
A user configures the default route 0.0.0.0/0 as the address range intended to suppress all routes learnt in one area (Area 1 in this scenario) from being advertised into another area (Area 0). Route suppression does not occur and the routes are still advertised into Area 0.
Resolution
The Palo Alto Networks firewall performs summarization only for Type 3 summary-LSAs; that is, only inter-area routes can be advertised or suppressed. The receiving area sees a Type 3 summary-LSA whose Link State ID is the summarized prefix. Hence the address range configured on the ABR is always an "IP address/mask" pair covering routes learnt in the area being summarized. It cannot be the default route 0.0.0.0/0, and a default route plays no role in route suppression or advertisement. The address range used for route suppression must be a supernet that contains the actual learnt prefix that needs to be suppressed.
Per RFC 2328 (the RFC uses the term DoNotAdvertise where Palo Alto Networks uses the term Suppress):
"List of address ranges: An OSPF area is defined as a list of address ranges. It describes the collection of IP addresses contained in the address range. Remember that an area has a configured list of address ranges, each range consisting of an [address,mask] pair and a status indication of either Advertise or DoNotAdvertise. At most a single Type 3 summary-LSA is originated for each range. When the range's status indicates DoNotAdvertise, the Type 3 summary-LSA is suppressed and the component networks remain hidden from other areas."
Note: Route summarization (route suppression or advertisement) is always configured on the ABR, under the ingress area where the routes are learnt. Here the ingress area is Area 1 (0.0.0.1).
Review the following example:
Firewall A (Router ID 1.1.1.1) and Firewall B (Router ID 2.2.2.2) belong to the backbone Area 0. Firewall C (Router ID 3.3.3.3) is in Area 1, with one of its interfaces connected to Firewall B. Firewall B is the ABR and must suppress the routes 192.168.32.0/24 and 7.7.7.0/24 learnt from Firewall C so that they are not advertised to Firewall A.
Non-working scenario: the default route 0.0.0.0/0 is used for route suppression.
The address range configured for route suppression on Firewall B is 0.0.0.0/0, as shown in the following screenshot from Firewall B, the ABR that has to suppress the routes learnt from Firewall C in Area 1. Rather than an address range that contains the learnt prefixes, 0.0.0.0/0 is used.
As a result, the link state database on Firewall A still shows the routes 192.168.32.0/24 and 7.7.7.0/24 advertised as Type 3 summary-LSAs by the ABR (2.2.2.2), and Firewall A installs them as inter-area OSPF routes:
> show routing protocol ospf lsdb
VIRTUAL ROUTER: default (id 1)
==========
VR  Area ID  Orig RTR ID  LS ID            LSA Type             Seq Number  CheckSum    Age   Size
1   0.0.0.0  1.1.1.1      1.1.1.1          type-1 (Router)      0x80000003  0x00004EAF  1163  48
1   0.0.0.0  2.2.2.2      2.2.2.2          type-1 (Router)      0x80000003  0x0000CF61  1164  48
1   0.0.0.0  2.2.2.2      7.7.7.0/24       type-3 (Summary)     0x80000002  0x000094A0  1194  28
1   0.0.0.0  2.2.2.2      192.168.32.0/24  type-3 (Summary)     0x80000001  0x0000E4D2  674   28
1   0.0.0.0  2.2.2.2      3.3.3.3          type-4 (AS summary)  0x80000002  0x0000F844  1180  28
> show routing route type ospf
VIRTUAL ROUTER: default (id 1)
==========
destination      nexthop      metric  flags  age   interface    next-AS
7.7.7.0/24       10.66.24.31  20      A Oo   3048  ethernet1/3
10.66.24.0/23    0.0.0.0      10      Oi     3048  ethernet1/3
192.168.32.0/24  10.66.24.31  30      A Oo   769   ethernet1/3
Working scenario: a supernet address range is used for route suppression.
Use a supernet address range that contains the routes to be suppressed. The following screenshot is from Firewall B, which has to suppress the routes learnt from Firewall C in Area 1. The supernet 192.168.32.0/23 is used to suppress 192.168.32.0/24, and 7.7.7.0/23 (whose network address is 7.7.6.0/23, a range that covers 7.7.7.0/24) is used to suppress 7.7.7.0/24:
Now the link state database on Firewall A no longer contains Type 3 summary-LSAs for 192.168.32.0/24 and 7.7.7.0/24, and the routes are gone from its OSPF routing table:
> show routing protocol ospf lsdb
VIRTUAL ROUTER: default (id 1)
==========
VR  Area ID  Orig RTR ID  LS ID    LSA Type             Seq Number  CheckSum    Age  Size
1   0.0.0.0  1.1.1.1      1.1.1.1  type-1 (Router)      0x80000004  0x00004CB0  251  48
1   0.0.0.0  2.2.2.2      2.2.2.2  type-1 (Router)      0x80000004  0x0000CD62  251  48
1   0.0.0.0  2.2.2.2      3.3.3.3  type-4 (AS summary)  0x80000003  0x0000F645  267  28
> show routing route type ospf
VIRTUAL ROUTER: default (id 1)
==========
destination    nexthop  metric  flags  age   interface    next-AS
10.66.24.0/23  0.0.0.0  10      Oi     4003  ethernet1/3
total routes shown: 1
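As an added example (not part of the original article and not Palo Alto Networks code), the following Python model applies the RFC 2328 section 12.4.3 summarization rules to the two scenarios above, so that a configured set of area address ranges can be checked before commit for whether it really hides the prefixes it is meant to hide. The prefixes are the article's; the route costs, the function names and the rule that the most specific of several nested ranges wins are assumptions made for illustration.

```python
from ipaddress import IPv4Network

# Constructed sample input mirroring the article's topology: the two
# intra-area prefixes Firewall B (the ABR) learnt from Firewall C in Area 1,
# with hypothetical OSPF costs.
AREA1_INTRA_ROUTES = {
    IPv4Network("192.168.32.0/24"): 20,
    IPv4Network("7.7.7.0/24"): 10,
}


def parse_ranges(ranges):
    """Turn [(prefix, "advertise"|"suppress"), ...] into [(IPv4Network, action)].

    Two points from the article are enforced here:
      * 0.0.0.0/0 is a default route, not an area address range, so it is
        rejected instead of being accepted and silently doing nothing;
      * a range is an [address, mask] pair, so a prefix with host bits set
        (the article's 7.7.7.0/23) is normalised to its network address
        (7.7.6.0/23), which is what is actually compared against routes.
    """
    parsed = []
    for prefix, action in ranges:
        net = IPv4Network(prefix, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{prefix}: a default route cannot be an OSPF area range")
        if action not in ("advertise", "suppress"):
            raise ValueError(f"{prefix}: action must be advertise or suppress")
        parsed.append((net, action))
    return parsed


def type3_lsas(intra_routes, ranges):
    """Model which Type 3 summary-LSAs an ABR originates into another area.

    Follows RFC 2328 section 12.4.3: a route not contained in any range is
    advertised as-is; routes contained in an "advertise" range are collapsed
    into a single LSA for the range whose cost is the highest component cost;
    routes contained in a "suppress" (DoNotAdvertise) range are hidden.
    Assumption: when nested ranges both contain a route, the most specific
    range wins.
    """
    lsas = {}
    for dest, cost in intra_routes.items():
        covering = [(net, act) for net, act in ranges if dest.subnet_of(net)]
        if not covering:
            lsas[dest] = cost          # no range matches: the /24 leaks unchanged
            continue
        net, action = max(covering, key=lambda r: r[0].prefixlen)
        if action == "suppress":
            continue                   # DoNotAdvertise: component stays hidden
        lsas[net] = max(lsas.get(net, 0), cost)
    return lsas


def leaked(intra_routes, ranges, must_hide):
    """Return the prefixes in must_hide that would still be visible in the
    receiving area, either as themselves or inside an advertised range."""
    lsas = type3_lsas(intra_routes, ranges)
    return sorted(
        str(p) for p in must_hide
        if any(IPv4Network(p).subnet_of(adv) for adv in lsas)
    )


if __name__ == "__main__":
    want_hidden = ["192.168.32.0/24", "7.7.7.0/24"]

    # Non-working scenario: the "range" is the default route.
    try:
        parse_ranges([("0.0.0.0/0", "suppress")])
    except ValueError as exc:
        print("rejected:", exc)
    # With no usable range the ABR originates one Type 3 LSA per route.
    print("no ranges ->", type3_lsas(AREA1_INTRA_ROUTES, []))

    # Working scenario: supernets that contain the routes, marked suppress.
    good = parse_ranges([("192.168.32.0/23", "suppress"), ("7.7.7.0/23", "suppress")])
    print("supernet ranges ->", type3_lsas(AREA1_INTRA_ROUTES, good))
    print("still leaking:", leaked(AREA1_INTRA_ROUTES, good, want_hidden))

    # A range that misses one route: 192.168.33.0/24 does not contain 192.168.32.0/24.
    miss = parse_ranges([("192.168.33.0/24", "suppress"), ("7.7.7.0/23", "suppress")])
    print("still leaking:", leaked(AREA1_INTRA_ROUTES, miss, want_hidden))
```

Running the script shows the default-route range being rejected outright, the two /23 supernets hiding both prefixes (with 7.7.7.0/23 normalised to 7.7.6.0/23), and a deliberately wrong range, 192.168.33.0/24, leaving 192.168.32.0/24 visible in the backbone exactly as the first lsdb output above shows. The same `leaked` check can be run against any planned range list and the prefixes seen with `show routing route type ospf` on the ABR before the configuration is committed.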
owner: gchandrasekaran