Filtering LSA's (OSPF)

  • I’m having some design issues with the following setup.

    70 remote sites connected to one central site through GRE tunnels. OSPF (Point to Point) is used for routing between the remote sites and the central site. Everything is in Area 0.

    What I would like is for each site to only have knowledge about its own networks and the networks at the central site… or in other words there should be no routing from one remote site to another.

    Is this possible somehow?

    EDIT: the central site has an SSG520M - the remote sites are Cisco 7200 series.

    Sorry, (I)BGP of course.

    Or as an alternative, use (e)BGP which allows filtering as you like.

  • As MaxPipeline mentioned, you cannot filter LSAs as this will break the fundamental properties of OSPF. The only way to prevent the LSA from being flooded is to prevent it from being injected on the device which is originating the LSA in the first place…

    On the other hand, you probably could do some interesting things by breaking the network into multiple areas (a separate non-backbone area for each remote site) and making the central site a backbone router in area 0 and also an ABR in the respective areas connected to each remote site. Between areas it is essentially distance-vector rather than link-state, and there are more options for aggregating, summarizing, and filtering routes which are passed between areas.
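A concrete sketch of that multi-area layout, added here as an editorial example and not something posted in the thread: the hub ABR is shown in Cisco IOS syntax purely for illustration (the thread's hub is a ScreenOS SSG520M, whose OSPF configuration differs), and every address, area number and prefix-list name below is constructed.

```cisco
! ---- Hub (ABR): area 0 for the hub LAN, one non-backbone area per remote site ----
! Constructed addressing: hub LAN 10.0.0.0/16, site 1 tunnel 172.16.1.0/30 (area 1),
! site 2 tunnel 172.16.2.0/30 (area 2). GRE tunnels are point-to-point by default.
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
!
interface Tunnel2
 ip address 172.16.2.1 255.255.255.252
!
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 network 172.16.1.0 0.0.0.3 area 1
 network 172.16.2.0 0.0.0.3 area 2
 ! Option A: totally stubby areas. The ABR injects only a default route into each
 ! remote area, so a remote site learns its own networks plus 0.0.0.0/0 via the hub
 ! and never sees Type-3 summaries for other remote sites.
 area 1 stub no-summary
 area 2 stub no-summary
 ! Option B (instead of no-summary, if remotes must see explicit hub prefixes):
 ! filter the Type-3 summary LSAs the ABR originates INTO each area so only hub
 ! prefixes pass; the prefix-list's implicit deny drops every other site's routes.
 !  area 1 filter-list prefix HUB-ONLY in
 !  area 2 filter-list prefix HUB-ONLY in
!
ip prefix-list HUB-ONLY seq 5 permit 10.0.0.0/16 le 24

! ---- Remote site 1 (Cisco 7200): stub flag must match the ABR or no adjacency forms ----
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
!
router ospf 1
 network 172.16.1.0 0.0.0.3 area 1
 network 192.168.1.0 0.0.0.255 area 1
 area 1 stub
```

Either option hides other remote sites' prefixes from a given site's routing table, but with the default route of option A a packet addressed to another remote site still reaches the hub, so the hub's security policy has to drop spoke-to-spoke traffic explicitly.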

  • With OSPF you cannot filter LSAs. This will fundamentally break OSPF as every OSPF device in the area has to have the entire LSA database to properly calculate SPF and prevent loops.

    You can, however, use security policies to prevent traffic to and from different sites.