[SRX] Blocking interarea routes or Type 3 network summary LSAs in OSPF

Article ID: KB30352 KB Last Updated: 05 Jun 2015 Version: 1.0
Summary:

This article provides an example of blocking the Type 3 OSPF LSAs or interarea routes on the SRX series.

Symptoms:

There are situations where interarea routes must be blocked from being learned by other areas. For example, in the following setup three devices run OSPF, and a policy-options statement is applied to OSPF using the instance-level import/export. This does not work for interarea routes.

   SRX1(ge-0/0/0.0)---------------(ge-0/0/0.0)SRX2(ge-0/0/1.0)---------------(ge-0/0/1.0)SRX3
           area 0 (192.168.1.0/24)                         area 10(192.168.4.0/24)

Router-IDs:
SRX1 : 1.1.1.1
SRX2 : 2.2.2.2
SRX3 : 3.3.3.3

root@SRX1# show protocols
ospf {
    export pol1;
    area 0.0.0.0 {
        interface ge-0/0/0.0;
        interface lo0.1;       >>>> lo0.1 (11.11.11.11/32) interface route, which becomes a Type 3 LSA for other areas and will be blocked at SRX2
    }
}

root@SRX2# show protocols
ospf {
    area 0.0.0.0 {
        interface ge-0/0/0.0;
    }
    area 0.0.0.10 {
        interface ge-0/0/1.0;
    }
}

root@SRX3# show protocols
ospf {
    area 0.0.0.10 {
        interface ge-0/0/1.0;
    }
}

On SRX3, the network summary LSA is received and the prefix is learned as an OSPF route:

root@SRX3# run show ospf route 11.11.11.11 extensive
Topology default Route Table:

Prefix         Path  Route      NH   Metric NextHop    Nexthop
               Type  Type       Type        Interface  Address/LSP
11.11.11.11/32 Inter Network    IP   2      ge-0/0/1.0 192.168.4.2
  area 0.0.0.10, origin 2.2.2.2, priority medium

On SRX2, which is the ABR, the following policy-options statement was applied to reject the route from being exported to area 10:

root@SRX2# show policy-options
policy-statement pol1 {
    term 1 {
        from {
            protocol ospf;
            route-filter 11.11.11.11/32 exact;
        }
        then reject;
    }
    term 2 {
        then reject;
    }
}


root@SRX2# show protocols
ospf {
    export pol1;
    area 0.0.0.0 {
        interface ge-0/0/0.0;
    }
    area 0.0.0.10 {
        interface ge-0/0/1.0;
    }
}

However, the OSPF database for area 10 still shows the LSA being sent, so Type 3 LSAs are not blocked using policy-options.

root@SRX3# run show ospf database

OSPF database, Area 0.0.0.10
Type     ID         Adv Rtr     Seq    Age  Opt   Cksum Len
Router  2.2.2.2     2.2.2.2 0x80000010 113  0x22 0x81b0 36
Router *3.3.3.3     3.3.3.3 0x80000006 614  0x22 0x4ee7 36
Network 192.168.4.2 2.2.2.2 0x80000003 2045 0x22 0x4864 32
Summary 11.11.11.11 2.2.2.2 0x80000001 440  0x22 0x5bac 28  >>> LSA still being sent to SRX3
Summary 192.168.1.0 2.2.2.2 0x80000003 2473 0x22 0x9631 28
ASBRSum 1.1.1.1     2.2.2.2 0x80000003 1188 0x22 0x1716 28

Cause:

The policy-options statement, when used with instance import/export in the OSPF protocol configuration, is only meant to block the external routes. Type 3 LSAs, being interarea routes, cannot be blocked using the same method.

Solution:

To block interarea routes (Type 3, or network summary, LSAs) on the SRX, use the network-summary-export or network-summary-import option under the specific area. In the example above, the Type 3 LSA from area 0 should not be sent to area 10. On SRX1, lo0.1 is configured with 11.11.11.11/32 and participates in OSPF, so SRX2 (the ABR) advertises it to area 10 as a Type 3 LSA (interarea route).

To stop the advertisement of the Type 3 LSA or interarea route to area 10, block the network summary export to area 10 on the ABR.

On SRX2, which is the ABR, apply the following configuration:

root@SRX2# show policy-options
policy-statement pol1 {
    term 1 {
        from {
            protocol ospf;
            route-filter 11.11.11.11/32 exact;
        }
        then reject;
    }
    term 2 {
        then reject;
    }
}

root@SRX2# show protocols
ospf {
    export pol1;
    area 0.0.0.0 {
        interface ge-0/0/0.0;
    }
    area 0.0.0.10 {
        network-summary-export pol1;  >>> Used the same policy-options statement under area 10
        interface ge-0/0/1.0;
    }
}



On SRX3, the OSPF database no longer shows the summary LSA for 11.11.11.11:

root@SRX3# run show ospf database  >>No summary present for 11.11.11.11 on SRX3 database

OSPF database, Area 0.0.0.10
Type      ID        Adv Rtr    Seq     Age  Opt  Cksum Len
Router  2.2.2.2     2.2.2.2 0x80000013 24   0x22 0x7bb3 36
Router *3.3.3.3     3.3.3.3 0x80000006 1538 0x22 0x4ee7 36
Network 192.168.4.2 2.2.2.2 0x80000004 526  0x22 0x4665 32
ASBRSum 1.1.1.1     2.2.2.2 0x80000003 2112 0x22 0x1716 28



root@SRX3# run show ospf route    >>> No route present for 11.11.11.11/32
Topology default Route Table:

Prefix         Path  Route      NH  Metric NextHop    Nexthop
               Type  Type      Type        Interface  Address/LSP
1.1.1.1        Inter AS BR       IP  2     ge-0/0/1.0 192.168.4.2
2.2.2.2        Intra Area/AS BR  IP  1     ge-0/0/1.0 192.168.4.2
192.168.3.0/24 Ext2  Network     IP  0     ge-0/0/1.0 192.168.4.2
192.168.4.0/24 Intra Network     IP  1     ge-0/0/1.0
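
The before/after comparison above can be automated when verifying an area filter. The following Python script is an added example, not part of the original article or any Juniper tooling: it parses the two "show ospf database" listings from SRX3 shown in this article and sorts the withdrawn Summary LSAs by whether the filter was meant to remove them. The function names and the "intended" set are assumptions made for illustration.

```python
import re

# Listings copied from this article (area 0.0.0.10 on SRX3, before/after the fix).
BEFORE = """\
OSPF database, Area 0.0.0.10
Type     ID         Adv Rtr     Seq    Age  Opt   Cksum Len
Router  2.2.2.2     2.2.2.2 0x80000010 113  0x22 0x81b0 36
Router *3.3.3.3     3.3.3.3 0x80000006 614  0x22 0x4ee7 36
Network 192.168.4.2 2.2.2.2 0x80000003 2045 0x22 0x4864 32
Summary 11.11.11.11 2.2.2.2 0x80000001 440  0x22 0x5bac 28
Summary 192.168.1.0 2.2.2.2 0x80000003 2473 0x22 0x9631 28
ASBRSum 1.1.1.1     2.2.2.2 0x80000003 1188 0x22 0x1716 28
"""
AFTER = """\
OSPF database, Area 0.0.0.10
Type      ID        Adv Rtr    Seq     Age  Opt  Cksum Len
Router  2.2.2.2     2.2.2.2 0x80000013 24   0x22 0x7bb3 36
Router *3.3.3.3     3.3.3.3 0x80000006 1538 0x22 0x4ee7 36
Network 192.168.4.2 2.2.2.2 0x80000004 526  0x22 0x4665 32
ASBRSum 1.1.1.1     2.2.2.2 0x80000003 2112 0x22 0x1716 28
"""

AREA_HDR = re.compile(r"OSPF database, Area (\S+)")
LSA_ROW = re.compile(
    r"^(\w+)\s+\*?(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+0x[0-9a-fA-F]+\s")

def summary_lsas(cli_output):
    """Return {(area, lsa_id, adv_rtr)} for every Type 3 (Summary) LSA."""
    area, found = None, set()
    for line in cli_output.splitlines():
        hdr = AREA_HDR.search(line)
        if hdr:
            area = hdr.group(1)
        row = LSA_ROW.match(line.strip())
        if row and row.group(1) == "Summary":
            found.add((area, row.group(2), row.group(3)))
    return found

def audit_filter(before, after, intended):
    """Sort Summary LSA IDs by whether the filter was meant to block them."""
    old, new = summary_lsas(before), summary_lsas(after)
    withdrawn = {lsa_id for _, lsa_id, _ in old - new}
    present = {lsa_id for _, lsa_id, _ in new}
    return {
        "blocked": sorted(withdrawn & intended),      # removed as intended
        "collateral": sorted(withdrawn - intended),   # removed, not intended
        "leaking": sorted(present & intended),        # intended, still seen
    }

print(audit_filter(BEFORE, AFTER, {"11.11.11.11"}))
```

With this article's output the audit lists 192.168.1.0 as collateral: term 2 of pol1 rejects every prefix that term 1 does not match, so that summary is withheld from area 10 as well.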
