How to filter incoming OSPF routes

Description

This document explains how to filter incoming OSPF routes so that they do not appear in the routing table of a Dell SonicWall Security Appliance.

Scenario:

Two Dell SonicWall Security Appliances TZ 210 (5.9.1.5) and TZ215 (5.9.1.1) are being used to demonstrate OSPF route filtering.

Resolution

In this example, the 10.10.11.0/24 and 10.10.21.0/24 networks are filtered from the routing table on the TZ 210 using the access-list and distribute-list OSPF CLI commands:

Log in to the CLI via SSH or Console and enter the admin username and password.

admin@TZ210@5-9-1-5> configure terminal
config(TZ210@5-9-1-5)# routing
(config-routing)# nsm
ZebOS version 7.7.0 IPIRouter 7/2009
ARS NSM>show ip route
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
O E2    10.10.11.0/24 [110/20] via 10.71.252.14, X1, 00:02:03
O E2    10.10.21.0/24 [110/20] via 10.71.252.14, X1, 00:02:03
C       10.71.252.0/24 is directly connected, X1
O E2    10.200.200.0/24 [110/20] via 10.71.252.14, X1, 00:02:03
C       127.0.0.0/8 is directly connected, lo0
C       172.19.125.0/24 is directly connected, X0
ARS NSM>exit
(config-routing)#
Enter the OSPF CLI configuration:

(config-routing)# ospf

ZebOS version 7.7.0 IPIRouter 7/2009

Create a named access list called Filter-Routes-In and add the following statements:

ARS OSPF>configure terminal

ARS OSPF(config)>access-list Filter-Routes-In deny 10.10.11.0/24

ARS OSPF(config)>access-list Filter-Routes-In deny 10.10.21.0/24

ARS OSPF(config)>access-list Filter-Routes-In permit any 

ARS OSPF(config)>exit

To view the access list created above:

ARS OSPF>show access-list

ZebOS IP access list Filter-Routes-In

    deny   10.10.11.0/24

    deny   10.10.21.0/24

Apply the access list to the OSPF process with the distribute-list command:

ARS OSPF>configure terminal

ARS OSPF(config)>router ospf

ARS OSPF(config-router)>distribute-list Filter-Routes-In in

Verify the configuration with the show ip ospf route command on the TZ210:

ARS OSPF(config-router)>exit

ARS OSPF(config)>exit

ARS OSPF>show ip ospf route

C  10.71.252.0/24 [1] is directly connected, X1, Area 0.0.0.0

C  172.19.125.0/24 [1] is directly connected, X0, Area 0.0.0.10

To save the above configuration:

ARS OSPF>write

Configuration saved to OSPF
ARS OSPF>

To restore the routes to the routing table, remove the distribute-list:

ARS OSPF(config)>router ospf

ARS OSPF(config-router)>no distribute-list Filter-Routes-In in

ARS OSPF(config-router)>exit

ARS OSPF(config)>exit

ARS OSPF>show ip ospf route

E2 10.10.11.0/24 [1/20] via 10.71.252.14, X1

E2 10.10.21.0/24 [1/20] via 10.71.252.14, X1

C  10.71.252.0/24 [1] is directly connected, X1, Area 0.0.0.0

E2 10.200.200.0/24 [1/20] via 10.71.252.14, X1

C  172.19.125.0/24 [1] is directly connected, X0, Area 0.0.0.10

ARS OSPF>
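
A pre-change check for the procedure above, as an added example that is not part of the original article or of SonicWall's tooling: it parses the OSPF entries from `show ip route` and reports what the access list would do to each one. It assumes Zebra-style semantics (first match wins, a prefix entry matches routes inside it, unmatched routes hit an implicit deny); the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: route lines copied from the `show ip route` output above.
SHOW_IP_ROUTE = """\
O E2    10.10.11.0/24 [110/20] via 10.71.252.14, X1, 00:02:03
O E2    10.10.21.0/24 [110/20] via 10.71.252.14, X1, 00:02:03
C       10.71.252.0/24 is directly connected, X1
O E2    10.200.200.0/24 [110/20] via 10.71.252.14, X1, 00:02:03
"""

# The access list as entered in the article.
ACL = """\
access-list Filter-Routes-In deny 10.10.11.0/24
access-list Filter-Routes-In deny 10.10.21.0/24
access-list Filter-Routes-In permit any
"""

def parse_acl(text, name):
    """Return ordered (action, network) entries for the named access list."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*access-list\s+(\S+)\s+(permit|deny)\s+(\S+)", line)
        if m and m.group(1) == name:
            target = "0.0.0.0/0" if m.group(3) == "any" else m.group(3)
            entries.append((m.group(2), ipaddress.ip_network(target)))
    return entries

def ospf_routes(text):
    """Extract OSPF-learned prefixes (code 'O') from `show ip route` output."""
    pat = re.compile(r"^O\s+(?:IA|N1|N2|E1|E2)?\s*(\d+\.\d+\.\d+\.\d+/\d+)", re.M)
    return [ipaddress.ip_network(p) for p in pat.findall(text)]

def evaluate(acl, route):
    """First matching entry wins; no match is an implicit deny (assumption)."""
    for action, net in acl:
        if route.subnet_of(net):
            return action
    return "deny"

def preview(acl_text, name, route_text):
    """Map each OSPF prefix to the action the distribute-list would take."""
    acl = parse_acl(acl_text, name)
    return {str(r): evaluate(acl, r) for r in ospf_routes(route_text)}

if __name__ == "__main__":
    for prefix, action in preview(ACL, "Filter-Routes-In", SHOW_IP_ROUTE).items():
        print(f"{action:6} {prefix}")
```

Removing the `permit any` line from `ACL` makes 10.200.200.0/24 evaluate to deny as well under the assumed implicit deny, so run the preview against the exact list you intend to apply.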
