[c-nsp] Is there any way to prevent transit traffic through OSPF ABR/ASBR?

Peter Olsson pol at leissner.se
Wed Oct 11 04:22:39 EDT 2006


We manage a network consisting of 8 central nodes and about 30 remote
sites. The remote sites are each connected to two different central
nodes for redundancy. Some of the remote sites do this with dual
external lines in the same border router, but most of them have two
border routers, with one external line each, for hardware redundancy.
Most of the sites with dual border routers run HSRP on the LAN side.

The lines between nodes are OSPF area 0, and the lines from node to
remote site are OSPF area X, with a different X for each site. Some
of the remote sites still use an old area design, where they had area 0
stretching out to the border router.

Node-to-node lines are 4-8 Mbps. Node-to-remote-site lines are 2 Mbps,
with upgrades to 4 Mbps scheduled for some sites.

Remote sites that have two border routers run OSPF on the inside LAN,
with the same area X that is used on the WAN lines to the site.

Most of the remote sites have smaller remote sites of their own, and
some of that WAN equipment isn't OSPF capable. This means that some of
the border routers redistribute static routes into OSPF.

Our problem is that we cannot allow transit traffic of any kind to
pass the WAN lines to remote sites. Only traffic to/from the site
can be allowed to pass the WAN lines. In the normal case this works
fine, but we have sometimes experienced site transit traffic being
caused by certain node-to-node lines going down. Besides that, now
when some sites upgrade to 4 Mbps they will have the same bandwidth
as most of the node-to-node lines, which could cause OSPF to choose
those site lines instead of the node-to-node lines.

Is there a way to make sure that the WAN lines to remote sites are
never used for transit traffic?

Could NSSA be used as a solution to this problem in our scenario?

And a perhaps too general/philosophical question: How do you make
OSPF do exactly what you want in a changing/asymmetric environment? :)

Thanks!

-- 
Peter Olsson                    pol at leissner.se

