[c-nsp] Is there any way to prevent transit traffic through OSPF ABR/ASBR?
Phil Mayers
p.mayers at imperial.ac.uk
Wed Oct 11 04:54:23 EDT 2006
Peter Olsson wrote:
>
> Is there a way to make sure that the WAN lines to remote sites are
> never used for transit traffic?
Use BGP with appropriate filtering so that the site routers NEVER
re-advertise core routes. It sounds like a confederation may suit your
purposes (which is uncommon) as it's somewhat safer and easier to filter
routes on the eiBGP links between sub-ASes than it is to filter iBGP
routes between a route-reflector and rr client, *and* it avoids the need
to extend the OSPF into the remote sites at all (they can run their own
local OSPF)
Having said that, this is not a configuration I've tried.
>
> Could nssa be used as a solution to this problem in our scenario?
To be honest, I'm a bit puzzled - given the area structure you've
detailed I would not expect transit via sites to ever occur (except in
those cases where the core->site links are in area 0, which you should
remove for this exact reason).
I don't think NSSA is relevant here - NSSA allows you to reduce the size
of the area routing table but still advertise externals (e.g. your
statics) which is a worth goal in some peoples opinions, but not others.
The trivial way to do this is to set the ospf cost on *both* core->site
routes to be a very large number indeed, larger than any conceivable
intra-core path. Of course if your core becomes partitioned then traffic
*will* transit that pair of links, but a) so what, at least your network
isn't down and b) you are in a disaster scenario anyway so a sluggish
remote site is surely not an issue?
>
> And a perhaps too general/philosophical question: How do you make
> OSPF do exactly what you want in a changing/assymetric environment? :)
You can't always force it to do certain things. The fact the link state
database must be uniform forces certain types of behaviour. The two
solutions you may see are distribute lists and area filter lists, but
both are EXTREMELY DANGEROUS and SHOULD NOT BE USED.
>
> Thanks!
>
More information about the cisco-nsp
mailing list