Problem and solution when an OSPF route filtering policy does not take effect

The reason that an OSPF route filtering policy does not take effect is illustrated by the following case:
User ---------- MA5200F ---------- Firewall ---------- NE80 ---------- Internet
Open Shortest Path First (OSPF) runs on the three devices, and the firewall acts as the NAT device. The requirement is that the NE80 must not learn routes to the private network segments. The firewall is configured as follows:
acl number 2999
 rule 5 deny source 10.0.0.0 0.255.255.255      /* Filter private network segments */
 rule 10 deny source 192.168.0.0 0.0.255.255    /* Filter private network segments */
 rule 15 permit
ospf 1
 filter-policy 2999 export                      /* VRP syntax: the ACL number precedes the export keyword */
 area 0.0.0.0
  network 218.206.107.220 0.0.0.3
Yet the routing table of the NE80 still contains routes to the private network segments:
[JSNJ-MB-CMNET-RT01-HJL_NE80]display ip routing-table 10.33.16.192
Destination/Mask    Protocol  Pre  Cost  Nexthop          Interface
10.33.16.192/26     O_ASE     50   1     218.206.97.234   Ethernet5/0/13
0.0.0.0/0           STATIC    40   0     218.206.97.109   GigabitEthernet1/0/
On the firewall, which runs the VRP3.30 platform, the filter-policy export command in the OSPF view takes effect only for the routes that the firewall itself advertises into OSPF (its local routes). It does not touch the LSAs that the firewall receives from the MA5200F and floods on to the NE80, so the private routes reach the NE80 unchanged.
In conclusion, OSPF is a link-state routing protocol: routing information is carried in LSAs, and every router in an area must hold the same link-state database, so OSPF cannot filter the LSAs it advertises or receives. The filter-policy import command filters the routes that OSPF has calculated from the LSDB; only routes that match the filtering conditions are added to the routing table, while the LSAs themselves remain in the LSDB. The filter-policy export command filters the routes that the local device advertises into OSPF; only routes that match the filtering conditions are advertised, and it has no effect on LSAs that merely transit the device. To keep the private segments out of the NE80 routing table, the filter must therefore be applied where it can take effect: with filter-policy import on the NE80, or with filter-policy export on the device that originally advertises the private segments into OSPF, not on the firewall in between.
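The two placements that do take effect, written in the same VRP configuration style as the case above. This is an added example and not configuration from the original case: the ACL number 2999 is reused from the case; the MA5200F part assumes, as the O_ASE protocol field in the NE80 routing table suggests, that the MA5200F is the device redistributing the private segments into OSPF with import-route; and the network addresses marked as placeholders are assumptions, not values from the case.

```text
/* Option 1: on the NE80. The private LSAs still arrive and stay in the LSDB,  */
/* but filter-policy import stops the calculated routes from being installed.  */
acl number 2999
 rule 5 deny source 10.0.0.0 0.255.255.255
 rule 10 deny source 192.168.0.0 0.0.255.255
 rule 15 permit
ospf 1
 filter-policy 2999 import
 area 0.0.0.0
  network 218.206.97.232 0.0.0.3       /* placeholder: link to the firewall, assumed */

/* Option 2: on the MA5200F, the device that imports the private segments.     */
/* filter-policy export applies to routes the local device advertises into     */
/* OSPF, so here it suppresses the private ASE routes at their origin.         */
acl number 2999
 rule 5 deny source 10.0.0.0 0.255.255.255
 rule 10 deny source 192.168.0.0 0.0.255.255
 rule 15 permit
ospf 1
 import-route direct                   /* assumed source of the private segments */
 filter-policy 2999 export
 area 0.0.0.0
  network 192.0.2.0 0.0.0.3            /* placeholder: link to the firewall, assumed */

/* Checks on the NE80 after either change.                                     */
/* With option 1 the ASE LSA is still listed in the LSDB but the route is not  */
/* installed; with option 2 the LSA disappears from the LSDB as well.          */
display ospf lsdb ase
display ip routing-table protocol ospf
display ip routing-table 10.33.16.192
```

Option 1 is the quickest fix because it needs no change on the access side, but it only hides the routes on the NE80; the private prefixes are still flooded through the area and will be installed by any other router without the same import filter. Option 2 removes them from the link-state database everywhere and is the cleaner choice when the MA5200F is under the same administration.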
