FTD - OSPF Route Filtering, Summarization, & Redistribution

In this post I am going to walk through configuring redistribution between OSPF & RIP. I will also cover the route filtering configuration options between the two OSPF areas. At this point all routed connections between the routed FTD instance & the 4 CSRs are configured and working as expected.


Again, sharing the topology:


First I want to cover the OSPF route filtering options before diving into examples of how to configure them on FTD. At a basic level, there are 3 ways to filter routes with OSPF:

  1. Filter routes between different areas via a filter list with an ACL

  2. Filter routes from getting installed in the route table via a distribute list

  3. Filter routes from another protocol via redistribution configuration

It is important to know that a distribute list is not an actual list. It is the command used to enable route filtering; the filtering itself is performed by a prefix-list or ACL that the distribute list references. Prefix-lists allow you to filter networks based on both the network address and the subnet mask (prefix length), whereas an ACL in a route filtering role matches only on network addresses, not on subnet masks.


So before diving into the FTD configuration with FMC I want to share a few things relating to route filtering. With no filtering in place on FTD, OSPF area 1 (connected on the outside interface of FTD) can see the OSPF area 0 routes that FTD learns through its dmz_1 interface OSPF adjacency (10.10.10.0/24). Here are snippets from the CSR connected to the FTD outside interface:

We can see the 1.1.1.1 loopback, which emulates a LAN, appear in the route table. We see the same thing from the other direction: both the area 1 network and the loopback appear in the other OSPF-enabled area, on the CSR connected to area 0 via the dmz_1 interface of FTD:

Since FTD is connected to both CSRs in different areas, it acts as an area border router and OSPF creates type 3 summary LSAs which get flooded into each respective area. These type 3 LSAs let the CSRs know about prefixes from the other area(s). Lastly, the OSPF routes appearing in the route table as O IA are inter-area prefixes learned from those type 3 summary LSAs.


Ok so now that we have some background I want to focus on route filtering, so that FTD filters the dmz_1 CSR loopback 1.1.1.1 out of the type 3 LSAs sent to the CSR connected to the FTD outside interface. To do this I used the following FMC option for FTD route filtering:

  1. OSPF Inter-Area (IA) Filtering = uses prefix-lists; only the prefixes the prefix-list permits are sent from one area to another, and all other prefixes are restricted. It can be applied outbound from or inbound to an area.

I will now show how to configure and verify Inter-Area filtering via a prefix-list on FTD & then share the updated route table from the respective CSR.


Step 1 is to create the prefix-list object (Objects->Object Management->Prefix-List->IPv4 Prefix-Lists):

So here I am restricting the dmz_1 CSR local loopback from being advertised & allowing all other prefixes.
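To make the prefix-list behaviour concrete (and to show why the earlier section says a prefix-list filters on the mask while an ACL does not), here is an added Python model of the inter-area filter. It is not FTD or FMC code; it assumes the loopback is advertised as a 1.1.1.1/32 host route and that the filter is "deny 1.1.1.1/32, permit 0.0.0.0/0 le 32", and it constructs a hypothetical 1.1.1.0/24 route to show the difference from a standard ACL matching the same address bits:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    """One line of an IPv4 prefix-list with Cisco-style ge/le semantics."""
    action: str               # "permit" or "deny"
    prefix: str               # e.g. "1.1.1.1/32" or "0.0.0.0/0"
    ge: Optional[int] = None  # minimum prefix length allowed (inclusive)
    le: Optional[int] = None  # maximum prefix length allowed (inclusive)
    hits: int = 0             # like the hit counts shown in the FTD CLI

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        base = ipaddress.ip_network(self.prefix, strict=False)
        if not route.subnet_of(base):
            return False
        # No ge/le: only the exact length matches. ge alone implies le 32;
        # le alone implies ge equal to the entry's own length.
        lo = self.ge if self.ge is not None else base.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else base.prefixlen
        return lo <= route.prefixlen <= hi


def evaluate_prefix_list(entries: List[PrefixEntry], route_str: str) -> str:
    """First matching entry wins; an unmatched route hits the implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in entries:
        if entry.matches(route):
            entry.hits += 1
            return entry.action
    return "deny"


def acl_matches(acl_addr: str, wildcard: str, route_str: str) -> bool:
    """Standard ACL test: compare the network address under a wildcard mask,
    ignoring the route's own prefix length entirely."""
    route = ipaddress.ip_network(route_str, strict=False)
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits the ACL compares
    return (int(route.network_address) & care) == (int(ipaddress.IPv4Address(acl_addr)) & care)


def build_ia_filter() -> List[PrefixEntry]:
    """Inter-area filter modelled on the post: deny the dmz_1 loopback host route,
    permit every other prefix of any length (0.0.0.0/0 le 32)."""
    return [
        PrefixEntry("deny", "1.1.1.1/32"),
        PrefixEntry("permit", "0.0.0.0/0", le=32),
    ]


def compare_filters(routes: List[str]) -> Tuple[dict, List[int]]:
    """Return {route: (prefix-list verdict, verdict of ACL 'deny 1.1.1.0 0.0.0.255')}
    plus the prefix-list hit counts after evaluation."""
    ia_filter = build_ia_filter()
    verdicts = {}
    for r in routes:
        pl = evaluate_prefix_list(ia_filter, r)
        acl = "deny" if acl_matches("1.1.1.0", "0.0.0.255", r) else "permit"
        verdicts[r] = (pl, acl)
    return verdicts, [e.hits for e in ia_filter]


# Constructed candidate type 3 prefixes: the two from the post plus a hypothetical
# 1.1.1.0/24 that shares the loopback's address bits but not its mask.
CANDIDATE_ROUTES = ["1.1.1.1/32", "10.10.10.0/24", "1.1.1.0/24"]

if __name__ == "__main__":
    verdicts, hits = compare_filters(CANDIDATE_ROUTES)
    for route, (pl, acl) in verdicts.items():
        print(f"{route:16} prefix-list={pl:6} acl={acl}")
    print("prefix-list hit counts:", hits)
```

The prefix-list denies only the /32 and permits the hypothetical /24, while the address-only ACL denies both, which is the practical reason to reach for a prefix-list when you want to suppress a specific host route without touching the surrounding network. The hit counts returned by `compare_filters` correspond to what the FTD CLI shows per entry.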


Step 2 is to assign the prefix-list to the OSPF configuration (Devices->Device Management->Routing->OSPF->InterArea):

Under the OSPF routing configuration within FMC you assign the prefix-list object under the InterArea tab. Here it is enabled on process 1 & applied inbound to area 1.

Final step is to deploy the configuration changes & verify.


FTD CLI verification:


Above we can see the FTD hit counts on the prefix-list.


Outside CSR verification:

We no longer see the dmz_1 loopback in the OSPF database or route table, as expected :)


Ok so now I want to cover FTD route summarization. Route summarization lets you decrease the size of the OSPF LSA database: instead of advertising multiple type 3 or type 5 LSAs, we can advertise a single summary route that covers multiple routes.


To provide this example I created several additional loopbacks on the CSR connected to the dmz_1 interface (note I did remove the OSPF Inter-Area filter from the previous example). The CSR connected to the FTD outside interface has several type 3 LSAs in its database due to the creation/advertisement of the loopbacks, with no summarization involved yet:

To configure route summarization on an OSPF area within FMC for FTD (Devices->Device Management->Routing->OSPF->Area->Range):

The dmz1_loop_summary object I created is a summary range of 1.1.0.0/22. Once created, it is applied to the area the routes belong to, in this case area 0 on the dmz_1 side.


FTD route summarization verification:

We can see that the outside CSR LSA database is smaller than before:

The route table also depicts the summarized route for all loopbacks:
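As an added example (not FTD/FMC code, and not from the original post), the following Python models what the area range does on the ABR: it derives the smallest summary that covers a set of loopbacks, replaces the component routes with one summary LSA, and counts how much address space the summary claims beyond the real routes. The additional loopbacks (1.1.0.1, 1.1.2.1, 1.1.3.1) are constructed for the example; the post only names 1.1.1.1. The `advertise=False` path models the not-advertise form of an area range as found on IOS/ASA, which is an assumption about the FTD option set:

```python
import ipaddress
from typing import List, Tuple


def smallest_covering_summary(prefixes: List[str]) -> ipaddress.IPv4Network:
    """Widen the first prefix one bit at a time until it contains every prefix."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def apply_area_range(routes: List[str], summary_range: str,
                     advertise: bool = True) -> Tuple[List[str], List[str]]:
    """Model an OSPF area range on the ABR: component routes inside the range are
    suppressed and (if advertise) replaced by one type 3 LSA for the range.
    Routes outside the range are flooded unchanged."""
    rng = ipaddress.ip_network(summary_range, strict=False)
    advertised, suppressed = [], []
    for r in (ipaddress.ip_network(x, strict=False) for x in routes):
        (suppressed if r.subnet_of(rng) else advertised).append(r)
    if suppressed and advertise:
        advertised.append(rng)
    return sorted(str(n) for n in advertised), sorted(str(n) for n in suppressed)


def unclaimed_addresses(routes: List[str], summary_range: str) -> int:
    """How many addresses the summary advertises that no component route covers.
    A large number means the range is wider than the address space actually in use,
    so the other area will route traffic for those addresses toward the ABR."""
    rng = ipaddress.ip_network(summary_range, strict=False)
    nets = (ipaddress.ip_network(x, strict=False) for x in routes)
    covered = sum(n.num_addresses for n in nets if n.subnet_of(rng))
    return rng.num_addresses - covered


# Constructed area 0 routes: the 1.1.1.1 loopback from the post, three more
# loopbacks assumed to sit inside 1.1.0.0/22, and the transit network.
AREA0_ROUTES = ["1.1.1.1/32", "1.1.0.1/32", "1.1.2.1/32", "1.1.3.1/32", "10.10.10.0/24"]
LOOPBACKS = AREA0_ROUTES[:4]

if __name__ == "__main__":
    summary = smallest_covering_summary(LOOPBACKS)
    print("smallest summary covering the loopbacks:", summary)
    adv, sup = apply_area_range(AREA0_ROUTES, str(summary))
    print("type 3 LSAs sent to area 1:", adv)
    print("component routes suppressed:", sup)
    print("addresses in the summary with no real route:",
          unclaimed_addresses(AREA0_ROUTES, str(summary)))
```

With these inputs the four loopback LSAs collapse into the single 1.1.0.0/22 range from the post while 10.10.10.0/24 is still flooded on its own. The `unclaimed_addresses` figure is the caveat worth checking before deploying a range: everything in the summary that has no component route is pulled toward the ABR, so keep the range as tight as the real address plan allows.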


Ok, now for the last section of this blog, I will cover OSPF redistribution. A few things to understand first:

Prefixes redistributed into OSPF from another protocol create type 5 (external) LSAs. These advertisements appear in the route table as O E1 or O E2.


My goal here is to advertise the loopback address on the CSR connected to the dmz_2 FTD interface (4.4.4.4) into OSPF. There are a few configuration steps required to make this happen.

Step 1: Configure standard access-list (Objects->Object Management->Access-list->Standard)

The overview of the configuration:

Step 2: Configure route-map

You now need to configure a route-map & assign the ACL and any additional parameters. Note that this route-map will be referenced in the OSPF routing configuration.

Route map overview:

We assign the ACL as our match clause:

Step 3: Tying it all together and deploying with OSPF config:

Devices->Device Management->Routing->OSPF->Redistribution

Configure redistribution on OSPF process 1. Since the route is learned via RIP, the source protocol type needs to be set to RIP. Then enable use subnets, set the metric type, & tie in the route-map so that only the loopback (4.4.4.4) is redistributed.


FTD OSPF redistribution verification on OSPF CSR:

Above we can see the dmz_2 CSR loopback 4.4.4.4 being advertised into OSPF due to the FTD configuration.


FTD verification:

Additional RIP routes are hitting the deny entry (6 hits) & we can see the hit count for the dmz_2 loopback (4.4.4.4) has incremented.
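The redistribution steps above and the hit counts in this verification can be modelled in a few lines. The Python below is an added example, not FTD/FMC code: it builds the standard ACL (permit host 4.4.4.4, then an explicit deny any, which is assumed from the deny hit counter the post shows), evaluates each RIP route through the route-map match, and emits the resulting type 5 entries with the chosen metric type. The six non-loopback RIP routes are constructed so the deny counter lands on 6 like the post; the classful check for the subnets option follows IOS/ASA redistribution semantics and is an assumption about FTD:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class AclEntry:
    """One line of a standard ACL used as the route-map match clause."""
    action: str                 # "permit" or "deny"
    address: str                # network address to compare
    wildcard: str = "0.0.0.0"   # 0.0.0.0 = host entry, 255.255.255.255 = any
    hits: int = 0               # mirrors the per-entry hit counts on FTD

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(self.wildcard))
        return (int(net.network_address) & care) == (int(ipaddress.IPv4Address(self.address)) & care)


def evaluate_acl(acl: List[AclEntry], net: ipaddress.IPv4Network) -> str:
    """First match wins; anything unmatched falls to the implicit deny."""
    for entry in acl:
        if entry.matches(net):
            entry.hits += 1
            return entry.action
    return "deny"


def classful_prefixlen(net: ipaddress.IPv4Network) -> int:
    """Classful mask length for the network's first octet (A=/8, B=/16, C=/24)."""
    first_octet = int(net.network_address) >> 24
    return 8 if first_octet < 128 else 16 if first_octet < 192 else 24


def build_redist_acl() -> List[AclEntry]:
    """Modelled on the post: permit only the dmz_2 loopback, deny everything else."""
    return [AclEntry("permit", "4.4.4.4"), AclEntry("deny", "0.0.0.0", "255.255.255.255")]


def redistribute_rip_into_ospf(rip_routes: List[str], acl: List[AclEntry],
                               metric_type: str = "E2", subnets: bool = True) -> List[Tuple[str, str]]:
    """Return (prefix, route-table code) for each RIP route the route-map permits.
    Without the subnets option only classful networks are candidates (IOS/ASA semantics, assumed)."""
    lsas = []
    for r in rip_routes:
        net = ipaddress.ip_network(r, strict=False)
        if not subnets and net.prefixlen != classful_prefixlen(net):
            continue
        if evaluate_acl(acl, net) == "permit":
            lsas.append((str(net), f"O {metric_type}"))
    return lsas


# Constructed RIP table: the dmz_2 loopback from the post plus six other prefixes.
RIP_ROUTES = ["4.4.4.4/32", "192.168.1.0/24", "192.168.2.0/24", "172.16.0.0/16",
              "172.16.5.0/24", "10.20.0.0/16", "10.30.30.0/24"]


def run(subnets: bool = True, metric_type: str = "E2") -> Tuple[List[Tuple[str, str]], List[int]]:
    """Run the redistribution once and return (type 5 entries, ACL hit counts)."""
    acl = build_redist_acl()
    lsas = redistribute_rip_into_ospf(RIP_ROUTES, acl, metric_type, subnets)
    return lsas, [e.hits for e in acl]


if __name__ == "__main__":
    lsas, hits = run()
    print("redistributed into OSPF:", lsas)
    print("ACL hits [permit, deny]:", hits)
    print("with subnets disabled:", run(subnets=False))
```

With subnets enabled only 4.4.4.4/32 is redistributed and the counters read 1 permit / 6 deny, matching the verification above. With subnets disabled the /32 loopback never reaches the route-map at all, which is the usual reason a redistributed host route silently fails to appear as an O E2 entry.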


Alright, so that wraps up this post covering OSPF route filtering, summarization, & redistribution on FTD. See more via the FTD tag. Cheers!

