Can Next-Generation Firewall virtual routers be configured with OSPF AS-External LSA (Type-5) summarization?

Question

ASBRs can redistribute their own external routes to the OSPF area as a summarized external route.

Without this summarization, all external routes are redistributed to the OSPF area as individual AS-External LSAs (Type-5).

Can Next-Generation Firewall virtual routers be configured with OSPF AS-External LSA (Type-5) summarization?

Present Condition

OSPF ASBR redistributes external routes.

Request

Need to redistribute summarized route of the external routes.

Test Environment

OSPF AS-External LSA(Type-5) is configured as follows.

1. Connected Interfaces configuration

2. Virtual routers configuration

3. OSPF-Router2(VR id 2) OSPF area configuration

4. Redistribution profile of OSPF-Router2(VR id 2) configuration

5. Export rule of OSPF-Router2(VR id 2) configuration

6. Advertised type-5 LSAs in "show routing protocol ospf lsdb" CLI command

<OSPF LSDB>
admin@Lab98-13-PA-820> show routing protocol ospf lsdb

VIRTUAL ROUTER: OSPF-Router1 (id 1)
==========
VR  Area ID  Orig RTR ID  LS ID           LSA Type           Seq Number  CheckSum    Age   Size
1   0.0.0.0  100.0.0.1    100.0.0.1       type-1 (Router)    0x80000035  0x00008EEE  1671  36
1   0.0.0.0  100.0.0.2    100.0.0.2       type-1 (Router)    0x80000035  0x00008CED  1672  36
1   0.0.0.0  100.0.0.2    100.0.0.2/24    type-2 (Network)   0x80000034  0x00008FFE  1677  32
1            100.0.0.2    192.168.0.0/24  type-5 (External)  0x80000001  0x0000245E  60
1            100.0.0.2    192.168.1.0/24  type-5 (External)  0x80000001  0x00001968  60
1            100.0.0.2    192.168.2.0/24  type-5 (External)  0x80000001  0x00000E72  60
1            100.0.0.2    192.168.3.0/24  type-5 (External)  0x80000001  0x0000037C  60

VIRTUAL ROUTER: OSPF-Router2 (id 2)
==========
VR  Area ID  Orig RTR ID  LS ID           LSA Type           Seq Number  CheckSum    Age   Size
2   0.0.0.0  100.0.0.1    100.0.0.1       type-1 (Router)    0x80000035  0x00008EEE  1672  36
2   0.0.0.0  100.0.0.2    100.0.0.2       type-1 (Router)    0x80000035  0x00008CED  1671  36
2   0.0.0.0  100.0.0.2    100.0.0.2/24    type-2 (Network)   0x80000034  0x00008FFE  1676  32
2            100.0.0.2    192.168.0.0/24  type-5 (External)  0x80000001  0x0000245E  59
2            100.0.0.2    192.168.1.0/24  type-5 (External)  0x80000001  0x00001968  59
2            100.0.0.2    192.168.2.0/24  type-5 (External)  0x80000001  0x00000E72  59
2            100.0.0.2    192.168.3.0/24  type-5 (External)  0x80000001  0x0000037C  59

7. Routing table in "show routing route" CLI command

<Routing table>
admin@Lab98-13-PA-820> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: OSPF-Router1 (id 1)
==========
destination       nexthop        metric  flags  age    interface      next-AS
100.0.0.0/24      0.0.0.0        10        Oi   93545  ethernet1/5
100.0.0.0/24      100.0.0.1      0       A C           ethernet1/5
100.0.0.1/32      0.0.0.0        0       A H
192.168.0.0/24    100.0.0.2      11      A O1   107    ethernet1/5
192.168.1.0/24    100.0.0.2      11      A O1   107    ethernet1/5
192.168.2.0/24    100.0.0.2      11      A O1   107    ethernet1/5
192.168.3.0/24    100.0.0.2      11      A O1   107    ethernet1/5
total routes shown: 7

VIRTUAL ROUTER: OSPF-Router2 (id 2)
==========
destination       nexthop        metric  flags  age    interface      next-AS
100.0.0.0/24      0.0.0.0        10        Oi   93545  ethernet1/6
100.0.0.0/24      100.0.0.2      0       A C           ethernet1/6
100.0.0.2/32      0.0.0.0        0       A H
192.168.0.0/24    192.168.0.100  0       A C           ethernet1/1.1
192.168.0.100/32  0.0.0.0        0       A H
192.168.1.0/24    192.168.1.100  0       A C           ethernet1/1.2
192.168.1.100/32  0.0.0.0        0       A H
192.168.2.0/24    192.168.2.100  0       A C           ethernet1/1.3
192.168.2.100/32  0.0.0.0        0       A H
192.168.3.0/24    192.168.3.100  0       A C           ethernet1/1.4
192.168.3.100/32  0.0.0.0        0       A H
total routes shown:

The summarized route 192.168.0.0/22 needs to be redistributed from OSPF-Router2 (id 2).

Answer

Next-Generation Firewall virtual routers do not have an OSPF AS-External LSA (Type-5) summarization feature.

The following is a workaround for the configuration of the summarized AS-External LSA(Type5) for the test environment.

Step 1. Create a loopback port as a dummy.

Step 2. Add the loopback.1 to the OSPF-Router2 interface.

Step 3. Create a summarized static route of 192.168.0.0/22 with a high metric value (Metric=100).

Step 4. Remove the connected interfaces, then add the created static route without a next hop in the Redistribution Profile.

Step 5. Remove the connected interfaces and add the created static route in the OSPF Export Rules.

Step 6. Run commit. Then only the static route is advertised. Check the OSPF LSDB and the routing table.

<OSPF LSDB>
admin@Lab98-13-PA-820> show routing protocol ospf lsdb

VIRTUAL ROUTER: OSPF-Router1 (id 1)
==========
VR  Area ID  Orig RTR ID  LS ID           LSA Type           Seq Number  CheckSum    Age   Size
1   0.0.0.0  100.0.0.1    100.0.0.1       type-1 (Router)    0x80000036  0x00008CEF  1218  36
1   0.0.0.0  100.0.0.2    100.0.0.2       type-1 (Router)    0x80000036  0x00008AEE  1219  36
1   0.0.0.0  100.0.0.2    100.0.0.2/24    type-2 (Network)   0x80000035  0x00008DFF  1224  32
1            100.0.0.2    192.168.0.0/22  type-5 (External)  0x80000002  0x00001371  447

VIRTUAL ROUTER: OSPF-Router2 (id 2)
==========
VR  Area ID  Orig RTR ID  LS ID           LSA Type           Seq Number  CheckSum    Age   Size
2   0.0.0.0  100.0.0.1    100.0.0.1       type-1 (Router)    0x80000036  0x00008CEF  1219  36
2   0.0.0.0  100.0.0.2    100.0.0.2       type-1 (Router)    0x80000036  0x00008AEE  1218  36
2   0.0.0.0  100.0.0.2    100.0.0.2/24    type-2 (Network)   0x80000035  0x00008DFF  1223  32
2            100.0.0.2    192.168.0.0/22  type-5 (External)  0x80000002  0x00001371  446

<Routing table>
admin@Lab98-13-PA-820> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: OSPF-Router1 (id 1)
==========
destination       nexthop        metric  flags  age    interface      next-AS
100.0.0.0/24      0.0.0.0        10        Oi   94917  ethernet1/5
100.0.0.0/24      100.0.0.1      0       A C           ethernet1/5
100.0.0.1/32      0.0.0.0        0       A H
192.168.0.0/22    100.0.0.2      11      A O1   519    ethernet1/5
total routes shown: 4

VIRTUAL ROUTER: OSPF-Router2 (id 2)
==========
destination       nexthop        metric  flags  age    interface      next-AS
1.1.1.1/32        0.0.0.0        0       A H
100.0.0.0/24      0.0.0.0        10        Oi   94917  ethernet1/6
100.0.0.0/24      100.0.0.2      0       A C           ethernet1/6
100.0.0.2/32      0.0.0.0        0       A H
192.168.0.0/22    1.1.1.1        100     A S           loopback.1
192.168.0.0/24    192.168.0.100  0       A C           ethernet1/1.1
192.168.0.100/32  0.0.0.0        0       A H
192.168.1.0/24    192.168.1.100  0       A C           ethernet1/1.2
192.168.1.100/32  0.0.0.0        0       A H
192.168.2.0/24    192.168.2.100  0       A C           ethernet1/1.3
192.168.2.100/32  0.0.0.0        0       A H
192.168.3.0/24    192.168.3.100  0       A C           ethernet1/1.4
192.168.3.100/32  0.0.0.0        0       A H
total routes shown: 13
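A check for this workaround, added here as an example and not part of the original article: it derives the summary prefix from the connected subnets, reports any address space inside the summary that no connected subnet backs (space the static route would advertise without a more-specific route behind it), and confirms from the LSDB output that the summary is the only type-5 LSA. The function names are hypothetical; the type-5 rows are copied from the outputs above.

```python
import ipaddress
import re

CONNECTED = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
# Type-5 rows copied from the page's LSDB output, before and after the workaround.
LSDB_BEFORE = """\
1 100.0.0.2 192.168.0.0/24 type-5 (External) 0x80000001 0x0000245E 60
1 100.0.0.2 192.168.1.0/24 type-5 (External) 0x80000001 0x00001968 60
1 100.0.0.2 192.168.2.0/24 type-5 (External) 0x80000001 0x00000E72 60
1 100.0.0.2 192.168.3.0/24 type-5 (External) 0x80000001 0x0000037C 60
"""
LSDB_AFTER = "1 100.0.0.2 192.168.0.0/22 type-5 (External) 0x80000002 0x00001371 447\n"

def summary_for(prefixes):
    """Smallest single prefix that contains every prefix in the list."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary

def uncovered(summary, prefixes):
    """Parts of the summary with no connected prefix behind them."""
    gaps = [summary]
    for p in map(ipaddress.ip_network, prefixes):
        remaining = []
        for g in gaps:
            if p.subnet_of(g):
                remaining.extend(g.address_exclude(p))  # carve p out of the gap
            elif not g.subnet_of(p):
                remaining.append(g)                      # p does not touch this gap
        gaps = remaining
    return sorted(gaps)

def external_lsas(lsdb_text):
    """Set of LS IDs (as networks) on the type-5 rows of the LSDB output."""
    rows = re.findall(r"(\d+(?:\.\d+){3}/\d+)\s+type-5 \(External\)", lsdb_text)
    return {ipaddress.ip_network(r) for r in rows}

def only_summary_advertised(lsdb_text, prefixes):
    """True when the sole type-5 LSA is the summary of the connected prefixes."""
    return external_lsas(lsdb_text) == {summary_for(prefixes)}

if __name__ == "__main__":
    s = summary_for(CONNECTED)
    print(s, uncovered(s, CONNECTED))
    print(only_summary_advertised(LSDB_BEFORE, CONNECTED),
          only_summary_advertised(LSDB_AFTER, CONNECTED))
```

An empty result from `uncovered` means the /22 advertises exactly the four connected /24s; a non-empty result lists ranges to review before committing the static route.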