OSPF Route Maps: Exclude Default Gateway

The document discusses using route maps in OSPF to distribute static routes from a VPN gateway to a transport VRF, except for the default gateway route. Several route map configurations are attempted but do not exclude the default route as intended. The solution is to use a "refines" match instead of an "exact" match to exclude only the 0.0.0.0/0 route. The poster is unhappy that technical support closed the issue without providing an explanation for why the initial configurations did not work as expected.


https://community.checkpoint.com/t5/Security-Gateways/OSPF-and-routemaps/td-p/100694#

OSPF and routemaps


OSPF routemaps are a bit curious and I cannot understand why these two configurations do
not exclude the default gateway.

The goal is to distribute all static routes into a transport VRF, except the default gateway.
This is a VPN-Gateway with a couple of cores; the main GW is an appliance with a lot more
capacity, though we do not want to terminate VPN tunnels due to compatibility issues. The
main GW will also announce itself as the default GW with OSPF into the transport VRF.

The network should only know the routes that are going into the VPN enc domains, defined
by statically routing them towards the default gw on the gateway external side.

set routemap ospfout id 9 on
set routemap ospfout id 9 restrict
set routemap ospfout id 9 match network 0.0.0.0/0 exact
set routemap ospfout id 10 on
set routemap ospfout id 10 allow
set routemap ospfout id 10 match nexthop <default-gw> on
set routemap ospfout id 10 match protocol static
set ospf instance default export-routemap ospfout preference 10 on

The above does not work even if the order is reversed.

set routemap ospfout id 10 on
set routemap ospfout id 10 allow
set routemap ospfout id 10 match nexthop <default-gw> on
set routemap ospfout id 10 match protocol static
set routemap ospfoutrestrict id 10 on
set routemap ospfoutrestrict id 10 restrict
set routemap ospfoutrestrict id 10 match network 0.0.0.0/0 exact
set ospf instance default export-routemap ospfout preference 10 on
set ospf instance default export-routemap ospfoutrestrict preference 9 on

This version didn't exclude the default route either; I also tested variants of the above with no
luck.

I ended up with a trick, which works since this is a simple setup:

set routemap ospfout id 10 on
set routemap ospfout id 10 allow
set routemap ospfout id 10 match nexthop <default-gw> on
set routemap ospfout id 10 match network 0.0.0.0/0 refines
set routemap ospfout id 10 match protocol static

The trick is that refines is "less than", it covers all routes that are not 0.0.0.0/0, which is the
widest mask possible.

Do you have any insight into why the Cisco way in my first couple of examples doesn't work with
CP routed? I've seen configuration examples with my second configuration, though is there
something new with R80.40 OSPF?

I tried to get some help from TAC, though they closed the issue as soon as I reported the
workaround above. Not at all happy with getting no answers, especially on a premium
support contract.
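To make the exact/refines distinction from the post concrete, here is an added example (not Gaia's code and not the poster's): a small Python model of the route-map clauses used in the thread. The semantics are an assumption of the model, taken from the post's own description: "exact" matches only the configured prefix, "refines" matches routes more specific than it, every match clause on an ID must hit, IDs are walked in ascending order and a route matched by no ID is not exported. The addresses and the routing table are constructed; the gateway address stands in for the thread's <default-gw> placeholder.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample addresses for the example; they stand in for the
# thread's <default-gw> placeholder and are not from the thread.
DEFAULT_GW = "203.0.113.1"
OTHER_GW = "203.0.113.2"

@dataclass
class Route:
    prefix: str     # e.g. "10.10.0.0/16"
    protocol: str   # "static", "ospf", ...
    nexthop: str

@dataclass
class Entry:
    id: int
    action: str = "allow"                        # "allow" or "restrict"
    matches: dict = field(default_factory=dict)  # network / nexthop / protocol

def match_network(route_prefix, network, mode):
    """exact: the route is the configured prefix itself.
    refines: the route lies inside the prefix with a strictly longer mask, so
    with 0.0.0.0/0 it matches every route except the default route."""
    r = ipaddress.ip_network(route_prefix, strict=False)
    n = ipaddress.ip_network(network, strict=False)
    if r.version != n.version:
        return False
    if mode == "exact":
        return r == n
    if mode == "refines":
        return r != n and r.subnet_of(n)
    raise ValueError(f"unsupported match mode: {mode}")

def parse_routemap(clish_lines, name):
    """Build Entry objects from the subset of clish syntax used in the thread."""
    entries = {}
    for line in clish_lines:
        tok = line.split()
        if len(tok) < 6 or tok[:4] != ["set", "routemap", name, "id"]:
            continue
        entry = entries.setdefault(int(tok[4]), Entry(int(tok[4])))
        rest = tok[5:]                     # "... id N on" just enables the ID
        if rest in (["allow"], ["restrict"]):
            entry.action = rest[0]
        elif rest[:2] == ["match", "network"]:
            entry.matches["network"] = (rest[2], rest[3])   # (prefix, mode)
        elif rest[:2] == ["match", "nexthop"]:
            entry.matches["nexthop"] = rest[2]
        elif rest[:2] == ["match", "protocol"]:
            entry.matches["protocol"] = rest[2]
    return [entries[k] for k in sorted(entries)]

def entry_matches(entry, route):
    """Every match clause configured on an ID must hit (AND semantics)."""
    m = entry.matches
    if "protocol" in m and route.protocol != m["protocol"]:
        return False
    if "nexthop" in m and route.nexthop != m["nexthop"]:
        return False
    if "network" in m and not match_network(route.prefix, *m["network"]):
        return False
    return True

def export_routes(routemap, routes):
    """Prefixes the export routemap lets through. Model assumption: IDs are
    walked in ascending order, the first hit decides, and an unmatched route
    is not exported."""
    exported = []
    for route in routes:
        for entry in routemap:
            if entry_matches(entry, route):
                if entry.action == "allow":
                    exported.append(route.prefix)
                break
    return exported

# The working configuration from the post, with the placeholder filled in.
WORKING_CONFIG = [
    "set routemap ospfout id 10 on",
    "set routemap ospfout id 10 allow",
    f"set routemap ospfout id 10 match nexthop {DEFAULT_GW} on",
    "set routemap ospfout id 10 match network 0.0.0.0/0 refines",
    "set routemap ospfout id 10 match protocol static",
]

# Constructed routing table: the default route, two encryption-domain statics
# via the default gateway, a static via another hop, and an OSPF-learned route.
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "static", DEFAULT_GW),
    Route("10.10.0.0/16", "static", DEFAULT_GW),
    Route("192.168.50.0/24", "static", DEFAULT_GW),
    Route("172.16.0.0/12", "static", OTHER_GW),
    Route("10.20.0.0/16", "ospf", OTHER_GW),
]

def exported_with_refines():
    # Default route dropped; the two statics via the default gateway exported.
    return export_routes(parse_routemap(WORKING_CONFIG, "ospfout"), SAMPLE_ROUTES)
```

Running exported_with_refines() returns the two encryption-domain prefixes and nothing else: the default route fails the refines clause because it is not more specific than 0.0.0.0/0, the static via the other hop fails the nexthop clause, and the OSPF route fails the protocol clause. The model only captures the semantics the post describes; it does not explain why the restrict-then-allow variants behaved differently on the real gateway.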


4 Replies

funkylicious

Advisor

2020-10-30 09:48 PM

Hi,
A simpler solution would be to just configure in the routemap the exact routes that you are
trying to advertise into OSPF; this way you can be more granular and exempt the default
route 0.0.0.0.

Harald_Hansen

Advisor

2020-10-31 03:01 AM

In response to funkylicious

Hi,

That is not simpler. Instead of doing `set static-route x/y next-hop gateway address <default-gw>`
you have to add the static-route (since a larger route could exist from the other peers)
and the ospf routemap. That will be 5 times the number of lines in clish, which bloats the
database.

PS! I also noticed the last code snippet was lost; the editor is not good with Safari.
Br,
Harald

RoyS

Employee

2020-11-01 01:58 AM

Hi,

Please add "match protocol static" into ID 9 and retest.

set routemap ospfout id 9 restrict
set routemap ospfout id 9 match protocol static
set routemap ospfout id 9 match network 0.0.0.0/0 exact
set routemap ospfout id 10 on
set routemap ospfout id 10 allow
set routemap ospfout id 10 match nexthop <default-gw> on
set routemap ospfout id 10 match protocol static
set ospf instance default export-routemap ospfout preference 10 on

Thanks

Roy

Harald_Hansen

Advisor

2020-11-01 11:55 PM

In response to RoyS

Hi,

If it is a requirement to have a match on protocol as well as network, why is that not part of
your documentation? I think this document
(https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_Advanced_Routing_AdminG...)
should be the sole source of truth regarding routemaps.

How do I request revisions/suggest improvements to the documentation package like one can
do on SKs? The only way to respond to the page above is a yes/no question way down on the
page.

Br,
Harald
