You want to isolate a group of firewalls from the burden of processing External LSAs.
Configure those firewalls into a stub area:
set vrouter "trust-vr"FIREWALL-A(trust-vr)->
set protocol ospfFIREWALL-A(trust-vr/ospf)->
set area 3 stubFIREWALL-A(trust-vr/ospf)->
Although External LSAs have AS-wide flooding scope, they are not flooded into areas designated as "stub areas." Instead of multiple External LSAs, an ABR originates one Summary LSA with the default network
0.0.0.0/0. As discussed in the introduction to this chapter, External LSAs are originated from ASBRs through redistribution. Often, topologies dictate the redistribution of hundreds or thousands of routes, which can cause a significant burden on the devices in the network from a processing perspective. The problem can be amplified when those routes are originating from remote sites and there is instability in the network.
It is recommended to configure areas without an ASBR as stub areas. A stub area cannot contain ASBRs (because then it would have external routes; see Recipe 16.6 for alternatives) and the backbone area can never be a stub area. In a stub area, all devices need to be configured as being in a stub area. This is enforced through the
E bit (see Recipe 16.1) in the OSPF Hello packet header. Two devices become adjacent only when both have the
E bit set, or not set, but not when one has it set and the other does not. ...