OSPF Route Filtering [Options Explained & Configuration GNS3 Lab]

I- Filtering LSA-5 at the ASBR level

Topology: (lab diagram not reproduced here)

Option-1: Distribute-list (outbound)

We can use an outbound distribute-list on the ASBR to filter a prefix before it becomes a type 5 LSA:

access-list 1 deny   5.5.5.5
access-list 1 permit any

router ospf 10
 redistribute connected subnets
 distribute-list 1 out connected

Note: an inbound distribute-list only prevents the route from being installed in the local routing table; it does not block type 5 LSAs from being flooded onward, so every other router in the domain still receives the LSA. Only the outbound direction on the ASBR stops the LSA from being generated.


Verification:

We can check that R2 did not receive the route 5.5.5.5/32 from R1 after applying the filter:

R2#show ip ospf database

            OSPF Router with ID (172.17.0.1) (Process ID 10)

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
1.1.1.1         9.9.9.9         1445        0x80000001 0x00AACD 0
9.9.9.9         9.9.9.9         1445        0x80000001 0x00391F 0

------------------


R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 172.17.0.2, 00:23:20, FastEthernet0/1
      9.0.0.0/32 is subnetted, 1 subnets
O E2     9.9.9.9 [110/20] via 172.17.0.2, 00:23:20, FastEthernet0/1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, FastEthernet0/0
L        172.16.0.2/32 is directly connected, FastEthernet0/0
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.0.0/30 is directly connected, FastEthernet0/1
L        172.17.0.1/32 is directly connected, FastEthernet0/1


Option-2: Route-map (applied during redistribution)

When redistributing into OSPF, a route-map attached to the redistribute command stops the type 5 LSA from being generated on the ASBR in the first place:

router ospf 10
 redistribute connected subnets route-map stop-five

access-list 1 deny   5.5.5.5
access-list 1 permit any

route-map stop-five permit 10
 match ip address 1
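
Both Option-1 and Option-2 rely on a standard access list (access-list 1) to decide which redistributed prefix is dropped. The following Python script is an added example, not part of the original lab: it models Cisco wildcard-mask matching and the first-match-wins plus implicit-deny behaviour of a standard ACL, then applies the lab's ACL to R1's three connected loopbacks. The prefix list and ACL entries are constructed from the lab's configuration; the function names are my own.

```python
# Added example (not from the original lab): how a Cisco standard ACL with
# wildcard masks decides which redistributed prefixes become Type-5 LSAs.
import ipaddress
from typing import List, Tuple

# One standard ACL entry: (action, address, wildcard).
# "access-list 1 deny 5.5.5.5" implies the host wildcard 0.0.0.0, and
# "permit any" is address 0.0.0.0 with wildcard 255.255.255.255.
AclEntry = Tuple[str, str, str]


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(ace_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl: List[AclEntry], network: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit 'deny any'.

    When a standard ACL is referenced by 'match ip address' or by a
    distribute-list, it is tested against the prefix's network address.
    """
    for action, ace_addr, wildcard in acl:
        if wildcard_match(network, ace_addr, wildcard):
            return action == "permit"
    return False  # implicit deny


def redistribute(acl: List[AclEntry], prefixes: List[str]) -> List[str]:
    """Return the prefixes that would still be turned into Type-5 LSAs."""
    kept = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        if acl_permits(acl, str(net.network_address)):
            kept.append(p)
    return kept


# Constructed from the lab: ACL 1 and R1's connected loopbacks.
STOP_FIVE: List[AclEntry] = [
    ("deny", "5.5.5.5", "0.0.0.0"),
    ("permit", "0.0.0.0", "255.255.255.255"),
]
CONNECTED = ["1.1.1.1/32", "5.5.5.5/32", "9.9.9.9/32"]

if __name__ == "__main__":
    print(redistribute(STOP_FIVE, CONNECTED))       # ['1.1.1.1/32', '9.9.9.9/32']
    # Common mistake: omitting "permit any" leaves only the implicit deny,
    # so nothing at all is redistributed.
    print(redistribute(STOP_FIVE[:1], CONNECTED))   # []
```

The second call shows the failure mode worth checking whenever a filter is tightened: a deny entry without a trailing permit silently removes every external prefix, which looks like an outage rather than a filter.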


Verification on R2:

R2#show ip ospf database 
               Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
1.1.1.1         9.9.9.9         289         0x80000002 0x00A8CE 0
9.9.9.9         9.9.9.9         289         0x80000002 0x003720 0


R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 172.17.0.2, 00:35:19, FastEthernet0/1
      9.0.0.0/32 is subnetted, 1 subnets
O E2     9.9.9.9 [110/20] via 172.17.0.2, 00:35:19, FastEthernet0/1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, FastEthernet0/0
L        172.16.0.2/32 is directly connected, FastEthernet0/0
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.0.0/30 is directly connected, FastEthernet0/1
L        172.17.0.1/32 is directly connected, FastEthernet0/1


Option-3: Summary-address

The "summary-address <subnet> <mask> not-advertise" command on the ASBR can be used to suppress the LSA-5 for that prefix:

  • Configuration:

R1(config)#router ospf 10
R1(config-router)#summary-address 5.5.5.5 255.255.255.255 not-advertise

  • Verification:

We can see that the 5.5.5.5/32 prefix was filtered and is not advertised to R2:

R2#show ip route

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 172.17.0.2, 00:08:01, FastEthernet0/1
      9.0.0.0/32 is subnetted, 1 subnets
O E2     9.9.9.9 [110/20] via 172.17.0.2, 00:08:01, FastEthernet0/1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, FastEthernet0/0
L        172.16.0.2/32 is directly connected, FastEthernet0/0
      172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.17.0.0/30 is directly connected, FastEthernet0/1
L        172.17.0.1/32 is directly connected, FastEthernet0/1

II- Filtering LSA-3 at the ABR level

Filter-list:

In order to filter Inter-Area LSA type 3, we will use the “filter-list” feature.

We will use filter-list on the R2 router to filter 6.6.6.6 LSA.

R1 config:

router ospf 10
 redistribute connected subnets
 network 6.6.6.6 0.0.0.0 area 0
 network 172.17.0.0 0.0.0.255 area 0

R2 config, Filtering 6.6.6.6/32 LSA-3:

ip prefix-list no-six-prefix seq 5 deny 6.6.6.6/32
ip prefix-list no-six-prefix seq 10 permit 0.0.0.0/0 le 32

router ospf 10
 area 0 filter-list prefix no-six-prefix out

area 0 filter-list prefix no-six-prefix out: the ABR evaluates the type 3 (summary) LSAs it would advertise out of Area 0 into its other areas against the prefix-list "no-six-prefix"; prefixes the list denies are not advertised. Note that this filters what the ABR originates toward other areas, not what it receives.
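
The filter-list above depends on IOS prefix-list semantics, in particular on the "le 32" in the permit entry. The following Python script is an added example and not part of the original lab: it implements prefix-list evaluation (sequence order, first match wins, implicit deny, and the ge/le length ranges) and applies the lab's "no-six-prefix" list to the two summary prefixes R2 originates from Area 0. Entry tuples and function names are my own construction.

```python
# Added example (not from the original lab): IOS-style prefix-list matching
# applied to the type 3 summaries an ABR would advertise out of an area.
import ipaddress
from typing import List, Optional, Tuple

# One entry: (seq, action, prefix, ge, le); ge/le are None when not given.
PrefixListEntry = Tuple[int, str, str, Optional[int], Optional[int]]


def entry_matches(entry: PrefixListEntry, route: str) -> bool:
    """IOS semantics: the route must lie inside the entry's prefix, and its
    length must fall in the range implied by ge/le:
      no ge/le  -> exactly the entry's length
      ge only   -> ge .. 32
      le only   -> entry length .. le
      ge and le -> ge .. le
    """
    _, _, prefix, ge, le = entry
    base = ipaddress.ip_network(prefix)
    net = ipaddress.ip_network(route)
    if not net.subnet_of(base):
        return False
    lo = ge if ge is not None else base.prefixlen
    if le is not None:
        hi = le
    else:
        hi = 32 if ge is not None else base.prefixlen
    return lo <= net.prefixlen <= hi


def prefix_list_permits(plist: List[PrefixListEntry], route: str) -> bool:
    """Entries are evaluated in sequence order; first match decides.
    A route that matches nothing hits the implicit deny."""
    for entry in sorted(plist, key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1] == "permit"
    return False


def filter_type3(plist: List[PrefixListEntry], summaries: List[str]) -> List[str]:
    """Return the summary prefixes the ABR would still advertise."""
    return [p for p in summaries if prefix_list_permits(plist, p)]


# Constructed from the lab: the prefix-list on R2 and the Area 0 prefixes
# R2 summarizes into Area 1 (6.6.6.6/32 and the 172.17.0.0/30 link).
NO_SIX: List[PrefixListEntry] = [
    (5, "deny", "6.6.6.6/32", None, None),
    (10, "permit", "0.0.0.0/0", None, 32),
]
AREA0_SUMMARIES = ["6.6.6.6/32", "172.17.0.0/30"]

# The same list with "le 32" forgotten: "permit 0.0.0.0/0" then matches only
# a default route, so every summary falls through to the implicit deny.
NO_SIX_BROKEN: List[PrefixListEntry] = [
    NO_SIX[0],
    (10, "permit", "0.0.0.0/0", None, None),
]

if __name__ == "__main__":
    print(filter_type3(NO_SIX, AREA0_SUMMARIES))         # ['172.17.0.0/30']
    print(filter_type3(NO_SIX_BROKEN, AREA0_SUMMARIES))  # []
```

The broken variant is the check to run before applying a filter-list on an ABR: a catch-all permit without "le 32" filters every inter-area prefix, which disconnects the area rather than hiding one route.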

Verifications:

We can check on router R3 that the 6.6.6.6 route is no longer in the routing table or in the OSPF database:

R3# show ip ospf database

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
172.17.0.0      172.17.0.1      273         0x80000004 0x004976

--------------

R3# show ip route

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 172.16.0.2, 00:05:57, FastEthernet0/0
      5.0.0.0/32 is subnetted, 1 subnets
O E2     5.5.5.5 [110/20] via 172.16.0.2, 00:05:57, FastEthernet0/0
      9.0.0.0/32 is subnetted, 1 subnets
O E2     9.9.9.9 [110/20] via 172.16.0.2, 00:05:57, FastEthernet0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, FastEthernet0/0
L        172.16.0.1/32 is directly connected, FastEthernet0/0
      172.17.0.0/30 is subnetted, 1 subnets
O IA     172.17.0.0 [110/2] via 172.16.0.2, 00:05:57, FastEthernet0/0


III- OSPF Database to Routing-table Filtering

Topology: (lab diagram not reproduced here)

On router R3, we will prevent 9.9.9.9 from being installed in the routing table even though it remains present in the OSPF database. We can achieve this with the distribute-list command in the inbound direction.

Configuration:

router ospf 10
 distribute-list route-map no-nine in
!
access-list 20 deny   9.9.9.9
access-list 20 permit any
!
route-map no-nine permit 10
 match ip address 20


Verification:

We can check that the LSA for 9.9.9.9 is present in the OSPF database of router R3:

R3#show ip ospf  database

            OSPF Router with ID (172.16.0.1) (Process ID 10)

                Router Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum Link count
172.16.0.1      172.16.0.1      759         0x80000004 0x003BFD 1
172.17.0.1      172.17.0.1      1026        0x80000009 0x002E02 1

                Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
172.16.0.1      172.16.0.1      759         0x80000002 0x00EC57

                Summary Net Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
6.6.6.6         172.17.0.1      1021        0x80000001 0x00E77C
172.17.0.0      172.17.0.1      1021        0x80000001 0x004F73

                Summary ASB Link States (Area 1)

Link ID         ADV Router      Age         Seq#       Checksum
9.9.9.9         172.17.0.1      1021        0x80000001 0x004513

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
1.1.1.1         9.9.9.9         652         0x80000002 0x00A8CE 0
5.5.5.5         9.9.9.9         652         0x80000002 0x00EF77 0
9.9.9.9         9.9.9.9         652         0x80000002 0x003720 0


But it’s not present in the routing table of R3:

R3#show ip route

      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 172.16.0.2, 00:04:28, FastEthernet0/0
      5.0.0.0/32 is subnetted, 1 subnets
O E2     5.5.5.5 [110/20] via 172.16.0.2, 00:04:28, FastEthernet0/0
      6.0.0.0/32 is subnetted, 1 subnets
O IA     6.6.6.6 [110/3] via 172.16.0.2, 00:04:28, FastEthernet0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, FastEthernet0/0
L        172.16.0.1/32 is directly connected, FastEthernet0/0
      172.17.0.0/30 is subnetted, 1 subnets
O IA     172.17.0.0 [110/2] via 172.16.0.2, 00:04:28, FastEthernet0/0
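
The distinction this section and the note under Option-1 both make is that an inbound distribute-list changes the routing table but leaves the LSDB untouched. The following Python script is an added example and not part of the original lab: it parses the Type-5 section of "show ip ospf database" and the OSPF entries of "show ip route" and reports the Link IDs that are present in the LSDB but not installed in the RIB, which is exactly the verification performed above. The two sample outputs are abridged copies of R3's output from this lab, embedded so the script runs offline; the regular expressions and function names are my own.

```python
# Added example (not from the original lab): compare the OSPF LSDB with the
# RIB to find externals that are flooded to a router but not installed.
import re
from typing import Dict, List, Set

# Abridged from R3's "show ip ospf database" above (Type-5 section only).
R3_OSPF_DB = """\
                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
1.1.1.1         9.9.9.9         652         0x80000002 0x00A8CE 0
5.5.5.5         9.9.9.9         652         0x80000002 0x00EF77 0
9.9.9.9         9.9.9.9         652         0x80000002 0x003720 0
"""

# Abridged from R3's "show ip route" above.
R3_IP_ROUTE = """\
      1.0.0.0/32 is subnetted, 1 subnets
O E2     1.1.1.1 [110/20] via 172.16.0.2, 00:04:28, FastEthernet0/0
      5.0.0.0/32 is subnetted, 1 subnets
O E2     5.5.5.5 [110/20] via 172.16.0.2, 00:04:28, FastEthernet0/0
      6.0.0.0/32 is subnetted, 1 subnets
O IA     6.6.6.6 [110/3] via 172.16.0.2, 00:04:28, FastEthernet0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/30 is directly connected, FastEthernet0/0
L        172.16.0.1/32 is directly connected, FastEthernet0/0
      172.17.0.0/30 is subnetted, 1 subnets
O IA     172.17.0.0 [110/2] via 172.16.0.2, 00:04:28, FastEthernet0/0
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# Link ID, ADV Router, Age, Seq#, Checksum (Tag is optional in other LSA types).
LSA_ROW = re.compile(rf"^({IPV4})\s+({IPV4})\s+\d+\s+0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+")
# Routing-table rows learned by OSPF: O, O IA, O E1/E2, O N1/N2.
ROUTE_ROW = re.compile(rf"^(O(?: E1| E2| IA| N1| N2)?)\s+({IPV4})(?:/\d+)?\s")


def parse_type5_lsas(db_output: str) -> Dict[str, str]:
    """Map Link ID -> advertising router for the Type-5 section only."""
    lsas: Dict[str, str] = {}
    in_type5 = False
    for line in db_output.splitlines():
        if "Link States" in line:          # section header, e.g. "Type-5 AS External Link States"
            in_type5 = "Type-5" in line
            continue
        m = LSA_ROW.match(line)
        if in_type5 and m:
            lsas[m.group(1)] = m.group(2)
    return lsas


def parse_ospf_routes(route_output: str) -> Set[str]:
    """Destination addresses the RIB actually installed from OSPF."""
    installed: Set[str] = set()
    for line in route_output.splitlines():
        m = ROUTE_ROW.match(line)
        if m:
            installed.add(m.group(2))
    return installed


def lsdb_only(db_output: str, route_output: str) -> List[str]:
    """Type-5 Link IDs known to the LSDB but absent from the routing table."""
    installed = parse_ospf_routes(route_output)
    return sorted(lid for lid in parse_type5_lsas(db_output) if lid not in installed)


if __name__ == "__main__":
    print(lsdb_only(R3_OSPF_DB, R3_IP_ROUTE))  # ['9.9.9.9']
```

Run against live output, a non-empty result is expected only where an inbound distribute-list (or a deliberate policy) is in place; anywhere else it flags an external that neighbours are still flooding but this router is quietly not using, which is worth a second look.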


The previous lab can be summarized in the following picture by Kevin Wallace (image not reproduced here), with the accompanying explanation from arahanand:

arahanand:

In OSPF, you can only filter LSAs on the devices that generate them. For example, you can only filter Type-3 LSAs on an ABR because ABRs generate Type-3 LSAs.

Similarly, you can only filter Type-5 LSAs on ASBRs because ASBRs generate type-5 LSAs. However, there is a special case where an ABR generates a Type-5 LSA as a “pseudo-ASBR”.

This happens whenever the NSSA ABR translates the type-7 LSA into a Type-5 LSA. Because the NSSA ABR is generating the Type-5 LSA, you can then filter the type-5 generation on the NSSA ABR by using the “summary-address x.x.x.x x.x.x.x not-advertise” command.

This prevents the NSSA ABR from sending the Type-5 LSA to the rest of the OSPF domain while allowing the external prefix to exist in the NSSA. However, this wouldn’t work if the ASBR is located in Area 0 itself.



Author: Bilel-A

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5