OSPF Route Filtering [Options Explained & Configuration GNS3 Lab]
I- Filtering LSA-5 at the ASBR level
Topology:
Option-1: Distribute-list (outbound)
We can use the outbound distribute-list for LSA type 5 filtering:
access-list 1 deny 5.5.5.5
access-list 1 permit any
router ospf 10
redistribute connected subnets
distribute-list 1 out connected
Note:
An inbound distribute-list only stops the route from being installed in the routing table; it does not block Type 5 LSAs from being flooded on to other routers.
Verification:
We can check that R2 no longer receives the 5.5.5.5/32 route from R1 after the filter is applied.
R2#show ip ospf database
OSPF Router with ID (172.17.0.1) (Process ID 10)
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
1.1.1.1 9.9.9.9 1445 0x80000001 0x00AACD 0
9.9.9.9 9.9.9.9 1445 0x80000001 0x00391F 0
------------------
R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 172.17.0.2, 00:23:20, FastEthernet0/1
9.0.0.0/32 is subnetted, 1 subnets
O E2 9.9.9.9 [110/20] via 172.17.0.2, 00:23:20, FastEthernet0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, FastEthernet0/0
L 172.16.0.2/32 is directly connected, FastEthernet0/0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/30 is directly connected, FastEthernet0/1
L 172.17.0.1/32 is directly connected, FastEthernet0/1
Option-2: Route-map (In the process of redistribution)
When redistributing an IGP (or, as here, connected routes) into OSPF, a route-map attached to the redistribute command stops the Type 5 LSA from being generated on the ASBR:
router ospf 10
redistribute connected subnets route-map stop-five
access-list 1 deny 5.5.5.5
access-list 1 permit any
route-map stop-five permit 10
match ip address 1
Verification on R2:
R2#show ip ospf database
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
1.1.1.1 9.9.9.9 289 0x80000002 0x00A8CE 0
9.9.9.9 9.9.9.9 289 0x80000002 0x003720 0
R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 172.17.0.2, 00:35:19, FastEthernet0/1
9.0.0.0/32 is subnetted, 1 subnets
O E2 9.9.9.9 [110/20] via 172.17.0.2, 00:35:19, FastEthernet0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, FastEthernet0/0
L 172.16.0.2/32 is directly connected, FastEthernet0/0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/30 is directly connected, FastEthernet0/1
L 172.17.0.1/32 is directly connected, FastEthernet0/1
Option-3: Summary-address
The “summary-address subnet mask not-advertise” command can be used to block the advertisement of an LSA-5:
- Configuration:
R1(config)#router ospf 10
R1(config-router)#summary-address 5.5.5.5 255.255.255.255 not-advertise
- Verification:
We can see that the 5.5.5.5/32 subnet was filtered and is not advertised to R2.
R2#show ip route
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 172.17.0.2, 00:08:01, FastEthernet0/1
9.0.0.0/32 is subnetted, 1 subnets
O E2 9.9.9.9 [110/20] via 172.17.0.2, 00:08:01, FastEthernet0/1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, FastEthernet0/0
L 172.16.0.2/32 is directly connected, FastEthernet0/0
172.17.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.17.0.0/30 is directly connected, FastEthernet0/1
L 172.17.0.1/32 is directly connected, FastEthernet0/1
II- Filtering LSA-3 at the ABR level
Filter-list:
In order to filter inter-area (Type 3) LSAs, we will use the “filter-list” feature.
We will use a filter-list on the R2 router (the ABR) to filter the 6.6.6.6/32 LSA.
R1 config:
router ospf 10
redistribute connected subnets
network 6.6.6.6 0.0.0.0 area 0
network 172.17.0.0 0.0.0.255 area 0
R2 config, Filtering 6.6.6.6/32 LSA-3:
ip prefix-list no-six-prefix seq 5 deny 6.6.6.6/32
ip prefix-list no-six-prefix seq 10 permit 0.0.0.0/0 le 32
router ospf 10
area 0 filter-list prefix no-six-prefix out
area 0 filter-list prefix no-six-prefix out: this command applies the prefix-list “no-six-prefix” to the Type 3 LSAs that the ABR advertises out of Area 0 into its other areas.
Verifications:
We can check on router R3 that the 6.6.6.6/32 route is no longer in the routing table or in the OSPF database.
R3# show ip ospf database
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
172.17.0.0 172.17.0.1 273 0x80000004 0x004976
--------------
R3# show ip route
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 172.16.0.2, 00:05:57, FastEthernet0/0
5.0.0.0/32 is subnetted, 1 subnets
O E2 5.5.5.5 [110/20] via 172.16.0.2, 00:05:57, FastEthernet0/0
9.0.0.0/32 is subnetted, 1 subnets
O E2 9.9.9.9 [110/20] via 172.16.0.2, 00:05:57, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, FastEthernet0/0
L 172.16.0.1/32 is directly connected, FastEthernet0/0
172.17.0.0/30 is subnetted, 1 subnets
O IA 172.17.0.0 [110/2] via 172.16.0.2, 00:05:57, FastEthernet0/0
III- OSPF Database to Routing-table Filtering
Topology:
On router R3, we will prevent 9.9.9.9 from being installed in the routing table even though it is still present in the OSPF database. We can achieve this with the distribute-list command in the inbound direction.
Configuration:
router ospf 10
distribute-list route-map no-nine in
!
access-list 20 deny 9.9.9.9
access-list 20 permit any
!
route-map no-nine permit 10
match ip address 20
Verification:
We can check that the LSA for 9.9.9.9 is still present in the OSPF database of router R3:
R3#show ip ospf database
OSPF Router with ID (172.16.0.1) (Process ID 10)
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
172.16.0.1 172.16.0.1 759 0x80000004 0x003BFD 1
172.17.0.1 172.17.0.1 1026 0x80000009 0x002E02 1
Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
172.16.0.1 172.16.0.1 759 0x80000002 0x00EC57
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
6.6.6.6 172.17.0.1 1021 0x80000001 0x00E77C
172.17.0.0 172.17.0.1 1021 0x80000001 0x004F73
Summary ASB Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
9.9.9.9 172.17.0.1 1021 0x80000001 0x004513
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
1.1.1.1 9.9.9.9 652 0x80000002 0x00A8CE 0
5.5.5.5 9.9.9.9 652 0x80000002 0x00EF77 0
9.9.9.9 9.9.9.9 652 0x80000002 0x003720 0
But it is not present in the routing table of R3:
R3#show ip route
1.0.0.0/32 is subnetted, 1 subnets
O E2 1.1.1.1 [110/20] via 172.16.0.2, 00:04:28, FastEthernet0/0
5.0.0.0/32 is subnetted, 1 subnets
O E2 5.5.5.5 [110/20] via 172.16.0.2, 00:04:28, FastEthernet0/0
6.0.0.0/32 is subnetted, 1 subnets
O IA 6.6.6.6 [110/3] via 172.16.0.2, 00:04:28, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/30 is directly connected, FastEthernet0/0
L 172.16.0.1/32 is directly connected, FastEthernet0/0
172.17.0.0/30 is subnetted, 1 subnets
O IA 172.17.0.0 [110/2] via 172.16.0.2, 00:04:28, FastEthernet0/0
The previous Lab can be summarized in the following picture by Kevin Wallace:
In OSPF, you can only filter LSAs on the devices that generate them. For example, you can only filter Type-3 LSAs on an ABR because ABRs generate Type-3 LSAs.
Similarly, you can only filter Type-5 LSAs on ASBRs because ASBRs generate Type-5 LSAs. However, there is a special case where an ABR generates a Type-5 LSA as a “pseudo-ASBR”.
This happens whenever the NSSA ABR translates the type-7 LSA into a Type-5 LSA. Because the NSSA ABR is generating the Type-5 LSA, you can then filter the type-5 generation on the NSSA ABR by using the “summary-address x.x.x.x x.x.x.x not-advertise” command.
This prevents the NSSA ABR from sending the Type-5 LSA to the rest of the OSPF domain while allowing the external prefix to exist in the NSSA. However, this wouldn’t work if the ASBR is located in Area 0 itself.
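To make the three filtering points of the lab concrete, here is a small Python model of them, added here and not part of the original post or of any Cisco tool. It re-implements the IOS matching rules the lab relies on (standard ACL with wildcard mask, prefix-list with ge/le and implicit deny) and applies them at the places the lab uses them: LSA-5 generation on the ASBR R1, LSA-3 origination on the ABR R2, and the inbound distribute-list on R3 that affects the RIB only. The prefixes, ACL and prefix-list contents are taken from the lab; the function names and tuple layouts are my own.

```python
import ipaddress

# Constructed lab state: externals R1 (ASBR) redistributes, and area-0
# prefixes R2 (ABR) originates into area 1 as LSA-3.
R1_EXTERNAL = ["1.1.1.1/32", "5.5.5.5/32", "9.9.9.9/32"]
AREA0_INTERNAL = ["6.6.6.6/32", "172.17.0.0/30"]
# Standard ACL entries as (action, address, wildcard); a route-map or
# distribute-list compares the route's network address against them.
PERMIT_ANY_ACL = [("permit", "0.0.0.0", "255.255.255.255")]
ACL_1 = [("deny", "5.5.5.5", "0.0.0.0")] + PERMIT_ANY_ACL    # section I
ACL_20 = [("deny", "9.9.9.9", "0.0.0.0")] + PERMIT_ANY_ACL   # section III
# Prefix-list entries as (action, network, ge, le) in sequence order.
PERMIT_ALL_PL = [("permit", "0.0.0.0/0", None, 32)]
NO_SIX_PREFIX = [("deny", "6.6.6.6/32", None, None)] + PERMIT_ALL_PL  # section II

def match_acl(entries, prefix):
    """First matching entry wins; implicit deny at the end (IOS semantics)."""
    addr = int(ipaddress.ip_network(prefix).network_address)
    for action, address, wildcard in entries:
        mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if addr & mask == int(ipaddress.ip_address(address)) & mask:
            return action == "permit"
    return False

def match_prefix_list(entries, prefix):
    """An entry matches when the route lies inside its network and the route
    length is within [ge, le] (both default to the entry's own length)."""
    route = ipaddress.ip_network(prefix)
    for action, network, ge, le in entries:
        net = ipaddress.ip_network(network)
        low = net.prefixlen if ge is None else ge
        high = net.prefixlen if le is None else le
        if route.subnet_of(net) and low <= route.prefixlen <= high:
            return action == "permit"
    return False

def run_lab(asbr_acl, abr_prefix_list, r3_inbound_acl):
    """Return (R2 Type-5 LSDB, R3 LSDB, R3 RIB) for one set of filters."""
    # Point 1 (ASBR R1): filtering at generation time means the LSA-5 never
    # exists, so no downstream router can learn the prefix.
    lsa5 = [p for p in R1_EXTERNAL if match_acl(asbr_acl, p)]
    # Point 2 (ABR R2): "area 0 filter-list prefix ... out" decides which
    # LSA-3s R2 originates into area 1.
    lsa3 = [p for p in AREA0_INTERNAL if match_prefix_list(abr_prefix_list, p)]
    r3_lsdb = sorted(lsa5 + lsa3)
    # Point 3 (R3): "distribute-list ... in" only gates RIB installation; the
    # LSDB is unchanged and R3 would still flood the LSA to any neighbour.
    r3_rib = [p for p in r3_lsdb if match_acl(r3_inbound_acl, p)]
    return lsa5, r3_lsdb, r3_rib
```

Running run_lab with each section's filters reproduces the show output above: the ASBR and ABR filters remove prefixes from R3's database, while the inbound distribute-list leaves 9.9.9.9/32 in the database and only drops it from the routing table.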
Author: Bilel-A