
OSPF Filtering

Today we are going to cover a topic that almost sent a DoS to my brain 🙂 some time back: OSPF Filtering. Today, it's my favorite OSPF topic.

With dynamic routing protocols many prefixes are exchanged. Some are needed in certain locations of the network, while others are not needed, or should not be reachable, from a given location. This is where filtering helps: it controls which prefixes are announced where in the network.

This post will focus on filtering with OSPF.

Throughout this post we will work with the following topology:

We have area 0 connected to area 1 and to area 2, the latter being an NSSA. R2 redistributes its lo1 IP as an external type 1 route and R5 redistributes its lo1 IP as external type 2 (the default).

INITIAL CONFIGURATIONS


R1:

interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface Loopback1
ip address 10.11.11.11 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.13.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
router-id 10.1.1.1
log-adjacency-changes
network 10.1.1.1 0.0.0.0 area 0
network 10.11.11.11 0.0.0.0 area 1
network 192.168.12.1 0.0.0.0 area 1
network 192.168.13.1 0.0.0.0 area 0


R2:

interface Loopback0
ip address 10.2.2.2 255.255.255.0
!
interface Loopback1
ip address 10.22.22.22 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.12.2 255.255.255.0
duplex auto
speed auto
!
router ospf 1
router-id 10.2.2.2
log-adjacency-changes
redistribute connected metric-type 1 subnets route-map RM_lOOPBACK0->OSPF
network 192.168.12.2 0.0.0.0 area 1
!
!
route-map RM_lOOPBACK0->OSPF permit 10
match interface Loopback1
!

R3:

interface Loopback0
ip address 10.3.3.3 255.255.255.0
!
interface Loopback1
ip address 10.33.33.33 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.13.3 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.34.3 255.255.255.0
duplex auto
speed auto
!
router ospf 1
router-id 10.3.3.3
log-adjacency-changes
network 10.3.3.3 0.0.0.0 area 0
network 10.33.33.33 0.0.0.0 area 0
network 192.168.13.3 0.0.0.0 area 0
network 192.168.34.3 0.0.0.0 area 0
!

R4:

interface Loopback0
ip address 10.4.4.4 255.255.255.0
!
interface Loopback1
ip address 10.44.44.44 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.34.4 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.45.4 255.255.255.0
duplex auto
speed auto
!
router ospf 1
router-id 10.4.4.4
log-adjacency-changes
area 2 nssa
network 10.4.4.4 0.0.0.0 area 0
network 10.44.44.44 0.0.0.0 area 2
network 192.168.34.4 0.0.0.0 area 0
network 192.168.45.4 0.0.0.0 area 2
!

R5:

interface Loopback0
ip address 10.5.5.5 255.255.255.0
!
interface Loopback1
ip address 10.55.55.55 255.255.255.0
!
interface Loopback2
ip address 10.52.52.52 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.45.5 255.255.255.0
duplex auto
speed auto
!
router ospf 1
router-id 10.5.5.5
log-adjacency-changes
area 2 nssa
redistribute connected subnets route-map RM_LOOPBACK1->OSPF
network 10.5.5.5 0.0.0.0 area 2
network 192.168.45.5 0.0.0.0 area 2
!
route-map RM_LOOPBACK1->OSPF permit 10
match interface Loopback1 Loopback2
!

OSPF filtering can only occur between areas. As stated in RFC 2328, "Two routers in the same area have, for that area, identical area link-state databases"; that is why there is no database filtering inside an area. What is possible is to filter OSPF routes as they enter the routing table.

In a multi-area OSPF network we may need control over which routes are sent out of an area and which routes enter it. This is where inter-area filtering comes in.

Before jumping to inter-area filtering, let's see how to filter routes entering the routing table.

CONTROLLING ROUTES ENTERING THE ROUTING TABLE

Let’s take some examples:

– Filter R5's loopback0 address (10.5.5.5) from R4's routing table.

On R4 we have 10.5.5.5 as a summary LSA in the database and as an inter-area route in the routing table.

R4#sh ip ospf data summ 10.5.5.5

           OSPF Router with ID (10.4.4.4) (Process ID 1)

               Summary Net Link States (Area 0)

 LS age: 1759
 Options: (No TOS-capability, DC, Upward)
 LS Type: Summary Links(Network)
 Link State ID: 10.5.5.5 (summary Network Number)
 Advertising Router: 10.4.4.4
 LS Seq Number: 80000002
 Checksum: 0x1FE2
 Length: 28
 Network Mask: /32
       TOS: 0  Metric: 11

R4#sh ip ro 10.5.5.5
Routing entry for 10.5.5.5/32
 Known via "ospf 1", distance 110, metric 11, type intra area
 Last update from 192.168.45.5 on FastEthernet0/1, 00:05:12 ago
 Routing Descriptor Blocks:
 * 192.168.45.5, from 10.5.5.5, 00:05:12 ago, via FastEthernet0/1
     Route metric is 11, traffic share count is 1

To filter a prefix from entering the routing table, use the following command:

# distribute-list {acl# | acl_name | prefix | route-map} in [interface]

In our case, the configuration below is used on R4:

access-list 1 deny 10.5.5.5 0.0.0.0
access-list 1 permit any
router ospf 1
  distribute-list 1 in

The prefix is no longer in the routing table.

R4(config-router)#do sh ip ro 10.5.5.5
% Subnet not in table

We can confirm that the prefix is still in the database with the following:

R4(config-router)#do sh ip ospf data summ 10.5.5.5
         OSPF Router with ID (10.4.4.4) (Process ID 1)

             Summary Net Link States (Area 0)

  LS age: 1894
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.5.5.5 (summary Network Number)
  Advertising Router: 10.4.4.4
  LS Seq Number: 80000002
  Checksum: 0x1FE2
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 11

Let's check whether R3 has the prefix 10.5.5.5 in its routing table:

R3#sh ip ro 10.5.5.5
Routing entry for 10.5.5.5/32
 Known via "ospf 1", distance 110, metric 21, type inter area
 Last update from 192.168.34.4 on FastEthernet0/1, 01:05:37 ago
 Routing Descriptor Blocks:
 * 192.168.34.4, from 10.4.4.4, 01:05:37 ago, via FastEthernet0/1
     Route metric is 21, traffic share count is 1

R3 learns the prefix 10.5.5.5/32 through R4, even though the prefix is not present in R4's routing table.

The prefix is filtered from R4's routing table, but it is still in the OSPF database and is therefore still flooded to other routers.

Keep in mind that this takes effect only on the router where it is configured, except when the filtered prefix comes from area 0, in which case the prefix is also filtered from the database.
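To make the two points above concrete (the ACL is evaluated with wildcard masks, and distribute-list in only stops RIB installation, not the LSDB), here is a small model written for this post; it is not Cisco code and not part of the original article. The prefix list is constructed from the topology above, and the wildcard-mask and first-match/implicit-deny rules are the standard Cisco ACL semantics.

```python
import ipaddress

# Constructed sample: prefixes R4 would hold in its LSDB for the topology above
# (areas 0 and 2 as seen from R4). Built for this example, not captured output.
R4_LSDB_PREFIXES = [
    "10.1.1.1/32", "10.3.3.3/32", "10.33.33.33/32", "10.4.4.4/32",
    "10.44.44.44/32", "10.5.5.5/32", "10.55.55.0/24", "10.52.52.0/24",
    "192.168.13.0/24", "192.168.34.0/24", "192.168.45.0/24",
]


def wildcard_match(addr, entry_addr, wildcard):
    """Cisco wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'.
    Returns True when every bit the wildcard cares about is identical."""
    a = int(ipaddress.IPv4Address(addr))
    e = int(ipaddress.IPv4Address(entry_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (e & care)


def acl_action(acl, addr):
    """Evaluate a standard ACL (list of (action, address, wildcard)) top-down.
    First match wins; anything that matches no entry hits the implicit deny."""
    for action, entry_addr, wildcard in acl:
        if wildcard_match(addr, entry_addr, wildcard):
            return action
    return "deny"


def distribute_list_in(lsdb_prefixes, acl):
    """Model of 'distribute-list <acl> in' under 'router ospf': the LSDB is left
    untouched and only installation into the RIB is filtered. A standard ACL is
    matched against the route's network address."""
    return [p for p in lsdb_prefixes if acl_action(acl, p.split("/")[0]) == "permit"]


# access-list 1 deny 10.5.5.5 0.0.0.0 / access-list 1 permit any  (as on R4 above)
ACL_1 = [("deny", "10.5.5.5", "0.0.0.0"), ("permit", "0.0.0.0", "255.255.255.255")]

# Same ACL with the 'permit any' line forgotten: the implicit deny then empties the RIB
ACL_1_NO_PERMIT = [("deny", "10.5.5.5", "0.0.0.0")]

if __name__ == "__main__":
    rib = distribute_list_in(R4_LSDB_PREFIXES, ACL_1)
    print("RIB after 'distribute-list 1 in':", rib)
    print("LSDB still holds 10.5.5.5/32:", "10.5.5.5/32" in R4_LSDB_PREFIXES)
    print("RIB when 'permit any' is missing:", distribute_list_in(R4_LSDB_PREFIXES, ACL_1_NO_PERMIT))
```

The second ACL shows the mistake that bites in practice: a distribute-list whose ACL has only deny lines removes every OSPF route from the RIB on that router, because the implicit deny at the end matches everything else.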

INTER-AREA FILTERING

Filter R1's lo1 address (10.11.11.11) from entering area 2.

On R5:

R5#sh ip ro 10.11.11.11
Routing entry for 10.11.11.11/32
 Known via "ospf 1", distance 110, metric 31, type inter area
 Last update from 192.168.45.4 on FastEthernet0/0, 00:30:28 ago
 Routing Descriptor Blocks:
 * 192.168.45.4, from 10.4.4.4, 00:30:28 ago, via FastEthernet0/0
     Route metric is 31, traffic share count is 1

On the ABR R4, the 10.11.11.11/32 prefix is present in both the area 0 and area 2 databases:

R4(config-router)#do sh ip ospf data summ 10.11.11.11

            OSPF Router with ID (10.4.4.4) (Process ID 1)

                Summary Net Link States (Area 0)

 Routing Bit Set on this LSA
 LS age: 1724
 Options: (No TOS-capability, DC, Upward)
 LS Type: Summary Links(Network)
 Link State ID: 10.11.11.11 (summary Network Number)
 Advertising Router: 10.1.1.1
 LS Seq Number: 80000003
 Checksum: 0x31D0
 Length: 28
 Network Mask: /32
       TOS: 0  Metric: 1

                Summary Net Link States (Area 2)

 LS age: 28
 Options: (No TOS-capability, DC, Upward)
 LS Type: Summary Links(Network)
 Link State ID: 10.11.11.11 (summary Network Number)
 Advertising Router: 10.4.4.4
 LS Seq Number: 80000002
 Checksum: 0x627D
 Length: 28
 Network Mask: /32
       TOS: 0  Metric: 21

The following command filters a prefix from an area. It should be configured only on the ABR, and it only works on type 3 LSAs.

# area <id> filter-list prefix <prefix_name> {in|out}

In our example the configuration below is used on R4:

ip prefix-list PL_R1_LOOPBACK1 deny 10.11.11.11/32
ip prefix-list PL_R1_LOOPBACK1 permit 0.0.0.0/0 le 32

router ospf 1
  area 2 filter-list prefix PL_R1_LOOPBACK1 in

Now the prefix 10.11.11.11/32 is present only in the area 0 database, so it will not appear in R5's routing table.

R4(config-router)#do sh ip ospf data summary 10.11.11.11

            OSPF Router with ID (10.4.4.4) (Process ID 1)

                Summary Net Link States (Area 0)

 Routing Bit Set on this LSA
 LS age: 176
 Options: (No TOS-capability, DC, Upward)
 LS Type: Summary Links(Network)
 Link State ID: 10.11.11.11 (summary Network Number)
 Advertising Router: 10.1.1.1
 LS Seq Number: 80000004
 Checksum: 0x2FD1
 Length: 28
 Network Mask: /32
       TOS: 0  Metric: 1

R5#sh ip ro 10.11.11.11
% Subnet not in table
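The filter above only works if the prefix-list does what you think it does, and prefix-list matching (the ge/le length window, first-match, implicit deny) is where most mistakes happen. The following model is added for this post and is not Cisco code; it parses the two lines configured on R4 above, evaluates them with Cisco prefix-list semantics, and also shows the common error of writing permit 0.0.0.0/0 without le 32. The list of type 3 candidates is constructed from the topology.

```python
import ipaddress
import re

# One prefix-list entry body: permit|deny <prefix>/<len> [ge N] [le M]
_ENTRY_RE = re.compile(r"^(permit|deny)\s+(\S+/\d+)(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?$")


def parse_prefix_list(lines):
    """Parse 'ip prefix-list NAME [seq N] permit|deny ...' lines (the name and
    sequence number are optional here) into (action, network, ge, le) tuples."""
    entries = []
    for line in lines:
        body = re.sub(r"^ip prefix-list\s+\S+\s+(?:seq\s+\d+\s+)?", "", line.strip())
        m = _ENTRY_RE.match(body)
        if not m:
            raise ValueError(f"cannot parse prefix-list entry: {line!r}")
        action, prefix, ge, le = m.groups()
        entries.append((action, ipaddress.IPv4Network(prefix, strict=False),
                        int(ge) if ge else None, int(le) if le else None))
    return entries


def entry_matches(entry, candidate):
    """Cisco prefix-list semantics: the candidate must share the entry's first
    <len> bits, and its own length must fall inside [ge, le]. Without ge/le the
    length must match exactly; 'le 32' alone means 'at least <len> bits long'."""
    _, net, ge, le = entry
    cand = ipaddress.IPv4Network(candidate, strict=False)
    if cand.prefixlen < net.prefixlen:
        return False
    if cand.supernet(new_prefix=net.prefixlen) != net:
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= cand.prefixlen <= high


def prefix_list_action(entries, candidate):
    """First matching entry wins; an unmatched prefix hits the implicit deny."""
    for entry in entries:
        if entry_matches(entry, candidate):
            return entry[0]
    return "deny"


def area_filter_list_in(entries, type3_candidates):
    """Model of 'area <id> filter-list prefix <name> in' on the ABR: only the
    permitted prefixes are injected into the area as type 3 LSAs."""
    return [p for p in type3_candidates if prefix_list_action(entries, p) == "permit"]


# The list configured on R4 above
PL_R1_LOOPBACK1 = parse_prefix_list([
    "ip prefix-list PL_R1_LOOPBACK1 deny 10.11.11.11/32",
    "ip prefix-list PL_R1_LOOPBACK1 permit 0.0.0.0/0 le 32",
])

# Common mistake: 'permit 0.0.0.0/0' without 'le 32' matches only the default route,
# so every other prefix falls through to the implicit deny
PL_BROKEN = parse_prefix_list(["deny 10.11.11.11/32", "permit 0.0.0.0/0"])

# Constructed: inter-area prefixes R4 would otherwise inject into area 2
TYPE3_INTO_AREA2 = ["10.1.1.1/32", "10.11.11.11/32", "10.3.3.3/32", "10.33.33.33/32",
                    "192.168.12.0/24", "192.168.13.0/24", "192.168.34.0/24"]

if __name__ == "__main__":
    print("Injected into area 2:", area_filter_list_in(PL_R1_LOOPBACK1, TYPE3_INTO_AREA2))
    print("With the broken list:", area_filter_list_in(PL_BROKEN, TYPE3_INTO_AREA2))
```

Note that the deny entry is an exact /32 match: a 10.11.11.0/24 prefix would not be caught by it, which is the behaviour you want here but is worth checking whenever the filtered prefix could also be advertised with a different mask.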

We can also use the following command to filter prefixes learned from type 1 LSAs (intra-area routes), and only those, from being injected into a given area:

# area <id> range <address> <mask> not-advertise

Example: filter R3's lo1 prefix from being injected into area 1.

The output below shows that the prefix 10.33.33.33/32 is in area 0 and area 1 as LSA type 1 and type 3 respectively.

R1#sh ip ospf data router | inc Area 0 | 10.33.33.33
     (Link ID) Network/subnet number: 10.33.33.33

R1#sh ip ospf data summ 10.33.33.33

           OSPF Router with ID (10.1.1.1) (Process ID 1)

               Summary Net Link States (Area 1)

 LS age: 1671
 Options: (No TOS-capability, DC, Upward)
 LS Type: Summary Links(Network)
 Link State ID: 10.33.33.33 (summary Network Number)
 Advertising Router: 10.1.1.1
 LS Seq Number: 80000004
 Checksum: 0xBAF9
 Length: 28
 Network Mask: /32
       TOS: 0  Metric: 11

Also, R2 sees the prefix through R1:

R2#sh ip ro 10.33.33.33
Routing entry for 10.33.33.33/32
 Known via "ospf 1", distance 110, metric 21, type inter area
 Last update from 192.168.12.1 on FastEthernet0/0, 00:00:02 ago
 Routing Descriptor Blocks:
 * 192.168.12.1, from 10.1.1.1, 00:00:02 ago, via FastEthernet0/0
      Route metric is 21, traffic share count is 1

To filter the prefix from entering area 1, let's configure the following on R1:

router ospf 1
  area 0 range 10.33.33.33 255.255.255.255 not-advertise

Now the prefix is no longer in the area 1 database, and R2 no longer has the route in its routing table.

R1(config-router)#do sh ip ospf data summ 10.33.33.33
           OSPF Router with ID (10.1.1.1) (Process ID 1)

R2#sh ip ro 10.33.33.33
% Subnet not in table
R2#

– Filtering LSA type 5s or 7s from the OSPF database.

We can use the distribute-list command with the "out" option, on the ASBR only (elsewhere it has no effect whatsoever), to filter type 5 or type 7 LSAs from the OSPF database.

Another solution is to use the summary-address command with the "not-advertise" option.

To see how this works, let's filter the prefix 10.22.22.0/24 from the database on R2.

Using distribute-list

Note that R1 has the prefix in its database as an external LSA.

R1(config-router)#do sh ip ospf data ex 10.22.22.0

            OSPF Router with ID (10.1.1.1) (Process ID 1)

                Type-5 AS External Link States

 Routing Bit Set on this LSA
 LS age: 894
 Options: (No TOS-capability, DC)
 LS Type: AS External Link
 Link State ID: 10.22.22.0 (External Network Number )
 Advertising Router: 10.2.2.2
 LS Seq Number: 80000005
 Checksum: 0x597D
 Length: 36
 Network Mask: /24
       Metric Type: 1 (Comparable directly to link state metric)
       TOS: 0
       Metric: 20
       Forward Address: 0.0.0.0
       External Route Tag: 0

On the ASBR, R2, the configuration below is applied:

ip access-list standard AL_R2_LOOPBACK1
  deny 10.22.22.0 0.0.0.255
  permit any
!

router ospf 1
  distribute-list AL_R2_LOOPBACK1 out

The prefix has disappeared from R1's database and routing table.

R1(config-router)#do sh ip ospf data ex 10.22.22.0

            OSPF Router with ID (10.1.1.1) (Process ID 1)

R1(config-router)#do sh ip ro 10.22.22.0
% Subnet not in table

Using summary-address

The previous configuration should be removed first.

On the ASBR, R2, the configuration below is applied:

router ospf 1
  summary-address 10.22.22.0 255.255.255.0 not-advertise

The same effect as in the previous section will be observed.
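Both area range not-advertise (on the ABR, for intra-area prefixes, as on R1 earlier) and summary-address not-advertise (on the ASBR, for redistributed prefixes, as on R2 here) work the same way: every prefix that falls inside the range is either collapsed into one summary or, with not-advertise, suppressed entirely. The model below is added for this post and is not Cisco code; it assumes the longest covering range wins, and the intra-area prefix list is constructed from area 0 of the topology above. It also shows what a range that is wider than intended does.

```python
import ipaddress

# Constructed: intra-area prefixes in area 0 as the ABR R1 would see them in the
# topology above. Loopbacks are advertised as /32 (the OSPF default for loopbacks).
AREA0_INTRA = ["10.1.1.1/32", "10.3.3.3/32", "10.33.33.33/32", "10.4.4.4/32",
               "192.168.13.0/24", "192.168.34.0/24"]


def apply_ranges(prefixes, ranges):
    """Model of 'area <id> range A M [not-advertise]' on an ABR; the same logic
    models 'summary-address A M [not-advertise]' on an ASBR for type 5/7 LSAs.
    ranges: list of (network, not_advertise). Returns the prefixes advertised
    onward. The longest range covering a prefix is the one that applies; covered
    prefixes are replaced by that single summary, or dropped entirely when the
    range is marked not-advertise."""
    advertised = []
    for p in prefixes:
        net = ipaddress.IPv4Network(p)
        covering = [r for r in ranges if net.subnet_of(r[0])]
        if not covering:
            advertised.append(p)          # untouched by any range
            continue
        rng, suppress = max(covering, key=lambda r: r[0].prefixlen)
        if suppress:
            continue                      # not-advertise: suppressed
        summary = str(rng)
        if summary not in advertised:     # one summary LSA per range
            advertised.append(summary)
    return advertised


# area 0 range 10.33.33.33 255.255.255.255 not-advertise (as configured on R1 above)
RANGE_EXACT = [(ipaddress.IPv4Network("10.33.33.33/32"), True)]

# A wider range does more than intended: every 10.x.x.x loopback in area 0 disappears
RANGE_TOO_WIDE = [(ipaddress.IPv4Network("10.0.0.0/8"), True)]

# A plain range (no not-advertise) collapses the two 192.168 links into one summary
RANGE_SUMMARY = [(ipaddress.IPv4Network("192.168.0.0/16"), False)]

if __name__ == "__main__":
    print("Exact /32 not-advertise:", apply_ranges(AREA0_INTRA, RANGE_EXACT))
    print("/8 not-advertise:       ", apply_ranges(AREA0_INTRA, RANGE_TOO_WIDE))
    print("/16 summary:            ", apply_ranges(AREA0_INTRA, RANGE_SUMMARY))
```

The second case is the one to check before committing a range: a not-advertise range is a blanket suppression of everything it covers, so verify the intended prefix is the only thing inside it, exactly as the post does with show ip ospf database after each change.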

SUMMARY

This post is deliberately light on the theory, which can be found in the Doc CD or in the links below.

FURTHER READINGS:

OSPF Route Filtering Demystified

OSPF Route Filtering Using Distribute-list

OSPF ABR Type 3 LSA Filtering
