OSPF Filtering

Intra-routing-protocol filtering presents some special challenges with link-state routing protocols like OSPF. Link-state protocols do not advertise routes—they advertise topology information. Also, SPF loop prevention relies on each router in the same area having an identical copy of the LSDB for that area. Filtering could conceivably make the LSDBs differ on different routers, causing routing irregularities.

IOS supports three variations of what could loosely be categorized as OSPF route filtering. These three major types of OSPF filtering are as follows:

■ Filtering routes, not LSAs—Using the distribute-list in command, a router can filter the routes its SPF process is attempting to add to its routing table, without affecting the LSDB.

■ ABR type 3 LSA filtering—A process of preventing an ABR from creating particular type 3 summary LSAs.

■ Using the area range not-advertise option—Another process to prevent an ABR from creating specific type 3 summary LSAs.

Each of these three topics is discussed in sequence in the next few sections.

Filtering Routes Using the distribute-list Command

For RIP and EIGRP, the distribute-list command can be used to filter incoming and outgoing routing updates. The process is straightforward, with the distribute-list command referring to ACLs or prefix lists. With OSPF, the distribute-list command filters what ends up in the IP routing table, and on only the router on which the distribute-list command is configured.

NOTE The distribute-list command, when used for route distribution between OSPF and other routing protocols, does control what enters and leaves the LSDB. Chapter 11 covers more on route redistribution.

The following rules govern the use of distribute lists for OSPF, when not used for route redistribution with other routing protocols:

■ Distribute lists can be used only for inbound filtering, because filtering any outbound OSPF information would mean filtering LSAs, not routes.

■ The inbound logic does not filter inbound LSAs; it instead filters the routes that SPF chooses to add to that one router's routing table.

■ If the distribute list includes the incoming interface parameter, the incoming interface is checked as if it were the outgoing interface of the route.

That last bullet could use a little clarification. For example, if R2 learns routes via RIP or EIGRP updates that enter R2's s0/0 interface, those routes typically use R2's s0/0 interface as the outgoing interface of the routes. The OSPF LSAs may have been flooded into a router on several interfaces, so an OSPF router checks the outgoing interface of the route as if it had learned about the routes via updates coming in that interface.

Example 10-10 shows an example of two distribute lists on R5 from Figure 10-6. The example shows two options to achieve the same goal. In this case, R5 will filter the route to 10.4.8.0/24 via R5's S0.2 subinterface (to R2), instead using the route learned from R1. Later, it uses a route map to achieve the same result.

Example 10-10 Filtering Routes with OSPF distribute-list Commands on R5

! R5 has a route to 10.4.8.0/24 through R2 (10.5.25.2, s0.2)
R5# sh ip route ospf | incl 10.4.8.0
O IA 10.4.8.0/24 [110/1623] via 10.5.25.2, 00:00:28, Serial0.2
! Next, the distribute-list command refers to a prefix list that denies
! 10.4.8.0/24 and permits all other prefixes.
ip prefix-list prefix-10-4-8-0 seq 5 deny 10.4.8.0/24
ip prefix-list prefix-10-4-8-0 seq 10 permit 0.0.0.0/0 le 32
router ospf 1
 distribute-list prefix prefix-10-4-8-0 in Serial0.2
! Below, note that R5's route through R2 is gone, and instead R5 uses its route
! through R1 (s0.1). But the LSDB is unchanged!
R5# sh ip route ospf | incl 10.4.8.0
O IA 10.4.8.0/24 [110/1636] via 10.5.15.1, 00:00:03, Serial0.1
! Not shown: the earlier distribute-list command is removed.
! Below, note that the distribute-list command with the route-map option does
! not have an option to refer to an interface, so the route map itself has been
! configured to refer to the advertising router's RID (2.2.2.2).
router ospf 1
 distribute-list route-map lose-10-4-8-0 in
! Next, ACL 48 matches the 10.4.8.0/24 prefix, with ACL 51 matching R2's RID.
access-list 48 permit 10.4.8.0
access-list 51 permit 2.2.2.2
! Below, the route map matches the prefix (based on ACL 48) and the advertising
! RID (ACL 51, matching R2's 2.2.2.2 RID). Clause 20 permits all other prefixes.
route-map lose-10-4-8-0 deny 10
 match ip address 48
 match ip route-source 51
route-map lose-10-4-8-0 permit 20
! Below, note the same results as the previous distribute list.
R5# sh ip route ospf | incl 10.4.8.0
O IA 10.4.8.0/24 [110/1636] via 10.5.15.1, 00:01:18, Serial0.1

Example 10-10 shows only two ways to filter the routes. The distribute-list route-map option, added in Cisco IOS Software Release 12.2(15)T, allows a much greater variety of matching parameters, and much more detailed logic with route maps. For instance, this example showed matching a prefix as well as the RID that advertised the LSA to R5, namely 2.2.2.2 (R2). Refer to Chapter 11 for a more complete review of route maps and the match command.

OSPF ABR LSA Type 3 Filtering

ABRs do not forward type 1 and 2 LSAs from one area into another, but instead create type 3 LSAs for each subnet defined in the type 1 and 2 LSAs. Type 3 LSAs do not contain detailed information about the topology of the originating area; instead, each type 3 LSA represents a subnet, and a cost from the ABR to that subnet. The earlier section "LSA Type 3 and Inter-Area Costs" covers the details and provides an example.

The OSPF ABR type 3 LSA filtering feature allows an ABR to filter type 3 LSAs at the point where the LSAs would normally be created. By filtering at the ABR, before the type 3 LSA is injected into another area, the requirement for identical LSDBs inside the area can be met, while still filtering LSAs.

To configure type 3 LSA filtering, you use the area number filter-list prefix name in | out command under router ospf. The referenced prefix list is used to match the subnets and masks to be filtered. The area number and the in | out option of the area filter-list command work together, as follows:

■ When in is configured, IOS filters prefixes going into the configured area.

■ When out is configured, IOS filters prefixes coming out of the configured area.

Example 10-11 should clarify the basic operation. ABR R1 will use two alternative area filter-list commands, both to filter subnet 10.3.2.0/23, the subnet that exists between R3 and R33 in Figure 10-6. Remember that R1 is connected to areas 0, 3, 4, and 5. The first area filter-list command shows filtering the LSA as it goes out of area 3; as a result, R2 will not inject the LSA into any of the other areas. The second case shows the same subnet being filtered going into area 0, meaning that the type 3 LSA for that subnet still gets into the area 4 and 5 LSDBs.

Example 10-11 Type 3 LSA Filtering on R1 with the area filter-list Command

! The command lists three lines of extracted output. One line is for the
! type 3 LSA in area 0, one is for area 4, and one is for area 5.
R1# show ip ospf data summary | include 10.3.2.0
Link State ID: 10.3.2.0 (summary Network Number)
Link State ID: 10.3.2.0 (summary Network Number)
Link State ID: 10.3.2.0 (summary Network Number)
! Below, the two-line prefix list denies subnet 10.3.2.0/23, and then permits
! all others.
ip prefix-list filter-type3-10-3-2-0 seq 5 deny 10.3.2.0/23
ip prefix-list filter-type3-10-3-2-0 seq 10 permit 0.0.0.0/0 le 32
! Next, the area filter-list command filters type 3 LSAs going out of area 3.
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# router ospf 1
R1(config-router)# area 3 filter-list prefix filter-type3-10-3-2-0 out
R1(config-router)# ^Z
! Below, R1 no longer has any type 3 LSAs, in areas 0, 4, and 5. For
! comparison, this command was issued a few commands ago, listing 1 line
! of output for each of the other 3 areas besides area 3.
R1# show ip ospf data | include 10.3.2.0
! Below, the previous area filter-list command is replaced by the next command
! below, which filters type 3 LSAs going into area 0, with the same prefix list.
area 0 filter-list prefix filter-type3-10-3-2-0 in
! Next, only 2 type 3 LSAs for 10.3.2.0 are shown: the ones in areas 4 and 5.
R1# show ip ospf data | include 10.3.2.0
Link State ID: 10.3.2.0 (summary Network Number)
Link State ID: 10.3.2.0 (summary Network Number)
! Below, the configuration for filtering type 3 LSAs with the area range command,
! which is explained following this example. The existing area filter-list
! commands from earlier in this chapter have been removed at this point.
R1(config-router)# area 3 range 10.3.2.0 255.255.254.0 not-advertise
R1# show ip ospf data summary | include 10.3.2.0
R1#

Filtering Type 3 LSAs with the area range Command

The third method to filter OSPF routes is to filter type 3 LSAs at an ABR using the area range command. The area range command performs route summarization at ABRs, telling a router to cease advertising smaller subnets in a particular address range, instead creating a single type 3 LSA whose address and prefix encompass the smaller subnets.

When the area range command includes the not-advertise keyword, not only are the smaller component subnets not advertised as type 3 LSAs, the summary route is not advertised as a type 3 LSA either. As a result, this command has the same effect as the area filter-list command with the out keyword, filtering the LSA from going out to any other areas. An example area range command is shown at the end of Example 10-11.
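The following Python sketch is an added example, not IOS code and not part of the original text. It models the in/out logic of area filter-list and the area range not-advertise behavior described above, using the prefix list and areas from Example 10-11. The function names and the simplified origination rule (an intra-area prefix is offered to every other attached area) are assumptions made for illustration.

```python
import ipaddress

def prefix_list_permits(entries, prefix):
    """First match wins; a prefix that matches no entry hits the implicit deny.
    entries: (action, network, ge, le) tuples in sequence order (ge/le may be None)."""
    net = ipaddress.ip_network(prefix)
    for action, base, ge, le in entries:
        base = ipaddress.ip_network(base)
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def type3_areas(prefix, source_area, attached, plists, filters=None, no_adv=None):
    """Areas that receive a type 3 LSA for an intra-area prefix of source_area.
    filters: {(area, "in" | "out"): prefix-list name}
    no_adv:  {area: [ranges configured with area range ... not-advertise]}"""
    filters, no_adv = filters or {}, no_adv or {}
    net = ipaddress.ip_network(prefix)
    # not-advertise: neither the component subnets nor the summary are advertised
    if any(net.subnet_of(ipaddress.ip_network(r)) for r in no_adv.get(source_area, [])):
        return []
    # "out": checked once, as the prefix leaves its source area
    name = filters.get((source_area, "out"))
    if name and not prefix_list_permits(plists[name], prefix):
        return []
    result = []
    for area in attached:
        if area == source_area:
            continue
        # "in": checked separately for each destination area
        name = filters.get((area, "in"))
        if name and not prefix_list_permits(plists[name], prefix):
            continue
        result.append(area)
    return result

# Values from Example 10-11; R1 is attached to areas 0, 3, 4, and 5.
PL = "filter-type3-10-3-2-0"
PLISTS = {PL: [("deny", "10.3.2.0/23", None, None),
               ("permit", "0.0.0.0/0", None, 32)]}
ATTACHED = [0, 3, 4, 5]

if __name__ == "__main__":
    print(type3_areas("10.3.2.0/23", 3, ATTACHED, PLISTS))                          # no filter
    print(type3_areas("10.3.2.0/23", 3, ATTACHED, PLISTS, {(3, "out"): PL}))        # area 3 out
    print(type3_areas("10.3.2.0/23", 3, ATTACHED, PLISTS, {(0, "in"): PL}))         # area 0 in
    print(type3_areas("10.3.2.0/23", 3, ATTACHED, PLISTS, None, {3: ["10.3.2.0/23"]}))
```

One detail the model makes visible: the prefix-list entry deny 10.3.2.0/23 has no le keyword, so it matches only that exact prefix length. A constructed /24 inside the range would pass the filter list, whereas a not-advertise range covers every component subnet.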
