Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
OSPF supports several methods to filter routes. However, OSPF’s internal logic restricts
most filtering, requiring that the filtering be done either on an ABR or ASBR. This
same internal logic dictates what each type of filtering can do and what it cannot do. So,
when thinking about OSPF route filtering, you need to go beyond the concept of matching
IP prefix/length information and consider OSPF internals as well. This first major section
begins with a discussion of the OSPF internals that impact OSPF route filtering,
followed by information about two of OSPF’s route filtering tools.
First, consider the difference in how OSPF chooses intra-area versus interarea routes. For
intra-area routes, OSPF uses pure link state logic, with full topology information about the
area, piecing together the topology map from the Type 1 and Type 2 LSAs. This logic relies
on all routers inside the area having an identical copy of the LSDB for that area. With
the full topology, the SPF algorithm can be run, finding all possible routes to each subnet.
For interarea routes, OSPF uses distance vector logic. The intra-area SPF calculation includes
the calculation of the metric of the best route to reach each ABR in the area. To
choose the best interarea route, a router uses distance vector logic of taking its known
metric to reach the ABR and adds the metric for that subnet as advertised by the ABR. In
particular, no additional SPF calculation is required to find all interarea routes for a given
prefix/length, making this logic more like distance vector logic.
Keeping these thoughts in mind, next consider the concept of route filtering inside one
area. First, OSPF routers do not advertise routes; instead, they advertise LSAs. Any filtering
applied to OSPF messages would need to filter the transmission of LSAs. However, inside
one area, all routers must know all LSAs, or the whole SPF concept fails, and routing
loops could occur. As a result, OSPF cannot and does not allow the filtering of LSAs inside
an area, specifically the Type 1 and Type 2 LSAs that describe the intra-area topology.
OSPF does allow some route filtering, however, taking advantage of the fact that OSPF uses distance
vector logic with Type 3 LSAs (and the Type 5 LSAs used for external routes). Because of
the underlying distance vector logic, an OSPF ABR can be configured to filter Type 3
LSAs, with no risk of creating routing loops. (The same applies for autonomous system
border routers [ASBRs] filtering the Type 5 LSAs created for external routes.) As a result
of these related concepts, IOS limits OSPF route filtering to the following:
■ Filtering Type 3 LSAs on ABRs
■ Filtering Type 5 LSAs on ASBRs
■ Filtering the routes OSPF would normally add to the IP routing table on a single router
Of these, the second option occurs as an option of the route redistribution process as explained
in Chapter 9, “Basic IGP Redistribution,” so it will not be covered further in this
chapter. The other two topics will be examined next.
www.CareerCert.info
226 CCNP ROUTE 642-902 Official Certification Guide
Figure 7-1 Generic View of Type 3 LSA Filtering (area 1 and area 0 joined by ABR1 and ABR2; ABR1 floods Type 3 LSAs for subnets 1 and 2, ABR2 for subnet 1 only)
Type 3 LSA Filtering
ABRs, by definition, connect to the backbone area and at least one other area. ABRs, as a
fundamental part of their role as ABR, create and flood Type 3 Summary LSAs into one
area to represent the subnets in the other areas connected to that ABR. Type 3 LSA filtering
tells the ABR to filter the advertisement of these Type 3 LSAs.
For example, consider Figure 7-1, which shows a generalized design with two ABR routers.
The figure focuses on three subnets in area 0 for which each ABR would normally create
and flood a Type 3 Summary LSA into area 1. However, in this case, the engineer has
made the following choices:
■ On ABR1, filter subnet 3 from being advertised.
■ On ABR2, filter both subnet 2 and 3 from being advertised.
The goal of such a filtering plan could be to prevent all area 1 users from reaching subnet 3
and to allow access to subnet 2, but only through ABR1. If ABR1 were to fail, none of the
area 1 routers could calculate a route for subnet 2 through ABR2, because ABR2 has not
created and flooded a Type 3 LSA for that subnet. The goal for subnet 1 would be to allow
each area 1 router to choose the best route through either ABR, while having a redundant
route in case one route failed.
To configure Type 3 LSA filtering, you use the area number filter-list prefix name in | out
command under router ospf. The referenced prefix list matches subnets, with subnets
matched by a deny action being filtered, and subnets matched by a permit action allowed
through as normal. Then OSPF performs the filtering by not flooding the Type 3 LSAs
into the appropriate areas. (See Chapter 4’s section “IP Prefix List Concepts” for a review
of IP prefix lists.)
Chapter 7: OSPF Route Summarization, Filtering, and Default Routing 227
Figure 7-2 Generic View of Type 3 LSA Filtering (ABR1 connects area 0, area 1 and area 2; area 0 filter-list... in and area 2 filter-list... out are applied on ABR1)
The trickiest part of the configuration relates to the in and out parameters at the end of
the area filter-list router subcommand. These parameters define the direction relative to
the area listed in the command, as follows:
■ When in is configured, IOS filters prefixes being created and flooded into the configured
area.
■ When out is configured, IOS filters prefixes coming out of the configured area.
The need for the in and out parameters makes more sense when you consider an ABR connected
to at least three areas. Figure 7-2 shows just such a sample, with both the in and out
directions represented.
The area 0 filter-list... in command in the figure shows the ABR considers filtering routes
from all other areas (area 1 and 2 in this case) when creating and flooding Type 3 LSAs
into area 0. The area 2 filter-list... out command in the figure shows how the ABR only
considers prefixes that exist in area 2. However, in this case, the ABR filters LSAs regardless
of the area into which the Type 3 LSA would be advertised.
For example, consider the case of subnet 111, in area 1. Assume that all prefix lists happen
to match subnet 111 so that subnet 111 should be filtered. The following list summarizes
what happens on ABR1 regarding the potential advertisement of a Type 3 LSA for this
subnet being flooded into areas 0 and 2.
■ ABR1 filters the subnet 111 LSA from being sent into area 0 due to the area 0
filter-list... in command.
■ ABR1 does not filter the subnet 111 LSA from being sent into area 2, because there is
no area 1 filter-list... out command nor area 2 filter-list... in command.
As another example, Figure 7-3 shows an example internetwork with three candidate
routes to be filtered by ABRs R1 and R2. ABRs R1 and R2 will play the roles of ABR1 and
ABR2 in Figure 7-1, with R1 filtering one of the three subnets, and R2 filtering two of the
subnets. Note that R1 and R2 will each use different in and out keywords as well.
Figure 7-3 Type 3 LSA Filtering Example (area 0 data center subnets 10.16.1.0/24, 10.16.2.0/24 and 10.16.3.0/24; ABRs R1 and R2; areas 34 and 5)
Example 7-1 shows the configuration on both R1 and R2.
Example 7-1 WAN1’s distribute-list to Filter Manufacturing Routes
! On Router R1:
ip prefix-list filter-into-area-34 seq 5 deny 10.16.3.0/24
ip prefix-list filter-into-area-34 seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
area 34 filter-list prefix filter-into-area-34 in
! On Router R2:
ip prefix-list filter-out-of-area-0 seq 5 deny 10.16.2.0/23 ge 24 le 24
ip prefix-list filter-out-of-area-0 seq 10 permit 0.0.0.0/0 le 32
!
router ospf 2
area 0 filter-list prefix filter-out-of-area-0 out
First, take a closer look at the specifics of the R1 configuration commands. The prefix list
on R1 matches exactly route 10.16.3.0/24, with a deny action. The second prefix-list command
matches all subnets, because the 0.0.0.0/0 parameter matches all subnet numbers,
and the le 32 parameter, combined with the original /0 prefix length, matches all prefix
lengths from /0 to /32. The area 34... in command tells R1 to apply this filtering to all
Type 3 LSAs that R1 creates and would otherwise flood into area 34. As a result, the area
34 LSDB will not contain a Type 3 LSA for 10.16.3.0/24, as injected by R1.
R2’s configuration uses a slightly different prefix list. The filter examines all Type 3 LSAs
for subnets in area 0. The first prefix-list command matches all prefixes in range
10.16.2.0–10.16.3.255 (per the 10.16.2.0/23 parameter) but specifically for a prefix length
of exactly 24. With a deny action, these routes are filtered. The second prefix-list command
matches all other subnets with the same match all logic seen earlier on R1, using a
permit action. R2’s area 0... out command tells R2 to filter the subnets that R2 learns in
area 0 and for which R2 would normally create Type 3 LSAs to flood into all other areas.
So, neither area 34 nor area 5 will learn these two filtered subnets (10.16.2.0/24 and
10.16.3.0/24) in Type 3 LSAs from R2.
This added configuration results in the following Type 3 LSAs for the
three subnets shown on the right side of Figure 7-3:
■ Two Type 3 LSAs for 10.16.1.0/24 (created by R1 and R2, respectively)
■ One Type 3 LSA for 10.16.2.0/24 (created by R1)
■ None for 10.16.3.0/24
Example 7-2 confirms the contents of the LSDB in area 34, on Router R3.
Example 7-2 Area 34 LSDB, as Seen on R3
! On Router R3: gather show ip ospf database, and highlight all the Type 3’s.
R3# show ip route 10.16.0.0 255.255.0.0 longer-prefixes
! Legend lines omitted for brevity
10.0.0.0/8 is variably subnetted, 17 subnets, 3 masks
O IA 10.16.2.0/24 [110/658] via 10.10.13.1, 00:00:32, Serial0/0/0.1
O IA 10.16.1.0/24 [110/658] via 10.10.23.2, 00:41:39, Serial0/0/0.2
[110/658] via 10.10.13.1, 00:00:32, Serial0/0/0.1
R3#show ip ospf database | include 10.16
10.16.1.0 1.1.1.1 759 0x80000002 0x008988
10.16.1.0 2.2.2.2 745 0x80000002 0x006BA2
10.16.2.0 1.1.1.1 759 0x80000002 0x007E92
The first command in the example lists R3’s routes for all subnets whose first two octets
are 10.16. Note that R3 has no route to 10.16.3.0/24, because both R1 and R2 filtered the
Type 3 LSA. R3 happens to have equal-cost routes for 10.16.1.0/24, which is possible because
both R1 and R2 permitted the advertisement of the Type 3 LSA for that subnet. R3
has only one route for 10.16.2.0/24, through R1, because R2 filtered its Type 3 LSA for
that prefix.
The second command in Example 7-2 lists all LSAs that include “10.16,” which includes
the two Type 3 LSAs for 10.16.1.0/24, and the single Type 3 LSA for 10.16.2.0/24.
Figure 7-4 OSPF Filtering with Distribute Lists (on each of R1, R2 and R3: LSDB, SPF, distribute-list in, IP routing table)
Finally, note that although the configuration in Example 7-1 showed area filter-list commands
with both in and out parameters for variety, the result of R2’s area filter-list... out
command is that R2 does not flood the filtered LSAs to either area 34 or area 5. If the design
goals specifically meant to filter only LSAs from being advertised from Area 0 into Area
34, the area 34 filter-list... in command should have been used on both routers.
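The filtering in Example 7-1, modeled in Python as an added example (not code from the original text): it applies IOS prefix-list matching and the in/out direction rules to show which ABRs flood a Type 3 LSA for each subnet into areas 34 and 5. The topology dictionary is constructed, and it assumes both R1 and R2 attach to areas 0, 34 and 5.

```python
import ipaddress

def permits(plist, prefix):
    """IOS prefix-list logic: first match wins; implicit deny if nothing matches."""
    net = ipaddress.ip_network(prefix)
    for action, base, ge, le in plist:
        base = ipaddress.ip_network(base)
        # No ge/le: length must equal the entry's. ge only: ge..32. le only: len..le.
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

# Prefix lists from Example 7-1, written as (action, prefix, ge, le).
FILTER_INTO_AREA_34 = [("deny", "10.16.3.0/24", None, None),
                       ("permit", "0.0.0.0/0", None, 32)]
FILTER_OUT_OF_AREA_0 = [("deny", "10.16.2.0/23", 24, 24),
                        ("permit", "0.0.0.0/0", None, 32)]

# Constructed topology: only the three area 0 data center subnets are modeled.
# ASSUMPTION: both ABRs attach to areas 0, 34 and 5.
SUBNETS = {0: ["10.16.1.0/24", "10.16.2.0/24", "10.16.3.0/24"]}
ABRS = {
    "R1": {"areas": (0, 34, 5), "filters": {(34, "in"): FILTER_INTO_AREA_34}},
    "R2": {"areas": (0, 34, 5), "filters": {(0, "out"): FILTER_OUT_OF_AREA_0}},
}

def type3_lsas(target_area):
    """Return {prefix: [ABRs that flood a Type 3 LSA for it into target_area]}."""
    result = {}
    for name, abr in ABRS.items():
        if target_area not in abr["areas"]:
            continue
        for src in abr["areas"]:
            if src == target_area:
                continue
            for prefix in SUBNETS.get(src, []):
                out_f = abr["filters"].get((src, "out"))        # leaving src area
                in_f = abr["filters"].get((target_area, "in"))  # entering target
                if all(f is None or permits(f, prefix) for f in (out_f, in_f)):
                    result.setdefault(prefix, []).append(name)
    return result

if __name__ == "__main__":
    for area in (34, 5):
        print(f"area {area}:", type3_lsas(area))
```

Under the stated assumption, area 5 still receives a Type 3 LSA for 10.16.3.0/24 from R1, because R1's filter applies only to LSAs flooded into area 34, while R2's out filter removes 10.16.2.0/24 and 10.16.3.0/24 from every area R2 floods into.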
Filtering OSPF Routes Added to the Routing Table
In some cases, an engineer may need to filter a route, but the area design does not work
well compared to the filtering goals. For instance, if an area has 20 routers, and the engineer
wants to filter the route so that five of the routers do not learn the route, Type 3 LSA
filtering cannot be used. Type 3 LSA filtering can only filter the LSA from being flooded
throughout the entire area.
The next feature discussed in this section, referenced as filtering with distribute lists
(based on the configuration command it uses), allows individual routers to filter OSPF routes
from getting into their respective IP routing tables. This type of filtering injects logic between
the SPF algorithm on a router and that same router’s IP routing table. This feature
does not change the LSDB flooding process, does not change the LSAs added by ABRs or
ASBRs, and does not change the SPF algorithm’s choice of best route. However, when SPF
chooses routes to add to the IP routing table, if a router has been configured with a
distribute-list in OSPF router subcommand, enabling this feature, that router then filters
the routes before adding them to that router’s IP routing table. Figure 7-4 shows the general
idea.
In effect, you could prevent an OSPF route from being added to one or more routers’ routing
tables, but without risking causing routing loops, because the intra-area LSDB topology
remains intact. By filtering routes from being added to the IP routing table, you prevent
the routers from forwarding packets to the filtered subnets, but presumably that’s the
intended goal of route filtering.
The mechanics of the distribute-list router subcommand have a few surprises, which are
summarized in this list:
■ The command requires either an in or out direction. Only the in direction works for
filtering routes as described in this section.
■ The command must refer to either a numbered ACL, named ACL, prefix list, or route
map. Regardless, routes matched with a permit action are allowed into the routing
table, and routes matched with a deny action are filtered.
■ Optionally, the command can include the interface interface-name-and-number parameters.
The router compares these parameters to the route’s outgoing interface.
Example 7-3 shows a sample configuration on Router R3 from Figure 7-3. In this case, all
filtering listed in Examples 7-1 and 7-2 has been removed, so no routes or LSAs have been
filtered. Then, the engineer adds the distribute-list command on R3 to filter the route for
10.16.1.0/24, based on prefix-list filter-1.
Example 7-3 R3’s distribute-list to Filter 10.16.1.0/24
! On Router R3:
ip prefix-list filter-1 seq 5 deny 10.16.1.0/24
ip prefix-list filter-1 seq 10 permit 0.0.0.0/0 le 32
!
router ospf 3
distribute-list prefix filter-1 in
!
R3#show ip route ospf | include 10.16.1
R3#
R3#show ip ospf database | include 10.16.1.0
10.16.1.0 1.1.1.1 1143 0x80000007 0x007F8D
10.16.1.0 2.2.2.2 1538 0x80000007 0x0061A7
Note that the configuration matches only prefix 10.16.1.0/24 with a deny clause and permits
all other routes. As a result, OSPF on R3 does not add a route for subnet 10.16.1.0/24
to the IP routing table, as implied by the null output of the show ip route ospf | include
10.16.1 command. The show ip ospf database | include 10.16.1 command lists all LSAs
that have 10.16.1 in the text output, showing the two Type 3 LSAs for the subnet.