Tuesday, August 2, 2011

Configuring OSPF inbound route filtering

In this blogtorial we are going to talk about inbound route filtering, meaning we will not accept a certain "route" into the routing table. We are going to see 4 different ways of doing it -- prefix lists, route-maps, area filtering (LSA type 3), and area range not-advertise.


We are building on the topology from my previous blogtorials. So let's get started.



Objective: Filter R5's loopback (172.16.5.0/24) from making it into the R4 routing table while allowing everything else into the R4 routing table. Then filter R5's loopback (172.16.5.1/32, which is in Area 1) from making it into Area 0.


Relevant configurations are posted below.


R4#sh ip route
<-- output shortened -->
O E2    172.16.5.0/24 [110/20] via 10.1.1.5, 00:00:00, FastEthernet1/1


1st with the prefix-list


R4#sh run | sec prefix-list
ip prefix-list R5LOOPBACK-N-ALL seq 10 deny 172.16.5.0/24 ** Deny R5 loopback. Note that /24 on its own matches only routes with exactly a /24 mask, so a route such as 172.16.5.0/25 would not be matched. You can however use ge 24 le 25 (greater than or equal to 24, less than or equal to 25) to match both the /24 and the /25 **
ip prefix-list R5LOOPBACK-N-ALL seq 20 permit 0.0.0.0/0 le 32 ** Permit everything else **

R4#sh run | sec ospf
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 0
 distribute-list prefix R5LOOPBACK-N-ALL in ** Filter all incoming routing updates through the prefix-list R5LOOPBACK-N-ALL **

Notice that the R5 loopback (172.16.5.0/24) is no longer in the R4 routing table; however, everything else is still there.

R4#sh ip route

     172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       172.16.4.0/24 is directly connected, Loopback0
O IA    172.16.7.1/32 [110/1002] via 192.168.1.2, 00:10:44, Tunnel0
O E2    172.16.6.0/24 [110/20] via 10.0.0.2, 00:10:44, FastEthernet1/0
O E2    172.16.1.0/24 [110/20] via 10.0.0.1, 00:10:44, FastEthernet1/0
O E2    172.16.2.0/24 [110/20] via 10.0.0.2, 00:10:44, FastEthernet1/0
O E2    172.16.3.0/24 [110/20] via 10.0.0.3, 00:10:44, FastEthernet1/0
     10.0.0.0/24 is subnetted, 4 subnets
O IA    10.3.3.0 [110/1001] via 192.168.1.2, 00:10:44, Tunnel0
O E2    10.2.2.0 [110/20] via 10.0.0.2, 00:10:44, FastEthernet1/0
C       10.1.1.0 is directly connected, FastEthernet1/1
C       10.0.0.0 is directly connected, FastEthernet1/0
C    192.168.1.0/24 is directly connected, Tunnel0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:10:45, FastEthernet1/0

Now let's see how we can accomplish this using route-maps and access-lists.
First, create an access-list to match the route to be denied.

R4# sh run | incl access

access-list 1 permit 172.16.5.0 0.0.0.255 


Then create the route-map with a deny statement for the matched route.

R4#sh run | sec route-map
route-map R5LOOPBACK-N-ALL deny 10 ** Deny sequence 10 **
 match ip address 1 ** Match access-list 1. I know it's kind of backwards, but the ACL permits the route so that the route-map can deny it :) **
route-map R5LOOPBACK-N-ALL permit 20 ** Make sure you add this at the end so everything else is permitted. Route-maps have an implicit deny at the end. **

R4#sh run | sec ospf
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 0
 distribute-list route-map R5LOOPBACK-N-ALL in ** Use the route-map we created to filter the R5 loopback (172.16.5.0/24) but allow everything else **
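An added example, not from the original post, that evaluates the route-map above the way a distribute-list does: a standard ACL is tested against the route's network address only, sequences are tried in order, and a route-map with no matching sequence denies. It also shows what happens when the trailing permit 20 is forgotten. The tuple formats and function names are my own.

```python
import ipaddress

# Added example (not from the original post): evaluates a distribute-list that
# uses a route-map with "match ip address <standard ACL>", as configured on R4.
# ACL entries: (action, address, wildcard). Route-map sequences: (action, seq, acl),
# where acl=None means "no match clause" (matches every route).

def acl_permits(acl, address):
    """Standard ACL: first match wins, implicit deny. In a wildcard mask a 1 bit
    means 'don't care', so 0.0.0.255 ignores the last octet."""
    a = int(ipaddress.ip_address(address))
    for action, base, wildcard in acl:
        b = int(ipaddress.ip_address(base))
        care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
        if (a & care) == (b & care):
            return action == "permit"
    return False

def route_map_action(route_map, route):
    """A standard ACL in a distribute-list is tested against the route's network
    address only, so (unlike a bare /24 prefix-list entry) it also catches the
    172.16.5.1/32 host route. No matching sequence means deny."""
    net = ipaddress.ip_network(route, strict=False)
    for action, _seq, acl in sorted(route_map, key=lambda s: s[1]):
        if acl is None or acl_permits(acl, str(net.network_address)):
            return action
    return "deny"  # implicit deny at the end of every route-map

def filter_routes(route_map, routes):
    return [r for r in routes if route_map_action(route_map, r) == "permit"]

# access-list 1 permit 172.16.5.0 0.0.0.255  (permit here means "match")
ACL_1 = [("permit", "172.16.5.0", "0.0.0.255")]
# route-map R5LOOPBACK-N-ALL deny 10 / match ip address 1 ; permit 20
R5LOOPBACK_N_ALL = [("deny", 10, ACL_1), ("permit", 20, None)]
# The same route-map with the trailing permit 20 forgotten.
MISSING_PERMIT = [("deny", 10, ACL_1)]

# Constructed sample routes built from prefixes shown in the post.
SAMPLE_ROUTES = ["172.16.5.0/24", "172.16.5.1/32", "172.16.7.1/32",
                 "10.2.2.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    print("with permit 20:", filter_routes(R5LOOPBACK_N_ALL, SAMPLE_ROUTES))
    print("without permit 20:", filter_routes(MISSING_PERMIT, SAMPLE_ROUTES))
```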


Now let's do it with the area x filter-list prefix <name> in|out command. We can use this command to filter Type 3 (summary) LSAs on our ABR (R4), which connects Area 1 and Area 0.


R2 is in Area 0 only, and as you can see it has an IA (Inter-Area) route to 172.16.5.1/32.



R2#sh ip route
<-- output shortened -->
O IA    172.16.5.1/32 [110/3] via 10.0.0.4, 00:00:01, FastEthernet1/0

Let's start the configuration on R4 (the ABR).

R4#sh run | sec prefix-list
ip prefix-list R5LOOPBACK-N-ALL seq 10 deny 172.16.5.0/24 le 32
ip prefix-list R5LOOPBACK-N-ALL seq 20 permit 0.0.0.0/0 le 32

R4#sh run | sec ospf
router ospf 1
 log-adjacency-changes
 area 0 filter-list prefix R5LOOPBACK-N-ALL in ** in filters the Type 3 LSAs sent into this area; you can also use the out option to filter the Type 3 LSAs sent out from this area **
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 0

Now let's take a look at the R2 routing table and notice that 172.16.5.1/32 is gone.

R2# sh ip route
     172.16.0.0/24 is subnetted, 4 subnets
D       172.16.6.0 [90/156160] via 10.2.2.6, 12:17:09, FastEthernet1/1
O E2    172.16.1.0 [110/20] via 10.0.0.1, 14:00:10, FastEthernet1/0
C       172.16.2.0 is directly connected, Loopback0
O E2    172.16.3.0 [110/20] via 10.0.0.3, 14:00:39, FastEthernet1/0
     10.0.0.0/24 is subnetted, 3 subnets
C       10.2.2.0 is directly connected, FastEthernet1/1
O IA    10.1.1.0 [110/2] via 10.0.0.4, 00:07:45, FastEthernet1/0
C       10.0.0.0 is directly connected, FastEthernet1/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 01:14:39, FastEthernet1/0
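An added example, not from the original post, that applies IOS prefix-list matching rules to the routes shown in this post: the plain /24 entry used with the distribute-list earlier, the "le 32" entry used in the area filter-list here, and the ge/le variant mentioned in the first prefix-list comment. The tuple format and function names are my own.

```python
import ipaddress

# Added example (not from the original post): a minimal evaluator for IOS-style
# ip prefix-list semantics. Entry format: (action, prefix, ge, le). Entries are
# tried top-down, first match wins, and an unmatched route hits the implicit
# deny at the end. Note that an OSPF "distribute-list ... in" only keeps a route
# out of the local routing table; the LSA stays in the LSDB and is still
# flooded, which is why the area filter-list is needed for the Area 0 objective.

def entry_matches(entry, route):
    """A bare x.x.x.x/N matches only routes whose mask is exactly /N.
    ge/le widen the accepted mask-length range (ge alone means up to /32)."""
    _action, prefix, ge, le = entry
    net = ipaddress.ip_network(prefix, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    # The route's network must fall inside the entry's prefix...
    if r.network_address not in net or r.prefixlen < net.prefixlen:
        return False
    # ...and its mask length must be within the entry's accepted range.
    lo = ge if ge is not None else net.prefixlen
    if le is not None:
        hi = le
    else:
        hi = net.max_prefixlen if ge is not None else net.prefixlen
    return lo <= r.prefixlen <= hi

def evaluate(prefix_list, route):
    for entry in prefix_list:
        if entry_matches(entry, route):
            return entry[0]
    return "deny"  # implicit deny: nothing matched

def filter_routes(prefix_list, routes):
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]

# The distribute-list version from the post: plain /24, no ge/le.
DISTRIBUTE_LIST = [("deny", "172.16.5.0/24", None, None),
                   ("permit", "0.0.0.0/0", None, 32)]
# The area filter-list version: "le 32" also catches the /32 host route.
AREA_FILTER = [("deny", "172.16.5.0/24", None, 32),
               ("permit", "0.0.0.0/0", None, 32)]
# The "ge 24 le 25" variant mentioned in the post's prefix-list comment.
GE_LE = [("deny", "172.16.5.0/24", 24, 25),
         ("permit", "0.0.0.0/0", None, 32)]

# Constructed sample routes built from prefixes shown in the post.
SAMPLE_ROUTES = ["172.16.5.0/24", "172.16.5.1/32", "172.16.7.1/32",
                 "10.2.2.0/24", "0.0.0.0/0"]

if __name__ == "__main__":
    for name, plist in [("distribute-list", DISTRIBUTE_LIST),
                        ("area filter-list", AREA_FILTER), ("ge/le", GE_LE)]:
        print(name, "permits:", filter_routes(plist, SAMPLE_ROUTES))
```

Running it shows the point of the "le 32": the plain /24 entry lets 172.16.5.1/32 through, while the area filter-list entry denies it.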

Let's run a couple of show commands on R4 to verify the area x filter-list.

R4#sh ip ospf
<-- output shortened --> 
    Area BACKBONE(0)
        Number of interfaces in this area is 2
        Area has no authentication
        SPF algorithm last executed 00:08:25.452 ago
        SPF algorithm executed 3 times
        Area ranges are
        Area-filter R5LOOPBACK-N-ALL in
        Number of LSA 11. Checksum Sum 0x0ADF5A
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Now let's configure it with the area x range command. The area x range command is often used to summarize routes on ABRs, but with the not-advertise option we can also use it to suppress routes.

R4#sh run | sec ospf
router ospf 1
 log-adjacency-changes
 area 1 range 172.16.5.1 255.255.255.255 not-advertise
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.1.0 0.0.0.255 area 1
 network 192.168.1.0 0.0.0.255 area 0

Notice that the R2 routing table is now missing the 172.16.5.1/32 route.

R2# sh ip route
<-- output shortened --> 
     172.16.0.0/24 is subnetted, 4 subnets
D       172.16.6.0 [90/156160] via 10.2.2.6, 12:23:41, FastEthernet1/1
O E2    172.16.1.0 [110/20] via 10.0.0.1, 14:06:42, FastEthernet1/0
C       172.16.2.0 is directly connected, Loopback0
O E2    172.16.3.0 [110/20] via 10.0.0.3, 14:07:12, FastEthernet1/0
     10.0.0.0/24 is subnetted, 3 subnets
C       10.2.2.0 is directly connected, FastEthernet1/1
O IA    10.1.1.0 [110/2] via 10.0.0.4, 00:14:18, FastEthernet1/0
C       10.0.0.0 is directly connected, FastEthernet1/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 01:21:11, FastEthernet1/0

What's next? Maybe some blogtorials about the different OSPF area types (stub/NSSA/totally stubby/totally NSSA).

More advanced articles to come, so stay tuned!! If you like my posts, please subscribe!!