We are building on the topology from my previous blogtorials. So let's get started.
Objective: Keep the R5 loopback (172.16.5.0/24) out of R4's routing table while allowing everything else in. Also keep the R5 loopback (172.16.5.1/32, which is in Area 1) out of Area 0.
Relevant configurations are posted below.
R4#sh ip route
<-- output shortened -->
O E2 172.16.5.0/24 [110/20] via 10.1.1.5, 00:00:00, FastEthernet1/1
First, with the prefix-list.
R4#sh run | sec prefix-list
ip prefix-list R5LOOPBACK-N-ALL seq 10 deny 172.16.5.0/24 ** Deny R5 loopback. Note that /24 will specifically only match a subnet mask of /24 so if there is a route with 172.16.5.0/25 it will not be matched. You can however use ge (greater than or equal to) 24 le (less than or equal to) 25 to match a /24 and /25 **
ip prefix-list R5LOOPBACK-N-ALL seq 20 permit 0.0.0.0/0 le 32 ** Permit everything else **
R4#sh run | sec ospf
router ospf 1
log-adjacency-changes
redistribute connected subnets
network 10.0.0.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
distribute-list prefix R5LOOPBACK-N-ALL in ** Filter all incoming routing updates through the prefix list R5LOOPBACK-N-ALL **
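Notice that the R5 loopback (172.16.5.0/24) is no longer in the R4 routing table; however, everything else is in there. Keep in mind that an inbound distribute-list in OSPF only stops the route from being installed in the local routing table; the LSA stays in the OSPF database and is still flooded to other routers.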
R4#sh ip route
172.16.0.0/16 is variably subnetted, 6 subnets, 2 masks
C 172.16.4.0/24 is directly connected, Loopback0
O IA 172.16.7.1/32 [110/1002] via 192.168.1.2, 00:10:44, Tunnel0
O E2 172.16.6.0/24 [110/20] via 10.0.0.2, 00:10:44, FastEthernet1/0
O E2 172.16.1.0/24 [110/20] via 10.0.0.1, 00:10:44, FastEthernet1/0
O E2 172.16.2.0/24 [110/20] via 10.0.0.2, 00:10:44, FastEthernet1/0
O E2 172.16.3.0/24 [110/20] via 10.0.0.3, 00:10:44, FastEthernet1/0
10.0.0.0/24 is subnetted, 4 subnets
O IA 10.3.3.0 [110/1001] via 192.168.1.2, 00:10:44, Tunnel0
O E2 10.2.2.0 [110/20] via 10.0.0.2, 00:10:44, FastEthernet1/0
C 10.1.1.0 is directly connected, FastEthernet1/1
C 10.0.0.0 is directly connected, FastEthernet1/0
C 192.168.1.0/24 is directly connected, Tunnel0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:10:45, FastEthernet1/0
Now let's see how we can accomplish this using route-maps and access-lists.
Create an access list to match traffic to be denied.
R4# sh run | incl access
access-list 1 permit 172.16.5.0 0.0.0.255
Then create the route-map deny statement to deny the matched traffic.
R4#sh run | sec route-map
route-map R5LOOPBACK-N-ALL deny 10 ** Deny sequence 10 **
match ip address 1 ** Match the access-list 1 and I know it's kind of backwards but we are permitting traffic to be denied :) **
route-map R5LOOPBACK-N-ALL permit 20 ** Make sure you add this at the end so everything else can be permitted. Route-maps have an implicit deny at the end. **
R4#sh run | sec ospf
log-adjacency-changes
redistribute connected subnets
network 10.0.0.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
distribute-list route-map R5LOOPBACK-N-ALL in ** using the route-map we created to filter R5 (172.16.5.0/24) loopback but allow everything else **
Now let's do it with the area x filter-list prefix in|out command. We can use this command to filter Type 3 LSAs on our ABR (R4), which connects Area 1 and Area 0.
R2 is in Area 0 only and, as you can see, it has an IA (Inter-Area) route to 172.16.5.1/32.
R2#sh ip route
<-- output shortened -->
O IA 172.16.5.1/32 [110/3] via 10.0.0.4, 00:00:01, FastEthernet1/0
Let's start the configurations on R4 (ABR)
ip prefix-list R5LOOPBACK-N-ALL seq 10 deny 172.16.5.0/24 le 32
ip prefix-list R5LOOPBACK-N-ALL seq 20 permit 0.0.0.0/0 le 32
router ospf 1
log-adjacency-changes
area 0 filter-list prefix R5LOOPBACK-N-ALL in ** you can also use the out option to filter updates sent from an area, whereas in filters anything sent to an area **
network 10.0.0.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
Now let's take a look at R2's routing table and notice that 172.16.5.1/32 is gone.
R2# sh ip route
172.16.0.0/24 is subnetted, 4 subnets
D 172.16.6.0 [90/156160] via 10.2.2.6, 12:17:09, FastEthernet1/1
O E2 172.16.1.0 [110/20] via 10.0.0.1, 14:00:10, FastEthernet1/0
C 172.16.2.0 is directly connected, Loopback0
O E2 172.16.3.0 [110/20] via 10.0.0.3, 14:00:39, FastEthernet1/0
10.0.0.0/24 is subnetted, 3 subnets
C 10.2.2.0 is directly connected, FastEthernet1/1
O IA 10.1.1.0 [110/2] via 10.0.0.4, 00:07:45, FastEthernet1/0
C 10.0.0.0 is directly connected, FastEthernet1/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 01:14:39, FastEthernet1/0
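The difference between the two versions of the prefix-list in this post (an exact 172.16.5.0/24 entry versus 172.16.5.0/24 le 32) can be worked through in Python. This is an added example, not part of the original post: it models first-match prefix-list evaluation with the implicit deny at the end, and the 172.16.5.0/25 test route is hypothetical.

```python
import ipaddress

# The two versions of the list used in this post.
EXACT = ["ip prefix-list R5LOOPBACK-N-ALL seq 10 deny 172.16.5.0/24",
         "ip prefix-list R5LOOPBACK-N-ALL seq 20 permit 0.0.0.0/0 le 32"]
RANGE = ["ip prefix-list R5LOOPBACK-N-ALL seq 10 deny 172.16.5.0/24 le 32",
         "ip prefix-list R5LOOPBACK-N-ALL seq 20 permit 0.0.0.0/0 le 32"]
# Constructed test routes (the /25 is hypothetical, the rest appear in the post).
ROUTES = ["172.16.5.0/24", "172.16.5.1/32", "172.16.5.0/25",
          "172.16.6.0/24", "0.0.0.0/0"]

def parse_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny P/L [ge X] [le Y]'."""
    tok = line.split()
    seq, action, net = int(tok[4]), tok[5], ipaddress.ip_network(tok[6])
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))   # e.g. {'le': 32}
    if not opts:
        lo = hi = net.prefixlen          # no ge/le: mask length must be exact
    else:
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", 32)          # ge without le means "up to /32"
    return seq, action, net, lo, hi

def evaluate(lines, route):
    """First matching sequence wins; a list ends with an implicit deny."""
    r = ipaddress.ip_network(route)
    for _seq, action, net, lo, hi in sorted(map(parse_entry, lines)):
        # Leading bits must fall inside the entry, and the mask length in range.
        if r.network_address in net and lo <= r.prefixlen <= hi:
            return action
    return "deny"

def compare(routes=ROUTES):
    """Map each route to (verdict with exact /24, verdict with /24 le 32)."""
    return {r: (evaluate(EXACT, r), evaluate(RANGE, r)) for r in routes}

if __name__ == "__main__":
    for route, (exact, ranged) in compare().items():
        print(f"{route:16} exact={exact:7} le32={ranged}")
```

The exact /24 entry lets 172.16.5.1/32 through, which is why the list applied with area 0 filter-list carries le 32.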
Let's do a couple of show commands on R4 to verify the area x filter-list.
R4#sh ip ospf
<-- output shortened -->
Area BACKBONE(0)
Number of interfaces in this area is 2
Area has no authentication
SPF algorithm last executed 00:08:25.452 ago
SPF algorithm executed 3 times
Area ranges are
Area-filter R5LOOPBACK-N-ALL in
Number of LSA 11. Checksum Sum 0x0ADF5A
Number of opaque link LSA 0. Checksum Sum 0x000000
Number of DCbitless LSA 0
Number of indication LSA 0
Number of DoNotAge LSA 0
Flood list length 0
Now let's configure it with the area x range command. Often the area x range command is used to summarize routes on ABRs; however, we can also use it to suppress routes.
R4#sh run | sec ospf
router ospf 1
log-adjacency-changes
area 1 range 172.16.5.1 255.255.255.255 not-advertise
network 10.0.0.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 1
network 192.168.1.0 0.0.0.255 area 0
Notice that R2's routing table is now missing the 172.16.5.1/32 route.
R2# sh ip route
<-- output shortened -->
172.16.0.0/24 is subnetted, 4 subnets
D 172.16.6.0 [90/156160] via 10.2.2.6, 12:23:41, FastEthernet1/1
O E2 172.16.1.0 [110/20] via 10.0.0.1, 14:06:42, FastEthernet1/0
C 172.16.2.0 is directly connected, Loopback0
O E2 172.16.3.0 [110/20] via 10.0.0.3, 14:07:12, FastEthernet1/0
10.0.0.0/24 is subnetted, 3 subnets
C 10.2.2.0 is directly connected, FastEthernet1/1
O IA 10.1.1.0 [110/2] via 10.0.0.4, 00:14:18, FastEthernet1/0
C 10.0.0.0 is directly connected, FastEthernet1/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 01:21:11, FastEthernet1/0
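The manual check done above (reading R2's routing table to confirm the filtered prefix is gone) can be scripted. This is an added example, not part of the original post: the sample text is constructed from the R2 output lines shown here, and the function names parse_routes and leaked are hypothetical.

```python
import ipaddress
import re

# Constructed sample built from the R2 output lines shown in this post.
R2_AFTER = """\
172.16.0.0/24 is subnetted, 4 subnets
D 172.16.6.0 [90/156160] via 10.2.2.6, 12:23:41, FastEthernet1/1
O E2 172.16.1.0 [110/20] via 10.0.0.1, 14:06:42, FastEthernet1/0
C 172.16.2.0 is directly connected, Loopback0
10.0.0.0/24 is subnetted, 3 subnets
O IA 10.1.1.0 [110/2] via 10.0.0.4, 00:14:18, FastEthernet1/0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 01:21:11, FastEthernet1/0
"""
# The same table plus the inter-area route R2 held before filtering.
R2_BEFORE = R2_AFTER + (
    "O IA 172.16.5.1/32 [110/3] via 10.0.0.4, 00:00:01, FastEthernet1/0\n")

HEADER = re.compile(r"^\s*\d+\.\d+\.\d+\.\d+/(\d+) is (?:variably )?subnetted")
ROUTE = re.compile(r"^\s*(?P<code>[A-Za-z][A-Za-z0-9* ]*?)\s+"
                   r"(?P<net>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
                   r"(?:\[|is directly)")

def parse_routes(text):
    """Return {IPv4Network: route code} from 'sh ip route' output."""
    routes, parent_len = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            parent_len = header.group(1)   # mask for child lines printed without one
            continue
        m = ROUTE.match(line)
        plen = (m.group("len") or parent_len) if m else None
        if plen is None:
            continue                       # not a route line, or no mask known
        net = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        routes[net] = " ".join(m.group("code").split())
    return routes

def leaked(text, blocked):
    """List routes in the table that fall inside any prefix meant to be filtered."""
    nets = [ipaddress.ip_network(b) for b in blocked]
    return sorted(str(r) for r in parse_routes(text)
                  if any(r.subnet_of(n) for n in nets))

if __name__ == "__main__":
    print("before:", leaked(R2_BEFORE, ["172.16.5.0/24"]))
    print("after: ", leaked(R2_AFTER, ["172.16.5.0/24"]))
```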
What's next? Maybe some blogtorials about different OSPF area types (stub/nssa/totally stubby/totally nssa).
More advanced articles to come so stay tuned!! If you like my posts please subscribe!!
I found this "blogtorial" very helpful. Good job on posting relevant configs as it is easy for me to configure this in my own lab and follow along. I believe prefix-list and route-maps are more common than area x filter and area range. Great post and keep up the good work.