In this lab, we will come to understand how to properly filter OSPF routes. Route filtering in OSPF has a lot to watch out for because of its link-state nature. If applied incorrectly, route filtering in OSPF may create a traffic black hole. A traffic black hole occurs when the routing table points to a next-hop neighbor for a prefix, but that neighbor has no route for the prefix and drops the traffic. In distance vector protocols like RIP and EIGRP this rarely happens because, in those protocols, anything that is not in the routing table will not be announced to the neighbor. Link-state protocols like OSPF flood LSAs, which still propagate the routes regardless of whether the route is in the local routing table or not. Later we will see in detail several techniques and considerations for filtering routes in OSPF.

Below are the tasks that we will do in this lab:

  1. Configure distribute-list in R3 to filter 7.7.7.7/32; use access-list.
  2. Configure distribute-list in R5 to filter 7.7.7.7/32; use a route-map.
  3. Filter 6.6.6.6/32 in R5; do not use distribute-list.
  4. Configure R1 and R2 to make sure 4.4.4.4/32 doesn’t enter Area 1235.
  5. Configure R1 and R2 to filter announcement of 3.3.3.3/32 to Area 14 and Area 26.
  6. Set Area 26 as NSSA. In R2, redistribute 22.22.22.22/32 to all areas except Area 26. Use only one line of configuration to filter.
  7. Redistribute 77.77.77.77/32 in R7 to OSPF. Make sure R7 doesn’t announce this to R6.
  8. Remove the previous filtering command from Task 7. Configure R2 so it will not announce 77.77.77.77/32 to other areas.

Task 1: Configure distribute-list in R3 to filter 7.7.7.7/32; use access-list.

First let’s check if R3 has the route to 7.7.7.7/32.

R3#sh ip route | inc 7.7.7.7
O IA    7.7.7.7 [110/5] via 35.35.35.5, 00:43:01, FastEthernet0/1

Now let’s configure an access-list to include this route and filter it in OSPF using distribute-list. Since we are going to deny this route, the ACL should be deny and should contain a ‘permit any’ statement at the end.

R3(config)#no access-list 1
R3(config)#access-list 1 deny host 7.7.7.7
R3(config)#access-list 1 permit any
R3(config)#router ospf 1
R3(config-router)#distribute-list 1 in
R3(config-router)#exit

R3#sh ip route 7.7.7.7
% Network not in table

The filter worked and we don’t see 7.7.7.7/32 in the routing table. However, in OSPF, filtering a route from the routing table doesn’t mean that it will not be announced to the neighbor. The command “distribute-list in” only prevents the route from being installed in the routing table; it does not stop LSA propagation. To prove this, let’s shut R5’s connection to R2 so that R5’s path to 7.7.7.7/32 has to go through R3. We will then check whether R5 still sees the route to 7.7.7.7/32.

R5(config)#int fa0/0
R5(config-if)#shut

R5#sh ip ospf neigh

Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/BDR        00:00:36    35.35.35.3      FastEthernet0/1

R5#sh ip route 7.7.7.7
Routing entry for 7.7.7.7/32
  Known via "ospf 1", distance 110, metric 6, type inter area
  Last update from 35.35.35.3 on FastEthernet0/1, 00:00:29 ago
  Routing Descriptor Blocks:
  * 35.35.35.3, from 1.1.1.1, 00:00:29 ago, via FastEthernet0/1
      Route metric is 6, traffic share count is 1

The output above shows that, even though R3 has no route to the loopback of R7, R5 still receives the route. In fact, R5’s next-hop for this route is R3. This also means that using the ‘distribute-list out’ command to prevent the announcement of a prefix to a neighbor won’t work: the summary LSA is flooded regardless. That approach works in distance vector protocols but not in OSPF. Now, let’s test whether R5 can ping R7.

R5#ping 7.7.7.7

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 7.7.7.7, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)

This is an example of a traffic black hole, where there is a route pointing to a neighbor but the neighbor simply drops the traffic because it has no route to the destination. This wastes bandwidth on the link to the neighbor. It is better to have no route to a destination than to have a route going into a traffic black hole. This is why care needs to be taken when using the ‘distribute-list in’ command in OSPF: it should only be applied on non-transit routers, such as leaf routers, that no other router uses as a next hop.
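The black hole above can be spotted from the routing tables alone. The following is an added example, not code from the original lab: it models each router's table as {prefix: next-hop router} (values constructed from the lab output, with R5's fa0/0 shut) and traces the forwarding path hop by hop, flagging any hop whose table lacks the prefix.

```python
# Added example (not from the original lab): forwarding-path trace and black-hole
# audit over a constructed model of the lab's routing tables after Task 1.
# RIB = {router: {prefix: next_hop_router}}; LOCAL = prefixes a router owns itself.

LOCAL = {"R7": {"7.7.7.7/32"}}  # R7's loopback, constructed from the lab topology

# State after "distribute-list 1 in" on R3 with R5's fa0/0 shut: R5 still points
# at R3 for 7.7.7.7/32 (the LSA was flooded), but R3 has filtered the prefix.
RIB_AFTER = {
    "R5": {"7.7.7.7/32": "R3"},
    "R3": {},
    "R1": {"7.7.7.7/32": "R2"},
    "R2": {"7.7.7.7/32": "R6"},
    "R6": {"7.7.7.7/32": "R7"},
}

def trace(rib, local, src, prefix, max_hops=16):
    """Follow next hops from src. Returns (status, path) where status is
    'delivered', 'blackhole' (a hop has no route), 'loop', or 'ttl-exceeded'."""
    path, node = [src], src
    while len(path) <= max_hops:
        if prefix in local.get(node, ()):
            return "delivered", path
        nh = rib.get(node, {}).get(prefix)
        if nh is None:
            return "blackhole", path        # this hop will drop the packet
        if nh in path:
            return "loop", path + [nh]
        path.append(nh)
        node = nh
    return "ttl-exceeded", path

def black_holes(rib, local):
    """Audit every table entry: list (router, prefix, next_hop) triples where the
    next hop neither owns the prefix nor has a route for it."""
    found = []
    for router, table in rib.items():
        for prefix, nh in table.items():
            if prefix in local.get(nh, ()) or prefix in rib.get(nh, {}):
                continue
            found.append((router, prefix, nh))
    return sorted(found)

if __name__ == "__main__":
    print(trace(RIB_AFTER, LOCAL, "R5", "7.7.7.7/32"))   # ('blackhole', ['R5', 'R3'])
    print(black_holes(RIB_AFTER, LOCAL))                   # [('R5', '7.7.7.7/32', 'R3')]
```

Running the same audit before the filter is applied returns an empty list, which is the check to run whenever ‘distribute-list in’ is added on a transit router.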

Let’s unshut the interface between R2 and R5 and proceed to the next task.

R5(config)#int fa0/0
R5(config-if)#no shut

Task 2: Configure distribute-list in R5 to filter 7.7.7.7/32; use a route-map.

We will take the same steps as above but we will use a route-map this time.

R5#sh ip route | inc 7.7.7.7
O IA    7.7.7.7 [110/4] via 25.25.25.2, 00:04:01, FastEthernet0/0

R5(config)#access-list 1 deny 7.7.7.7
R5(config)#router ospf 1
R5(config-router)#access-list 1 permit host 7.7.7.7
R5(config)#route-map DENY7.7.7.7 deny 10
R5(config-route-map)#match ip address 1
R5(config-route-map)#route-map DENY7.7.7.7 permit 20
R5(config-route-map)#router ospf 1
R5(config-router)#distribute-list route-map DENY7.7.7.7 in

R5#sh ip route 7.7.7.7
% Network not in table

Now the question is why the access-list was configured as permit rather than deny. A route-map deny sequence only takes effect when its match clause succeeds, and ‘match ip address’ succeeds only when the ACL permits the prefix. If the access-list denied 7.7.7.7 and the route-map sequence were also a deny, the match would fail, sequence 10 would be skipped, and the permit in sequence 20 would let the route through: the double negative becomes a positive.

Task 3: Filter 6.6.6.6/32 in R5; do not use distribute-list.

The condition doesn’t allow us to use a distribute-list. What can we use then? We can use the ‘distance’ command under OSPF and put an administrative distance of 255. Routes with an administrative distance of 255 are considered unreachable and will not be put into the routing table. Let’s go ahead and configure this.

R5#sh ip route | inc 6.6.6.6
O IA    6.6.6.6 [110/3] via 25.25.25.2, 00:07:32, FastEthernet0/0
R5(config)#access-list 2 permit host 6.6.6.6
R5(config)#router ospf 1
R5(config-router)#distance 255 2.2.2.2 0.0.0.0 2
R5#sh ip route 6.6.6.6
Routing entry for 6.6.6.6/32
  Known via "ospf 1", distance 110, metric 5, type inter area
  Last update from 35.35.35.3 on FastEthernet0/1, 00:00:17 ago
  Routing Descriptor Blocks:
  * 35.35.35.3, from 1.1.1.1, 00:00:17 ago, via FastEthernet0/1
      Route metric is 5, traffic share count is 1

Take note that in the ‘distance’ command, the IP address specified is the router-id of the router that advertised the route (the ‘from’ field in the output above), not the next-hop IP address. We can see in the output that the command didn’t filter the route completely; OSPF simply chose the next available path, which is through R3 and is now advertised by 1.1.1.1. To filter this route completely, we could issue another ‘distance’ command matching that other advertising router, or we can simply use 0.0.0.0 255.255.255.255 to match every source of the route. Let’s do the latter.

R5(config)#router ospf 1
R5(config-router)#distance 255 0.0.0.0 255.255.255.255 2
R5#sh ip route 6.6.6.6
% Network not in table

Task 4: Configure R1 and R2 to make sure 4.4.4.4/32 doesn’t enter Area 1235.

We have learned in the previous tasks that we can use neither the ‘distribute-list in’ nor the ‘distance’ command to filter, because the LSAs will still be propagated. On ABRs, however, there is a way to stop Type 3 (Summary) LSAs from being propagated into an area through the OSPF ‘filter-list’. It can be applied in both the inbound and outbound directions.

R3# sh ip route | inc 4.4.4.4
O IA    4.4.4.4 [110/3] via 13.13.13.1, 00:30:13, FastEthernet0/0
R5#sh ip route | inc 4.4.4.4
O IA    4.4.4.4 [110/4] via 35.35.35.3, 00:07:29, FastEthernet0/1

R1(config)#ip prefix-list AREA14 deny 4.4.4.4/32
R1(config)#ip prefix-list AREA14 permit 0.0.0.0/0 le 32
R1(config)#router ospf 1
R1(config-router)#area 1235 filter-list prefix AREA14 in

R2(config)#ip prefix-list AREA14 deny 4.4.4.4/32
R2(config)#ip prefix-list AREA14 permit 0.0.0.0/0 le 32
R2(config)#router ospf 1
R2(config-router)#area 1235 filter-list prefix AREA14 in

Let’s verify if we can still see the route to 4.4.4.4/32 and the LSA in R3 and R5.

R3#sh ip route 4.4.4.4
% Network not in table

R5#sh ip route 4.4.4.4
% Network not in table


R3#sh ip ospf database summary 4.4.4.4

            OSPF Router with ID (3.3.3.3) (Process ID 1)

R5#sh ip ospf database summary 4.4.4.4

            OSPF Router with ID (5.5.5.5) (Process ID 1)

The filter-list command stops the summary LSA from entering the area. Since R3 and R5 never receive an LSA for 4.4.4.4/32, there is no entry in their routing tables and nothing to black-hole. The ‘filter-list’ command is applicable only on ABRs.

Task 5: Configure R1 and R2 to filter announcement of 3.3.3.3/32 to Area 14 and Area 26.

We can use the filter-list command in a similar fashion, this time on the outward direction. However, let us use another command to show other means of filtering route announcements to other areas.

R4#sh ip route | inc 3.3.3.3
O IA    3.3.3.3 [110/3] via 14.14.14.1, 00:00:06, FastEthernet0/0

R6#sh ip route | inc 3.3.3.3
O IA    3.3.3.3 [110/4] via 26.26.26.2, 00:54:28, FastEthernet0/0

R1(config)#router ospf 1
R1(config-router)#area 1235 range 3.3.3.3 255.255.255.255 not-advertise

R2(config)#router ospf 1
R2(config-router)#area 1235 range 3.3.3.3 255.255.255.255 not-advertise

Let’s check if the command did work and if LSAs are being propagated out to other areas.

R4#sh ip route 3.3.3.3
% Network not in table
R4#sh ip ospf database summary 3.3.3.3

            OSPF Router with ID (4.4.4.4) (Process ID 1)

R6#sh ip route 3.3.3.3
% Network not in table
R6#sh ip ospf database summary 3.3.3.3

            OSPF Router with ID (6.6.6.6) (Process ID 1)

This worked the same way as the ‘filter-list’ command.

Task 6: Set Area 26 as NSSA. In R2, redistribute 22.22.22.22/32 to all areas except Area 26. Use only one line of configuration to filter.

R2(config)#router ospf 1
R2(config-router)#area 26 nssa
R2(config-router)#redistribute connected subnets

R6(config)#router ospf 1
R6(config-router)#area 26 nssa

R7(config)#router ospf 1
R7(config-router)#area 26 nssa

R7#sh ip route 22.22.22.22
Routing entry for 22.22.22.22/32
  Known via "ospf 1", distance 110, metric 20, type NSSA extern 2, forward metric 2
  Last update from 67.67.67.6 on FastEthernet0/1, 00:00:51 ago
  Routing Descriptor Blocks:
  * 67.67.67.6, from 2.2.2.2, 00:00:51 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1

R7 can still see the route to 22.22.22.22/32. Let’s issue a single command for R2 not to announce this to area 26.

R2(config)#router ospf 1
R2(config-router)#area 26 nssa no-redistribution

R7#sh ip route 22.22.22.22
% Network not in table

R1#sh ip route 22.22.22.22
Routing entry for 22.22.22.22/32
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 1
  Last update from 12.12.12.2 on FastEthernet0/1, 00:03:49 ago
  Routing Descriptor Blocks:
  * 12.12.12.2, from 2.2.2.2, 00:03:49 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1

That single command on the ABR R2 stops everything redistributed at R2 from being announced into Area 26, while the other areas still receive it as a Type 5 external route, as R1’s output shows.

Task 7: Redistribute 77.77.77.77/32 in R7 to OSPF. Make sure R7 doesn’t announce this to R6.

This task shows where ‘distribute-list out’ actually fits into OSPF filtering. Let’s configure it and verify whether the command works here.

R7(config)#int loopback1
R7(config-if)#ip add 77.77.77.77 255.255.255.255

R7(config)#router ospf 1
R7(config-router)#redistribute connected subnets

R6#sh ip route 77.77.77.77
Routing entry for 77.77.77.77/32
  Known via "ospf 1", distance 110, metric 20, type NSSA extern 2, forward metric 2
  Last update from 67.67.67.7 on FastEthernet0/1, 00:00:05 ago
  Routing Descriptor Blocks:
  * 67.67.67.7, from 7.7.7.7, 00:00:05 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1

Let’s configure R7 to filter this prefix from being announced out to R6 and other areas.

R7(config)#access-list 1 deny 77.77.77.77
R7(config)#access-list 1 permit any
R7(config)#router ospf 1
R7(config-router)#distribute-list 1 out

R6#sh ip route 77.77.77.77
% Network not in table

This is the only instance where the ‘distribute-list out’ command has an effect in OSPF: on the ASBR, it filters external routes at the point where they are redistributed into OSPF, so the Type 7 (or Type 5) LSA is never originated. It does not filter LSAs that are merely being flooded to a neighbor.

Task 8: Remove the previous filtering command from Task 7. Configure R2 so it will not announce 77.77.77.77/32 to other areas.

R7(config)#router ospf 1
R7(config-router)#no distribute-list 1 out

R1#sh ip route 77.77.77.77
Routing entry for 77.77.77.77/32
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 4
  Last update from 12.12.12.2 on FastEthernet0/1, 00:06:55 ago
  Routing Descriptor Blocks:
  * 12.12.12.2, from 2.2.2.2, 00:06:55 ago, via FastEthernet0/1
      Route metric is 20, traffic share count is 1

Let’s configure R2 so the prefix will only be announced inside Area 26.

R2(config)#router ospf 1
R2(config-router)#summary-address 77.77.77.77 255.255.255.255 not-advertise

R1#sh ip route 77.77.77.77
% Network not in table

Similar to the ‘area range’ command, the ‘summary-address’ command can be used on an ASBR or NSSA ABR to summarize external routes or, with ‘not-advertise’ included, to keep them from being announced to other areas.
