First be sure which type of LSA you need to filter by making sure in which part of database the route is:
#show ip ospf database [router | network | summary | internal | external]
There are 5 ways to perform OSPF Route Filtering:
1. DISTRIBUTE LIST - Filters all LSAs from the Routing Table, but they stay in the OSPF Database
!!!distribute-list OUT works on both, routing table and OSPF database, but ONLY on ASBR for LSA5 and 7!!!
2. FILTER LIST - Filters only LSA3, so - only on ABR, but filters from OSPF Database.
filter-list can be applied: IN - into the area, OUT - out of the area
3. NOT-ADVERTISE - ONLY filter LSA Types 1 and 2, apply on ABR (filters both, routing table and OSPF Database)
Can be used with both, "area X range" (ABR) and "summary-address" (ASBR) commands
4. DISTANCE - Set the AD of the advertised routes to 255, so that they are UNREACHABLE
(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <- 10 is an ACL
5. DATABASE-FILTER - If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or on INT):
(config-subif)#ip ospf database-filter all out <- PER INTERFACE
(config-router)#neighbor x.x.x.x database-filter all out <- PER NEIGHBOR
Be sure which type of LSA you need to filter by making sure in which part of database the route is:
#show ip ospf database [router | network | summary | internal | external]
The easiest way to filter the OSPF routes from being added to the Routing Table is the distribute-list.
!!!DISTRIBUTE-LIST only affects the local router!!! Meaning - the Update will be distributed to the other routers, the subnets will only be filtered out the local IP ROUTING TABLE
The advantage is that it's rather easy to implement, and it can filter any type of LSA:
(config-router)#distribute-list prefix MY_PREFIX_LIST in <--- OUT would only work on ASBR TO FILTER LSA5 & LSA7
The big CON is that even though the Route is not added to the Routing Table - it will stay in the database,
and it will be further propagated to the other OSPF Neighbors. The route will therefore appear in the Routing Table,but it will not be reachable, as one of the routers along the path does not have it in it's Routing Table.
*If you need to reach the route without passing through the router that cannot reach it - define the route-map with the next hop pointing towards an alternative path, and apply it in the Global Configuration mode:
(config-router)#ip local policy route-map ROUTE_MAP
Filter using Distribute List
The easiest way to filter the OSPF routes from being added to the Routing Table is the distribute-list. The advantage is that it's rather easy to implement, and it can filter any type of LSA:
Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST in <--- OUT would only work on OSBR TO FILTER LSA5 & LSA7
The big CON is that even though the Route is not added to the Routing Table - it will stay in the database, and it will be further propagated to the other OSPF Neighbors.
The route will therefore appear in the Routing Table, but it will not be reachable, as one of the routers along the path does not have it in it's Routing Table.
*If you need to reach the route without passing through the router that cannot reach it - define the route-map with the next hop pointing towards an alternative path, and apply it in the Global Configuration mode:
(config-router)#ip local policy route-map ROUTE_MAP
OSPF filter-list - LSA-3 FILTERING
This ONLY works for LSA-3 (Summary), and therefore needs to be configured on the ABR only. Lets say that we want to filter the network 172.25.185.0/24 from the Area 2. Then on the ABR we define the prefix list that DENIES that network, and ALLOWS everything else
(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32
Then apply the prefix-list as a filter-list within a OSPF configuration process for Area 2:
(config-router)#area 2 filter-list prefix JEDANES in
This will prevent the network from being redistributed into Area 2. Note that IN/OUT means that the network is being advertised into or out-from the AREA 2
OSPF "not-advertise" LSA1 & LSA2 FILTERING
If you need to filter LSAs 1 and 2, you can use the "not-advertise" command, but also ONLY ON ABR!
(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise
Tune the ADVERTISED DISTANCE to Filter the Prefix
Another way to filter the OSPF networks is manually setting the distance to 255, which is UNREACHABLE. It's not the most elegant way, but you should know that it's also an option.
Cisqueros_R4(config-router)#distance 255 3.3.3.3 255.255.255.0 10 <--- 10 IS AN ACCESS-LIST WITH THE PREFIXES WE WANT TO FILTER
Filter EXTERNAL OSPF Routes: LSA5 & LSA7
The first way to filter there routes was already mentioned above:
Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST OUT
The second way is reserved ONLY for the External Routes, and it's the "not-advertised" applied to the "summary-address" command
(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise <--- MUST BE APPLIED ON ASBR
Filter OSPF per Interface
If you wish to prevent LSAs to be sent via particular Interface:
(config-if)#ip ospf database-filter all out
*ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface
Filter OSPF per NEIGHBOR
Even though OSPF doesn't require that we manually configure the Neighbors, we do need to use the "neighbor" command in order to configure the OSPF database filtering:
(config-router)#neighbor 5.5.5.5 database-filter all out
*Network MUST be configured as POINT-TO-POINT (on the Interface Configuration)
Thanks. Nice explanation
ReplyDelete
ReplyDeleteI Wouldn't agree on this. Without the not-advertise keyword, the command
area 1 range 172.25.182.0 255.255.255.0
will suppress the ABR's automatic Type-3 generation for area 1 routes within the range 172.25.182.0/24 into the backbone area and advertise a single /24 summary instead.
In contrast, with the not-advertise keyword it suppresses that summary as well. So it actually filters Type-3 LSAs.
<(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise <--- MUST BE APPLIED ON ASBR>
You can also do that on a NSSABR; because of the 7-to-5 translation it is the originator of the Type-5 LSAs, just like a "regular" ASBR.
The first paragraph of my previous posting was lost: I was refering this:
Delete"If you need to filter LSAs 1 and 2, you can use the "not-advertise" command, but also ONLY ON ABR!"
Thanks a lot, great explanation!
ReplyDeleteGood explanation of all the OSPF filtering types. There is one more that I recently found.
ReplyDeleteThe "distribute-list xxx in" can be used to filter generated LSA-3's on an ABR. You might be wondering how that is possible. Here is why:
Let's take two facts:
1) ABR's generate LSA-3 packets between areas by walking the routing table, not by walking the OSPF database! That means if a route is missing from the routing table, even though it has an entry in the database, then corresponding LSA type 3 will not be generated.
2) The "distribute-list xxx in" command filters routes from being created in the routing table from the OSPF database.
Now, put these two together. You'll find that you can prevent an ABR from generating specific LSA-3 entries between the areas it is connected to by using the "distribute-list xxx in". Keep the route out of the routing table, and you'll effectively prevent the LSA-3 from being generated.
Of course, this technique will not work with connected networks, because the "distribute-list xxx in" command will not remove connected networks from the routing table.
One other thing, when it comes to filtering external routes, as you mentioned, there are two commands. The "summary-address" and the "distribute-list out". However, it seemed a little unclear where they can be used.
ReplyDeleteThe "summary-address" can be used in two places.
1) On an ASBR redistributing LSA type 5 external routes. It can be used to summarize routes or stop advertising routes with the "no-advertise" keyword.
2) On an ASBR redistributing LSA type 7 NSSA external routes or the ABR for the NSSA area. You can technically even put it on both. The ASBR can summarize it once, and the ABR can further summarize it. Again, the "summary-address" can be used to summarize or stop advertisements.
As for the "distribute-list out" command, that only works on the ASBR that is originally redistributing a route, whether an LSA type 5 or 7. This command cannot be used on an ABR to an NSSA area like the "summary-address" can.
So in my opinion it is always easier to use "summary-address no-advertise" unless you have a ton of addresses to suppress, where "distribute-list" would be better suited because it can use an access-list.