Previously in part 1 we discussed route-filtering using the “filter-list” command in OSPF. That was limited to our ABR and ASBRs. With distribute-lists we are able to filter OSPF routes from making to the routing information base/routing table (RIB). If you recall our topology from part 1, well I’ve just added R4 to that. If you don’t recall part 1 here is the link, check it out first.
note: This is not recommended and is an easy way to black-hole traffic and cause headaches. Filtering at the ABR and or ASBRs would be better. However there are some situations when you just want to filter the route from just one router.
This time what I want to do is filter the route of 33.33.33.33/32 from R3 making it into R4’s RIB. Let’s begin.
First let’s configure R3 and R4 to complete the topology.
R3: conf t int g3/0 ip add 192.168.3.1 255.255.255.0 no shut ip ospf 1 area 1 R4: conf t int g3/0 ip add 192.168.3.2 255.255.255.0 no shut ip ospf 1 area 1
Now let’s wait for the OSPF adjacency to go into the FULL state.
Alright, now we can begin filtering. Here’s what you need to know. We CANNOT EVER NEVER ABSOLUTELY NOT filter type 1 and type 2 LSAs in an OSPF area, we just can’t. It breaks the logic of OSPF. Instead what we can do is prevent routes from making it into the RIB from the OSPF database. That’s exactly what distribute-list does for us.
Since now we can prevent routes from making it to the RIB, we can do the route-filtering locally. We do not have to do it from the ABR or ASBR. Let’s see our options.
In this case I’ll just reference a basic/standard access-list.
conf t access-list 1 deny 33.33.33.33 0.0.0.0 access-list 1 permit any router ospf 1 distribute-list 1 in
Let’s break down the commands, I referenced an access-list, which of course has an implicit deny at the end. That is why you see the permit any at the end. Then I went into OSPF and said apply this distribute-list, reference ACL 1, and apply it inwards. There is an option for “out” HOWEVER IT DOES NOTHING. That’s only useful in EIGRP.
Its possible to reference other things for distribute-lists, like so.
It’s also possible for us to specify an interface after the direct, like so :
distribute-list 1 in g3/0
Alright now let’s check the RIB.
Now we should still see the type 1 LSA for 33.33.33.33 in our OSPF LSDB.
Let’s confirm there was no Link State Updates (LSUs) being sent out from R4.
In Part 1 we noticed that filtering OSPF routes with “filter-list” caused an LSU to be sent out with the max age of 60 minutes letting other routers know the type 3 LSA was invalid. Here we are not filtering LSAs at all so the OSPF process does not need to do anything.
Since there is no change to OSPF directly, negating the command should not cause a re-sync of the OSPF process. Let’s remove it and confirm the route comes back.
R4: conf t router ospf 1 no distribute-list 1 in
Perfect! That concludes part 2, in part 3 we’ll talk about the last method for filtering OSPF routes. Stay tuned.