Filtering OSPF Routes Part 2

Previously, in part 1, we discussed route filtering using the “filter-list” command in OSPF. That was limited to our ABR and ASBRs. With distribute-lists we are able to filter OSPF routes from making it into the routing information base/routing table (RIB). If you recall our topology from part 1, I’ve just added R4 to it. If you don’t recall part 1 here is the link, check it out first.

Note: This is not recommended and is an easy way to black-hole traffic and cause headaches. Filtering at the ABR and/or ASBRs would be better. However, there are some situations when you just want to filter the route on just one router.

This time what I want to do is filter the route 33.33.33.33/32 from R3 so that it does not make it into R4’s RIB. Let’s begin.

 


First let’s configure R3 and R4 to complete the topology.

R3:
conf t
int g3/0
ip add 192.168.3.1 255.255.255.0
no shut
ip ospf 1 area 1

R4:
conf t
int g3/0
ip add 192.168.3.2 255.255.255.0
no shut
ip ospf 1 area 1

Now let’s wait for the OSPF adjacency to go into the FULL state.


Alright, now we can begin filtering. Here’s what you need to know. We CANNOT EVER NEVER ABSOLUTELY NOT filter type 1 and type 2 LSAs in an OSPF area, we just can’t. It breaks the logic of OSPF. Instead what we can do is prevent routes from making it into the RIB from the OSPF database. That’s exactly what distribute-list does for us.

Since now we can prevent routes from making it to the RIB, we can do the route-filtering locally. We do not have to do it from the ABR or ASBR. Let’s see our options.

In this case I’ll just reference a basic/standard access-list.

R4:
conf t
access-list 1 deny 33.33.33.33 0.0.0.0
access-list 1 permit any
router ospf 1
distribute-list 1 in

Let’s break down the commands. I referenced an access-list, which of course has an implicit deny at the end; that is why you see the permit any at the end. Then I went into OSPF and applied the distribute-list, referencing ACL 1, in the inbound direction. There is an option for “out” HOWEVER IT DOES NOTHING. That’s only useful in EIGRP.
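The first-match and implicit-deny behaviour described above decides which OSPF routes reach the RIB. As an added example (not part of the original post), this Python sketch evaluates the page's ACL 1 and `distribute-list 1 in` against a list of routes; the routes other than 33.33.33.33/32 and all function names are assumptions, and only numbered standard ACLs are handled.

```python
import ipaddress

# R4 commands from this page as sample input; routes other than 33.33.33.33/32 are constructed.
R4_CONFIG = """access-list 1 deny 33.33.33.33 0.0.0.0
access-list 1 permit any
router ospf 1
distribute-list 1 in
"""
SPF_ROUTES = ["33.33.33.33/32", "10.0.12.0/24", "1.1.1.1/32"]

def parse_standard_acls(config):
    """Return {acl_number: [(action, addr, wildcard), ...]} in config order."""
    acls = {}
    for tok in (line.split() for line in config.splitlines()):
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        spec = tok[4:5] if tok[3] == "host" else tok[3:5]
        if spec == ["any"]:
            spec = ["0.0.0.0", "255.255.255.255"]
        addr, wild = spec[0], spec[1] if len(spec) > 1 else "0.0.0.0"
        entry = (tok[2], int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wild)))
        acls.setdefault(tok[1], []).append(entry)
    return acls

def inbound_acls(config):
    """ACL numbers applied by 'distribute-list <n> in' under 'router ospf'."""
    found, in_ospf = [], False
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["router"]:
            in_ospf = tok[1:2] == ["ospf"]
        elif in_ospf and len(tok) >= 3 and tok[0] == "distribute-list" and tok[2] == "in":
            found.append(tok[1])
    return found

def acl_permits(entries, prefix):
    """First match wins on the route's network address; no match is the implicit deny."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
        if (net & care) == (addr & care):
            return action == "permit"
    return False

def rib_after_filter(config, routes):
    """Split OSPF routes into (installed, suppressed) for this router's RIB."""
    acls = parse_standard_acls(config)
    applied = [acls[n] for n in inbound_acls(config) if n in acls]  # undefined ACLs skipped
    installed = [r for r in routes if all(acl_permits(a, r) for a in applied)]
    return installed, [r for r in routes if r not in installed]
```

Dropping the `permit any` line from the sample config moves every route into the suppressed list, which is the implicit deny at work.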

It’s possible to reference other things for distribute-lists, like so.


It’s also possible for us to specify an interface after the direction, like so:

distribute-list 1 in g3/0

Alright now let’s check the RIB.


Now we should still see the type 1 LSA for 33.33.33.33 in our OSPF LSDB.


Let’s confirm there were no Link State Updates (LSUs) being sent out from R4.


In Part 1 we noticed that filtering OSPF routes with “filter-list” caused an LSU to be sent out with the max age of 60 minutes letting other routers know the type 3 LSA was invalid. Here we are not filtering LSAs at all so the OSPF process does not need to do anything.

Since there is no change to OSPF directly, negating the command should not cause a re-sync of the OSPF process. Let’s remove it and confirm the route comes back.

R4:
conf t
router ospf 1
no distribute-list 1 in


Perfect! That concludes part 2, in part 3 we’ll talk about the last method for filtering OSPF routes. Stay tuned.
