OSPF Route Filtering

When I say OSPF route filtering, I know what some of you think: “Mike, did you bang your head on something? LSDBs have to be consistent across the entire area for OSPF to calculate SPF properly, so how can you filter routes?” There are three ways to filter routes in OSPF:

  • Distribute-Lists
  • Area Filter-Lists
  • Summarization

Each of these has to be done on specific devices so that the LSDB is not harmed and all OSPF devices in the area see the network similarly.

This is the diagram we are going to use to demonstrate filtering.

Distribute-List Filtering

The first thing we can do to filter a route is to use the distribute-list command.  You have two options: inbound and outbound. Although it may not seem intuitive, this is what OSPF will block with the direction you choose:

  • Inbound: Will filter the network. This will stop SPF from running against it, but the LSA will remain in the LSDB.
  • Outbound: Will filter redistributed networks on the ASBR.

Looking at the above topology, let’s take 10.95.1.0/24 and see what would happen if we configured R5 not to run SPF against it.

R5(config)#ip prefix-list OSPF_FILTERING permit 10.95.1.0/24
R5(config)#route-map OSPF_FILTERING deny 1
R5(config-route-map)#match ip address prefix-list OSPF_FILTERING
R5(config-route-map)#route-map OSPF_FILTERING permit 9999
R5(config-route-map)#exit
R5(config)#router ospf 1
R5(config-router)#distribute-list route-map OSPF_FILTERING in

Let’s see if the LSA is still in the LSDB on R5.

R5#show ip ospf database summary 10.95.1.0
OSPF Router with ID (5.5.5.5) (Process ID 1)
Summary Net Link States (Area 25)
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 196
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 10.95.1.0 (summary Network Number)
Advertising Router: 2.2.2.2
LS Seq Number: 80000001
Checksum: 0xDDAA
Length: 28
Network Mask: /24
MTID: 0 Metric: 66
R5#

But it is not in the routing table on R5.

R5#sh ip route 10.95.1.0
% Subnet not in table
R5#

So there is still an LSA for 10.95.1.0 in the LSDB on R5. Now let us see how R7, downstream of R5, reacts to R5 not running SPF against 10.95.1.0/24.

R7#sh ip ospf data summary 10.95.1.0 adv 2.2.2.2
OSPF Router with ID (7.7.7.7) (Process ID 1)
Summary Net Link States (Area 25)
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 181
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 10.95.1.0 (summary Network Number)
Advertising Router: 2.2.2.2
LS Seq Number: 80000001
Checksum: 0xDDAA
Length: 28
Network Mask: /24
MTID: 0 Metric: 66
R7#
R7#show ip route 10.95.1.0
Routing entry for 10.95.1.0/24
Known via "ospf 1", distance 110, metric 68, type inter area
Last update from 10.0.57.5 on FastEthernet0/1, 00:01:39 ago
Routing Descriptor Blocks:
* 10.0.57.5, from 2.2.2.2, 00:01:39 ago, via FastEthernet0/1
Route metric is 68, traffic share count is 1
R7#

So, what if the ABR for area 25 (R2) stopped SPF from running on 10.95.1.0/24? We apply the same configuration on R2.

R2(config)#ip prefix-list OSPF_FILTERING permit 10.95.1.0/24
R2(config)#route-map OSPF_FILTERING deny 1
R2(config-route-map)#match ip address prefix-list OSPF_FILTERING
R2(config-route-map)#route-map OSPF_FILTERING permit 9999
R2(config-route-map)#exit
R2(config)#router ospf 1
R2(config-router)#distribute-list route-map OSPF_FILTERING in

If we look at both the routing table and the OSPF database for 10.95.1.0, this is what we will see.

R2#show ip route 10.95.1.0
% Subnet not in table
R2#
R2#show ip ospf data sum 10.95.1.0
OSPF Router with ID (2.2.2.2) (Process ID 1)
Summary Net Link States (Area 0)
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 1561
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 10.95.1.0 (summary Network Number)
Advertising Router: 1.1.1.1
LS Seq Number: 80000001
Checksum: 0x7953
Length: 28
Network Mask: /24
MTID: 0 Metric: 2
R2#

This looks like what R5 showed earlier: the route 10.95.1.0/24 is not in the routing table but is still in the OSPF database. R5 and R7, however, now show a difference:

R5#sh ip route 10.95.1.0
% Subnet not in table
R5#
R5#sh ip ospf data sum 10.95.1.0
OSPF Router with ID (5.5.5.5) (Process ID 1)
R5#
R7#sh ip route 10.95.1.0
% Subnet not in table
R7#
R7#show ip ospf data sum 10.95.1.0
OSPF Router with ID (7.7.7.7) (Process ID 1)
R7#

On R5 and R7 the prefix is now gone from both the routing table and the LSDB, and if there is no LSA, SPF cannot be run against it. You have to watch where you put the distribute-list filtering: a filter on an ABR can unintentionally remove routes from devices you never meant to filter.

The next way to use distribute-list filtering is on an ASBR; you can stop a route from being advertised out of the local router using the distribute-list ... out command. We are going to filter 172.16.1.0/24 from leaving R6.

R6(config)#ip access-list standard OSPF_FILTERING
R6(config-std-nacl)#deny 172.16.1.0
R6(config-std-nacl)#permit any
R6(config-std-nacl)#router ospf 1
R6(config-router)#distribute-list OSPF_FILTERING out
R6(config-router)#end
R6#

Verification on R3 shows that all other routes are in the routing table except 172.16.1.0/24; outside the NSSA area, we see the same behavior on R7.

! Router 3 Verification
R3#sh ip route | inc 172.16
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O N2 172.16.0.0/24 [110/360] via 10.0.36.6, 00:21:31, FastEthernet0/0
O N2 172.16.2.0/25 [110/360] via 10.0.36.6, 00:21:31, FastEthernet0/0
O N2 172.16.2.128/25 [110/360] via 10.0.36.6, 00:21:31, FastEthernet0/0
O N2 172.16.55.0/24 [110/360] via 10.0.36.6, 00:21:31, FastEthernet0/0
R3#
! Router 7 Verification
R7#show ip route | inc 172.16
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O E2 172.16.0.0/24 [110/360] via 10.0.57.5, 00:06:01, FastEthernet0/1
O E2 172.16.2.0/25 [110/360] via 10.0.57.5, 00:06:01, FastEthernet0/1
O E2 172.16.2.128/25 [110/360] via 10.0.57.5, 00:06:01, FastEthernet0/1
O E2 172.16.55.0/24 [110/360] via 10.0.57.5, 00:06:01, FastEthernet0/1
R7#

ABR Filtering

We can also filter into and out of an ABR. This is called ABR filtering. If we are filtering “in”, the filter-list matches and filters prefixes as they enter the area. The flip side is that if we are filtering “out”, the filter-list matches and filters prefixes as they leave that area through the ABR. For example, suppose we want to filter 172.16.1.0/24 out of area 36. In that case, the prefix is blocked from being sent out of area 36, which affects all the other areas. If instead we filter 172.16.2.0/25 inbound into area 25, only area 25 filters this network; all other areas still receive it.

R3(config)#ip prefix-list FILTER_OUT_36 deny 172.16.1.0/24
R3(config)#ip prefix-list FILTER_OUT_36 permit 0.0.0.0/0 le 32
R3(config)#router ospf 1
R3(config-router)#area 36 filter-list prefix FILTER_OUT_36 out

Verify on devices in area 25 and area 14.

R5#sh ip route 172.16.1.0
% Subnet not in table
R4#sh ip route | inc 172.16
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA 172.16.0.0/24 [110/67] via 10.0.14.1, 00:00:00, FastEthernet0/0
O IA 172.16.2.0/25 [110/67] via 10.0.14.1, 00:00:00, FastEthernet0/0
O IA 172.16.2.128/25 [110/67] via 10.0.14.1, 00:00:00, FastEthernet0/0
O IA 172.16.55.0/24 [110/67] via 10.0.14.1, 00:00:00, FastEthernet0/0

As you can see, blocking 172.16.1.0/24 out of area 36 affects all areas. Now let’s block 172.16.2.0/25 from entering area 25.

R2(config)#ip prefix-list DENY_OSPF_A25 deny 172.16.2.0/25
R2(config)#ip prefix-list DENY_OSPF_A25 permit 0.0.0.0/0 le 32
R2(config)#router ospf 1
R2(config-router)#area 25 filter-list prefix DENY_OSPF_A25 in

Verify on an area 25 device.

R5#show ip route | inc 172.16.
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA 172.16.0.0/24 [110/131] via 10.0.25.2, 00:00:10, FastEthernet0/0
O IA 172.16.2.128/25 [110/131] via 10.0.25.2, 00:00:10, FastEthernet0/0
O IA 172.16.55.0/24 [110/131] via 10.0.25.2, 00:00:10, FastEthernet0/0

If we look at the ABR itself, we see that R2 still has a route to 172.16.2.0/25.

R2#sh ip route 172.16.2.0
Routing entry for 172.16.2.0/25
Known via "ospf 1", distance 110, metric 130, type inter area
Last update from 10.0.12.1 on Serial1/0.1, 00:02:14 ago
Routing Descriptor Blocks:
* 10.0.12.1, from 3.3.3.3, 00:02:14 ago, via Serial1/0.1
Route metric is 130, traffic share count is 1

This is because R3 advertised this inter-area route into area 0, and the filter on R2 only applies to prefixes entering area 25. If we look at the area 0 LSDB, we will see the LSA there, and R2 runs SPF on the area 0 prefix.

R2#show ip ospf database summary 172.16.2.0 adv 3.3.3.3
OSPF Router with ID (2.2.2.2) (Process ID 1)
Summary Net Link States (Area 0)
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 203
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 172.16.2.0 (summary Network Number)
Advertising Router: 3.3.3.3
LS Seq Number: 80000001
Checksum: 0xAA45
Length: 28
Network Mask: /25
MTID: 0 Metric: 2
R2#

Summarization

Finally, you can block prefixes based on summarization. On R1, we are going to configure a summary route to filter 10.95.0.0/23 from being advertised out to all other areas.

R1(config)#router ospf 1
R1(config-router)#area 14 range 10.95.0.0 255.255.254.0 not-advertise

We see on devices in areas 25 and 36 that 10.95.0.0/23 is filtered. This encompasses 10.95.0.0/24 and 10.95.1.0/24, while all other networks are still advertised.

R5#sh ip route | inc 10.95.
O IA 10.95.2.0/24 [110/67] via 10.0.25.2, 00:03:16, FastEthernet0/0
O IA 10.95.3.0/24 [110/67] via 10.0.25.2, 00:03:16, FastEthernet0/0
R6#sh ip route | inc 10.95.
O IA 10.95.2.0/24 [110/67] via 10.0.36.3, 00:07:11, FastEthernet0/0
O IA 10.95.3.0/24 [110/67] via 10.0.36.3, 00:07:11, FastEthernet0/0
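As an added example (not part of the original post, and not an IOS feature), the following Python models the matching rules behind each filter configured above: the route-map with its prefix-list on R5, the standard ACL on R6, the FILTER_OUT_36 and DENY_OSPF_A25 prefix-lists, and the area 14 range on R1. It lets you predict which prefixes a filter will block before applying it, and it also shows a common mistake the page's lists avoid: a `permit 0.0.0.0/0` without `le 32` matches only the default route, so everything else hits the implicit deny. All function, class and constant names are assumptions of this example.

```python
"""Predict what the IOS filters configured on this page will match.

Hypothetical helper code for this article: it models the matching rules of
'ip prefix-list', a standard ACL used with 'distribute-list ... out', a
route-map referencing a prefix-list, and 'area N range ... not-advertise'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass
class PrefixEntry:
    """'ip prefix-list NAME permit|deny A.B.C.D/n [ge x] [le y]'."""
    action: str
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: Net) -> bool:
        base = Net(self.prefix)
        if not route.subnet_of(base):            # the first n bits must agree
            return False
        # IOS length rules: none -> exactly n; le -> n..le; ge -> ge..32; both -> ge..le
        lo = self.ge if self.ge is not None else base.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else base.prefixlen)
        return lo <= route.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: Net) -> bool:
    """First match wins; an unmatched prefix hits the implicit deny at the end."""
    for e in entries:
        if e.matches(route):
            return e.action == "permit"
    return False


@dataclass
class AclEntry:
    """Standard ACL line; with 'distribute-list ACL out' only the route's network address is compared."""
    action: str
    address: str
    wildcard: str = "0.0.0.0"                    # 'deny 172.16.1.0' == exact network address, any mask

    def matches(self, route: Net) -> bool:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(self.wildcard))
        return int(route.network_address) & care == int(ipaddress.IPv4Address(self.address)) & care


def acl_permits(entries: List[AclEntry], route: Net) -> bool:
    for e in entries:
        if e.matches(route):
            return e.action == "permit"
    return False


@dataclass
class RouteMapSeq:
    """'route-map NAME permit|deny SEQ' with an optional 'match ip address prefix-list'."""
    action: str
    match: Optional[List[PrefixEntry]] = None    # None: the clause matches every route

    def matches(self, route: Net) -> bool:
        return self.match is None or prefix_list_permits(self.match, route)


def route_map_permits(seqs: List[RouteMapSeq], route: Net) -> bool:
    for s in seqs:
        if s.matches(route):
            return s.action == "permit"
    return False


def suppressed_by_range(range_net: str, route: Net) -> bool:
    """'area N range X MASK not-advertise' withholds every component prefix of X."""
    return route.subnet_of(Net(range_net))


# The filters exactly as configured on the page
R5_ROUTE_MAP = [RouteMapSeq("deny", [PrefixEntry("permit", "10.95.1.0/24")]),
                RouteMapSeq("permit")]                          # route-map ... permit 9999
R6_ACL = [AclEntry("deny", "172.16.1.0"),
          AclEntry("permit", "0.0.0.0", "255.255.255.255")]     # permit any
FILTER_OUT_36 = [PrefixEntry("deny", "172.16.1.0/24"),
                 PrefixEntry("permit", "0.0.0.0/0", le=32)]
DENY_OSPF_A25 = [PrefixEntry("deny", "172.16.2.0/25"),
                 PrefixEntry("permit", "0.0.0.0/0", le=32)]
AREA14_RANGE = "10.95.0.0/23"
# Common mistake (not on the page): without 'le 32' the permit matches only 0.0.0.0/0
FILTER_OUT_36_BROKEN = [PrefixEntry("deny", "172.16.1.0/24"),
                        PrefixEntry("permit", "0.0.0.0/0")]


def denied(filter_fn, entries, candidates: List[str]) -> List[str]:
    """Return the candidate prefixes the given filter would block."""
    return [c for c in candidates if not filter_fn(entries, Net(c))]


if __name__ == "__main__":
    cands = ["10.95.0.0/24", "10.95.1.0/24", "10.95.1.0/25", "10.95.2.0/24", "172.16.0.0/24",
             "172.16.1.0/24", "172.16.1.0/25", "172.16.2.0/25", "172.16.2.128/25", "0.0.0.0/0"]
    print("R5 distribute-list in :", denied(route_map_permits, R5_ROUTE_MAP, cands))
    print("R6 distribute-list out:", denied(acl_permits, R6_ACL, cands))
    print("FILTER_OUT_36         :", denied(prefix_list_permits, FILTER_OUT_36, cands))
    print("FILTER_OUT_36 (no le) :", denied(prefix_list_permits, FILTER_OUT_36_BROKEN, cands))
    print("DENY_OSPF_A25         :", denied(prefix_list_permits, DENY_OSPF_A25, cands))
    print("area 14 range         :", [c for c in cands if suppressed_by_range(AREA14_RANGE, Net(c))])
```

Two details worth noticing in the output: a prefix-list entry with no ge/le matches only that exact length, so 10.95.1.0/25 slips past R5's route-map, whereas the standard ACL on R6 ignores the mask entirely and blocks both 172.16.1.0/24 and 172.16.1.0/25.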

We have explored the three ways to filter routes from OSPF.  There are some nuances as to how OSPF route filtering can be used.  We have to keep a few things in mind:

  • If you use the distribute-list filtering technique, it does not delete the LSA. It stops SPF from running for the prefixes you want to filter.
  • Area filtering and summarization can only be implemented on the Area Border Router.
  • When filtering on an ABR, the summary LSA is not passed into the new area.

It is also essential to understand how LSAs work and how they are propagated. If you run into unexpected results when filtering, look at the contents of the LSDB: whether the LSA is present but the route is missing, or the LSA is missing altogether, tells you which kind of filter is at work. This is one of the tools that can lead you down the right troubleshooting path.
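The troubleshooting step above can be turned into a small check. The following Python is an added example (not part of the original post, and not an IOS feature): it parses the `show ip ospf database summary` and `show ip route` text formats shown on this page and classifies each prefix you expect to see as installed, present in the LSDB but absent from the routing table (the signature of a local `distribute-list ... in`), or absent from the LSDB altogether (filtered before it reached this router by an ABR filter-list, an `area range ... not-advertise`, or an ASBR `distribute-list ... out`). The sample outputs are constructed in the page's format; all function names are assumptions of this example.

```python
"""Classify OSPF prefixes by comparing the summary LSDB with the routing table.

Hypothetical helper code for this article. It understands the IOS text
formats shown on the page and explains a missing route in terms of the
three filtering methods.
"""
import re
from typing import Dict, Iterable, Set

LSID_RE = re.compile(r"Link State ID:\s+(\d+\.\d+\.\d+\.\d+)")
ADV_RE = re.compile(r"Advertising Router:\s+(\d+\.\d+\.\d+\.\d+)")
MASK_RE = re.compile(r"Network Mask:\s+/(\d+)")
# 'O', 'O IA', 'O E2', 'O N2' ... followed by the prefix in 'show ip route'
RIB_RE = re.compile(r"^O(?:\s+(?:IA|E1|E2|N1|N2))?\s+(\d+\.\d+\.\d+\.\d+/\d+)")

# Constructed sample in the format of 'show ip ospf database summary' on this page
SAMPLE_LSDB = """\
OSPF Router with ID (5.5.5.5) (Process ID 1)
Summary Net Link States (Area 25)
LS age: 196
LS Type: Summary Links(Network)
Link State ID: 10.95.1.0 (summary Network Number)
Advertising Router: 2.2.2.2
Network Mask: /24
MTID: 0 Metric: 66
Link State ID: 10.95.2.0 (summary Network Number)
Advertising Router: 2.2.2.2
Network Mask: /24
MTID: 0 Metric: 66
"""

# Constructed sample in the format of 'show ip route' on this page
SAMPLE_RIB = """\
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.0.57.0/24 is directly connected, FastEthernet0/1
O        10.0.25.0/24 [110/2] via 10.0.25.2, 00:03:16, FastEthernet0/0
O IA     10.95.2.0/24 [110/67] via 10.0.25.2, 00:03:16, FastEthernet0/0
"""


def parse_summary_lsdb(text: str) -> Dict[str, str]:
    """Map prefix -> advertising router for every summary (Type-3) LSA in the output."""
    lsas: Dict[str, str] = {}
    lsid = adv = None
    for line in text.splitlines():
        m = LSID_RE.search(line)
        if m:
            lsid = m.group(1)
            continue
        m = ADV_RE.search(line)
        if m:
            adv = m.group(1)
            continue
        m = MASK_RE.search(line)
        if m and lsid and adv:
            lsas[f"{lsid}/{m.group(1)}"] = adv     # one record is complete at the mask line
            lsid = adv = None
    return lsas


def parse_rib(text: str) -> Set[str]:
    """Collect the OSPF-learned prefixes present in 'show ip route' output."""
    found: Set[str] = set()
    for line in text.splitlines():
        m = RIB_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def audit(expected: Iterable[str], lsdb_text: str, rib_text: str) -> Dict[str, str]:
    """For each expected prefix, say whether it is installed, LSDB-only, or has no LSA."""
    lsdb = parse_summary_lsdb(lsdb_text)
    rib = parse_rib(rib_text)
    verdict: Dict[str, str] = {}
    for p in expected:
        if p in rib:
            verdict[p] = "installed"
        elif p in lsdb:
            # LSA present, route absent: a local 'distribute-list ... in' (or a better path elsewhere)
            verdict[p] = "lsdb_only"
        else:
            # No LSA at all: filtered upstream by an ABR filter-list,
            # 'area range ... not-advertise', or an ASBR 'distribute-list ... out'
            verdict[p] = "missing_lsa"
    return verdict


if __name__ == "__main__":
    for prefix, state in audit(["10.95.0.0/24", "10.95.1.0/24", "10.95.2.0/24"],
                               SAMPLE_LSDB, SAMPLE_RIB).items():
        print(f"{prefix:18} {state}")
```

On a real device you would feed the two command outputs into `audit` with the list of prefixes you expect the area to carry; the "lsdb_only" verdict points at the local router's own inbound distribute-list, while "missing_lsa" sends you upstream to the ABR or ASBR.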