I know what some of you are thinking when I say OSPF route filtering: “Mike, did you bang your head on something?  LSDBs have to be consistent across the entire area for OSPF to properly calculate SPF, so how can you filter routes?”  There are three ways to filter routes in OSPF:

  • Distribute-Lists
  • Area Filter-Lists
  • Summarization

Each one of these has to be done on certain devices so that the LSDB is not harmed in any way and all OSPF devices in the area see the network in the same way.

This is the diagram we are going to use to demonstrate filtering:

[Diagram: OSPF Route Filtering]

Distribute-List Filtering

The first way to filter a route is the distribute-list command.  You have two options, inbound and outbound. Although it may not seem intuitive, this is what OSPF will block with the direction you choose:

  • Inbound: Will filter the network. This will stop SPF from running against it but the LSA will still be in the LSDB.
  • Outbound: Will filter redistributed networks on the ASBR.

Looking at the above topology, let’s take 10.95.1.0/24 and see what would happen if we configured R5 to not run SPF against it.

R5(config)#ip prefix-list OSPF_FILTERING permit 10.95.1.0/24
R5(config)#route-map OSPF_FILTERING deny 1
R5(config-route-map)#match ip address prefix-list OSPF_FILTERING
R5(config-route-map)#route-map OSPF_FILTERING permit 9999
R5(config-route-map)#exit
R5(config)#router ospf 1
R5(config-router)#distribute-list route-map OSPF_FILTERING in

Let’s see if the LSA is still in the LSDB on R5:

R5#show ip ospf database summary 10.95.1.0

            OSPF Router with ID (5.5.5.5) (Process ID 1)

                Summary Net Link States (Area 25)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 196
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.95.1.0 (summary Network Number)
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000001
  Checksum: 0xDDAA
  Length: 28
  Network Mask: /24
        MTID: 0         Metric: 66

R5#

But it is not in the routing table on R5:

R5#sh ip route 10.95.1.0
% Subnet not in table
R5#

So we see there is still an LSA in the LSDB on R5 for 10.95.1.0. Let’s see how R7 reacts to R5 not running SPF against 10.95.1.0/24:

R7#sh ip ospf data summary 10.95.1.0 adv 2.2.2.2

            OSPF Router with ID (7.7.7.7) (Process ID 1)

                Summary Net Link States (Area 25)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 181
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.95.1.0 (summary Network Number)
  Advertising Router: 2.2.2.2
  LS Seq Number: 80000001
  Checksum: 0xDDAA
  Length: 28
  Network Mask: /24
        MTID: 0         Metric: 66

R7#
R7#show ip route 10.95.1.0
Routing entry for 10.95.1.0/24
  Known via "ospf 1", distance 110, metric 68, type inter area
  Last update from 10.0.57.5 on FastEthernet0/1, 00:01:39 ago
  Routing Descriptor Blocks:
  * 10.0.57.5, from 2.2.2.2, 00:01:39 ago, via FastEthernet0/1
      Route metric is 68, traffic share count is 1
R7#

So, what if the ABR in area 25 (R2) was stopping SPF from running on 10.95.1.0/24? We put the same

R2(config)#ip prefix-list OSPF_FILTERING permit 10.95.1.0/24
R2(config)#route-map OSPF_FILTERING deny 1
R2(config-route-map)#match ip address prefix-list OSPF_FILTERING
R2(config-route-map)#route-map OSPF_FILTERING permit 9999
R2(config-route-map)#exit
R2(config)#router ospf 1
R2(config-router)#distribute-list route-map OSPF_FILTERING in

If we look at both the routing table and the OSPF database for 10.95.1.0, this is what we will see:

R2#show ip route 10.95.1.0
% Subnet not in table
R2#show ip ospf data sum 10.95.1.0

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1561
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.95.1.0 (summary Network Number)
  Advertising Router: 1.1.1.1
  LS Seq Number: 80000001
  Checksum: 0x7953
  Length: 28
  Network Mask: /24
        MTID: 0         Metric: 2

R2#

This looks similar to what R5 showed earlier: the route 10.95.1.0/24 is not in the routing table, but it is in the OSPF database. R5 and R7 show a slight difference, though:

R5#sh ip route 10.95.1.0
% Subnet not in table
R5#sh ip ospf data sum 10.95.1.0

OSPF Router with ID (5.5.5.5) (Process ID 1)
R5#
R7#sh ip route 10.95.1.0
% Subnet not in table
R7#show ip ospf data sum 10.95.1.0

OSPF Router with ID (7.7.7.7) (Process ID 1)
R7#

On both R5 and R7 the LSA is gone from the LSDB, and if there is no LSA, SPF cannot be run against it. You have to watch where you put the distribute-list filtering: applied on an ABR, it can unintentionally filter routes on other devices where you did not want them filtered.
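
The check below is an added example, not part of the original post: it scans IOS configurations for an inbound OSPF distribute-list and reports whether the router is attached to more than one area, which is the placement that removed the route from R5 and R7 above. The R2 and R5 snippets (network statements, interface name) are constructed for illustration, and "more than one area" is used as a simple stand-in for "is an ABR".

```python
import re

def audit_inbound_distribute_lists(configs):
    """Flag OSPF 'distribute-list ... in' and say whether the router is an ABR.

    configs maps hostname -> IOS running-config text. Returns a list of
    (hostname, filter_name, sorted_areas, is_abr) tuples.
    """
    findings = []
    for host, text in configs.items():
        areas, filters, in_ospf = set(), [], False
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line == "!":
                continue
            if not raw[0].isspace():              # top-level line opens a new section
                in_ospf = line.startswith("router ospf ")
                continue
            area = re.search(r"^(?:network \S+ \S+|ip ospf \d+) area (\S+)$", line)
            if area:
                areas.add(area.group(1))
            flt = re.match(r"distribute-list (?:route-map |prefix )?(\S+) in$", line)
            if in_ospf and flt:
                filters.append(flt.group(1))
        for name in filters:
            # More than one attached area is treated as "this router is an ABR".
            findings.append((host, name, sorted(areas), len(areas) > 1))
    return findings

# Constructed running-config fragments (addresses and masks are assumptions).
R2_CONFIG = """\
router ospf 1
 network 10.0.12.0 0.0.0.255 area 0
 network 10.0.25.0 0.0.0.255 area 25
 distribute-list route-map OSPF_FILTERING in
"""
R5_CONFIG = """\
interface FastEthernet0/0
 ip ospf 1 area 25
!
router ospf 1
 distribute-list route-map OSPF_FILTERING in
"""

if __name__ == "__main__":
    for host, name, areas, is_abr in audit_inbound_distribute_lists(
            {"R2": R2_CONFIG, "R5": R5_CONFIG}):
        scope = "ABR: downstream areas lose the route" if is_abr else "local RIB only"
        print(f"{host}: distribute-list {name} in, areas {areas} -> {scope}")
```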

The next way to use distribute-list filtering is on an ASBR: you can stop a route from being advertised out of the local router using the distribute-list out command. We are going to filter 172.16.1.0/24 from leaving R6:

R6(config)#ip access-list standard OSPF_FILTERING
R6(config-std-nacl)#deny 172.16.1.0
R6(config-std-nacl)#permit any
R6(config-std-nacl)#router ospf 1
R6(config-router)#distribute-list OSPF_FILTERING out
R6(config-router)#end
R6#

Verification on R3 shows that all of the other routes are in the routing table, but not 172.16.1.0/24. Outside the NSSA area, we see the same behavior on R7:

! Router 3 Verification
R3#sh ip route | inc 172.16
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O N2 172.16.0.0/24 [110/360] via 10.0.36.6, 00:21:31, FastEthernet0/0
O N2 172.16.2.0/25 [110/360] via 10.0.36.6, 00:21:31, FastEthernet0/0
O N2 172.16.2.128/25 [110/360] via 10.0.36.6, 00:21:31, FastEthernet0/0
O N2 172.16.55.0/24 [110/360] via 10.0.36.6, 00:21:31, FastEthernet0/0
R3#
! Router 7 Verification
R7#show ip route | inc 172.16
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O E2 172.16.0.0/24 [110/360] via 10.0.57.5, 00:06:01, FastEthernet0/1
O E2 172.16.2.0/25 [110/360] via 10.0.57.5, 00:06:01, FastEthernet0/1
O E2 172.16.2.128/25 [110/360] via 10.0.57.5, 00:06:01, FastEthernet0/1
O E2 172.16.55.0/24 [110/360] via 10.0.57.5, 00:06:01, FastEthernet0/1
R7#

ABR Filtering

We can also filter into and out of an ABR; this is called ABR filtering. If we are filtering “in”, the filter matches prefixes inbound into the area. The flip side is that if we are filtering “out”, the filter applies to the route as it leaves the ABR for that area. For example, if we filter 172.16.1.0/24 out of area 36, the prefix is stopped from being sent out of area 36, which affects all the configured areas, whereas if we filter 172.16.2.0/24 inbound into area 25, only area 25 will filter this network; all other areas will not filter it.

R3(config)#ip prefix-list FILTER_OUT_36 deny 172.16.1.0/24
R3(config)#ip prefix-list FILTER_OUT_36 permit 0.0.0.0/0 le 32
R3(config)#router ospf 1
R3(config-router)#area 36 filter-list prefix FILTER_OUT_36 out

Verify on devices in area 25 and area 14:

R5#sh ip route 172.16.1.0
% Subnet not in table

R4#sh ip route | inc 172.16
      172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O IA     172.16.0.0/24 [110/67] via 10.0.14.1, 00:00:00, FastEthernet0/0
O IA     172.16.2.0/25 [110/67] via 10.0.14.1, 00:00:00, FastEthernet0/0
O IA     172.16.2.128/25 [110/67] via 10.0.14.1, 00:00:00, FastEthernet0/0
O IA     172.16.55.0/24 [110/67] via 10.0.14.1, 00:00:00, FastEthernet0/0

As you can see, blocking 172.16.1.0/24 out of area 36 will affect all areas. Now let’s block 172.16.2.0/25 from area 25:

R2(config)#ip prefix-list DENY_OSPF_A25 deny 172.16.2.0/25
R2(config)#ip prefix-list DENY_OSPF_A25 permit 0.0.0.0/0 le 32
R2(config)#router ospf 1
R2(config-router)#area 25 filter-list prefix DENY_OSPF_A25 in

Verify on an area 25 device:

R5#show ip route | Inc 172.16.
      172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O IA     172.16.0.0/24 [110/131] via 10.0.25.2, 00:00:10, FastEthernet0/0
O IA     172.16.2.128/25 [110/131] via 10.0.25.2, 00:00:10, FastEthernet0/0
O IA     172.16.55.0/24 [110/131] via 10.0.25.2, 00:00:10, FastEthernet0/0

If we look at the ABR, we see that it still has a route to 172.16.2.0/25:

R2#sh ip route 172.16.2.0
Routing entry for 172.16.2.0/25
  Known via "ospf 1", distance 110, metric 130, type inter area
  Last update from 10.0.12.1 on Serial1/0.1, 00:02:14 ago
  Routing Descriptor Blocks:
  * 10.0.12.1, from 3.3.3.3, 00:02:14 ago, via Serial1/0.1
      Route metric is 130, traffic share count is 1

This is because this is the inter-area route that R3 advertised into area 0. If we look at the area 0 LSDB, we will see this LSA there, and R2 will run SPF on the area 0 prefix.

R2#show ip ospf database summary 172.16.2.0 adv 3.3.3.3

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Summary Net Link States (Area 0)

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 203
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 172.16.2.0 (summary Network Number)
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000001
  Checksum: 0xAA45
  Length: 28
  Network Mask: /25
        MTID: 0         Metric: 2

R2#

Summarization

Finally, you can block prefixes based on summarization. On R1 we are going to configure a summary route to filter 10.95.0.0/23 from being advertised out to all other areas:

R1(config)#router ospf 1
R1(config-router)#area 14 range 10.95.0.0 255.255.254.0 not-advertise

We see on devices in area 25 and 36 that they are filtering 10.95.0.0/23, which encompasses 10.95.0.0/24 and 10.95.1.0/24, while all other networks are advertised:

R5#sh ip route | inc 10.95.
O IA 10.95.2.0/24 [110/67] via 10.0.25.2, 00:03:16, FastEthernet0/0
O IA 10.95.3.0/24 [110/67] via 10.0.25.2, 00:03:16, FastEthernet0/0
R6#sh ip route | inc 10.95.
O IA 10.95.2.0/24 [110/67] via 10.0.36.3, 00:07:11, FastEthernet0/0
O IA 10.95.3.0/24 [110/67] via 10.0.36.3, 00:07:11, FastEthernet0/0
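
The following added example (not from the original post) models the two ABR-side filters from the ABR Filtering and Summarization sections: first-match prefix-list evaluation with its implicit deny, and suppression of prefixes covered by a not-advertise range. It is a simplified model of which prefixes an ABR still advertises, using the prefix lists and routes shown on this page; the function names are hypothetical.

```python
import ipaddress

def prefix_list_permits(entries, route):
    """IOS-style prefix-list: first matching entry wins, implicit deny at the end.
    entries: (action, prefix, ge, le) tuples; ge/le are None when not configured."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

def summaries_sent(routes, filter_list=None, hidden_ranges=()):
    """Simplified model: prefixes the ABR still advertises as summaries."""
    hidden = [ipaddress.ip_network(h) for h in hidden_ranges]
    sent = []
    for route in routes:
        net = ipaddress.ip_network(route)
        if any(net.subnet_of(h) for h in hidden):
            continue  # covered by "area N range ... not-advertise"
        if filter_list is not None and not prefix_list_permits(filter_list, route):
            continue  # dropped by "area N filter-list prefix ..."
        sent.append(route)
    return sent

# Prefix lists, range and routes taken from the configurations and outputs on this page.
FILTER_OUT_36 = [("deny", "172.16.1.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)]
DENY_OSPF_A25 = [("deny", "172.16.2.0/25", None, None), ("permit", "0.0.0.0/0", None, 32)]
AREA36 = ["172.16.0.0/24", "172.16.1.0/24", "172.16.2.0/25",
          "172.16.2.128/25", "172.16.55.0/24"]
AREA14 = ["10.95.0.0/24", "10.95.1.0/24", "10.95.2.0/24", "10.95.3.0/24"]

def demo():
    leaves_36 = summaries_sent(AREA36, filter_list=FILTER_OUT_36)       # R3, "out"
    enters_25 = summaries_sent(leaves_36, filter_list=DENY_OSPF_A25)    # R2, "in"
    leaves_14 = summaries_sent(AREA14, hidden_ranges=["10.95.0.0/23"])  # R1, range
    return leaves_36, enters_25, leaves_14

if __name__ == "__main__":
    for label, result in zip(("out of area 36", "into area 25", "out of area 14"), demo()):
        print(f"{label}: {result}")
```

Dropping the `permit 0.0.0.0/0 le 32` entry from either list makes the implicit deny filter every prefix, not just the one named in the deny line.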

We have explored the three ways to filter routes in OSPF.  There are some nuances as to how they can be used; we just have to keep a few things in mind:

  • If you use the distribute-list filtering technique, it does not delete the LSA; it stops SPF from running for the prefixes you want to filter
  • Area filtering and Summarization can only be implemented on the Area Border Router
  • When filtering is done on an ABR, the summary LSA is not passed into the new area

It is also important to have a general understanding of how LSAs work and how they are propagated.  If you run into unexpected results when filtering, looking at the contents of the LSDB can help lead you down the right troubleshooting path.
