OSPF Route Filtering

Route filtering is a method for selectively identifying routes that are advertised to or received from neighbor routers. Route filtering may be used to manipulate traffic flows, reduce memory utilization, or improve security.

Filtering of routes with vector-based routing protocols is straightforward as the routes are filtered as routing updates are advertised to downstream neighbors. However, with link-state routing protocols such as OSPF, every router in an area shares a complete copy of the link-state database. Therefore, filtering of routes generally occurs as routes enter the area on the ABR.

Route Filtering

  • Type 3 LSA Filtering - remove routes from the LSDB
    • Filter with summarization
    • Area filtering
  • Type 5 LSA Filtering
    • Outbound distribute-list
      • We set it on the ASBR to filter certain networks from entering the area.
    • Route-Map
      • Why not prevent certain routes from being redistributed in the first place? Technically this isn't filtering, but it works well.
  • Local Filtering - don't remove routes from the LSDB of area routers, routes are only removed from the RIB of local router

OSPF has built-in controls over route propagation. OSPF routes are permitted or denied into different OSPF areas based on area type, such as backbone area, normal (non-stub) area, stub area, Not-So-Stubby Area (NSSA), and totally stubby area.

There are two methods to filter Type 3 LSAs on the ABR, both of which remove them from the OSPF LSDB.

The first method is to apply a filter-list to networks moving from one area into or out of another area. The command area x filter-list prefix name [in|out] filters type 3 LSAs on an ABR and can be applied to inbound or outbound routes.

Using this method:

  • filtering routes into area 0 eliminates their advertisement within all OSPF areas in the routing domain except the originating area.
  • filtering routes into a non-backbone area eliminates their advertisement only within the target area.

The other method for filtering type 3 LSAs is to use an area range statement with the “not-advertise” parameter. This statement is comparable to the filter-list prefix statement with the out parameter. The area range statement is more commonly used to advertise a range of networks to other areas within an OSPF routing domain. The use of the not-advertise parameter suppresses the advertisement of a range of networks to the other areas.

Other filtering methods do not remove routes from the LSDB of area routers. Routes are only removed from the routing table of the local router. Other routers in the same area that do not have filters applied will continue to advertise the routes. A possible result is a black hole in the routing domain. OSPF neighbors could forward traffic to a router that is filtering the route to which it has the lowest cost path.

The most basic filter is the inbound distribute-list. The outbound distribute-list is exclusively used to filter OSPF routes in route redistribution between OSPF and a different routing protocol or OSPF process. The distribute-list in can be applied to any router within the area. A standard access-list or a prefix-list may be used.

Another method of filtering OSPF inbound routes is to alter the administrative distance of the routes. Administrative distance is an arbitrary value reflecting the desirability of the route relative to how it is learned by the local router. The route could be learned via multiple routing protocols, connected networks, or static routes. If a route has multiple sources, the one with the lowest administrative distance is inserted into the routing table. An OSPF route is considered unreachable with an administrative distance of 255, the equivalent of infinity, and will not be inserted into the routing table.

In summary, filtering routes within an OSPF domain takes many forms. OSPF has built-in conventions for filtering different types of routes into different types of areas, such as stub, totally-stubby, and NSSA.

Several filtering methods remove LSAs from the LSDB. These include prefix suppression and type 3 LSA filtering on an ABR with either the area x filter-list or the area range not-advertise statements.

Methods that only impact the routing table of the local router and not the LSDB include cost/administrative distance adjustments and inbound distribute-lists with or without route-maps. These methods have no impact on the advertisement of routes to other routers in the OSPF domain. The routes are only removed from the local routing table, which prevents the use of the routes to forward traffic from the local router.

Type 3 LSA Filtering

  • Filtering with Summarization
  • Area Filtering

Filtering with Summarization

area area-id range network subnet-mask not-advertise [ABR]

  • One of the easiest methodologies for filtering routes is to use the not-advertise keyword during prefix summarization.
  • Using this keyword prevents creation of any type 3 LSAs for any networks in that range, thus making the subordinate routes visible only within the area where the route originates.

Example:

  • R1 is advertising the 172.16.x.x networks.
  • R2 can filter out any of the Type 1 LSAs that are generated in Area 12 from being advertised into Area 0.
  • Result: Checking R3’s RIB, the 172.16.2.0/24 network has been removed from Area 0. If a larger network range were configured, then more of the subordinate routes would be filtered.
				
R2
router ospf 1
 area 12 range 172.16.2.0 255.255.255.0 not-advertise

Verifying Removal of 172.16.2.0 from Area 0
R3# show ip route ospf | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O IA     10.12.1.0/24 [110/3] via 10.23.1.2, 00:02:24, GigabitEthernet0/0
      172.16.0.0/24 is subnetted, 2 subnets
O IA     172.16.1.0 [110/4] via 10.34.1.3, 00:00:17, GigabitEthernet0/0
O IA     172.16.3.0 [110/4] via 10.34.1.3, 00:00:17, GigabitEthernet0/0

Area Filtering

area area-id filter-list prefix prefix-list-name {in | out} [ABR]

Although filtering via summarization is very easy, it is limited in its ability. For example, if the 172.16.1.0/24 network needs to be present in Area 0 but removed in Area 34, it is not possible to filter the route using summarization.

The ABR can filter routes as they are advertised out of an area or into an area:

  • R2 is able to filter routes (LSAs) outbound as they leave Area 12 or inbound as they enter Area 0.
  • R3 can filter routes as they leave Area 0 or enter Area 34.
  • The same logic applies to routes advertised in the opposite direction.

Example:

  • R1 is advertising the 172.16.x.x/24 network prefixes.
  • R2 is configured to filter the 172.16.1.0/24 prefix as it enters Area 0.
  • R3 is configured to filter the 172.16.2.0/24 prefix as it leaves Area 0.
				
R2
ip prefix-list PREFIX-FILTER seq 5 deny 172.16.1.0/24
ip prefix-list PREFIX-FILTER seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
 router-id 192.168.2.2
 network 10.12.1.0 0.0.0.255 area 12
 network 10.23.1.0 0.0.0.255 area 0
 area 0 filter-list prefix PREFIX-FILTER in

R3
ip prefix-list PREFIX-FILTER seq 5 deny 172.16.2.0/24
ip prefix-list PREFIX-FILTER seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
 router-id 192.168.3.3
 network 10.23.1.0 0.0.0.255 area 0
 network 10.34.1.0 0.0.0.255 area 34
 area 0 filter-list prefix PREFIX-FILTER out

The routing tables for R3 and R4 below show that:

  • The 172.16.1.0/24 network has been filtered from all the routers in Area 0.
  • The 172.16.2.0/24 network has been filtered from all the routers in Area 34.
  • This verifies that the area filtering was successful for routes entering the backbone and leaving the backbone.
R3# show ip route ospf | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O IA     10.12.1.0/24 [110/2] via 10.23.1.2, 00:17:39, GigabitEthernet0/1
      172.16.0.0/24 is subnetted, 2 subnets
O IA     172.16.2.0 [110/3] via 10.23.1.2, 00:16:30, GigabitEthernet0/1
O IA     172.16.3.0 [110/3] via 10.23.1.2, 00:16:30, GigabitEthernet0/1
R4# show ip route ospf | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
O IA     10.12.1.0/24 [110/3] via 10.34.1.3, 00:19:41, GigabitEthernet0/0
O IA     10.23.1.0/24 [110/2] via 10.34.1.3, 00:19:41, GigabitEthernet0/0
      172.16.0.0/24 is subnetted, 1 subnets
O IA     172.16.3.0 [110/4] via 10.34.1.3, 00:17:07, GigabitEthernet0/0
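
The first-match and implicit-deny behaviour that these prefix lists rely on, modelled in Python as an added example (not part of the original page, and not Cisco code). The function names are hypothetical; the prefix-list text and the three 172.16.x.0/24 prefixes are taken from the R2 and R3 configurations, and the variant without "le 32" is constructed to show what happens when the trailing permit is written incorrectly.

```python
import ipaddress
import re

# Matches the entry form used on this page:
#   ip prefix-list NAME seq N permit|deny PREFIX/LEN [ge X] [le Y]
ENTRY = re.compile(
    r"ip prefix-list \S+ seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?")

def parse_prefix_list(config):
    """Return entries as (seq, action, network, min_len, max_len), ordered by seq."""
    entries = []
    for seq, action, prefix, ge, le in ENTRY.findall(config):
        net = ipaddress.ip_network(prefix)
        # No ge/le: length must equal the entry's. ge only: up to /32.
        # le only: from the entry's own length up to le.
        lo = int(ge) if ge else net.prefixlen
        hi = int(le) if le else (32 if ge else net.prefixlen)
        entries.append((int(seq), action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def permitted(entries, route):
    """First matching entry decides; no match means the implicit deny applies."""
    route = ipaddress.ip_network(route)
    for _seq, action, net, lo, hi in entries:
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action == "permit"
    return False

def propagate(prefixes, *filter_lists):
    """Apply each ABR's filter-list in turn to the type 3 LSA prefixes."""
    for config in filter_lists:
        entries = parse_prefix_list(config)
        prefixes = [p for p in prefixes if permitted(entries, p)]
    return prefixes

# Prefix lists copied from the R2 and R3 configurations above.
R2_IN_AREA0 = """ip prefix-list PREFIX-FILTER seq 5 deny 172.16.1.0/24
ip prefix-list PREFIX-FILTER seq 10 permit 0.0.0.0/0 le 32"""
R3_OUT_AREA0 = """ip prefix-list PREFIX-FILTER seq 5 deny 172.16.2.0/24
ip prefix-list PREFIX-FILTER seq 10 permit 0.0.0.0/0 le 32"""
# Constructed variant: the same list with "le 32" left off the permit entry.
R2_MISSING_LE = R2_IN_AREA0.replace(" le 32", "")
AREA12 = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]

if __name__ == "__main__":
    print("Area 0 :", propagate(AREA12, R2_IN_AREA0))
    print("Area 34:", propagate(AREA12, R2_IN_AREA0, R3_OUT_AREA0))
    print("No le 32:", propagate(AREA12, R2_MISSING_LE))
```

The Area 0 and Area 34 results agree with the 172.16.x.0 entries in the R3 and R4 routing tables; without "le 32" the permit entry matches only 0.0.0.0/0 itself, so every /24 falls through to the implicit deny.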

Local OSPF Filtering

In some scenarios, routes need to be removed only on specific routers in an area. OSPF is a link-state protocol that requires all routers in the same area to maintain an identical copy of the LSDB for that area. A route can exist in the OSPF LSDB, but it could be prevented from being installed in the local RIB. This is accomplished by using a distribute list.

A distribute list on an ABR does not prevent type 1 LSAs from becoming type 3 LSAs in a different area because the type 3 LSA generation occurs before the distribute list is processed.

However, a distribute list on an ABR prevents type 3 LSAs coming from the backbone from being regenerated into nonbackbone areas because this regeneration process happens after the distribute list is processed. A distribute list should not be used for filtering of prefixes between areas.

Example:

  • R1 is advertising the 172.16.1.0/24, 172.16.2.0/24, and 172.16.3.0/24 network prefixes.
  • R2 filters the 172.16.3.0/24 network from entering its RIB.
  • Result: The 172.16.3.0/24 network is removed from R2’s RIB but is present on R3’s RIB.
				
R2
ip access-list standard ACL-OSPF-FILTER
 deny 172.16.3.0
 permit any
!
router ospf 1
 router-id 192.168.2.2
 network 10.12.1.0 0.0.0.255 area 12
 network 10.23.1.0 0.0.0.255 area 0
 distribute-list ACL-OSPF-FILTER in

R2# show ip route ospf | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O IA     10.34.1.0/24 [110/2] via 10.23.1.3, 00:02:21, GigabitEthernet0/1
      172.16.0.0/24 is subnetted, 2 subnets
O        172.16.1.0 [110/2] via 10.12.1.1, 00:02:21, GigabitEthernet0/0
O        172.16.2.0 [110/2] via 10.12.1.1, 00:02:21, GigabitEthernet0/0
R3# show ip route ospf | begin Gateway
Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
O IA     10.12.1.0/24 [110/2] via 10.23.1.2, 00:24:11, GigabitEthernet0/1
      172.16.0.0/24 is subnetted, 3 subnets
O IA     172.16.1.0 [110/3] via 10.23.1.2, 00:01:54, GigabitEthernet0/1
O IA     172.16.2.0 [110/3] via 10.23.1.2, 00:23:02, GigabitEthernet0/1
O IA     172.16.3.0 [110/3] via 10.23.1.2, 00:23:02, GigabitEthernet0/1
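
A check for the black-hole condition that local filtering can create, as an added Python example (not part of the original page): it parses the two `show ip route ospf` outputs above and reports prefixes that R3 forwards to R2 although R2 has no route for them. The function names are hypothetical, and it assumes that 10.23.1.2 is R2's address on the link to R3 and that R2's connected networks are the two in its OSPF network statements.

```python
import ipaddress
import re

ROUTE = re.compile(r"^O\s+(?:IA\s+)?(\d+(?:\.\d+){3})(?:/(\d+))?\s+\[\d+/\d+\] via (\S+),")
HEADER = re.compile(r"^\s*\d+(?:\.\d+){3}/(\d+) is subnetted")

def parse_rib(output):
    """Map each prefix in 'show ip route ospf' output to its next-hop address."""
    rib, inherited = {}, None
    for line in output.splitlines():
        header = HEADER.match(line)
        if header:  # "172.16.0.0/24 is subnetted": child lines omit the length
            inherited = header.group(1)
            continue
        route = ROUTE.match(line)
        if route:
            addr, plen, nexthop = route.groups()
            prefix = ipaddress.ip_network(f"{addr}/{plen or inherited}")
            rib[prefix] = ipaddress.ip_address(nexthop)
    return rib

def black_holes(upstream_rib, filter_rib, filter_addrs, filter_connected):
    """Prefixes the upstream router sends to the filtering router, which has no route."""
    reachable = list(filter_rib) + filter_connected
    return sorted(str(prefix) for prefix, nexthop in upstream_rib.items()
                  if nexthop in filter_addrs
                  and not any(prefix.subnet_of(net) for net in reachable))

# OSPF route lines copied from the R2 and R3 outputs above.
R2_RIB = parse_rib("""\
O IA     10.34.1.0/24 [110/2] via 10.23.1.3, 00:02:21, GigabitEthernet0/1
      172.16.0.0/24 is subnetted, 2 subnets
O        172.16.1.0 [110/2] via 10.12.1.1, 00:02:21, GigabitEthernet0/0
O        172.16.2.0 [110/2] via 10.12.1.1, 00:02:21, GigabitEthernet0/0""")
R3_RIB = parse_rib("""\
O IA     10.12.1.0/24 [110/2] via 10.23.1.2, 00:24:11, GigabitEthernet0/1
      172.16.0.0/24 is subnetted, 3 subnets
O IA     172.16.1.0 [110/3] via 10.23.1.2, 00:01:54, GigabitEthernet0/1
O IA     172.16.2.0 [110/3] via 10.23.1.2, 00:23:02, GigabitEthernet0/1
O IA     172.16.3.0 [110/3] via 10.23.1.2, 00:23:02, GigabitEthernet0/1""")
# Assumption: 10.23.1.2 is R2's address on the link to R3 (R3's next hop above).
R2_ADDRS = {ipaddress.ip_address("10.23.1.2")}
# R2's connected networks, taken from its two OSPF network statements.
R2_CONNECTED = [ipaddress.ip_network("10.12.1.0/24"), ipaddress.ip_network("10.23.1.0/24")]

if __name__ == "__main__":
    print(black_holes(R3_RIB, R2_RIB, R2_ADDRS, R2_CONNECTED))
```

The only prefix reported is 172.16.3.0/24: the type 3 LSA still reaches Area 0, so R3 keeps R2 as its next hop even though the distribute list removed the route from R2's RIB.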

Summary

  • OSPF filtering is normally applied between areas
    • LSA Type-3 Filtering
      • Summarization
      • Area Filtering
    • NSSA ABR External Prefix Filtering
    • Transit prefix suppression
  • OSPF RIB can be filtered anywhere
    • Distribute-list with ACL
    • Distribute-list with Route-Map
    • Administrative Distance
  • RIB filtering can be dangerous
    • Does not stop the flooding of LSAs within the area

 
