Course:
CCNP ENARSI Labs
In this part, you will learn about OSPF route filtering. Route filtering is a method for selectively identifying routes that are advertised or received from neighbor routers. Route filtering may be used to manipulate traffic flows, reduce memory utilization, or improve security.
Filtering of routes with vector-based routing protocols is straightforward. This is because the routes are filtered as routing updates and are advertised to downstream neighbors. However, with link-state routing protocols such as OSPF, every router in an area shares a complete copy of the link-state database. Therefore, filtering of routes generally occurs as routes enter the area on the ABR.
The following sections describe three techniques for filtering routes with OSPF.
a. As an example of filtering with summarization, we will remove the last route summarization command configured on R3.
Open configuration window
| R3(config-router)# no area 2 range 10.10.16.0 255.255.248.0 |
b. On D1, verify that all of the 1010.16.0/24 through 10.10.23.0/24 networks are in the routing table.
D1# show ip route ospf | begin Gateway Gateway of last resort is 10.10.0.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.10.0.1, 01:25:49, GigabitEthernet0/1 10.0.0.0/8 is variably subnetted, 17 subnets, 4 masks O IA 10.10.4.0/23 [110/4] via 10.10.0.1, 00:16:07, GigabitEthernet0/1 O IA 10.10.16.0/24 [110/5] via 10.10.0.1, 00:00:07, GigabitEthernet0/1 O IA 10.10.17.0/24 [110/5] via 10.10.0.1, 00:00:07, GigabitEthernet0/1 O IA 10.10.18.0/24 [110/5] via 10.10.0.1, 00:00:07, GigabitEthernet0/1 O IA 10.10.19.0/24 [110/5] via 10.10.0.1, 00:00:07, GigabitEthernet0/1 O IA 10.10.20.0/24 [110/5] via 10.10.0.1, 00:00:07, GigabitEthernet0/1 O IA 10.10.21.0/24 [110/5] via 10.10.0.1, 00:00:07, GigabitEthernet0/1 O IA 10.10.22.0/24 [110/5] via 10.10.0.1, 00:00:07, GigabitEthernet0/1 O IA 10.10.23.0/24 [110/5] via 10.10.0.1, 00:00:07, GigabitEthernet0/1 172.16.0.0/30 is subnetted, 2 subnets O IA 172.16.0.0 [110/2] via 10.10.0.1, 01:31:12, GigabitEthernet0/1 O IA 172.16.1.0 [110/3] via 10.10.0.1, 01:31:12, GigabitEthernet0/1 |
The D2 LANs are in the routing table of D1.
c. Now, on R3, filter the 10.10.18.0/24 network from being advertised to another area using the not-advertise keyword.
| R3(config-router)# area 2 range 10.10.18.0 255.255.255.0 not-advertise |
d. On D1, verify the routing table.
D1# show ip route ospf | begin Gateway Gateway of last resort is 10.10.0.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.10.0.1, 01:31:12, GigabitEthernet0/1 10.0.0.0/8 is variably subnetted, 16 subnets, 4 masks O IA 10.10.4.0/23 [110/4] via 10.10.0.1, 00:21:30, GigabitEthernet0/1 O IA 10.10.16.0/24 [110/5] via 10.10.0.1, 00:05:30, GigabitEthernet0/1 O IA 10.10.17.0/24 [110/5] via 10.10.0.1, 00:05:30, GigabitEthernet0/1 O IA 10.10.19.0/24 [110/5] via 10.10.0.1, 00:05:30, GigabitEthernet0/1 O IA 10.10.20.0/24 [110/5] via 10.10.0.1, 00:05:30, GigabitEthernet0/1 O IA 10.10.21.0/24 [110/5] via 10.10.0.1, 00:05:30, GigabitEthernet0/1 O IA 10.10.22.0/24 [110/5] via 10.10.0.1, 00:05:30, GigabitEthernet0/1 O IA 10.10.23.0/24 [110/5] via 10.10.0.1, 00:05:30, GigabitEthernet0/1 172.16.0.0/30 is subnetted, 2 subnets O IA 172.16.0.0 [110/2] via 10.10.0.1, 01:31:12, GigabitEthernet0/1 O IA 172.16.1.0 [110/3] via 10.10.0.1, 01:31:12, GigabitEthernet0/1 |
Notice that the 10.10.18.0/24 prefix is no longer in the routing table of D1.
On R1, filter the 10.10.2.0/24 network from being advertised into OSPF Area 0 by creating a prefix list and then referencing the list in the area area-id filter-list prefix prefix-list-name {in | out} command on R1. You will then filter the 10.10.3.0 network from being propagated into Area 2.
Open configuration window
a. On R1, remove the route summarization command that was configured in Part 2.
R1(config-router)# no area 1 range 10.10.0.0 255.255.252.0 R1(config-router)# exit |
b. Verify that the routing table of R2 has the 4 entries from Area 1.
R2# show ip route ospf | include 0/0/0 O IA 10.10.0.0/30 [110/2] via 172.16.0.2, 00:03:46, GigabitEthernet0/0 O IA 10.10.1.0/24 [110/12] via 172.16.0.2, 00:03:46, GigabitEthernet0/0 O IA 10.10.2.0/24 [110/3] via 172.16.0.2, 00:03:46, GigabitEthernet0/0 O IA 10.10.3.0/24 [110/3] via 172.16.0.2, 00:03:46, GigabitEthernet0/0 |
c. Create the following prefix list on R1 to deny 10.10.2.0/24 but permit everything else.
R1(config)# ip prefix-list FILTER-1 deny 10.10.2.0/24 R1(config)# ip prefix-list FILTER-1 permit 0.0.0.0/0 le 32 |
d. Enter OSPF router configuration mode and assign the prefix filter incoming in Area 0.
R1(config)# router ospf 123 R1(config-router)# area 0 filter-list prefix FILTER-1 in |
e. Verify that 10.10.2.0 is not in the routing table of R2.
R2# show ip route ospf | include 0/0/0 O IA 10.10.0.0/30 [110/2] via 172.16.0.2, 00:08:59, GigabitEthernet0/0 O IA 10.10.1.0/24 [110/12] via 172.16.0.2, 00:08:59, GigabitEthernet0/0 O IA 10.10.3.0/24 [110/3] via 172.16.0.2, 00:08:59, GigabitEthernet0/0 |
Notice that the 10.10.2.0/24 prefix has been filtered from Area 0 is no longer in the R2 routing table.
f. Verify that D2 has a route entry for 10.10.3.0/24.
D2# show ip route | inc 10.10.3.0 O IA 10.10.3.0/24 [110/5] via 10.10.4.1, 00:13:22, GigabitEthernet0/2 |
g. On R3, create the following prefix list to deny 10.10.3.0/24 but permit everything else.
R3(config)# ip prefix-list FILTER-1 deny 10.10.3.0/24 R3(config)# ip prefix-list FILTER-1 permit 0.0.0.0/0 le 32 |
h. On R3, enter OSPF router configuration mode and assign the prefix filter outgoing from Area 0.
R3(config)# router ospf 123 R3(config-router)# area 0 filter-list prefix FILTER-1 out |
i. Verify that 10.10.3.0 is not in the routing table of D2.
| D2# show ip route | inc 10.10.3.0 |
A distribute list should not be used for filtering prefixes between areas. A distribute list is configured using the distribute-list {acl-number | acl-name | prefix prefix-list-name | route-map route-map-name} in router configuration command.
In this step, we will filter the 10.10.20.0/24 network from entering the R2 routing table.
Open configuration window
a. On R2, verify that 10.10.20.0 is in the routing table.
R2# show ip route | include 10.10.20.0 O IA 10.10.20.0/24 [110/3] via 172.16.1.2, 01:32:39, GigabitEthernet0/1 |
b. Next enter an ACL called OSPF-FILTER that denies 10.10.20.0/24 from entering the R2 routing table.
R2(config)# ip access-list standard OSPF-FILTER R2(config-std-nacl)# deny 10.10.20.0 0.0.0.255 R2(config-std-nacl)# permit any R2(config-std-nacl)# exit |
c. On R2, enter OSPF router configuration mode and assign the distribute list filter.
R2(config)# router ospf 123 R2(config-router)# distribute-list OSPF-FILTER in R2(config-router)# end |
d. Verify that 10.10.20.0 prefix is not in the routing table of R2.
| R2# show ip route | include 10.10.20.0 |
e. Verify that the 10.10.20.0 prefix is still being propagated in the area. Verify the routing table of R1.
R1# show ip route | include 10.10.20.0 O IA 10.10.20.0/24 [110/4] via 172.16.0.1, 00:45:23, GigabitEthernet0/0/0 |
The 10.10.20.0/24 prefix still appears in the routing table of R1. The distribute list only filtered the route from entering the routing table on R2 but is still in the LSDB for Area 0.
Google