# OSPF Route Filtering #

To filter routes in OSPF, I have these options:

0. Passive Interface
1. Filtering with Distribute-Lists [ACL|prefix-list|route-map]
2. Filtering with Administrative Distance
3. Filtering with Route-Maps
4. Filtering with Summarization
5. LSA Type-3 Filtering
6. Forwarding Address Suppression
7. NSSA ABR External Prefix Filtering
8. Database Filtering

For the tests I will use this topology, already used in another topic:

[Figure: cdrf-rf-ospf-topology]

NOTE: after each test I’ll clear the configuration (access-list, prefix-list, route-map, distribute-list, filter-list) applied in the previous test.

Before starting the tests, it’s important to understand that OSPF, as a link-state protocol, has major restrictions when doing route filtering. This doesn’t mean that with OSPF (or another link-state protocol) we can’t do route filtering; we can, but we must respect the core functionality of the protocol.

The first core concepts to remember when filtering with OSPF are:

“All routers within an area must have the same link-state database”

“OSPF Database operations, LSA Types, LSA exchanging”

From the EIGRP domain and the RIP domain I redistributed into OSPF the networks of the loopbacks connected to PE1, PE2, PE3 and PE4. The following pictures show the OSPF database before any filtering is applied to OSPF.

[Figure: cdrf-rf-ospf-pic1]

[Figure: cdrf-rf-ospf-pic2]

0. PASSIVE INTERFACE

Making an interface passive under OSPF:

R7(config)#router ospf 1000
R7(config-router)#passive-interface fa1/1

– Router stops sending hello packets out of the interface –> neighborship is killed

– Previous peer on this interface sees the neighbor going down:
R6# –> %OSPF-5-ADJCHG: Process 1000, Nbr 7.7.7.7 on FastEthernet1/1 from FULL to DOWN, Neighbor Down: Dead timer expired

– Router ignores hello packets received on this interface –> neighborship cannot be renegotiated

– Router stops sending OSPF updates out of this interface

– Router will not learn any OSPF updates on this interface

– Router keeps the network connected to the interface in its OSPF database (but as a stub network) and still advertises the network in updates going out of other interfaces.

We can consider a passive interface a way to filter all updates coming in from a neighbour on that interface.

1. DISTRIBUTE-LIST

A distribute list under OSPF can invoke ACLs|prefix-list|route-map. The logic of using these different tools is similar to the RIP/EIGRP case.

With OSPF the big difference is that:

For RIP/EIGRP a distribute-list stops routes from entering the topology database and then the routing table. In OSPF a distribute-list cannot stop routes from entering the OSPF database in the form of LSAs; it only prevents the best information present in the OSPF database from being installed in the routing table (RIB). In other words, LSA propagation is not stopped by a distribute-list.

Let’s see a first simple example:

R6#show ip route 30.3.3.224
Routing entry for 30.3.3.224/27
Known via "ospf 1000", distance 110, metric 1000
Tag 11, type extern 2, forward metric 2
Last update from 10.1.2.9 on FastEthernet1/10, 00:46:15 ago
Routing Descriptor Blocks:
* 10.1.3.8, from 11.11.11.11, 00:46:15 ago, via FastEthernet1/13
Route metric is 1000, traffic share count is 1
Route tag 11
10.1.2.9, from 11.11.11.11, 00:46:15 ago, via FastEthernet1/10
Route metric is 1000, traffic share count is 1
Route tag 11

R6#show ip ospf database external 30.3.3.224

OSPF Router with ID (6.6.6.6) (Process ID 1000)

Type-5 AS External Link States

Routing Bit Set on this LSA
LS age: 1920
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 30.3.3.224 (External Network Number )
Advertising Router: 11.11.11.11
LS Seq Number: 80000003
Checksum: 0x7A2F
Length: 36
Network Mask: /27
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 0.0.0.0
External Route Tag: 11

R6(config)#ip prefix-list EXTERNAL deny 30.3.3.224/27
R6(config)#ip prefix-list EXTERNAL permit 0.0.0.0/0 le 32

R6#show run | s r o
router ospf 1000
router-id 6.6.6.6
log-adjacency-changes
area 0 authentication
area 1 authentication message-digest
network 6.6.6.6 0.0.0.0 area 0
network 10.0.12.0 0.0.0.255 area 1
network 10.0.14.0 0.0.0.255 area 1
network 10.1.0.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0
network 10.1.2.0 0.0.0.255 area 0
network 10.1.3.0 0.0.0.255 area 0
distribute-list prefix EXTERNAL in

After applying the filter:

R6#show ip route 30.3.3.224
% Network not in table

but the type-5 LSA describing the route is still present in the OSPF database:

R6#show ip ospf database external 30.3.3.224

OSPF Router with ID (6.6.6.6) (Process ID 1000)

Type-5 AS External Link States

Routing Bit Set on this LSA
LS age: 861
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 30.3.3.224 (External Network Number )
Advertising Router: 11.11.11.11
LS Seq Number: 80000004
Checksum: 0x7830
Length: 36
Network Mask: /27
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 0.0.0.0
External Route Tag: 11

and its propagation in the OSPF domain is not stopped, for example on R4:

R4#show ip ospf database external 30.3.3.224

OSPF Router with ID (4.4.4.4) (Process ID 1000)

Type-5 AS External Link States

Routing Bit Set on this LSA
LS age: 983
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 30.3.3.224 (External Network Number )
Advertising Router: 11.11.11.11
LS Seq Number: 80000004
Checksum: 0x7830
Length: 36
Network Mask: /27
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 0.0.0.0
External Route Tag: 11

R4#show ip route 30.3.3.224
Routing entry for 30.3.3.224/27
Known via "ospf 1000", distance 110, metric 1000
Tag 11, type extern 2, forward metric 3
Last update from 10.0.12.6 on FastEthernet1/15, 01:05:13 ago
Routing Descriptor Blocks:
10.0.12.6, from 11.11.11.11, 01:05:13 ago, via FastEthernet1/15
Route metric is 1000, traffic share count is 1
Route tag 11
* 10.0.11.7, from 11.11.11.11, 01:05:13 ago, via FastEthernet1/11
Route metric is 1000, traffic share count is 1
Route tag 11

This simple example shows that OSPF filtering is very different from the filtering techniques of other protocols. With this concept clear, let’s see how a distribute-list can use ACLs, prefix-lists and route-maps, as done for EIGRP. Then I’ll review the other OSPF filtering modes.
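A check for the behaviour shown above, added here as an example (it is not part of the original post): it compares the external LSAs from `show ip ospf database` with `show ip route ospf` and lists the LSAs that have no RIB entry on the local router. The sample text is constructed in the format of the outputs on this page, and the function names are hypothetical.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# "O E2    30.2.2.128/26 [110/1000] via 10.1.3.8, ..." (type code and mask are optional)
ROUTE = re.compile(rf"^O\s+(?:(IA|E1|E2|N1|N2)\s+)?({IP})(?:/\d+)?\s+\[\d+/\d+\]\s+via\s+({IP})")
# Continuation line carrying an additional equal-cost next hop
MORE = re.compile(rf"^\s*\[\d+/\d+\]\s+via\s+({IP})")
# Type-5 summary line: Link ID, ADV Router, Age, Seq#, Checksum, Tag
LSA = re.compile(rf"^({IP})\s+({IP})\s+\d+\s+0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+\s+\d+\s*$")

# Constructed sample: R6's RIB after "distribute-list prefix EXTERNAL in"
# (30.3.3.224/27 denied), in the format of "show ip route ospf".
RIB_TEXT = """\
     30.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O E2    30.2.2.128/26 [110/1000] via 10.1.3.8, 00:46:15, FastEthernet1/13
                      [110/1000] via 10.1.2.9, 00:46:15, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.3.8, 00:46:15, FastEthernet1/13
                      [110/1000] via 10.1.2.9, 00:46:15, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.3.8, 00:46:15, FastEthernet1/13
                      [110/1000] via 10.1.2.9, 00:46:15, FastEthernet1/10
"""

# Constructed sample: the Type-5 section of "show ip ospf database".
# Feed only that section: other LSA types use different columns.
LSDB_TEXT = """\
30.1.1.248      11.11.11.11     1875        0x80000002 0x004A34 11
30.2.2.128      10.10.10.10     19          0x80000003 0x00A090 10
30.2.2.192      10.10.10.10     19          0x80000003 0x001ED2 10
30.3.3.224      11.11.11.11     1874        0x80000002 0x007C2E 11
"""


def parse_rib(text):
    """Return {network: {"type": ..., "next_hops": [...]}} for OSPF routes."""
    rib, last = {}, None
    for line in text.splitlines():
        m = ROUTE.match(line)
        if m:
            last = m.group(2)
            rib[last] = {"type": m.group(1) or "intra", "next_hops": [m.group(3)]}
            continue
        m = MORE.match(line)
        if m and last:
            rib[last]["next_hops"].append(m.group(1))
    return rib


def parse_external_lsas(text):
    """Return [(link_state_id, advertising_router)] from Type-5 summary lines."""
    return [(m.group(1), m.group(2)) for m in map(LSA.match, text.splitlines()) if m]


def lsas_missing_from_rib(lsdb_text, rib_text):
    """External LSAs held (and still flooded) by the router but absent from its RIB.

    Matching is by network address, since the summary view has no mask column.
    """
    rib = parse_rib(rib_text)
    return [(lsid, adv) for lsid, adv in parse_external_lsas(lsdb_text) if lsid not in rib]


if __name__ == "__main__":
    for lsid, adv in lsas_missing_from_rib(LSDB_TEXT, RIB_TEXT):
        print(f"LSA {lsid} from {adv}: in LSDB, not in RIB (filtered locally only)")
```
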

TEST 1a] distribute-list + std-ACL

R7#show ip route ospf | b 30.
30.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:10:00, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:10:00, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:10:00, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:10:00, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:10:00, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:10:00, FastEthernet1/10
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:10:00, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:10:00, FastEthernet1/10

Filtering all these networks from the RIB on R7:

R7(config)#ip access-list standard NET-30
R7(config-std-nacl)#5 deny 30.0.0.0 0.255.255.255

R7(config)#router ospf 1000
R7(config-router)#distribute-list NET-30 in

R7#show ip route ospf | i 30
[EMPTY OUTPUT]

———- NOTE ———–
ospf database entries are still present:

R7#show ip ospf database | b 30.1
30.1.1.248      11.11.11.11     1875        0x80000002 0x004A34 11
30.2.2.128      10.10.10.10     19          0x80000003 0x00A090 10
30.2.2.192      10.10.10.10     19          0x80000003 0x001ED2 10
30.3.3.224      11.11.11.11     1874        0x80000002 0x007C2E 11
——– END NOTE ———

TEST 1b] distribute-list + ext-ACL

OSPF belongs to the family of IGP protocols, so when an ext-ACL is called by a distribute-list, the fields of the ACL are interpreted this way:

[source ip address][wildcard mask] = [ROUTE’S GATEWAY IP ADDRESS][wildcard mask] => matches the IP address of the next-hop device toward the route.

[destination ip address][wildcard mask] = [NETWORK ADDRESS][wildcard mask] => matches the network portion of the IP prefix.

So we can match the gateway of the route and a portion of the network address. For example, R7 has these 30.x.x.x routes in its RIB before any filter is applied:

R7#show ip route ospf | b 30.
30.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:01:35, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:01:35, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:01:35, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:01:35, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:01:35, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:01:35, FastEthernet1/10
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:01:35, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:01:35, FastEthernet1/10

We can use the following ext-ACL to filter only the routes coming from GATEWAY 10.1.6.9 (not Router-ID 9.9.9.9)

————- NOTE —————–
In OSPF the route-source IP address does not always match the gateway of the route, because OSPF is a link-state protocol: routing information is injected into and propagated through the OSPF database by devices identified by their OSPF ROUTER-ID. As an example, suppose we have three direct OSPF neighbors R7,R9,R8

R7(ID=7.7.7.7)-Fa1/13(10.1.6.7)—/24—(10.1.6.9)Fa1/13-(ID=9.9.9.9)R9-Fa1/10(10.1.2.9)—/24—(DR)(10.1.2.6)Fa1/10-(ID=6.6.6.6)R6

R7 will learn about network 10.1.2.0/24 from 6.6.6.6 because it is R6 (the DR) that generates the type-2 LSA for that segment. R7 can reach it via 10.1.6.9, but it is R6 that floods this information.
———– END NOTE —————-

R7(config)#access-list 100 deny ip 10.1.6.9 0.0.0.0 30.0.0.0 0.255.255.255
R7(config)#access-list 100 permit ip any any

R7(config)#router ospf 1000
R7(config-router)#distribute-list 100 in

R7#show ip route ospf | b 30.
30.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    30.2.2.128/26 [110/1000] via 10.1.5.8, 00:00:07, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.5.8, 00:00:07, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.5.8, 00:00:07, FastEthernet1/10
O E2    30.3.3.224/27 [110/1000] via 10.1.5.8, 00:00:07, FastEthernet1/10

Networks 30.x.x.x from gateway 10.1.6.9 are filtered.

NOTE: Remember, they are still present in OSPF database.

——— NOTE ————
Another thing to remember is that you cannot use an extended named ACL with a distribute-list:
R7(config)#router ospf 1000
R7(config-router)#distribute-list NET-30-R9 in
Access-list type conflicts with prior definition
% This command only accepts named standard IP access-lists.
——- END NOTE ———-

TEST 1c] distribute-list + prefix-list

What I can’t do with standard or extended ACLs called by a distribute-list is match the mask length of a set of routes; to work around this I can use a prefix-list instead. For example, to filter routes (30,31).x.x.x from the RIB of R7:

R7#show ip route ospf | b 31
31.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:13:29, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:13:29, FastEthernet1/10
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:13:29, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:13:29, FastEthernet1/10
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:13:29, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:13:29, FastEthernet1/10
30.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:13:29, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:13:29, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:13:29, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:13:29, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:13:29, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:13:29, FastEthernet1/10
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:13:31, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:13:31, FastEthernet1/10

I can do:

R7(config)#ip prefix-list NET3031 deny 30.0.0.0/7 ge 8
R7(config)#ip prefix-list NET3031 permit 0.0.0.0/0 le 32

R7(config)#router ospf 1000
R7(config-router)#distribute-list prefix NET3031 in

R7#show ip route ospf | b 31.
[EMPTY OUTPUT]

R7#show ip route ospf | b 30.
[EMPTY OUTPUT]

Routes (30,31).x.x.x are filtered from RIB.

——— NOTE ————
One more time –> information about those RIB-filtered routes is still in the OSPF database:

R7#show ip ospf database | b 30
30.1.1.248      11.11.11.11     543         0x80000002 0x004A34 11
30.2.2.128      10.10.10.10     609         0x80000002 0x00A28F 10
30.2.2.192      10.10.10.10     610         0x80000002 0x0020D1 10
30.3.3.224      11.11.11.11     542         0x80000002 0x007C2E 11
31.0.0.0        10.10.10.10     609         0x80000002 0x004432 10
31.5.5.0        11.11.11.11     542         0x80000002 0x00C4A2 11
31.7.0.0        11.11.11.11     542         0x80000002 0x00E386 11
——- END NOTE ———-

TEST 1d] distribute-list + route-map

Using a route-map I can extend the matching options of a distribute-list. For example, a route-map allows me to use an ext-ACL in prefix-list style; in other words, I can use the ext-ACL fields this way:

[source ip address][wildcard mask] = [NETWORK ADDRESS][wildcard mask] => match a specific portion of the configured ADDRESS based on wildcard

[destination ip address][wildcard mask] = [NETWORK MASK][wildcard mask] => match a specific portion of the configured MASK based on wildcard => Mask Length

If I now wanted to get the same result I got with the prefix-list, I could do:

R7(config)#ip access-list extended NET3031
R7(config-ext-nacl)#5 permit ip 30.0.0.0 1.255.255.255 0.0.0.0 255.255.255.255

R7(config)#route-map FILTER deny 10
R7(config-route-map)#match ip address NET3031
R7(config)#route-map FILTER permit 20

R7(config)#router ospf 1000
R7(config-router)#distribute-list route-map FILTER in

R7#show ip route ospf | b 30.
[EMPTY OUTPUT]

R7#show ip route ospf | b 31.
[EMPTY OUTPUT]

——— NOTE ————
One more time –> information about those RIB-filtered routes is still in the OSPF database:

R7#show ip ospf database | b 30
30.1.1.248      11.11.11.11     543         0x80000002 0x004A34 11
30.2.2.128      10.10.10.10     609         0x80000002 0x00A28F 10
30.2.2.192      10.10.10.10     610         0x80000002 0x0020D1 10
30.3.3.224      11.11.11.11     542         0x80000002 0x007C2E 11
31.0.0.0        10.10.10.10     609         0x80000002 0x004432 10
31.5.5.0        11.11.11.11     542         0x80000002 0x00C4A2 11
31.7.0.0        11.11.11.11     542         0x80000002 0x00E386 11
——- END NOTE ———-

NOTE: Here I gave a quick and simple example using ACLs, a prefix-list and a route-map; the permit/deny rules of an ACL or prefix-list interacting with the permit/deny action of a route-map can be tricky. You can find more examples in the RIP filtering section and the EIGRP filtering section. The logic of this interaction can be found here
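The three matching styles used in TEST 1b, 1c and 1d, modelled as an added example (not code from the original post). Routes and filters are taken from the R7 outputs above; the function names and the extra 30.0.0.0/7 route are assumptions, the latter used to show where the prefix-list and the route-map ACL stop being equivalent.

```python
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wild_match(value, base, wildcard):
    """IOS wildcard compare: bits set to 1 in the wildcard are ignored."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(value) & care) == (to_int(base) & care)


def first_match(entries, test):
    """Action of the first entry whose fields satisfy test(); implicit deny otherwise."""
    for action, *fields in entries:
        if test(*fields):
            return action
    return "deny"


# Constructed from the R7 "show ip route ospf" outputs above: prefix -> gateways.
GATEWAYS = ["10.1.6.9", "10.1.5.8"]
ROUTES = {p: list(GATEWAYS) for p in (
    "30.2.2.128/26", "30.2.2.192/26", "30.1.1.248/29", "30.3.3.224/27",
    "31.7.0.0/16", "31.5.5.0/24", "31.0.0.0/8")}

# TEST 1b: access-list 100 called by "distribute-list 100 in".
# Fields: (action, source, source wildcard, destination, destination wildcard)
ACL_100 = [
    ("deny", "10.1.6.9", "0.0.0.0", "30.0.0.0", "0.255.255.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),  # any any
]


def apply_distribute_list_acl(routes, acl):
    """source = gateway of each path, destination = network address of the route."""
    kept = {}
    for prefix, gateways in routes.items():
        net = str(ipaddress.ip_network(prefix).network_address)
        paths = [gw for gw in gateways if first_match(
            acl, lambda s, sw, d, dw: wild_match(gw, s, sw) and wild_match(net, d, dw)
        ) == "permit"]
        if paths:
            kept[prefix] = paths
    return kept


# TEST 1c: ip prefix-list NET3031. Fields: (action, prefix, ge, le)
PREFIX_LIST_NET3031 = [("deny", "30.0.0.0/7", 8, None), ("permit", "0.0.0.0/0", None, 32)]


def prefix_entry_match(route, entry, ge, le):
    """No ge/le: exact length. ge only: ge..32. le only: len..le. Both: ge..le."""
    r, e = ipaddress.ip_network(route), ipaddress.ip_network(entry)
    lo = ge if ge is not None else e.prefixlen
    hi = le if le is not None else (32 if ge is not None else e.prefixlen)
    return r.network_address in e and lo <= r.prefixlen <= hi


def prefix_list_denies(route):
    test = lambda entry, ge, le: prefix_entry_match(route, entry, ge, le)
    return first_match(PREFIX_LIST_NET3031, test) == "deny"


# TEST 1d: extended ACL NET3031 matched by "route-map FILTER deny 10".
ACL_NET3031 = [("permit", "30.0.0.0", "1.255.255.255", "0.0.0.0", "255.255.255.255")]


def route_map_denies(route):
    """source = network address, destination = network mask of the route."""
    r = ipaddress.ip_network(route)
    net, mask = str(r.network_address), str(r.netmask)
    test = lambda s, sw, d, dw: wild_match(net, s, sw) and wild_match(mask, d, dw)
    # An ACL permit means "matched", so sequence 10 (deny) drops the route;
    # anything else falls through to "route-map FILTER permit 20".
    return first_match(ACL_NET3031, test) == "permit"


if __name__ == "__main__":
    for prefix, paths in apply_distribute_list_acl(ROUTES, ACL_100).items():
        print("1b keeps", prefix, "via", paths)
    for route in list(ROUTES) + ["30.0.0.0/7"]:   # the /7 is a hypothetical route
        print(route, "prefix-list denies:", prefix_list_denies(route),
              "route-map denies:", route_map_denies(route))
```

The destination wildcard 255.255.255.255 in the ACL accepts any mask, while `ge 8` excludes a /7, so the two filters agree on every route shown on this page but not on a 30.0.0.0/7 aggregate.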

TEST 1e] distribute-list + ‘gateway’

Instead of using an extended ACL (see above) to match the gateway and network portion of routes to filter, I can use the gateway option in two different ways:

a) distribute-list prefix [prefix-1 name] gateway [prefix-2 name]

b) distribute-list gateway [prefix name]

With option a) we can filter a set of routes matched by the first prefix-list and one or more gateways matched by the second prefix-list.

With option b) we can filter all the routes coming from the gateway matched by the prefix-list.

For example, if I wanted to get the same result I got with TEST 1b], filtering networks 30.x.x.x but only those coming from gateway 10.1.6.9, I could do:

R7#show ip route ospf | b 30.
30.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:11:21, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:11:21, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:11:21, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:11:21, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:11:21, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:11:21, FastEthernet1/10
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:11:21, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:11:21, FastEthernet1/10

R7(config)#ip prefix-list NET30 deny 30.0.0.0/8 le 32
R7(config)#ip prefix-list NET30 permit 0.0.0.0/0 le 32

R7(config)#ip prefix-list R9 permit 10.1.6.9/32

R7(config-router)#distribute-list prefix NET30 gateway R9 in fa1/13

R7#show ip route ospf | b 30.
30.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    30.2.2.128/26 [110/1000] via 10.1.5.8, 00:00:22, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.5.8, 00:00:22, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.5.8, 00:00:22, FastEthernet1/10
O E2    30.3.3.224/27 [110/1000] via 10.1.5.8, 00:00:22, FastEthernet1/10

If I wanted to filter all routes coming from gateway 10.1.6.9 (R9), I could do:

R7(config)#ip prefix-list R9 deny 10.1.6.9/32
R7(config)#ip prefix-list R9 permit 0.0.0.0/0 le 32

R7(config)#router ospf 1000
R7(config-router)#distribute-list gateway R9 in –> don’t confuse gateway ip address with router-id of R9 – here we are matching gateway ip of the routes.

——————————— NOTE ——————————————–
In all previous examples I always used inbound filtering when using a distribute-list. This is because outbound filtering is not useful with OSPF. Let’s see an example:

R9 is installing in its RIB these routes coming from R7:

R9#show ip route ospf | i 10.1.6.7
O IA    4.4.4.4 [110/3] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.3.0/24 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.2.0/24 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.1.0/24 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.0.0/24 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.5.0/24 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.4.0/24 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.7.128/25 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.9.192/26 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.8.240/28 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.10.248/29 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.11.254/32 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O E2    20.15.6.224/27 [110/1000] via 10.1.6.7, 00:01:02, FastEthernet1/13
O IA    5.5.5.5 [110/3] via 10.1.6.7, 00:01:02, FastEthernet1/13
O       7.7.7.7 [110/2] via 10.1.6.7, 00:01:04, FastEthernet1/13
O IA    10.0.10.0/24 [110/3] via 10.1.6.7, 00:01:04, FastEthernet1/13
O IA    10.0.11.0/24 [110/2] via 10.1.6.7, 00:01:04, FastEthernet1/13
O IA    10.0.15.0/24 [110/2] via 10.1.6.7, 00:01:04, FastEthernet1/13
O       10.1.1.0/24 [110/2] via 10.1.6.7, 00:01:04, FastEthernet1/13
[110/2] via 10.1.6.7, 00:01:04, FastEthernet1/13
O       10.1.4.0/24 [110/11] via 10.1.6.7, 00:01:04, FastEthernet1/13

Suppose I wanted to filter all outgoing routes going from R7 to R9. I might think of doing:

R7(config)#ip prefix-list DENY-ALL deny 0.0.0.0/0 le 32

R7(config)#router ospf 1000
R7(config-router)#distribute-list DENY-ALL out fa1/13
% Interface not allowed with OUT for OSPF

Ok, let’s try something different, deny all outgoing routes for the whole process:

R7(config)#router ospf 1000
R7(config-router)#distribute-list DENY-ALL out

R9#show ip route ospf | i 10.1.6.7
O IA    4.4.4.4 [110/3] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.3.0/24 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.2.0/24 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.1.0/24 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.0.0/24 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.5.0/24 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.4.0/24 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.7.128/25 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.9.192/26 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.8.240/28 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.10.248/29 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.11.254/32 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O E2    20.15.6.224/27 [110/1000] via 10.1.6.7, 00:08:05, FastEthernet1/13
O IA    5.5.5.5 [110/3] via 10.1.6.7, 00:08:05, FastEthernet1/13
O       7.7.7.7 [110/2] via 10.1.6.7, 00:08:07, FastEthernet1/13
O IA    10.0.10.0/24 [110/3] via 10.1.6.7, 00:08:07, FastEthernet1/13
O IA    10.0.11.0/24 [110/2] via 10.1.6.7, 00:08:07, FastEthernet1/13
O IA    10.0.15.0/24 [110/2] via 10.1.6.7, 00:08:07, FastEthernet1/13
O       10.1.1.0/24 [110/2] via 10.1.6.7, 00:08:07, FastEthernet1/13
[110/2] via 10.1.6.7, 00:08:07, FastEthernet1/13
O       10.1.4.0/24 [110/11] via 10.1.6.7, 00:08:07, FastEthernet1/13

Nothing changes on R9. This is because OSPF routing information travels router by router in the form of LSAs, and with distribute-list out we are not blocking any LSAs. Furthermore, OSPF requires that the OSPF database be consistent inside the same area. Some LSA filtering can be done BETWEEN DIFFERENT AREAS (see below) but not inside a single area.
—————————– END NOTE ——————————————–

2. ADMINISTRATIVE DISTANCE

In OSPF we have two options to change AD of routes:

R7(config-router)#distance ?
<1-255>  Administrative distance
ospf     OSPF distance

R7(config-router)#distance 255 ?
A.B.C.D  IP Source address
<cr>

R7(config-router)#distance 255 10.1.6.9 ?
A.B.C.D  Wildcard bits

R7(config-router)#distance 255 10.1.6.9 0.0.0.0 ?
<1-99>       IP Standard access list number
<1300-1999>  IP Standard expanded access list number
WORD         Standard access-list name
<cr>

The first option is to set the distance for a set of routes specified by a standard ACL, coming from a specific source or a range of sources matched by a standard-ACL-like rule. Let’s try some tests. R7 is receiving these routes via R9 (router-ID 9.9.9.9, gateway IP 10.1.6.9):

R7#show ip route ospf 1000 | i via 10.1.6.9
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:36:02, FastEthernet1/13
O E2    32.6.0.0 [110/1000] via 10.1.6.9, 00:36:02, FastEthernet1/13
O E2    33.11.11.0/24 [110/1000] via 10.1.6.9, 00:36:02, FastEthernet1/13
O E2    33.9.9.0/25 [110/1000] via 10.1.6.9, 00:36:02, FastEthernet1/13
O E2    33.9.9.128/25 [110/1000] via 10.1.6.9, 00:36:02, FastEthernet1/13
O       9.9.9.9 [110/2] via 10.1.6.9, 00:36:02, FastEthernet1/13
O IA    10.10.10.10/32 [110/3] via 10.1.6.9, 00:36:02, FastEthernet1/13
O       10.1.11.0/24 [110/11] via 10.1.6.9, 00:36:02, FastEthernet1/13
O       10.1.8.0/24 [110/2] via 10.1.6.9, 00:36:02, FastEthernet1/13
O IA    10.1.13.0/24 [110/2] via 10.1.6.9, 00:36:02, FastEthernet1/13
O IA    10.1.12.0/24 [110/2] via 10.1.6.9, 00:36:02, FastEthernet1/13
O IA    10.2.1.0/24 [110/3] via 10.1.6.9, 00:36:02, FastEthernet1/13
O       10.1.2.0/24 [110/2] via 10.1.6.9, 00:36:02, FastEthernet1/13
O IA    11.11.11.11 [110/3] via 10.1.6.9, 00:36:02, FastEthernet1/13
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:36:02, FastEthernet1/13
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:36:04, FastEthernet1/13
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:36:04, FastEthernet1/13
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:36:04, FastEthernet1/13
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:36:04, FastEthernet1/13
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:36:04, FastEthernet1/13
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:36:04, FastEthernet1/13

Suppose, for example, we must increase the OSPF AD for all networks with 30 in their first octet, but only those coming from R9 (router-ID 9.9.9.9). Setting this AD to 255 should filter the routes:

R7(config)#ip access-list standard NET30
R7(config-std-nacl)#5 permit 30.0.0.0 0.255.255.255

R7(config)#router ospf 1000
R7(config-router)#distance 255 9.9.9.9 0.0.0.0 NET30

Nothing changed:

R7#show ip route ospf | b 30.
30.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:51:23, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:51:23, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:51:23, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:51:23, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:51:23, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:51:23, FastEthernet1/10
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:51:23, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:51:23, FastEthernet1/10

Networks 30.x.x.x via 10.1.6.9 are still there.

As with EIGRP, distance [distance-value] [source-ip][wildcard] [std-ACL-number] has no impact on EXTERNAL OSPF routes. Let’s check whether it works for internal routes.

R7(config)#ip access-list standard NET10
R7(config-std-nacl)#5 permit 10.0.0.0 0.255.255.255

R7(config)#router ospf 1000
R7(config-router)#distance 255 9.9.9.9 0.0.0.0 NET10

R7#show ip route ospf | i via 10.1.6.9
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    32.6.0.0 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    33.11.11.0/24 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    33.9.9.0/25 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    33.9.9.128/25 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O       9.9.9.9 [110/2] via 10.1.6.9, 00:00:06, FastEthernet1/13
O       10.1.2.0/24 [110/2] via 10.1.6.9, 00:00:06, FastEthernet1/13
O IA    11.11.11.11 [110/3] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:00:06, FastEthernet1/13
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:00:07, FastEthernet1/13

I filtered these networks:

O IA    10.10.10.10/32 [110/3] via 10.1.6.9, 00:03:04, FastEthernet1/13
O       10.1.11.0/24 [110/11] via 10.1.6.9, 00:03:04, FastEthernet1/13
O       10.1.8.0/24 [110/2] via 10.1.6.9, 00:03:04, FastEthernet1/13
O IA    10.1.13.0/24 [110/2] via 10.1.6.9, 00:03:04, FastEthernet1/13
O IA    10.1.12.0/24 [110/2] via 10.1.6.9, 00:03:04, FastEthernet1/13
O IA    10.2.1.0/24 [110/3] via 10.1.6.9, 00:03:04, FastEthernet1/13

Looking carefully at the routes shown, we can discover a hidden trick here. At the beginning I listed the routes learned by R7 via 10.1.6.9; the trick is that not all these routes are really learned from R9. 10.1.6.9 is the gateway for the route, but the originator into OSPF of the topological information about a network can be different. For each LAN segment it is the Designated Router of the LAN that originates the type-2 LSA into OSPF. This can be understood by looking at two different networks, 10.1.8.0/24 (R9<->R8) and 10.1.2.0/24 (R9<->R6).

The first route, 10.1.8.0/24, is matched by the filter because R9 (9.9.9.9) is the designated router on that link, so it is R9 that injects the type-2 LSA into the OSPF database. The network is then filtered out of the RIB of R7.

The second route, 10.1.2.0/24, is not matched by the filter because R6 (6.6.6.6) is the DR originating the LSA into the OSPF database.

R7#show ip ospf database router adv-router 9.9.9.9

OSPF Router with ID (7.7.7.7) (Process ID 1000)

Router Link States (Area 0)

……………………..

Link connected to: a Transit Network
  (Link ID) Designated Router address: 10.1.8.9
(Link Data) Router Interface address: 10.1.8.9
Number of TOS metrics: 0
TOS 0 Metrics: 1

R7#show ip ospf database network adv-router 9.9.9.9

OSPF Router with ID (7.7.7.7) (Process ID 1000)

Net Link States (Area 0)

Routing Bit Set on this LSA
LS age: 510
Options: (No TOS-capability, DC)
LS Type: Network Links
Link State ID: 10.1.8.9 (address of Designated Router)
Advertising Router: 9.9.9.9
LS Seq Number: 80000004
Checksum: 0xEA4
Length: 32
  Network Mask: /24
Attached Router: 9.9.9.9
Attached Router: 8.8.8.8

R7#show ip route 10.1.8.0
% Subnet not in table

R7#show ip ospf database router adv-router 9.9.9.9

OSPF Router with ID (7.7.7.7) (Process ID 1000)

Router Link States (Area 0)

……………………..

Link connected to: a Transit Network
  (Link ID) Designated Router address: 10.1.2.6
(Link Data) Router Interface address: 10.1.2.9
Number of TOS metrics: 0
TOS 0 Metrics: 1

R7#show ip ospf database network adv-router 6.6.6.6

OSPF Router with ID (7.7.7.7) (Process ID 1000)

Net Link States (Area 0)

Routing Bit Set on this LSA
LS age: 922
Options: (No TOS-capability, DC)
LS Type: Network Links
Link State ID: 10.1.2.6 (address of Designated Router)
  Advertising Router: 6.6.6.6
LS Seq Number: 80000004
Checksum: 0x943B
Length: 32
Network Mask: /24
Attached Router: 6.6.6.6
Attached Router: 9.9.9.9

R7#show ip route 10.1.2.0
Routing entry for 10.1.2.0/24
Known via "ospf 1000", distance 110, metric 2, type intra area
Last update from 10.1.1.6 on FastEthernet1/1, 01:04:31 ago
Routing Descriptor Blocks:
* 10.1.6.9, from 6.6.6.6, 01:04:31 ago, via FastEthernet1/13 –> R6 is originating OSPF info because it is DR
Route metric is 2, traffic share count is 1
10.1.1.6, from 6.6.6.6, 01:04:31 ago, via FastEthernet1/1  –> R6 is originating OSPF info because it is DR
Route metric is 2, traffic share count is 1 

Here is a picture showing the routes before and after each filtering action.

[Figure: cdrf-rf-ospf-pic3]

To recap so far:

– distance [distance-value] [source-ip][wildcard] [std-ACL-number] has no impact on EXTERNAL OSPF routes.

– distance [distance-value] [source-ip][wildcard] [std-ACL-number] can prevent MATCHED INTERNAL ROUTES from being installed into RIB.

– the matched source IP address must be the OSPF ROUTER-ID of the device whose routes we want to keep out of the RIB of the router where we apply the distance filter.

– OSPF DATABASE information about the filtered routes is still in the database, so their propagation into the OSPF domain is not stopped.
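Why 10.1.8.0/24 is filtered and 10.1.2.0/24 is not, as an added example (not from the original post): it parses the two Network LSAs shown above and applies the source match of the distance command to the Advertising Router. The LSA text is trimmed from the R7 outputs above; the function names are hypothetical, and the model covers only the intra-area transit-network case described in the recap.

```python
import ipaddress
import re

# Constructed sample: the two Type-2 LSAs seen on R7, trimmed to the fields used here.
NETWORK_LSAS = """\
  LS Type: Network Links
  Link State ID: 10.1.8.9 (address of Designated Router)
  Advertising Router: 9.9.9.9
  Network Mask: /24
        Attached Router: 9.9.9.9
        Attached Router: 8.8.8.8

  LS Type: Network Links
  Link State ID: 10.1.2.6 (address of Designated Router)
  Advertising Router: 6.6.6.6
  Network Mask: /24
        Attached Router: 6.6.6.6
        Attached Router: 9.9.9.9
"""

# ip access-list standard NET10 / permit 10.0.0.0 0.255.255.255
NET10 = [("10.0.0.0", "0.255.255.255")]


def wild_match(value, base, wildcard):
    """IOS wildcard compare: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(value)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_network_lsas(text):
    """Return [(prefix, advertising_router)] for each Type-2 LSA in the text."""
    lsas = []
    for block in re.split(r"(?m)^\s*LS Type: Network Links\s*$", text)[1:]:
        lsid = re.search(r"Link State ID:\s*(\S+)", block).group(1)
        adv = re.search(r"Advertising Router:\s*(\S+)", block).group(1)
        mask = re.search(r"Network Mask:\s*/(\d+)", block).group(1)
        # The Link State ID is the DR's interface address; mask it to get the prefix.
        prefix = ipaddress.ip_network(f"{lsid}/{mask}", strict=False)
        lsas.append((str(prefix), adv))
    return lsas


def distance_for(prefix, adv_router, source, source_wild, acl, default=110, new=255):
    """Model of 'distance <new> <source> <wildcard> <std-ACL>'.

    The source is compared with the router-ID that originated the LSA,
    not with the next-hop (gateway) address of the route.
    """
    net = str(ipaddress.ip_network(prefix).network_address)
    source_ok = wild_match(adv_router, source, source_wild)
    acl_ok = any(wild_match(net, base, wc) for base, wc in acl)  # permit entries only
    return new if source_ok and acl_ok else default


def rib_after_distance(lsa_text, source, source_wild, acl):
    """Apply the distance rule to every parsed LSA; distance 255 keeps a route out of the RIB."""
    result = {}
    for prefix, adv in parse_network_lsas(lsa_text):
        ad = distance_for(prefix, adv, source, source_wild, acl)
        result[prefix] = {"from": adv, "distance": ad, "in_rib": ad < 255}
    return result


if __name__ == "__main__":
    # distance 255 9.9.9.9 0.0.0.0 NET10, as configured on R7
    for prefix, state in rib_after_distance(NETWORK_LSAS, "9.9.9.9", "0.0.0.0", NET10).items():
        print(prefix, state)
```
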

Another option I have for the distance command is:

R7(config-router)#distance ospf ?
external    External type 5 and type 7 routes
inter-area  Inter-area routes
intra-area  Intra-area routes

With this second option I can set the AD for ALL EXTERNAL (E2/E1) routes or ALL INTERNAL (inter-area (O IA) or intra-area (O)) routes. For example:

R7(config)#router ospf 1000
R7(config-router)#distance ospf external 254 inter-area 253 intra-area 252

R7#show ip route ospf | i E2
O E2    32.4.0.0 [254/1000] via 10.1.6.9, 00:00:51, FastEthernet1/13
O E2    32.6.0.0 [254/1000] via 10.1.6.9, 00:00:51, FastEthernet1/13
O E2    33.11.11.0/24 [254/1000] via 10.1.6.9, 00:00:51, FastEthernet1/13
O E2    33.9.9.0/25 [254/1000] via 10.1.6.9, 00:00:51, FastEthernet1/13
O E2    33.9.9.128/25 [254/1000] via 10.1.6.9, 00:00:51, FastEthernet1/13
O E2    20.15.3.0/24 [254/1000] via 10.0.15.5, 00:00:51, FastEthernet1/15
O E2    20.15.2.0/24 [254/1000] via 10.0.11.4, 00:00:51, FastEthernet1/11
O E2    20.15.1.0/24 [254/1000] via 10.0.15.5, 00:00:51, FastEthernet1/15
O E2    20.15.0.0/24 [254/1000] via 10.0.11.4, 00:00:51, FastEthernet1/11
O E2    20.15.5.0/24 [254/1000] via 10.0.15.5, 00:00:51, FastEthernet1/15
O E2    20.15.4.0/24 [254/1000] via 10.0.11.4, 00:00:51, FastEthernet1/11
O E2    20.15.7.128/25 [254/1000] via 10.0.15.5, 00:00:51, FastEthernet1/15
O E2    20.15.9.192/26 [254/1000] via 10.0.15.5, 00:00:51, FastEthernet1/15
O E2    20.15.8.240/28 [254/1000] via 10.0.11.4, 00:00:51, FastEthernet1/11
O E2    20.15.10.248/29 [254/1000] via 10.0.11.4, 00:00:53, FastEthernet1/11
O E2    20.15.11.254/32 [254/1000] via 10.0.15.5, 00:00:53, FastEthernet1/15
O E2    20.15.6.224/27 [254/1000] via 10.0.11.4, 00:00:53, FastEthernet1/11
O E2    31.7.0.0/16 [254/1000] via 10.1.6.9, 00:00:53, FastEthernet1/13
O E2    31.5.5.0/24 [254/1000] via 10.1.6.9, 00:00:53, FastEthernet1/13
O E2    31.0.0.0/8 [254/1000] via 10.1.6.9, 00:00:53, FastEthernet1/13
O E2    30.2.2.128/26 [254/1000] via 10.1.6.9, 00:00:53, FastEthernet1/13
O E2    30.2.2.192/26 [254/1000] via 10.1.6.9, 00:00:53, FastEthernet1/13
O E2    30.1.1.248/29 [254/1000] via 10.1.6.9, 00:00:53, FastEthernet1/13
O E2    30.3.3.224/27 [254/1000] via 10.1.6.9, 00:00:55, FastEthernet1/13

R7#show ip route ospf | i IA
O IA    10.10.10.10/32 [253/3] via 10.1.6.9, 00:01:18, FastEthernet1/13
O IA    10.1.10.0/24 [253/2] via 10.1.5.8, 00:01:18, FastEthernet1/10
O IA    10.1.9.0/24 [253/2] via 10.1.5.8, 00:01:18, FastEthernet1/10
O IA    10.1.13.0/24 [253/2] via 10.1.6.9, 00:01:18, FastEthernet1/13
O IA    10.1.12.0/24 [253/2] via 10.1.6.9, 00:01:18, FastEthernet1/13
O IA    10.2.1.0/24 [253/3] via 10.1.6.9, 00:01:18, FastEthernet1/13
O IA    11.11.11.11 [253/3] via 10.1.6.9, 00:01:18, FastEthernet1/13

R7#show ip route ospf | i ^O_-_-_-_ –>7 spaces
O       4.4.4.4 [252/2] via 10.0.11.4, 00:04:23, FastEthernet1/11
O       5.5.5.5 [252/2] via 10.0.15.5, 00:04:23, FastEthernet1/15
O       6.6.6.6 [252/2] via 10.1.1.6, 00:04:23, FastEthernet1/1
O       8.8.8.8 [252/2] via 10.1.5.8, 00:04:23, FastEthernet1/10
O       9.9.9.9 [252/2] via 10.1.6.9, 00:04:23, FastEthernet1/13
O       10.1.11.0/24 [252/11] via 10.1.6.9, 00:04:23, FastEthernet1/13
O       10.0.10.0/24 [252/2] via 10.0.15.5, 00:04:23, FastEthernet1/15
O       10.1.8.0/24 [252/2] via 10.1.6.9, 00:04:23, FastEthernet1/13
O       10.0.14.0/24 [252/2] via 10.0.15.5, 00:04:23, FastEthernet1/15
O       10.0.12.0/24 [252/2] via 10.0.11.4, 00:04:23, FastEthernet1/11
O       10.1.3.0/24 [252/2] via 10.1.5.8, 00:04:23, FastEthernet1/10
O       10.1.2.0/24 [252/2] via 10.1.6.9, 00:04:23, FastEthernet1/13
O       10.1.0.0/24 [252/11] via 10.1.1.6, 00:04:23, FastEthernet1/1
O       10.1.7.0/24 [252/11] via 10.1.5.8, 00:04:23, FastEthernet1/10

3. ROUTE-MAPS

Route-maps can be used under OSPF for two different purposes:

1) distribute-list route-map [route-map-name] in/out [interface]

2) redistribute [protocol] route-map [route-map-name]

With option 1) we are enhancing the matching capabilities of a distribute-list [std-ACL(numbered/named), ext-ACL(numbered only), prefix-list, gateway] with the matching capabilities of a route-map:

R11(config)#route-map TEST permit 10
R11(config-route-map)#match ?
as-path           Match BGP AS path list
clns              CLNS information
community         Match BGP community list
extcommunity      Match BGP/VPN extended community list
interface         Match first hop interface of route
ip                IP specific information
ipv6              IPv6 specific information
length            Packet length
local-preference  Local preference for route
metric            Match metric of route
mpls-label        Match routes which have MPLS labels
nlri              BGP NLRI type
policy-list       Match IP policy list
route-type        Match route-type of route
source-protocol   Match source-protocol of route
tag               Match tag of route

Of the above group of options, some are specific to the BGP protocol and others can be matched by many different protocols. Here I want to do some tests where a route-map is called by a distribute-list used as a route filter under OSPF. I’ve already done an example of invoking a route-map [calling an ext-ACL] by using a distribute-list. Here I will focus on the matching capabilities of the route-map that can be useful when used under OSPF.

TEST 2a] matching route-type

R7 installed these external routes in its RIB:

R7#show ip route ospf | i E2
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:19:26, FastEthernet1/13
O E2    32.6.0.0 [110/1000] via 10.1.6.9, 00:19:26, FastEthernet1/13
O E2    33.11.11.0/24 [110/1000] via 10.1.6.9, 00:19:26, FastEthernet1/13
O E2    33.9.9.0/25 [110/1000] via 10.1.6.9, 00:19:26, FastEthernet1/13
O E2    33.9.9.128/25 [110/1000] via 10.1.6.9, 00:19:26, FastEthernet1/13
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:19:26, FastEthernet1/15
O E2    20.15.2.0/24 [110/1000] via 10.0.11.4, 00:19:26, FastEthernet1/11
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:19:26, FastEthernet1/15
O E2    20.15.0.0/24 [110/1000] via 10.0.11.4, 00:19:26, FastEthernet1/11
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:19:26, FastEthernet1/15
O E2    20.15.4.0/24 [110/1000] via 10.0.11.4, 00:19:26, FastEthernet1/11
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:19:26, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:19:26, FastEthernet1/15
O E2    20.15.8.240/28 [110/1000] via 10.0.11.4, 00:19:26, FastEthernet1/11
O E2    20.15.10.248/29 [110/1000] via 10.0.11.4, 00:19:27, FastEthernet1/11
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:19:27, FastEthernet1/15
O E2    20.15.6.224/27 [110/1000] via 10.0.11.4, 00:19:27, FastEthernet1/11
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:19:27, FastEthernet1/13
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:19:27, FastEthernet1/13
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:19:27, FastEthernet1/13
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:19:27, FastEthernet1/13
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:19:27, FastEthernet1/13
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:19:27, FastEthernet1/13
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:19:29, FastEthernet1/13

NOTE: some of the routes have equal-cost paths to different gateways, and the output above does not show all the entries in the RIB. For example:

R7#show ip route ospf | b E2
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:23:32, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:23:32, FastEthernet1/10

Now suppose we want to filter all external routes. I can do:

R7(config)#route-map EXTERNAL deny 10
R7(config-route-map)#match route-type external
R7(config)#route-map EXTERNAL permit 20

R7(config)#router ospf 1000
R7(config-router)#distribute-list route-map EXTERNAL in

R7#show ip route ospf | i E2
[EMPTY OUTPUT]

R7#show ip route ospf
4.0.0.0/32 is subnetted, 1 subnets
O       4.4.4.4 [110/2] via 10.0.11.4, 00:00:58, FastEthernet1/11
5.0.0.0/32 is subnetted, 1 subnets
O       5.5.5.5 [110/2] via 10.0.15.5, 00:00:58, FastEthernet1/15
6.0.0.0/32 is subnetted, 1 subnets
O       6.6.6.6 [110/2] via 10.1.1.6, 00:00:58, FastEthernet1/1
8.0.0.0/32 is subnetted, 1 subnets
O       8.8.8.8 [110/2] via 10.1.5.8, 00:00:58, FastEthernet1/10
9.0.0.0/32 is subnetted, 1 subnets
O       9.9.9.9 [110/2] via 10.1.6.9, 00:00:58, FastEthernet1/13
10.0.0.0/8 is variably subnetted, 21 subnets, 2 masks
O IA    10.10.10.10/32 [110/3] via 10.1.6.9, 00:00:58, FastEthernet1/13
[110/3] via 10.1.5.8, 00:00:58, FastEthernet1/10
O       10.1.11.0/24 [110/11] via 10.1.6.9, 00:00:58, FastEthernet1/13
O       10.0.10.0/24 [110/2] via 10.0.15.5, 00:00:58, FastEthernet1/15
[110/2] via 10.0.11.4, 00:00:58, FastEthernet1/11
O IA    10.1.10.0/24 [110/2] via 10.1.5.8, 00:00:58, FastEthernet1/10
O IA    10.1.9.0/24 [110/2] via 10.1.5.8, 00:01:00, FastEthernet1/10
O       10.1.8.0/24 [110/2] via 10.1.6.9, 00:01:00, FastEthernet1/13
[110/2] via 10.1.5.8, 00:01:00, FastEthernet1/10
O       10.0.14.0/24 [110/2] via 10.0.15.5, 00:01:00, FastEthernet1/15
O IA    10.1.13.0/24 [110/2] via 10.1.6.9, 00:01:00, FastEthernet1/13
O       10.0.12.0/24 [110/2] via 10.0.11.4, 00:01:00, FastEthernet1/11
O IA    10.1.12.0/24 [110/2] via 10.1.6.9, 00:01:01, FastEthernet1/13
O       10.1.3.0/24 [110/2] via 10.1.5.8, 00:01:01, FastEthernet1/10
[110/2] via 10.1.1.6, 00:01:01, FastEthernet1/1
O IA    10.2.1.0/24 [110/3] via 10.1.6.9, 00:01:01, FastEthernet1/13
[110/3] via 10.1.5.8, 00:01:01, FastEthernet1/10
O       10.1.2.0/24 [110/2] via 10.1.6.9, 00:01:01, FastEthernet1/13
[110/2] via 10.1.1.6, 00:01:01, FastEthernet1/1
O       10.1.0.0/24 [110/11] via 10.1.1.6, 00:01:01, FastEthernet1/1
O       10.1.7.0/24 [110/11] via 10.1.5.8, 00:01:01, FastEthernet1/10
11.0.0.0/32 is subnetted, 1 subnets
O IA    11.11.11.11 [110/3] via 10.1.6.9, 00:01:01, FastEthernet1/13
[110/3] via 10.1.5.8, 00:01:01, FastEthernet1/10

External routes are removed from the RIB. Are they still in the database? Yes, they are:

R7#show ip ospf database | b Ex
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         431         0x80000004 0x00632B 4
20.15.1.0       5.5.5.5         452         0x80000004 0x004C3C 5
20.15.2.0       4.4.4.4         431         0x80000004 0x004D3F 4
20.15.3.0       5.5.5.5         451         0x80000004 0x003650 5
20.15.4.0       4.4.4.4         431         0x80000004 0x003753 4
20.15.5.0       5.5.5.5         451         0x80000004 0x002064 5
20.15.6.224     4.4.4.4         431         0x80000004 0x009D29 4
20.15.7.128     5.5.5.5         451         0x80000004 0x000879 5
20.15.8.240     4.4.4.4         431         0x80000004 0x00475D 4
20.15.9.192     5.5.5.5         451         0x80000004 0x00F00E 5
20.15.10.248    4.4.4.4         431         0x80000004 0x001181 4
20.15.11.254    5.5.5.5         451         0x80000004 0x00E797 5
30.1.1.248      11.11.11.11     603         0x80000004 0x004636 11
30.2.2.128      10.10.10.10     454         0x80000004 0x009E91 10
30.2.2.192      10.10.10.10     456         0x80000004 0x001CD3 10
30.3.3.224      11.11.11.11     605         0x80000004 0x007830 11
31.0.0.0        10.10.10.10     455         0x80000004 0x004034 10
31.5.5.0        11.11.11.11     605         0x80000004 0x00C0A4 11
31.7.0.0        11.11.11.11     605         0x80000004 0x00DF88 11
32.4.0.0        10.10.10.10     455         0x80000004 0x00036C 10
32.6.0.0        10.10.10.10     455         0x80000004 0x00EA82 10
33.9.9.0        10.10.10.10     457         0x80000004 0x005986 10
33.9.9.128      11.11.11.11     606         0x80000004 0x004812 11
33.11.11.0      11.11.11.11     606         0x80000004 0x001C3B 11

As route-type options for OSPF we have:

R7(config-route-map)#match route-type ?
external       external route (BGP, EIGRP and OSPF type 1/2)
internal       internal route (including OSPF intra/inter area)
nssa-external  nssa-external route (OSPF type 1/2)

TEST 2b] match ip next-hop

Matching ip next-hop is equivalent to matching the gateway of the routes. For example:

R7#show ip route ospf | i via 10.0.15.5
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:02:04, FastEthernet1/15
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:02:04, FastEthernet1/15
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:02:04, FastEthernet1/15
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:02:04, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:02:04, FastEthernet1/15
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:02:04, FastEthernet1/15
O       5.5.5.5 [110/2] via 10.0.15.5, 00:02:04, FastEthernet1/15
O       10.0.10.0/24 [110/2] via 10.0.15.5, 00:02:04, FastEthernet1/15
O       10.0.14.0/24 [110/2] via 10.0.15.5, 00:02:04, FastEthernet1/15

I can filter all these routes via 10.0.15.5 with this configuration:

R7(config)#ip access-list standard R5
R7(config-std-nacl)#5 permit 10.0.15.5 0.0.0.0

R7(config)#route-map FILTER deny 10
R7(config-route-map)#match ip next-hop R5
R7(config)#route-map FILTER permit 20

R7(config)#router ospf 1000
R7(config-router)#distribute-list route-map FILTER in 

R7#show ip route ospf | i via 10.0.15.5
[EMPTY OUTPUT]

TEST 2c] match ip route-source

One more time, take a look at the external routes installed into R7’s RIB:

R7#show ip route | i E2
E1 – OSPF external type 1, E2 – OSPF external type 2
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:15:51, FastEthernet1/13
O E2    32.6.0.0 [110/1000] via 10.1.6.9, 00:15:51, FastEthernet1/13
O E2    33.11.11.0/24 [110/1000] via 10.1.6.9, 00:15:51, FastEthernet1/13
O E2    33.9.9.0/25 [110/1000] via 10.1.6.9, 00:15:51, FastEthernet1/13
O E2    33.9.9.128/25 [110/1000] via 10.1.6.9, 00:15:51, FastEthernet1/13
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:15:51, FastEthernet1/15
O E2    20.15.2.0/24 [110/1000] via 10.0.11.4, 00:15:51, FastEthernet1/11
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:15:51, FastEthernet1/15
O E2    20.15.0.0/24 [110/1000] via 10.0.11.4, 00:15:51, FastEthernet1/11
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:15:51, FastEthernet1/15
O E2    20.15.4.0/24 [110/1000] via 10.0.11.4, 00:15:51, FastEthernet1/11
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:15:51, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:15:51, FastEthernet1/15
O E2    20.15.8.240/28 [110/1000] via 10.0.11.4, 00:15:53, FastEthernet1/11
O E2    20.15.10.248/29 [110/1000] via 10.0.11.4, 00:15:53, FastEthernet1/11
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:15:53, FastEthernet1/15
O E2    20.15.6.224/27 [110/1000] via 10.0.11.4, 00:15:53, FastEthernet1/11
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:15:53, FastEthernet1/13
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:15:53, FastEthernet1/13
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:15:53, FastEthernet1/13
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:15:53, FastEthernet1/13
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:15:53, FastEthernet1/13
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:15:55, FastEthernet1/13
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:15:55, FastEthernet1/13

Networks 20.15.x.0/24 with x = [0,2,4,6..10] are injected into OSPF by R4 (4.4.4.4)

R7#show ip ospf database external 20.15.4.0

OSPF Router with ID (7.7.7.7) (Process ID 1000)

Type-5 AS External Link States

  Routing Bit Set on this LSA
LS age: 1795
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 20.15.4.0 (External Network Number )
  Advertising Router: 4.4.4.4 –> Route-Source
LS Seq Number: 80000001
Checksum: 0x3D50
Length: 36
Network Mask: /24
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 0.0.0.0
External Route Tag: 4

I can filter out from RIB of R7 all these external routes with this configuration:

R7(config)#ip access-list standard R4
R7(config-std-nacl)#5 permit 4.4.4.4 0.0.0.0

R7(config)#route-map FILTER deny 10
R7(config-route-map)#match ip route-source R4
R7(config)#route-map FILTER permit 20

R7(config)#router ospf 1000
R7(config-router)#distribute-list route-map FILTER in

R7#show ip route | i E2
E1 – OSPF external type 1, E2 – OSPF external type 2
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:00:05, FastEthernet1/13
O E2    32.6.0.0 [110/1000] via 10.1.6.9, 00:00:05, FastEthernet1/13
O E2    33.11.11.0/24 [110/1000] via 10.1.6.9, 00:00:05, FastEthernet1/13
O E2    33.9.9.0/25 [110/1000] via 10.1.6.9, 00:00:05, FastEthernet1/13
O E2    33.9.9.128/25 [110/1000] via 10.1.6.9, 00:00:05, FastEthernet1/13
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:00:05, FastEthernet1/15
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:00:05, FastEthernet1/15
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:00:05, FastEthernet1/15
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:00:05, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:00:05, FastEthernet1/15
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:00:05, FastEthernet1/15
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:00:05, FastEthernet1/13
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:00:05, FastEthernet1/13
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:00:07, FastEthernet1/13
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:00:07, FastEthernet1/13
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:00:07, FastEthernet1/13
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:00:07, FastEthernet1/13
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:00:07, FastEthernet1/13

No more routes are coming via 10.0.11.4.

————————————- NOTE ——————————————-
Here 10.0.11.4 was the gateway IP address of all these routes and not the route source. What would happen if I matched this address instead of 4.4.4.4 with the route-source option?

R7(config)#router ospf 1000
R7(config-router)#no distribute-list route-map FILTER in

R7(config)#ip access-list standard R4
R7(config-std-nacl)#no 5 permit 4.4.4.4 0.0.0.0
R7(config-std-nacl)#5 permit 10.0.11.4 0.0.0.0

R7#show run | s ip access
ip access-list standard R4
permit 10.0.11.4

R7#show run | s route-map
route-map FILTER deny 10
match ip route-source R4
route-map FILTER permit 20

R7(config)#router ospf 1000
R7(config-router)#distribute-list route-map FILTER in

Here is the result:

R7#show ip route | i E2
E1 – OSPF external type 1, E2 – OSPF external type 2
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:05:38, FastEthernet1/13
O E2    32.6.0.0 [110/1000] via 10.1.6.9, 00:05:38, FastEthernet1/13
O E2    33.11.11.0/24 [110/1000] via 10.1.6.9, 00:05:38, FastEthernet1/13
O E2    33.9.9.0/25 [110/1000] via 10.1.6.9, 00:05:38, FastEthernet1/13
O E2    33.9.9.128/25 [110/1000] via 10.1.6.9, 00:05:38, FastEthernet1/13
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:05:38, FastEthernet1/15
O E2    20.15.2.0/24 [110/1000] via 10.0.11.4, 00:05:38, FastEthernet1/11
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:05:38, FastEthernet1/15
O E2    20.15.0.0/24 [110/1000] via 10.0.11.4, 00:05:38, FastEthernet1/11
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:05:38, FastEthernet1/15
O E2    20.15.4.0/24 [110/1000] via 10.0.11.4, 00:05:38, FastEthernet1/11
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:05:38, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:05:38, FastEthernet1/15
O E2    20.15.8.240/28 [110/1000] via 10.0.11.4, 00:05:41, FastEthernet1/11
O E2    20.15.10.248/29 [110/1000] via 10.0.11.4, 00:05:41, FastEthernet1/11
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:05:41, FastEthernet1/15
O E2    20.15.6.224/27 [110/1000] via 10.0.11.4, 00:05:41, FastEthernet1/11
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:05:41, FastEthernet1/13
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:05:41, FastEthernet1/13
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:05:41, FastEthernet1/13
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:05:41, FastEthernet1/13
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:05:41, FastEthernet1/13
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:05:43, FastEthernet1/13
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:05:43, FastEthernet1/13

Routes “via 10.0.11.4” are still in the RIB of R7. One more time, pay attention to the difference between the gateway IP of a route and its route-source. With other IGP protocols this distinction is not so important because the gateway IP of the route is equivalent to the route-source:

R11#show ip route 10.2.9.0
Routing entry for 10.2.9.0/24
Known via “eigrp 2”, distance 90, metric 307200, type internal
Redistributing via eigrp 2, ospf 1000
Last update from 10.2.4.254 on FastEthernet0/0, 00:48:56 ago
Routing Descriptor Blocks:
* 10.2.4.254, from 10.2.4.254, 00:48:56 ago, via FastEthernet0/0
Route metric is 307200, traffic share count is 1
Total delay is 2000 microseconds, minimum bandwidth is 10000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 1

R11#show ip eigrp neighbors
IP-EIGRP neighbors for process 2
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
0   10.2.4.254              Fa0/0             10 00:47:04 1467  5000  0  3

10.2.4.254 is PE3, which has EIGRP router-id 3.0.0.254, but the EIGRP router-id is not taken into account in the topological information of the EIGRP protocol.

R11#show ip route 20.15.4.0
Routing entry for 20.15.4.0/24
Known via “ospf 1000”, distance 110, metric 1000
Tag 4, type extern 2, forward metric 3
Last update from 10.1.9.8 on FastEthernet1/9, 00:44:42 ago
Routing Descriptor Blocks:
* 10.1.13.9, from 4.4.4.4, 00:44:42 ago, via FastEthernet1/15
Route metric is 1000, traffic share count is 1
Route tag 4
10.1.9.8, from 4.4.4.4, 00:44:42 ago, via FastEthernet1/9
Route metric is 1000, traffic share count is 1
Route tag 4

For network 20.15.4.0 R11 has two exit points (gateways), 10.1.13.9 and 10.1.9.8, but both paths are seen by R11 as injected into OSPF by R4 with router-id 4.4.4.4 (route-source).
———————————– END NOTE ——————————————

TEST 2c] match metric

I can use the metric of the routes as a matching option. For example, all external routes are injected with metric 1000:

R7#show ip route ospf | i \/1000
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:00:34, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:34, FastEthernet1/10
O E2    32.6.0.0 [110/1000] via 10.1.6.9, 00:00:34, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:34, FastEthernet1/10
O E2    33.11.11.0/24 [110/1000] via 10.1.6.9, 00:00:34, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:34, FastEthernet1/10
O E2    33.9.9.0/25 [110/1000] via 10.1.6.9, 00:00:34, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:34, FastEthernet1/10
O E2    33.9.9.128/25 [110/1000] via 10.1.6.9, 00:00:34, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:34, FastEthernet1/10
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:00:34, FastEthernet1/15
O E2    20.15.2.0/24 [110/1000] via 10.0.11.4, 00:00:34, FastEthernet1/11
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:00:34, FastEthernet1/15
O E2    20.15.0.0/24 [110/1000] via 10.0.11.4, 00:00:34, FastEthernet1/11
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:00:36, FastEthernet1/15
O E2    20.15.4.0/24 [110/1000] via 10.0.11.4, 00:00:36, FastEthernet1/11
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:00:36, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:00:36, FastEthernet1/15
O E2    20.15.8.240/28 [110/1000] via 10.0.11.4, 00:00:36, FastEthernet1/11
O E2    20.15.10.248/29 [110/1000] via 10.0.11.4, 00:00:36, FastEthernet1/11
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:00:36, FastEthernet1/15
O E2    20.15.6.224/27 [110/1000] via 10.0.11.4, 00:00:36, FastEthernet1/11
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:00:36, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:36, FastEthernet1/10
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:00:38, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:38, FastEthernet1/10
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:00:38, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:38, FastEthernet1/10
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:00:38, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:38, FastEthernet1/10
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:00:38, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:38, FastEthernet1/10
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:00:38, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:38, FastEthernet1/10
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:00:38, FastEthernet1/13
[110/1000] via 10.1.5.8, 00:00:38, FastEthernet1/10

We can simply filter them in this way:

R7#show run | s route-map
route-map FILTER deny 10
match metric 1000
route-map FILTER permit 20

R7(config)#router ospf 1000
R7(config-router)#distribute-list route-map FILTER in

R7#show ip route ospf | i \/1000
[EMPTY OUTPUT]

NOTE: The option “match metric external” is valid for EIGRP, where in the topology base I can read the external protocol and external metric information.

TEST 2d] match tag

If routes are tagged (for example, I tagged all routes redistributed into OSPF with tags 4, 5, 10 and 11) and I want to filter, for example, the routes with tag 5 (tagged by R5), I can do:

R7(config)#router ospf 1000
R7(config-router)#no distribute-list route-map FILTER in

R7(config)#route-map FILTER deny 10
R7(config-route-map)#no match metric 1000
R7(config-route-map)#match tag 5

R7(config)#router ospf 1000
R7(config-router)#distribute-list route-map FILTER in

R7#show ip route ospf | i E2
O E2    32.4.0.0 [110/1000] via 10.1.6.9, 00:00:14, FastEthernet1/13
O E2    32.6.0.0 [110/1000] via 10.1.6.9, 00:00:14, FastEthernet1/13
O E2    33.11.11.0/24 [110/1000] via 10.1.6.9, 00:00:14, FastEthernet1/13
O E2    33.9.9.0/25 [110/1000] via 10.1.6.9, 00:00:14, FastEthernet1/13
O E2    33.9.9.128/25 [110/1000] via 10.1.6.9, 00:00:14, FastEthernet1/13
O E2    20.15.2.0/24 [110/1000] via 10.0.11.4, 00:00:14, FastEthernet1/11
O E2    20.15.0.0/24 [110/1000] via 10.0.11.4, 00:00:14, FastEthernet1/11
O E2    20.15.4.0/24 [110/1000] via 10.0.11.4, 00:00:14, FastEthernet1/11
O E2    20.15.8.240/28 [110/1000] via 10.0.11.4, 00:00:14, FastEthernet1/11
O E2    20.15.10.248/29 [110/1000] via 10.0.11.4, 00:00:14, FastEthernet1/11
O E2    20.15.6.224/27 [110/1000] via 10.0.11.4, 00:00:14, FastEthernet1/11
O E2    31.7.0.0/16 [110/1000] via 10.1.6.9, 00:00:14, FastEthernet1/13
O E2    31.5.5.0/24 [110/1000] via 10.1.6.9, 00:00:14, FastEthernet1/13
O E2    31.0.0.0/8 [110/1000] via 10.1.6.9, 00:00:14, FastEthernet1/13
O E2    30.2.2.128/26 [110/1000] via 10.1.6.9, 00:00:16, FastEthernet1/13
O E2    30.2.2.192/26 [110/1000] via 10.1.6.9, 00:00:16, FastEthernet1/13
O E2    30.1.1.248/29 [110/1000] via 10.1.6.9, 00:00:16, FastEthernet1/13
O E2    30.3.3.224/27 [110/1000] via 10.1.6.9, 00:00:16, FastEthernet1/13

All networks 20.15.x.0/24 with x=[1,3,5,7..11] are filtered out from the RIB.
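The matching logic exercised in TEST 2a to 2d can be modelled offline. The Python below is an added example, not part of the original lab or of IOS: the Route class, the function names and the sample routes are hypothetical, the routes are constructed from the R7 outputs above, and the route-source given to the two internal routes is an assumption because the page shows it only for external LSAs.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: str
    route_type: str    # "internal" (O and O IA) or "external" (E1/E2)
    next_hop: str      # gateway shown after "via" in the RIB
    route_source: str  # router ID in the LSA's "Advertising Router" field
    metric: int
    tag: int = 0


def acl_permits(acl, address):
    """Standard ACL as (action, address, wildcard) entries: first match wins, implicit deny."""
    addr = int(IPv4Address(address))
    for action, base, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF  # bits that must be equal
        if addr & care == int(IPv4Address(base)) & care:
            return action == "permit"
    return False


def clause_matches(match, route, acls):
    """Every match condition of a clause must hold; an empty clause matches any route."""
    for key, value in match.items():
        if key == "route-type" and route.route_type != value:
            return False
        if key == "ip next-hop" and not acl_permits(acls[value], route.next_hop):
            return False
        if key == "ip route-source" and not acl_permits(acls[value], route.route_source):
            return False
        if key == "metric" and route.metric != value:
            return False
        if key == "tag" and route.tag != value:
            return False
    return True


def distribute_list_in(route_map, routes, acls=None):
    """Routes that reach the RIB. The input list (the LSDB view) is never modified."""
    acls = acls or {}
    rib = []
    for route in routes:
        for _seq, action, match in sorted(route_map, key=lambda clause: clause[0]):
            if clause_matches(match, route, acls):
                if action == "permit":
                    rib.append(route)
                break  # first matching clause decides; no match at all is an implicit deny
    return rib


# Constructed sample taken from the R7 outputs above (not a full copy of the RIB).
LSDB_ROUTES = [
    Route("20.15.4.0/24", "external", "10.0.11.4", "4.4.4.4", 1000, 4),
    Route("20.15.3.0/24", "external", "10.0.15.5", "5.5.5.5", 1000, 5),
    Route("31.7.0.0/16", "external", "10.1.6.9", "11.11.11.11", 1000, 11),
    Route("10.0.14.0/24", "internal", "10.0.15.5", "5.5.5.5", 2),   # source assumed
    Route("10.1.9.0/24", "internal", "10.1.5.8", "8.8.8.8", 2),     # source assumed
]
PERMIT_REST = (20, "permit", {})  # "route-map ... permit 20" with no match statement


def filtered_out(deny_match, acls=None):
    """Prefixes kept out of the RIB by 'deny 10 <deny_match>' followed by 'permit 20'."""
    rib = distribute_list_in([(10, "deny", deny_match), PERMIT_REST], LSDB_ROUTES, acls)
    return [r.prefix for r in LSDB_ROUTES if r not in rib]


if __name__ == "__main__":
    r4_router_id = {"R4": [("permit", "4.4.4.4", "0.0.0.0")]}
    r4_gateway = {"R4": [("permit", "10.0.11.4", "0.0.0.0")]}
    print("route-source 4.4.4.4  :", filtered_out({"ip route-source": "R4"}, r4_router_id))
    print("route-source 10.0.11.4:", filtered_out({"ip route-source": "R4"}, r4_gateway))
    print("still in LSDB         :", len(LSDB_ROUTES), "routes")
```

Running it shows the same pitfall as the NOTE above: an ACL holding the gateway address never matches under route-source, so nothing is filtered, and in every case the LSDB list keeps all its entries.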

4. FILTERING WITH SUMMARIZATION

Summarizing prefixes can be considered a way to filter more specific networks from being advertised through the OSPF domain. In OSPF two types of summarization are available:

1] Inter-Area Summarization

2] External Route Summarization

TEST 1a]

I configured OSPF domain with internal links in this way:

networks are 10.0.x.0/24 – 10.1.x.0/24 – 10.2.x.0/24

Inter-Area Summarization can be done at ABRs. The command to use is AREA RANGE. Let’s see an example:

R7(config)#router ospf 1000
R7(config-router)#area 1 range 10.0.0.0 255.255.0.0

The “area x range” command defines a range of addresses matched by [network-add][wildcard], when used as in the example:

a – it defines that 10.0.0.0/16 is part of OSPF Area 1.
b – it creates a Type 3 Summary LSA about that prefix-range in OSPF database for different Areas.
c – it creates a route to Null0 interface in the routing table.
d – it suppresses all Type 3 Summary LSAs that represent more specific networks in different Areas.

a) in other words the network defined by the range command works as if it was generated by an internal router in Area1.

b) being an ABR (areas: 1, 0), R7 installs a Type 3 Summary LSA about that network in areas that are different (Area 0) from the area (Area 2) where the network was originated:

R7#show ip ospf database summary 10.0.0.0 adv-router 7.7.7.7

OSPF Router with ID (7.7.7.7) (Process ID 1000)

Summary Net Link States (Area 0)

LS age: 1341
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 10.0.0.0 (summary Network Number)
Advertising Router: 7.7.7.7
LS Seq Number: 80000001
Checksum: 0x3ED7
Length: 28
Network Mask: /16
TOS: 0  Metric: 1

c)

R7#show ip route 10.0.0.0 255.255.0.0
Routing entry for 10.0.0.0/16
Known via “ospf 1000”, distance 110, metric 0, type intra area
Routing Descriptor Blocks:
* directly connected, via Null0
Route metric is 0, traffic share count is 1

d) Compare which Type 3 Summary LSAs R7 is injecting into OSPF database for Area 0 before and after the area range command is configured with or without the not-advertise option

cdrf-rf-ospf-pic4

The “not-advertise” option is the one that makes it possible to filter routes with a summarization command.

NOTE: In this case we are not only filtering routes out of the RIB but also preventing the associated LSAs from propagating. For example, if I configured the same command “area 1 range 10.0.0.0 255.255.0.0 not-advertise” on R6 too, on R9/R8 I wouldn’t see any routing info about networks/subnets of 10.0.0.0/16:

R6(config)#router ospf 1000
R6(config-router)#area 1 range 10.0.0.0 255.255.0.0 not-advertise

R9#show ip route 10.0.0.0
Routing entry for 10.0.0.0/8, 16 known subnets
Attached (6 connections)
Variably subnetted with 2 masks

O       10.10.10.10/32 [110/2] via 10.1.12.10, 01:35:23, FastEthernet1/9
C       10.1.11.0/24 is directly connected, FastEthernet0/1
O       10.1.10.0/24 [110/2] via 10.1.12.10, 01:35:23, FastEthernet1/9
O       10.1.9.0/24 [110/2] via 10.1.13.11, 01:35:23, FastEthernet1/15
C       10.1.8.0/24 is directly connected, FastEthernet1/1
C       10.1.13.0/24 is directly connected, FastEthernet1/15
C       10.1.12.0/24 is directly connected, FastEthernet1/9
O       10.1.3.0/24 [110/2] via 10.1.8.8, 01:34:50, FastEthernet1/1
[110/2] via 10.1.2.6, 01:34:50, FastEthernet1/10
O       10.2.1.0/24 [110/2] via 10.1.13.11, 01:35:23, FastEthernet1/15
[110/2] via 10.1.12.10, 01:35:23, FastEthernet1/9
C       10.1.2.0/24 is directly connected, FastEthernet1/10
O       10.1.1.0/24 [110/2] via 10.1.6.7, 01:34:50, FastEthernet1/13
[110/2] via 10.1.2.6, 01:34:50, FastEthernet1/10
O       10.1.0.0/24 [110/11] via 10.1.2.6, 01:34:50, FastEthernet1/10
O       10.1.7.0/24 [110/11] via 10.1.8.8, 01:34:53, FastEthernet1/1
C       10.1.6.0/24 is directly connected, FastEthernet1/13
O       10.1.5.0/24 [110/2] via 10.1.8.8, 01:34:53, FastEthernet1/1
[110/2] via 10.1.6.7, 01:34:53, FastEthernet1/13
O       10.1.4.0/24 [110/11] via 10.1.6.7, 01:34:53, FastEthernet1/13

Neither the network range 10.0.0.0/16 nor its more specific subnets are present on R9. Associated LSAs are suppressed too:

R6#show ip ospf database | b Summary
Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
4.4.4.4         6.6.6.6         1810        0x80000003 0x002CE4
4.4.4.4         7.7.7.7         1929        0x80000003 0x000EFE
5.5.5.5         6.6.6.6         1810        0x80000003 0x00FD0F
5.5.5.5         7.7.7.7         1930        0x80000003 0x00DF29
10.1.9.0        8.8.8.8         1809        0x80000003 0x00AC59
10.1.9.0        9.9.9.9         1836        0x80000003 0x009868
10.1.10.0       8.8.8.8         1811        0x80000003 0x00A163
10.1.10.0       9.9.9.9         1836        0x80000003 0x008D72
10.1.12.0       8.8.8.8         1809        0x80000003 0x00956C
10.1.12.0       9.9.9.9         1836        0x80000003 0x006D91
10.1.13.0       8.8.8.8         1809        0x80000003 0x008A76
10.1.13.0       9.9.9.9         1836        0x80000003 0x00629B
10.2.1.0        8.8.8.8         1809        0x80000003 0x000309
10.2.1.0        9.9.9.9         1836        0x80000003 0x00E423
10.10.10.10     8.8.8.8         1811        0x80000003 0x00DA16
10.10.10.10     9.9.9.9         1838        0x80000003 0x00BC30
11.11.11.11     8.8.8.8         1811        0x80000003 0x00AC40
11.11.11.11     9.9.9.9         1838        0x80000003 0x008E5A

So using area range with the not-advertise option I can hide networks originated in one area from another area. Of course this filtering must be done on all ABRs looking into an area; for example, if I configure not-advertise only on R7, the more specific subnets will still be advertised by R6.

NOTE: this is only an example; completely hiding net 10.x.x.x may not make much sense in this context.
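The need to configure every ABR can be checked with a small model of points b) and d) above. This Python is an added example, not the original lab's code or an IOS implementation: the function names are hypothetical, the Area 1 prefix list is constructed from the 10.0.x.0/24 addressing and the loopbacks seen in the outputs, and both ABRs are assumed to see the same Area 1 prefixes. Summary metrics are not modelled.

```python
from ipaddress import ip_network

# Constructed sample: intra-area prefixes of Area 1 as seen by both ABRs (R6 and R7).
AREA1_PREFIXES = [
    "10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24", "10.0.14.0/24", "10.0.15.0/24",
    "4.4.4.4/32", "5.5.5.5/32",
]


def type3_lsas(intra_area_prefixes, ranges=()):
    """Prefixes one ABR originates as Type 3 Summary LSAs into the other area.

    ranges: iterable of (network, not_advertise) pairs, one per 'area 1 range' line.
    """
    parsed = [(ip_network(net), not_adv) for net, not_adv in ranges]
    advertised = set()
    for prefix in map(ip_network, intra_area_prefixes):
        covering = [(net, not_adv) for net, not_adv in parsed if prefix.subnet_of(net)]
        if not covering:
            advertised.add(prefix)          # no range applies: advertise as is
            continue
        net, not_adv = max(covering, key=lambda item: item[0].prefixlen)
        if not not_adv:
            advertised.add(net)             # component suppressed, summary sent instead
        # with not-advertise neither the component nor the summary is originated
    return advertised


def area0_view(abr_ranges, area1_prefixes=AREA1_PREFIXES):
    """Summary LSAs present in Area 0 as {prefix: [advertising ABRs]}."""
    view = {}
    for abr, ranges in abr_ranges.items():
        for prefix in type3_lsas(area1_prefixes, ranges):
            view.setdefault(str(prefix), []).append(abr)
    return {prefix: sorted(abrs) for prefix, abrs in view.items()}


def leaked_specifics(view, summary):
    """More specific prefixes of 'summary' that are still advertised into Area 0."""
    net = ip_network(summary)
    return sorted(p for p in view if ip_network(p) != net and ip_network(p).subnet_of(net))


if __name__ == "__main__":
    hide = [("10.0.0.0/16", True)]   # area 1 range 10.0.0.0 255.255.0.0 not-advertise
    only_r7 = area0_view({"R6": [], "R7": hide})
    both = area0_view({"R6": hide, "R7": hide})
    print("not-advertise on R7 only, still visible:", leaked_specifics(only_r7, "10.0.0.0/16"))
    print("not-advertise on R6 and R7, still visible:", leaked_specifics(both, "10.0.0.0/16"))
    print("loopback summaries remain:", both)
```

With the range on R7 only, all five /24 subnets are still present in Area 0 with R6 as the advertising router; with it on both ABRs only the 4.4.4.4 and 5.5.5.5 summaries remain, which matches the R6 database output above.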

TEST 2a]

The same concept of suppressing (summarizing) Type 3 LSAs seen with the area range command can be extended to external routes, summarizing/suppressing Type 5 and Type 7 LSAs.

R7 knows about these external networks injected into OSPF by the two ASBRs R5 and R4:

R7#show ip route | i 20.15
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:04:52, FastEthernet1/15
O E2    20.15.2.0/24 [110/1000] via 10.0.11.4, 00:04:52, FastEthernet1/11
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:04:52, FastEthernet1/15
O E2    20.15.0.0/24 [110/1000] via 10.0.11.4, 00:04:52, FastEthernet1/11
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:04:52, FastEthernet1/15
O E2    20.15.4.0/24 [110/1000] via 10.0.11.4, 00:04:52, FastEthernet1/11
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:04:52, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:04:52, FastEthernet1/15
O E2    20.15.8.240/28 [110/1000] via 10.0.11.4, 00:04:52, FastEthernet1/11
O E2    20.15.10.248/29 [110/1000] via 10.0.11.4, 00:04:52, FastEthernet1/11
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:04:52, FastEthernet1/15
O E2    20.15.6.224/27 [110/1000] via 10.0.11.4, 00:04:52, FastEthernet1/11

Since Area 1 is a normal area, all the LSAs describing those routes are Type 5 LSA:

R5#show ip ospf database external adv-router 5.5.5.5 | i Link State
Type-5 AS External Link States
Link State ID: 20.15.1.0 (External Network Number )
Link State ID: 20.15.3.0 (External Network Number )
Link State ID: 20.15.5.0 (External Network Number )
Link State ID: 20.15.7.128 (External Network Number )
Link State ID: 20.15.9.192 (External Network Number )
Link State ID: 20.15.11.254 (External Network Number )

R4#show ip ospf database external adv-router 4.4.4.4 | i Link State
Type-5 AS External Link States
Link State ID: 20.15.0.0 (External Network Number )
Link State ID: 20.15.2.0 (External Network Number )
Link State ID: 20.15.4.0 (External Network Number )
Link State ID: 20.15.6.224 (External Network Number )
Link State ID: 20.15.8.240 (External Network Number )
Link State ID: 20.15.10.248 (External Network Number )

On ASBR routers I can use the summary-address command to summarize external routes into an OSPF area:

R4(config-router)#summary-address ?
A.B.C.D  IP summary address

R4(config-router)#summary-address 20.15.0.0 ?
A.B.C.D  Summary mask

R4(config-router)#summary-address 20.15.0.0 255.255.0.0 ?
not-advertise  Do not advertise when translating OSPF type-7 LSA
tag            Set tag
<cr>

R4(config-router)#summary-address 20.15.0.0 255.255.0.0 tag 4

After this configuration I have:

R4#show ip ospf database external adv-router 4.4.4.4 | i Link State
Type-5 AS External Link States
Link State ID: 20.15.0.0 (External Network Number )

Only the summary is present as Type 5 LSA in OSPF database. The summary is tagged with tag 4.

R4#show ip ospf database external 20.15.0.0

OSPF Router with ID (4.4.4.4) (Process ID 1000)

Type-5 AS External Link States

LS age: 170
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 20.15.0.0 (External Network Number )
Advertising Router: 4.4.4.4
LS Seq Number: 80000005
Checksum: 0x612C
Length: 36
  Network Mask: /16
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 0.0.0.0
External Route Tag: 4

R7#show ip route | i 20.15
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:24:19, FastEthernet1/15
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:24:19, FastEthernet1/15
O E2    20.15.0.0/16 [110/1000] via 10.0.11.4, 00:03:40, FastEthernet1/11
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:24:19, FastEthernet1/15
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:24:19, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:24:19, FastEthernet1/15
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:24:19, FastEthernet1/15

Doing the same on R5:

R5(config)#router ospf 1000
R5(config-router)#summary-address 20.15.0.0 255.255.0.0 tag 5

R7#show ip route | b 20.15
O E2    20.15.0.0 [110/1000] via 10.0.15.5, 00:01:30, FastEthernet1/15
[110/1000] via 10.0.11.4, 00:01:30, FastEthernet1/11

R7#show ip ospf database | b 20.15
20.15.0.0       4.4.4.4         222         0x80000006 0x005F2D 4
20.15.0.0       5.5.5.5         215         0x80000001 0x005D2F 5

Again using the not-advertise option I can totally filter the summary-range and its more specific subnets:

R4(config)#router ospf 1000
R4(config-router)#summary-address 20.15.0.0 255.255.0.0 not-advertise

R4#show ip ospf database external adv-router 4.4.4.4 | i Link State

R7#show ip route | b 20.15
O E2    20.15.0.0 [110/1000] via 10.0.15.5, 00:04:00, FastEthernet1/15

The summary from R4 is gone.

This type of filtering for external routes is valid for Type 7 LSAs too, when external routes are originated in an NSSA area. For example, I can do a similar test for the networks 30.x.x.x injected into the OSPF database by routers R10 and R11. Before doing that, I change OSPF Area 2 into an NSSA area:

R9(config)#router ospf 1000
R9(config-router)#area 2 nssa

R8(config)#router ospf 1000
R8(config-router)#area 2 nssa

R10(config)#router ospf 1000
R10(config-router)#area 2 nssa

R11(config)#router ospf 1000
R11(config-router)#area 2 nssa 

Now ASBRs R10 and R11 generate Type 7 LSAs:

R10#show ip ospf database | b Ex
Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
30.1.1.248      11.11.11.11     188         0x80000001 0x00DF69 11
30.2.2.128      10.10.10.10     159         0x80000001 0x0006FA 10
30.2.2.192      10.10.10.10     159         0x80000001 0x00833D 10
30.3.3.224      11.11.11.11     188         0x80000001 0x001263 11
31.0.0.0        10.10.10.10     159         0x80000001 0x00A79D 10
31.5.5.0        11.11.11.11     188         0x80000001 0x005AD7 11
31.7.0.0        11.11.11.11     188         0x80000001 0x0079BB 11
32.4.0.0        10.10.10.10     159         0x80000001 0x006AD5 10
32.6.0.0        10.10.10.10     159         0x80000001 0x0052EB 10
33.9.9.0        10.10.10.10     159         0x80000001 0x00C0EF 10
33.9.9.128      11.11.11.11     188         0x80000001 0x00E145 11
33.11.11.0      11.11.11.11     188         0x80000001 0x00B56E 11

R11#show ip ospf database | b Ex
Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
30.1.1.248      11.11.11.11     234         0x80000001 0x00DF69 11
30.2.2.128      10.10.10.10     209         0x80000001 0x0006FA 10
30.2.2.192      10.10.10.10     209         0x80000001 0x00833D 10
30.3.3.224      11.11.11.11     234         0x80000001 0x001263 11
31.0.0.0        10.10.10.10     209         0x80000001 0x00A79D 10
31.5.5.0        11.11.11.11     234         0x80000001 0x005AD7 11
31.7.0.0        11.11.11.11     234         0x80000001 0x0079BB 11
32.4.0.0        10.10.10.10     209         0x80000001 0x006AD5 10
32.6.0.0        10.10.10.10     209         0x80000001 0x0052EB 10
33.9.9.0        10.10.10.10     209         0x80000001 0x00C0EF 10
33.9.9.128      11.11.11.11     234         0x80000001 0x00E145 11
33.11.11.0      11.11.11.11     234         0x80000001 0x00B56E 11

R9, being the Area 2 ABR with the higher IP address (compared to R8), translates these Type 7 LSAs into Type 5:

R8#show ip ospf database | b Ex
Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
30.1.1.248      11.11.11.11     400         0x80000001 0x00DF69 11
30.2.2.128      10.10.10.10     373         0x80000001 0x0006FA 10
30.2.2.192      10.10.10.10     373         0x80000001 0x00833D 10
30.3.3.224      11.11.11.11     400         0x80000001 0x001263 11
31.0.0.0        10.10.10.10     373         0x80000001 0x00A79D 10
31.5.5.0        11.11.11.11     400         0x80000001 0x005AD7 11
31.7.0.0        11.11.11.11     400         0x80000001 0x0079BB 11
32.4.0.0        10.10.10.10     373         0x80000001 0x006AD5 10
32.6.0.0        10.10.10.10     373         0x80000001 0x0052EB 10
33.9.9.0        10.10.10.10     373         0x80000001 0x00C0EF 10
33.9.9.128      11.11.11.11     400         0x80000001 0x00E145 11
33.11.11.0      11.11.11.11     400         0x80000001 0x00B56E 11

Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         10          0x80000001 0x002174 0
20.15.0.0       5.5.5.5         799         0x80000002 0x005B30 5
30.1.1.248      9.9.9.9         384         0x80000001 0x00B0AA 11
30.2.2.128      9.9.9.9         366         0x80000001 0x00B856 10
30.2.2.192      9.9.9.9         366         0x80000001 0x003698 10
30.3.3.224      9.9.9.9         386         0x80000001 0x00E2A4 11
31.0.0.0        9.9.9.9         367         0x80000001 0x005AF8 10
31.5.5.0        9.9.9.9         386         0x80000001 0x002B19 11
31.7.0.0        9.9.9.9         386         0x80000001 0x004AFC 11
32.4.0.0        9.9.9.9         367         0x80000001 0x001D31 10
32.6.0.0        9.9.9.9         367         0x80000001 0x000547 10
33.9.9.0        9.9.9.9         367         0x80000001 0x00734B 10
33.9.9.128      9.9.9.9         386         0x80000001 0x00B286 11
33.11.11.0      9.9.9.9         386         0x80000001 0x0086AF 11 

Now if I summarize on R10 and R11:

R10(config)#router ospf 1000
R10(config-router)#summary-address 30.0.0.0 254.0.0.0 tag 10
R10(config-router)#summary-address 32.0.0.0 254.0.0.0 tag 10

R11(config)#router ospf 1000
R11(config-router)#summary-address 30.0.0.0 254.0.0.0 tag 11
R11(config-router)#summary-address 32.0.0.0 254.0.0.0 tag 11

R8#show ip ospf database | b Ex
Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
30.0.0.0        10.10.10.10     861         0x80000002 0x00AF96 10
30.0.0.0        11.11.11.11     815         0x80000003 0x00D368 11
32.0.0.0        10.10.10.10     861         0x80000002 0x0095AE 10
32.0.0.0        11.11.11.11     815         0x80000003 0x00B980 11

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         772         0x80000003 0x00652A 4
20.15.0.0       5.5.5.5         209         0x80000004 0x005732 5
30.0.0.0        9.9.9.9         85          0x80000006 0x009EAC 11 –> R9 makes the Type7/Type5 conversion because it has a higher IP address than R8
32.0.0.0        9.9.9.9         85          0x80000006 0x0084C4 11 –> R9 makes the Type7/Type5 conversion because it has a higher IP address than R8

On R7, for example, I see:

R7#show ip ospf database | b Ex
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         838         0x80000003 0x00652A 4
20.15.0.0       5.5.5.5         275         0x80000004 0x005732 5
30.0.0.0        9.9.9.9         152         0x80000006 0x009EAC 11
32.0.0.0        9.9.9.9         153         0x80000006 0x0084C4 11

——————- NOTE ——————-
Since the metric from R9 to R10 and to R11 is the same, R9 converts the Type 7 LSAs from R11 because R11 has a higher Router-ID than R10. If you want to set R10 as the exit point, it is enough to make the R9 to R10 metric better than the R9 to R11 metric, for example:

R9(config)#int fa1/15
R9(config-if)#ip ospf cost 1000

R9#show ip ospf border-routers | i i 1
i 10.10.10.10 [1] via 10.1.12.10, FastEthernet1/9, ASBR, Area 2, SPF 13
i 11.11.11.11 [2] via 10.1.12.10, FastEthernet1/9, ASBR, Area 2, SPF 13

R7#show ip ospf database | b Ex
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         1347        0x80000003 0x00652A 4
20.15.0.0       5.5.5.5         784         0x80000004 0x005732 5
30.0.0.0        9.9.9.9         92          0x80000007 0x0058F6 10
32.0.0.0        9.9.9.9         92          0x80000007 0x003E0F 10 –> Now we exit toward R10

—————– END NOTE ——————-

Coming back to the filtering scenario, suppose I now want to exclude the summary ranges too, hiding all this routing info from Area 2:

R11(config)#router ospf 1000
R11(config-router)#summary-address 30.0.0.0 254.0.0.0 not-advertise
R11(config-router)#summary-address 32.0.0.0 254.0.0.0 not-advertise

R10(config)#router ospf 1000
R10(config-router)#summary-address 30.0.0.0 254.0.0.0 not-advertise
R10(config-router)#summary-address 32.0.0.0 254.0.0.0 not-advertise

R7#show ip ospf database | b Ex
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         1673        0x80000003 0x00652A 4
20.15.0.0       5.5.5.5         1110        0x80000004 0x005732 5

Networks (30,31,32,33).x.x.x are filtered.

To recap:

– Area Range [net-add][net-mask] Not-Advertise –> Filter LSAs Type 3 from the database for the range and for all subnets of the range

– Summary-address [net-add][net-mask] Not-Advertise –> Filter LSAs Type 5 or Type 7 from the database for the summary and for all subnets of the summary.
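The two recap rules can be checked offline before touching an ASBR. The following is an added example, not configuration or code from the original tests: a simplified Python model of `summary-address ... tag N` versus `summary-address ... not-advertise`. The function name, the tag 0 on the unsummarized routes and the assumption that configured ranges do not overlap are mine; the prefixes are the ones shown in the outputs above (only those whose mask is visible on the page).

```python
import ipaddress


def originate_externals(redistributed, summaries):
    """Model which external LSAs an ASBR originates.

    redistributed: [(prefix, tag)] routes being redistributed into OSPF.
    summaries:     [(network, mask, tag, advertise)] mirroring
                   'summary-address NET MASK tag N' (advertise=True) or
                   'summary-address NET MASK not-advertise' (advertise=False).
    Returns (lsas, hidden): the LSAs originated as (prefix, tag) and the
    component prefixes that no longer get an LSA of their own.
    Assumption: the configured ranges do not overlap each other.
    """
    ranges = [(ipaddress.ip_network(f"{net}/{mask}"), tag, adv)
              for net, mask, tag, adv in summaries]
    lsas, hidden, active = [], [], set()
    for prefix, tag in redistributed:
        p = ipaddress.ip_network(prefix)
        rng = next((r for r in ranges if p.subnet_of(r[0])), None)
        if rng is None:
            lsas.append((str(p), tag))   # outside every range: own LSA
        else:
            hidden.append(str(p))        # component is suppressed
            active.add(rng)              # range has at least one component
    for rng in ranges:
        net, tag, adv = rng
        if rng in active and adv:
            lsas.append((str(net), tag))  # one LSA for the whole range
    lsas.sort(key=lambda lsa: ipaddress.ip_network(lsa[0]))
    return lsas, hidden


# Routes redistributed by R4 (prefixes from the page, tag 0 is constructed).
R4_ROUTES = [("20.15.0.0/24", 0), ("20.15.2.0/24", 0), ("20.15.4.0/24", 0),
             ("20.15.6.224/27", 0), ("20.15.8.240/28", 0),
             ("20.15.10.248/29", 0)]

# Subset of R10's redistributed routes whose masks are visible on the page.
R10_ROUTES = [("30.2.2.128/26", 10), ("30.2.2.192/26", 10),
              ("31.0.0.0/8", 10), ("33.9.9.0/25", 10)]

# Mask 254.0.0.0 is a /7: 30.0.0.0 covers 30.x and 31.x, 32.0.0.0 covers
# 32.x and 33.x, which is why four first octets disappear with two commands.
R10_SUMMARIES = [("30.0.0.0", "254.0.0.0", 10, True),
                 ("32.0.0.0", "254.0.0.0", 10, True)]

if __name__ == "__main__":
    print(originate_externals(R4_ROUTES, [("20.15.0.0", "255.255.0.0", 4, True)]))
    print(originate_externals(R10_ROUTES, R10_SUMMARIES))
    print(originate_externals(R4_ROUTES, [("20.15.0.0", "255.255.0.0", None, False)]))
```

The `hidden` list is the part worth reviewing in a change request: with not-advertise, any prefix redistributed later that falls inside the range disappears from the domain without any further configuration change.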

5. LSA TYPE-3 FILTERING

So far I verified that filtering in OSPF can be done in the RIB with the techniques available for IGP protocols (distribute-list, ACLs, prefix-list, route-map), but these tools only filter routes from the RIB of a router; they cannot filter LSAs from the database and so cannot stop their propagation. Using summarization with the not-advertise option instead, I can filter LSAs (Type-3 with the area range command, Type-5/Type-7 with the summary-address command).

One more option is available to filter Type-3 LSAs coming into or going out of an area: the FILTER-LIST. A filter-list is applied PER AREA on ABR routers. The following picture shows the Type-3 LSAs on R7 before any filtering.

cdrf-rf-ospf-pic5

Filter-List can be applied in two directions:

IN –>  Filter LSAs before they are injected into an Area
OUT –> Filter LSAs before they leave an Area

TEST 5a]
Suppose we want to remove from Area 1 the routes originated in Area 2. The Type-3 Summary LSAs associated with these routes are injected into Area 0 by ABRs R8 and R9, then propagated through Area 0 to the other ABRs R6 and R7, and then R6 and R7 inject these LSAs into Area 1. I want to configure R7 to stop injecting these LSAs into Area 1.

R7(config)#ip prefix-list AREA2-ROUTES deny 10.1.9.0/24
R7(config)#ip prefix-list AREA2-ROUTES deny 10.1.10.0/24
R7(config)#ip prefix-list AREA2-ROUTES deny 10.1.12.0/24
R7(config)#ip prefix-list AREA2-ROUTES deny 10.1.13.0/24
R7(config)#ip prefix-list AREA2-ROUTES deny 10.2.1.0/24
R7(config)#ip prefix-list AREA2-ROUTES deny 10.10.10.10/32
R7(config)#ip prefix-list AREA2-ROUTES deny 11.11.11.11/32
R7(config)#ip prefix-list AREA2-ROUTES permit 0.0.0.0/0 le 32

R7(config)#router ospf 1000
R7(config-router)#area 1 filter-list prefix ?
WORD  Name of an IP prefix-list

R7(config-router)#area 1 filter-list prefix AREA2-ROUTES ?
in   Filter networks sent to this area
out  Filter networks sent from this area

R7(config-router)#area 1 filter-list prefix AREA2-ROUTES in

After this configuration I have:

cdrf-rf-ospf-pic6

These LSAs are no longer injected into Area 1 by R7 (so they are no longer received by other routers in Area 1).

10.1.9.0        7.7.7.7         1526        0x8000000B 0x00C43C
10.1.10.0       7.7.7.7         1022        0x8000000E 0x00B349
10.1.12.0       7.7.7.7         1022        0x8000000C 0x00A15B
10.1.13.0       7.7.7.7         773         0x80000010 0x008E69
10.2.1.0        7.7.7.7         1287        0x80000005 0x0027E5
10.10.10.10     7.7.7.7         1025        0x80000006 0x00FCF3
11.11.11.11     7.7.7.7         1287        0x80000005 0x00D01D

R7 filters them as it receives them through Area 0, before installing them into Area 1. I can get the same effect by filtering the same LSAs as they leave Area 2 on ABRs R8 and R9: this prevents them from being injected into Area 0 by R8 and R9, so they never reach R7 (see below):

TEST 5b]

R9#show ip prefix
ip prefix-list AREA2-ROUTES: 8 entries
seq 5 deny 10.1.9.0/24
seq 10 deny 10.1.10.0/24
seq 15 deny 10.1.12.0/24
seq 20 deny 10.1.13.0/24
seq 25 deny 10.2.1.0/24
seq 30 deny 10.10.10.10/32
seq 35 deny 11.11.11.11/32
seq 40 permit 0.0.0.0/0 le 32

R9(config)#router ospf 1000
R9(config-router)#area 2 filter-list prefix AREA2-ROUTES out

R8(config)#ip prefix-list AREA2-ROUTES seq 5 deny 10.1.9.0/24
R8(config)#ip prefix-list AREA2-ROUTES seq 10 deny 10.1.10.0/24
R8(config)#ip prefix-list AREA2-ROUTES seq 15 deny 10.1.12.0/24
R8(config)#ip prefix-list AREA2-ROUTES seq 20 deny 10.1.13.0/24
R8(config)#ip prefix-list AREA2-ROUTES seq 25 deny 10.2.1.0/24
R8(config)#ip prefix-list AREA2-ROUTES seq 30 deny 10.10.10.10/32
R8(config)#ip prefix-list AREA2-ROUTES seq 35 deny 11.11.11.11/32
R8(config)#ip prefix-list AREA2-ROUTES seq 40 permit 0.0.0.0/0 le 32

R8(config)#router ospf 1000
R8(config-router)#area 2 filter-list prefix AREA2-ROUTES out

In the following picture you can see that R8 and R9 prevent the matched LSAs from leaving Area 2 and being injected into Area 0. Since they are not present in Area 0, they are not flooded through it, so they cannot reach R7 and R6 and cannot be injected into Area 1 by R6 and R7 either.

cdrf-rf-ospf-pic7

The following picture should clarify the in/out filter logic.

cdrf-rf-ospf-pic8

Let’s do some further tests.

TEST 5c]

R7 is the ABR for Areas 0 and 1. By default it takes the intra-area routes of Area 1, converts them into Type-3 LSAs and injects them into Area 0. See below the Area 0 Summary LSAs in the OSPF database on R7 and R6:

cdrf-rf-ospf-pic9

We can see that R7 and R6 have injected into Area 0 Type-3 Summary LSAs for routes from Area 1 and Area 2. I can prevent Area 1 routes from entering the Area 0 Summary section of the OSPF database by filtering out all routes as they leave Area 1:

R7(config)#ip prefix AREA1-ROUTES deny 0.0.0.0/0 le 32

R6(config)#ip prefix AREA1-ROUTES deny 0.0.0.0/0 le 32 

R7(config)#router ospf 1000
R7(config-router)#area 1 filter-list prefix AREA1-ROUTES out

R6(config)#router ospf 1000
R6(config-router)#area 1 filter-list prefix AREA1-ROUTES out

The prefix-list AREA1-ROUTES denies every possible route, but I’m not preventing every route from entering the OSPF database: only the routes originating in Area 1 and ready to be sent by R7 and R6 into other areas (in this case Area 0) are affected. It might seem that by denying everything we are blocking all routes; instead we are telling R7 and R6: “Block all Type-3 LSAs generated from a route learned from Area 1 and ready to be sent to another area”.

You can compare database before and after this filtering action here:

cdrf-rf-ospf-pic10

Since I blocked all Area 1 routes on the ABRs responsible for propagating them, in the form of LSAs, through the OSPF domain, no other routers will receive those routes.

TEST 5d]

If I want to move the filtering barrier for Area 1 forward, I can try to filter the routes as they enter Area 0 on R6 and R7. Below you can see the OSPF database for Summary LSAs in Area 0 of R7 and R6:

cdrf-rf-ospf-pic11

R7#show run | s ip prefix
ip prefix-list AREA1-ROUTES seq 5 deny 4.4.4.4/32
ip prefix-list AREA1-ROUTES seq 10 deny 5.5.5.5/32
ip prefix-list AREA1-ROUTES seq 15 deny 10.0.0.0/16 ge 24
ip prefix-list AREA1-ROUTES seq 20 permit 0.0.0.0/0 le 32

R6#show run | s ip prefix
ip prefix-list AREA1-ROUTES seq 5 deny 4.4.4.4/32
ip prefix-list AREA1-ROUTES seq 10 deny 5.5.5.5/32
ip prefix-list AREA1-ROUTES seq 15 deny 10.0.0.0/16 ge 24
ip prefix-list AREA1-ROUTES seq 20 permit 0.0.0.0/0 le 32

R7(config)#router ospf 1000
R7(config-router)#area 0 filter-list prefix AREA1-ROUTES in

R6(config)#router ospf 1000
R6(config-router)#area 0 filter-list prefix AREA1-ROUTES in

You can compare the OSPF database before and after the filtering action here:

cdrf-rf-ospf-pic12

TEST 5e]

If I now let the routes from Area 1 flood through Area 0, I can block them at R8 and R9 as they leave Area 0, before they are injected into Area 2. See the OSPF database on R8 and R9 before any filtering:

cdrf-rf-ospf-pic13

ip prefix-list AREA1-ROUTES seq 5 deny 4.4.4.4/32
ip prefix-list AREA1-ROUTES seq 10 deny 5.5.5.5/32
ip prefix-list AREA1-ROUTES seq 15 deny 10.0.0.0/16 ge 24
ip prefix-list AREA1-ROUTES seq 20 permit 0.0.0.0/0 le 32

R8(config)#router ospf 1000
R8(config-router)#area 0 filter-list prefix AREA1-ROUTES out

R9(config)#router ospf 1000
R9(config-router)#area 0 filter-list prefix AREA1-ROUTES out

After the filter, I can see that the database for Area 0 doesn’t change, while the matched LSAs are denied from entering the Area 2 database on R8 and R9.

cdrf-rf-ospf-pic14

——————- NOTE ———————–

– When you configure area X filter-list prefix [prefix-name] OUT:
  – you are not changing the database of Area X but the database of the other areas
  – you look at the database of Area X and, for matching LSAs, prevent those LSAs from going out to other areas

– When you configure area X filter-list prefix [prefix-name] IN:
  – you are changing the database of Area X
  – you look at the database of the other areas and, for matching LSAs, prevent those LSAs from being injected into Area X

– Filtering is always done between different areas, never inside the SAME AREA

– If one router has more than 2 areas connected, filtering OUT from one area blocks the LSAs in all the other areas. If you want to filter LSAs so that they cannot reach only one of these other areas, use IN filtering on the area where you want to block the LSAs.

—————– END NOTE ———————

TEST 5f]

I can get the same result as TEST 5e] by filtering the same LSAs on R8 and R9, but with the IN option for Area 2:

ip prefix-list AREA1-ROUTES seq 5 deny 4.4.4.4/32
ip prefix-list AREA1-ROUTES seq 10 deny 5.5.5.5/32
ip prefix-list AREA1-ROUTES seq 15 deny 10.0.0.0/16 ge 24
ip prefix-list AREA1-ROUTES seq 20 permit 0.0.0.0/0 le 32

R8(config)#router ospf 1000
R8(config-router)#area 2 filter-list prefix AREA1-ROUTES in

cdrf-rf-ospf-pic15

To recap the tests made:

TEST 5a] – R7(config-router)#area 1 filter-list prefix AREA2-ROUTES in
TEST 5b] – R8(config-router)#area 2 filter-list prefix AREA2-ROUTES out
TEST 5c] – R7(config-router)#area 1 filter-list prefix AREA1-ROUTES out
TEST 5d] – R7(config-router)#area 0 filter-list prefix AREA1-ROUTES in
TEST 5e] – R9(config-router)#area 0 filter-list prefix AREA1-ROUTES out
TEST 5f] – R8(config-router)#area 2 filter-list prefix AREA1-ROUTES in
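The in/out logic of the NOTE and the ge/le matching used by the AREA1-ROUTES prefix-list can be dry-run before a filter-list is applied on an ABR. The following is an added example, not code from the original tests: a simplified Python model in which every candidate Type-3 LSA is described by the area the ABR learned the route through and the area it would be injected into. The three-area ABR (Areas 0, 2 and a hypothetical Area 3), the /24 masks of the sample subnets and all function names are assumptions.

```python
import ipaddress
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    action: str                 # "permit" or "deny"
    network: str                # e.g. "10.0.0.0/16"
    ge: Optional[int] = None
    le: Optional[int] = None


def entry_matches(entry, prefix):
    """IOS prefix-list match: leading bits must agree, length must be in range."""
    net = ipaddress.ip_network(entry.network)
    p = ipaddress.ip_network(prefix)
    if entry.ge is None and entry.le is None:
        lo = hi = net.prefixlen                      # exact length only
    else:
        lo = entry.ge if entry.ge is not None else net.prefixlen
        hi = entry.le if entry.le is not None else 32
    return p.network_address in net and lo <= p.prefixlen <= hi


def permits(plist, prefix):
    """First matching entry wins; no match means implicit deny."""
    for entry in plist:
        if entry_matches(entry, prefix):
            return entry.action == "permit"
    return False


def type3_originated(candidates, filters, plists):
    """candidates: [(prefix, learned_via_area, target_area)].
    filters: {(area, "in" | "out"): prefix-list name}, one per area/direction.
    OUT is checked against the area the route comes from, IN against the
    area the LSA would be injected into."""
    kept = []
    for prefix, src, dst in candidates:
        out_name = filters.get((src, "out"))
        in_name = filters.get((dst, "in"))
        if out_name and not permits(plists[out_name], prefix):
            continue
        if in_name and not permits(plists[in_name], prefix):
            continue
        kept.append((prefix, src, dst))
    return kept


PLISTS = {
    # AREA1-ROUTES as shown in TEST 5d/5e/5f
    "AREA1-ROUTES": [Entry("deny", "4.4.4.4/32"), Entry("deny", "5.5.5.5/32"),
                     Entry("deny", "10.0.0.0/16", ge=24),
                     Entry("permit", "0.0.0.0/0", le=32)],
    # the single-entry list of TEST 5c
    "DENY-ALL": [Entry("deny", "0.0.0.0/0", le=32)],
}

# Constructed sample: an ABR attached to Areas 0, 2 and 3 (Area 3 is
# hypothetical) that learned three prefixes through Area 0.
CANDIDATES = [(p, 0, dst)
              for p in ("4.4.4.4/32", "10.0.11.0/24", "10.1.5.0/24")
              for dst in (2, 3)]

if __name__ == "__main__":
    print(type3_originated(CANDIDATES, {(0, "out"): "AREA1-ROUTES"}, PLISTS))
    print(type3_originated(CANDIDATES, {(2, "in"): "AREA1-ROUTES"}, PLISTS))
```

Note that `10.0.0.0/16 ge 24` does not match the /16 itself, so a summary 10.0.0.0/16 for Area 1 would still pass this prefix-list.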

6. FORWARDING ADDRESS SUPPRESSION

Area 2 is configured for NSSA operation. In this context the NSSA ABRs (R8, R9) are in charge of the Type 7 to Type 5 LSA conversion; more precisely, R9 makes the conversion because it has a higher Router-ID (9.9.9.9) than R8:

R9#show ip ospf database | b Type-7
Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
30.1.1.248      11.11.11.11     1555        0x80000001 0x00DF69 11
30.2.2.128      10.10.10.10     280         0x80000001 0x0006FA 10
30.2.2.192      10.10.10.10     280         0x80000001 0x00833D 10
30.3.3.224      11.11.11.11     1555        0x80000001 0x001263 11
31.0.0.0        10.10.10.10     280         0x80000001 0x00A79D 10
31.5.5.0        11.11.11.11     1555        0x80000001 0x005AD7 11
31.7.0.0        11.11.11.11     1555        0x80000001 0x0079BB 11
32.4.0.0        10.10.10.10     280         0x80000001 0x006AD5 10
32.6.0.0        10.10.10.10     280         0x80000001 0x0052EB 10
33.9.9.0        10.10.10.10     280         0x80000001 0x00C0EF 10
33.9.9.128      11.11.11.11     1555        0x80000001 0x00E145 11
33.11.11.0      11.11.11.11     1555        0x80000001 0x00B56E 11

R9#show ip ospf database | b Type-5
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
………………………………………………………….
30.1.1.248      9.9.9.9         308         0x80000001 0x00B0AA 11
30.2.2.128      9.9.9.9         308         0x80000001 0x00B856 10
30.2.2.192      9.9.9.9         309         0x80000001 0x003698 10
30.3.3.224      9.9.9.9         309         0x80000001 0x00E2A4 11
31.0.0.0        9.9.9.9         309         0x80000001 0x005AF8 10
31.5.5.0        9.9.9.9         309         0x80000001 0x002B19 11
31.7.0.0        9.9.9.9         309         0x80000001 0x004AFC 11
32.4.0.0        9.9.9.9         309         0x80000001 0x001D31 10
32.6.0.0        9.9.9.9         309         0x80000001 0x000547 10
33.9.9.0        9.9.9.9         311         0x80000001 0x00734B 10
33.9.9.128      9.9.9.9         311         0x80000001 0x00B286 11
33.11.11.0      9.9.9.9         311         0x80000001 0x0086AF 11

If I look at two of these routes:

R9#show ip ospf database nssa-external 30.1.1.248

OSPF Router with ID (9.9.9.9) (Process ID 1000)

Type-7 AS External Link States (Area 2)

Routing Bit Set on this LSA
LS age: 1895
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 30.1.1.248 (External Network Number )
Advertising Router: 11.11.11.11
LS Seq Number: 80000005
Checksum: 0xD76D
Length: 36
Network Mask: /29
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 11.11.11.11
External Route Tag: 11

R9#show ip ospf database external 30.1.1.248    

OSPF Router with ID (9.9.9.9) (Process ID 1000)

  Type-5 AS External Link States

LS age: 403
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 30.1.1.248 (External Network Number )
Advertising Router: 9.9.9.9
LS Seq Number: 80000001
Checksum: 0xB0AA
Length: 36
Network Mask: /29
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 11.11.11.11
External Route Tag: 11

R9#show ip ospf database nssa-external 30.2.2.128

OSPF Router with ID (9.9.9.9) (Process ID 1000)

Type-7 AS External Link States (Area 2)

  Routing Bit Set on this LSA
LS age: 729
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 30.2.2.128 (External Network Number )
Advertising Router: 10.10.10.10
LS Seq Number: 80000005
Checksum: 0xFDFE
Length: 36
Network Mask: /26
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 10.10.10.10
External Route Tag: 10

R9#show ip ospf database external 30.2.2.128

OSPF Router with ID (9.9.9.9) (Process ID 1000)

Type-5 AS External Link States

LS age: 603
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 30.2.2.128 (External Network Number )
Advertising Router: 9.9.9.9
LS Seq Number: 80000001
Checksum: 0xB856
Length: 36
Network Mask: /26
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 1000
Forward Address: 10.10.10.10
External Route Tag: 10

I can see here that R9 sets as Forwarding Address the IPs 10.10.10.10 and 11.11.11.11, which are the ASBRs’ IP addresses. The Forwarding Address affects how routers in the OSPF domain exit the domain toward the external routes; for example, look at how R7 sees the paths to these networks:

R7#show ip route 30.1.1.248
Routing entry for 30.1.1.248/29
Known via “ospf 1000”, distance 110, metric 1000
Tag 11, type extern 2, forward metric 3
Last update from 10.1.6.9 on FastEthernet1/13, 00:00:58 ago
Routing Descriptor Blocks:
10.1.6.9, from 9.9.9.9, 00:00:58 ago, via FastEthernet1/13
Route metric is 1000, traffic share count is 1
Route tag 11
* 10.1.5.8, from 9.9.9.9, 00:00:58 ago, via FastEthernet1/10
Route metric is 1000, traffic share count is 1
Route tag 11

R7#show ip route 30.2.2.128
Routing entry for 30.2.2.128/26
Known via “ospf 1000”, distance 110, metric 1000
Tag 10, type extern 2, forward metric 3
Last update from 10.1.6.9 on FastEthernet1/13, 00:01:29 ago
Routing Descriptor Blocks:
* 10.1.6.9, from 9.9.9.9, 00:01:29 ago, via FastEthernet1/13
Route metric is 1000, traffic share count is 1
Route tag 10
10.1.5.8, from 9.9.9.9, 00:01:29 ago, via FastEthernet1/10
Route metric is 1000, traffic share count is 1
Route tag 10

R7 has two equal-cost paths to both networks. For both networks R7 sees R9 as the originator of the OSPF routing info (from 9.9.9.9) because R9 is doing the Type-7/Type-5 translation. The two paths are there because R7 sees R11 (11.11.11.11) as the exit point for the first network and R10 for the second one. In other words, R7 knows that it must reach R11/R10 to reach those networks. Don’t be confused here: the exit point is not R9 (9.9.9.9) but the routers that own the Forwarding Address. R7 has two available paths to 11.11.11.11 and 10.10.10.10:

R7#show ip route 11.11.11.11
Routing entry for 11.11.11.11/32
Known via “ospf 1000”, distance 110, metric 3, type inter area
Last update from 10.1.6.9 on FastEthernet1/13, 00:08:33 ago
Routing Descriptor Blocks:
10.1.6.9, from 9.9.9.9, 00:08:33 ago, via FastEthernet1/13
Route metric is 3, traffic share count is 1
* 10.1.5.8, from 8.8.8.8, 00:08:33 ago, via FastEthernet1/10
Route metric is 3, traffic share count is 1

R7#show ip route 10.10.10.10
Routing entry for 10.10.10.10/32
Known via “ospf 1000”, distance 110, metric 3, type inter area
Last update from 10.1.5.8 on FastEthernet1/10, 01:22:11 ago
Routing Descriptor Blocks:
* 10.1.6.9, from 9.9.9.9, 01:22:11 ago, via FastEthernet1/13
Route metric is 3, traffic share count is 1
10.1.5.8, from 8.8.8.8, 01:22:11 ago, via FastEthernet1/10
Route metric is 3, traffic share count is 1

This is why 30.1.1.248/29 and 30.2.2.128/26 have two IP gateways (two available paths) in the routing table. As evidence of this, the show ip route command for the external networks shows “forward metric 3”, and 3 is the metric R7 needs to reach R11 and R10 (not R9).

So the installation of the two routes into the RIB of R7 strictly depends on the IP reachability of these Forwarding Addresses; if the Forwarding Addresses are not reachable, the external routes will not be installed into the RIB.

We can use this concept to filter external routes by suppressing the reachability of the forwarding address.

IP addresses 11.11.11.11 and 10.10.10.10 are Area 2 addresses injected by R10 and R11 into the OSPF database. As learned in section 4 (Filtering with Summarization), one way to filter these addresses is to use an area range command in Area 2 with the not-advertise option, in this way:

R7#show ip ospf database | b Summary
Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
10.10.10.10     8.8.8.8         1485        0x80000003 0x00DA16
10.10.10.10     9.9.9.9         1562        0x80000003 0x00BC30
11.11.11.11     8.8.8.8         1100        0x80000001 0x00B03E
11.11.11.11     9.9.9.9         1085        0x80000001 0x009258

The Forwarding Addresses are known as Type-3 Summary LSAs coming from R8 and R9 (the ABRs of Area 2). Now I filter with the area range command on R9:

R9(config)#router ospf 1000
R9(config-router)#area 2 range 11.11.11.11 255.255.255.255 not-advertise

Here I’m suppressing the Forwarding Address of R11 (11.11.11.11). Look at R7:

R7#show ip route 30.1.1.248  
Routing entry for 30.1.1.248/29
Known via “ospf 1000”, distance 110, metric 1000
Tag 11, type extern 2, forward metric 3
Last update from 10.1.5.8 on FastEthernet1/10, 00:00:56 ago
Routing Descriptor Blocks:
* 10.1.5.8, from 9.9.9.9, 00:00:56 ago, via FastEthernet1/10
Route metric is 1000, traffic share count is 1
Route tag 11

Network 30.1.1.248/29 has only one path available. Why? Because R7 lost the path to 11.11.11.11 via R9, and only the path via R8 is valid.

R7#show ip route 11.11.11.11
Routing entry for 11.11.11.11/32
Known via “ospf 1000”, distance 110, metric 3, type inter area
Last update from 10.1.5.8 on FastEthernet1/10, 00:04:09 ago
Routing Descriptor Blocks:
* 10.1.5.8, from 8.8.8.8, 00:04:09 ago, via FastEthernet1/10
Route metric is 3, traffic share count is 1

The other route is still safe because I haven’t filtered anything about 10.10.10.10 yet.

R7#show ip route 30.2.2.128
Routing entry for 30.2.2.128/26
Known via “ospf 1000”, distance 110, metric 1000
Tag 10, type extern 2, forward metric 3
Last update from 10.1.6.9 on FastEthernet1/13, 00:05:34 ago
Routing Descriptor Blocks:
* 10.1.6.9, from 9.9.9.9, 00:05:34 ago, via FastEthernet1/13
Route metric is 1000, traffic share count is 1
Route tag 10
10.1.5.8, from 9.9.9.9, 00:05:34 ago, via FastEthernet1/10
Route metric is 1000, traffic share count is 1
Route tag 10

Now if I complete the filtering on R9 and R8 for both Forwarding Addresses in this way:

R9(config)#router ospf 1000
R9(config-router)#area 2 range 11.11.11.11 255.255.255.255 not-advertise
R9(config-router)#area 2 range 10.10.10.10 255.255.255.255 not-advertise

R8(config)#router ospf 1000
R8(config-router)#area 2 range 11.11.11.11 255.255.255.255 not-advertise
R8(config-router)#area 2 range 10.10.10.10 255.255.255.255 not-advertise

R7#show ip route 10.10.10.10
% Subnet not in table

R7#show ip route 11.11.11.11
% Network not in table

The Forwarding Addresses are suppressed and:

R7#show ip route 30.1.1.248
% Network not in table

R7#show ip route 30.2.2.128
% Network not in table

Looking at more routes:

R7#show ip route | i \/1000   –> NOTE all external routes are redistributed with metric 1000 so I can see all of them in this way
O E2    20.15.3.0/24 [110/1000] via 10.0.15.5, 00:01:39, FastEthernet1/15
O E2    20.15.2.0/24 [110/1000] via 10.0.11.4, 00:01:39, FastEthernet1/11
O E2    20.15.1.0/24 [110/1000] via 10.0.15.5, 00:01:39, FastEthernet1/15
O E2    20.15.0.0/24 [110/1000] via 10.0.11.4, 00:01:39, FastEthernet1/11
O E2    20.15.5.0/24 [110/1000] via 10.0.15.5, 00:01:39, FastEthernet1/15
O E2    20.15.4.0/24 [110/1000] via 10.0.11.4, 00:01:39, FastEthernet1/11
O E2    20.15.7.128/25 [110/1000] via 10.0.15.5, 00:01:39, FastEthernet1/15
O E2    20.15.9.192/26 [110/1000] via 10.0.15.5, 00:01:39, FastEthernet1/15
O E2    20.15.8.240/28 [110/1000] via 10.0.11.4, 00:01:39, FastEthernet1/11
O E2    20.15.10.248/29 [110/1000] via 10.0.11.4, 00:01:39, FastEthernet1/11
O E2    20.15.11.254/32 [110/1000] via 10.0.15.5, 00:01:39, FastEthernet1/15
O E2    20.15.6.224/27 [110/1000] via 10.0.11.4, 00:01:39, FastEthernet1/11

You can see that suppressing the forwarding addresses lets me filter all external routes injected into the OSPF domain that use those forwarding addresses as exit points.
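The external routes disappear because of the forwarding-address check in the OSPF route calculation (RFC 2328, section 16.4): an external LSA with a non-zero forwarding address is used only if that address resolves through an intra-area or inter-area route. The Python model below is an added example, not part of the original lab. The prefix-to-forwarding-address pairing follows the text; the 20.15.0.0/24 entry with forwarding address 0.0.0.0 and the 10.1.5.0/24 link are constructed.

```python
import ipaddress

# Assumed pairing of prefix -> forwarding address (FA), following the text;
# 20.15.0.0/24 with FA 0.0.0.0 and the 10.1.5.0/24 link are constructed.
EXTERNALS = [
    ("30.1.1.248/29", "11.11.11.11"),
    ("30.2.2.128/26", "10.10.10.10"),
    ("20.15.0.0/24", "0.0.0.0"),
]
BEFORE = [("10.10.10.10/32", "inter"), ("11.11.11.11/32", "inter"),
          ("10.1.5.0/24", "intra")]
AFTER = [("10.1.5.0/24", "intra")]  # both /32s hidden by "not-advertise"


def installable(external_lsas, routing_table):
    """Return the external prefixes that pass the forwarding-address check.

    routing_table holds (prefix, path_type) pairs, path_type being
    "intra", "inter" or "external".
    """
    table = [(ipaddress.ip_network(p), t) for p, t in routing_table]
    usable = []
    for prefix, fa in external_lsas:
        addr = ipaddress.ip_address(fa)
        if addr.is_unspecified:
            # FA 0.0.0.0: traffic is sent to the ASBR (assumed reachable here).
            usable.append(prefix)
            continue
        matches = [(net, t) for net, t in table if addr in net]
        if not matches:
            continue  # no route to the FA: the LSA is ignored
        _, path_type = max(matches, key=lambda m: m[0].prefixlen)
        # Only an intra-area or inter-area path to the FA is acceptable.
        if path_type in ("intra", "inter"):
            usable.append(prefix)
    return usable


if __name__ == "__main__":
    print("before:", installable(EXTERNALS, BEFORE))
    print("after: ", installable(EXTERNALS, AFTER))
    # A default route learned as external does not rescue the lookup.
    print("default:", installable(EXTERNALS, AFTER + [("0.0.0.0/0", "external")]))
```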

7. NSSA ABR EXTERNAL PREFIX FILTERING

In step 4 – Filtering with Summarization – I learned that with the command summary-address [net-add] [net-mask] not-advertise configured on an ASBR I can filter external routes injected into the OSPF domain. Here I want to review some further details for when an NSSA area is in use.

Area 2 is configured as an NSSA; the ASBRs are R10 and R11, which redistribute EIGRP routes into OSPF:

R11#show ip route | i (O N2)
O N2    32.4.0.0 [110/1000] via 10.2.1.10, 00:12:00, FastEthernet1/1
O N2    32.6.0.0 [110/1000] via 10.2.1.10, 00:12:00, FastEthernet1/1
O N2    33.9.9.0/25 [110/1000] via 10.2.1.10, 00:12:00, FastEthernet1/1
O N2    31.0.0.0/8 [110/1000] via 10.2.1.10, 00:12:00, FastEthernet1/1
O N2    30.2.2.128/26 [110/1000] via 10.2.1.10, 00:12:00, FastEthernet1/1
O N2    30.2.2.192/26 [110/1000] via 10.2.1.10, 00:12:00, FastEthernet1/1

R10#show ip route | i (O N2)
O N2    33.11.11.0/24 [110/1000] via 10.2.1.11, 00:14:07, FastEthernet1/1
O N2    33.9.9.128/25 [110/1000] via 10.2.1.11, 00:14:07, FastEthernet1/1
O N2    31.7.0.0/16 [110/1000] via 10.2.1.11, 00:14:07, FastEthernet1/1
O N2    31.5.5.0/24 [110/1000] via 10.2.1.11, 00:14:07, FastEthernet1/1
O N2    30.1.1.248/29 [110/1000] via 10.2.1.11, 00:14:07, FastEthernet1/1
O N2    30.3.3.224/27 [110/1000] via 10.2.1.11, 00:14:07, FastEthernet1/1

Generally speaking, external routes in OSPF can be filtered at the routers where they are originated; normally this is the ASBR, regardless of which type of area the ASBR resides in. Let’s repeat the example of filtering at the ASBRs in the Area 2 NSSA. Before doing that, look at the routing information installed on R10, R11 (ASBRs) and R8, R9 (ABRs):

cdrf-rf-ospf-pic16

R10 and R11 send Type-7 LSAs to R8 and R9 with the [Type 7/5 translation] bit set. R9 does the translation, so R8 sees the routes as E2 and not as N2 like R9 does.

When I filter on ASBR with summary-address in this way:

R10(config)#router ospf 1000
R10(config-router)#summary-address 30.0.0.0 254.0.0.0 not-advertise
R10(config-router)#summary-address 32.0.0.0 254.0.0.0 not-advertise

R11(config)#router ospf 1000
R11(config-router)#summary-address 30.0.0.0 254.0.0.0 not-advertise
R11(config-router)#summary-address 32.0.0.0 254.0.0.0 not-advertise

I’m removing the Type-7 LSAs at the two ASBRs, so the routes are removed entirely from the NSSA area:

R11#show ip ospf database | b Type-7

R10#show ip ospf database | b Type-7

R9#show ip ospf database | b Type-7

R9#show ip ospf database | b Type-5
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         1421        0x80000004 0x00632B 4
20.15.1.0       5.5.5.5         1454        0x80000004 0x004C3C 5
20.15.2.0       4.4.4.4         1421        0x80000004 0x004D3F 4
20.15.3.0       5.5.5.5         1454        0x80000004 0x003650 5
20.15.4.0       4.4.4.4         1420        0x80000004 0x003753 4
20.15.5.0       5.5.5.5         1454        0x80000004 0x002064 5
20.15.6.224     4.4.4.4         1420        0x80000004 0x009D29 4
20.15.7.128     5.5.5.5         1454        0x80000004 0x000879 5
20.15.8.240     4.4.4.4         1420        0x80000004 0x00475D 4
20.15.9.192     5.5.5.5         1454        0x80000004 0x00F00E 5
20.15.10.248    4.4.4.4         1420        0x80000004 0x001181 4
20.15.11.254    5.5.5.5         1454        0x80000004 0x00E797 5

R8#show ip ospf database | b Type-5
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         1573        0x80000004 0x00632B 4
20.15.1.0       5.5.5.5         1607        0x80000004 0x004C3C 5
20.15.2.0       4.4.4.4         1573        0x80000004 0x004D3F 4
20.15.3.0       5.5.5.5         1608        0x80000004 0x003650 5
20.15.4.0       4.4.4.4         1573        0x80000004 0x003753 4
20.15.5.0       5.5.5.5         1607        0x80000004 0x002064 5
20.15.6.224     4.4.4.4         1573        0x80000004 0x009D29 4
20.15.7.128     5.5.5.5         1607        0x80000004 0x000879 5
20.15.8.240     4.4.4.4         1573        0x80000004 0x00475D 4
20.15.9.192     5.5.5.5         1607        0x80000004 0x00F00E 5
20.15.10.248    4.4.4.4         1573        0x80000004 0x001181 4
20.15.11.254    5.5.5.5         1607        0x80000004 0x00E797 5

So I removed all external networks 30.x.x.x, 31.x.x.x, 32.x.x.x and 33.x.x.x coming from Area 2.

NSSA ABR EXTERNAL PREFIX FILTERING is a slogan telling us that, since Area 2 is an NSSA area, the filtering of external routes can be moved to the NSSA ABRs, because the other connected areas see these routers as if they were ASBRs. Many words, but the concept is:

R9 receives Type-7 LSAs and then translates them to Type-5 LSAs, so it is really generating external routes in Area 0. Look at the database on R7, for example:

R7#show ip ospf database | b Ex
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
…………………………………………………………..
30.1.1.248      9.9.9.9         413         0x80000001 0x00B0AA 11
30.2.2.128      9.9.9.9         378         0x80000001 0x00B856 10
30.2.2.192      9.9.9.9         380         0x80000001 0x003698 10
30.3.3.224      9.9.9.9         414         0x80000001 0x00E2A4 11
31.0.0.0        9.9.9.9         380         0x80000001 0x005AF8 10
31.5.5.0        9.9.9.9         414         0x80000001 0x002B19 11
31.7.0.0        9.9.9.9         414         0x80000001 0x004AFC 11
32.4.0.0        9.9.9.9         392         0x80000001 0x001D31 10
32.6.0.0        9.9.9.9         391         0x80000001 0x000547 10
33.9.9.0        9.9.9.9         400         0x80000001 0x00734B 10
33.9.9.128      9.9.9.9         413         0x80000001 0x00B286 11
33.11.11.0      9.9.9.9         413         0x80000001 0x0086AF 11

R7 sees the external routes as originated by R9, so I can use summary-address on R9 to filter external routes, even if R9 is an ABR and not a true ASBR:

R9(config)#router ospf 1000
R9(config-router)#summary-address 30.0.0.0 254.0.0.0 not-advertise
R9(config-router)#summary-address 32.0.0.0 254.0.0.0 not-advertise

Look at the database on R9:

R9#show ip ospf database | b Type-7
Type-7 AS External Link States (Area 2)

Link ID         ADV Router      Age         Seq#       Checksum Tag
30.1.1.248      11.11.11.11     619         0x80000001 0x00DF69 11
30.2.2.128      10.10.10.10     584         0x80000001 0x0006FA 10
30.2.2.192      10.10.10.10     584         0x80000001 0x00833D 10
30.3.3.224      11.11.11.11     619         0x80000001 0x001263 11
31.0.0.0        10.10.10.10     584         0x80000001 0x00A79D 10
31.5.5.0        11.11.11.11     619         0x80000001 0x005AD7 11
31.7.0.0        11.11.11.11     619         0x80000001 0x0079BB 11
32.4.0.0        10.10.10.10     598         0x80000001 0x006AD5 10
32.6.0.0        10.10.10.10     597         0x80000001 0x0052EB 10
33.9.9.0        10.10.10.10     597         0x80000001 0x00C0EF 10
33.9.9.128      11.11.11.11     609         0x80000001 0x00E145 11
33.11.11.0      11.11.11.11     609         0x80000001 0x00B56E 11

                Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         994         0x80000005 0x00612C 4
20.15.1.0       5.5.5.5         1217        0x80000005 0x004A3D 5
20.15.2.0       4.4.4.4         996         0x80000005 0x004B40 4
20.15.3.0       5.5.5.5         1216        0x80000005 0x003451 5
20.15.4.0       4.4.4.4         996         0x80000005 0x003554 4
20.15.5.0       5.5.5.5         1219        0x80000005 0x001E65 5
20.15.6.224     4.4.4.4         998         0x80000005 0x009B2A 4
20.15.7.128     5.5.5.5         1218        0x80000005 0x00067A 5
20.15.8.240     4.4.4.4         998         0x80000005 0x00455E 4
20.15.9.192     5.5.5.5         1218        0x80000005 0x00EE0F 5
20.15.10.248    4.4.4.4         998         0x80000005 0x000F82 4
20.15.11.254    5.5.5.5         1218        0x80000005 0x00E598 5

I’m still receiving Type-7 LSAs about (30,31,32,33).x.x.x on R9 but I’m no longer translating them, so the external routes are not injected into the routers of Area 0:

R7#show ip ospf database | b Ex
Type-5 AS External Link States

Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         1091        0x80000005 0x00612C 4
20.15.1.0       5.5.5.5         1312        0x80000005 0x004A3D 5
20.15.2.0       4.4.4.4         1091        0x80000005 0x004B40 4
20.15.3.0       5.5.5.5         1312        0x80000005 0x003451 5
20.15.4.0       4.4.4.4         1091        0x80000005 0x003554 4
20.15.5.0       5.5.5.5         1312        0x80000005 0x001E65 5
20.15.6.224     4.4.4.4         1091        0x80000005 0x009B2A 4
20.15.7.128     5.5.5.5         1312        0x80000005 0x00067A 5
20.15.8.240     4.4.4.4         1091        0x80000005 0x00455E 4
20.15.9.192     5.5.5.5         1312        0x80000005 0x00EE0F 5
20.15.10.248    4.4.4.4         1091        0x80000005 0x000F82 4
20.15.11.254    5.5.5.5         1312        0x80000005 0x00E598 5

Routes (30,31,32,33).x.x.x are gone.

To recap: when an NSSA area is in use I can choose to filter external routes injected into OSPF in 2 ways:

– Filter routes by summarizing at the true ASBRs –> routes are also excluded from the NSSA area

– Filter routes by summarizing at the NSSA ABR in charge of Type-7/Type-5 translation –> routes are excluded from the other areas connected to the NSSA ABR but are preserved in the NSSA area.
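To check where a summary-address not-advertise filter actually took effect, saved output of show ip ospf database can be parsed and compared against the filter ranges, separately for the Type-7 and Type-5 sections. This Python check is an added example, not part of the original post; the function names are hypothetical and the sample input is assembled from rows of the output shown above.

```python
import ipaddress
import re

# R9's filters from the text, then sample input assembled from rows of the page's output.
R9_FILTERS = """\
summary-address 30.0.0.0 254.0.0.0 not-advertise
summary-address 32.0.0.0 254.0.0.0 not-advertise
"""
R7_BEFORE = """\
Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
30.1.1.248      9.9.9.9         413         0x80000001 0x00B0AA 11
33.11.11.0      9.9.9.9         413         0x80000001 0x0086AF 11
"""
R9_AFTER = """\
Type-7 AS External Link States (Area 2)
Link ID         ADV Router      Age         Seq#       Checksum Tag
30.1.1.248      11.11.11.11     619         0x80000001 0x00DF69 11
32.4.0.0        10.10.10.10     598         0x80000001 0x006AD5 10
                Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
20.15.0.0       4.4.4.4         994         0x80000005 0x00612C 4
"""
IP = r"(\d+(?:\.\d+){3})"
ROW = re.compile(rf"^{IP}\s+{IP}\s+\d+\s+0x[0-9A-Fa-f]+\s+0x[0-9A-Fa-f]+\s+\d+$")
SECTION = re.compile(r"^(Type-\d+) AS External Link States")
FILTER = re.compile(r"summary-address\s+(\S+)\s+(\S+)\s+not-advertise")

def parse_filters(config):
    """Turn 'summary-address NET MASK not-advertise' lines into networks."""
    return [ipaddress.ip_network(f"{n}/{m}") for n, m in FILTER.findall(config)]

def lsas_in_ranges(show_output, filters):
    """Map LSA type -> [(link_id, adv_router)] whose Link ID is in a filter range."""
    hits, section = {}, None
    for line in map(str.strip, show_output.splitlines()):
        sec = SECTION.match(line)
        if sec:
            section = sec.group(1)
            hits.setdefault(section, [])
        row = ROW.match(line)
        if section and row and any(
                ipaddress.ip_address(row.group(1)) in net for net in filters):
            hits[section].append((row.group(1), row.group(2)))
    return hits

if __name__ == "__main__":
    nets = parse_filters(R9_FILTERS)
    print(lsas_in_ranges(R7_BEFORE, nets), lsas_in_ranges(R9_AFTER, nets))
```

With the filter on the NSSA ABR, matching rows are expected under Type-7 on R9 and none under Type-5; any Type-5 row inside a filtered range means the prefix is still reaching the other areas.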

8. DATABASE FILTERING

In Cisco IOS there is only one way to make the OSPF database inconsistent within a single area. This violates the core rule of OSPF, “each area must have the same OSPF database”. The first 7 filtering techniques don’t break this rule, but some specific scenarios may require breaking it. To do that we have this option under interface configuration:

R9(config)#int fa1/15
R9(config-if)#ip ospf database-filter all out
*Mar  1 02:54:05.455: %OSPF-5-ADJCHG: Process 1000, Nbr 11.11.11.11 on FastEthernet1/15 from FULL to DOWN, Neighbor Down: Interface down or detached
*Mar  1 02:54:05.635: %OSPF-5-ADJCHG: Process 1000, Nbr 11.11.11.11 on FastEthernet1/15 from LOADING to FULL, Loading Done