Performing OSPF route filtering within an area does not affect routes as they enter the OSPF topology database; it affects only the IP routing table, and only on the router on which the route filtering is configured. Route filtering with link-state routing protocols often results in routers having different routing tables (but the same topology database), which can introduce routing loops or routing black holes to the network if not implemented carefully.
OSPF route filtering within an area can be achieved using distribute lists (in conjunction with access lists, prefix lists, and route maps), or by modifying the administrative distance.
The routing table and OSPF topology database on RT3 before implementing route filtering:
RT3#sh ip route
Gateway of last resort is not set
     23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, Serial0/1
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.1.0 [110/65] via 13.13.13.1, 00:00:42, Serial0/0
     12.0.0.0/24 is subnetted, 1 subnets
O       12.12.12.0 [110/128] via 23.23.23.2, 00:00:42, Serial0/1
                   [110/128] via 13.13.13.1, 00:00:42, Serial0/0
O IA 192.168.1.0/24 [110/65] via 13.13.13.1, 00:00:42, Serial0/0
     13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Serial0/0
RT3#
RT3#sh ip ospf database
            OSPF Router with ID (3.3.3.3) (Process ID 100)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         48          0x80000003 0x00DD70 4
2.2.2.2         2.2.2.2         48          0x80000001 0x000807 4
3.3.3.3         3.3.3.3         47          0x80000002 0x00BC45 4
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
172.16.1.0      1.1.1.1         59          0x80000001 0x00E495
192.168.1.0     1.1.1.1         59          0x80000001 0x00B815
RT3#
The routing table and OSPF topology database on RT3 after implementing route filtering to keep 192.168.1.0/24 out of the routing table are shown below.
Route filtering configuration using the distribute-list router subcommand does not modify the OSPF topology database and does not prevent the LSAs from being propagated to other routers!
RT3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT3(config)#access-list 1 permit 172.16.1.0 0.0.0.255
RT3(config)#router ospf 100
RT3(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map
RT3(config-router)#distribute-list 1 in
RT3(config-router)#end
RT3#
RT3#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:32    23.23.23.2      Serial0/1
1.1.1.1           0   FULL/  -        00:00:38    13.13.13.1      Serial0/0
RT3#
RT3#sh ip route
Gateway of last resort is not set
     23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, Serial0/1
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.1.0 [110/65] via 13.13.13.1, 00:00:08, Serial0/0
     13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Serial0/0
RT3#
RT3#sh ip ospf database
            OSPF Router with ID (3.3.3.3) (Process ID 100)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         198         0x80000003 0x00DD70 4
2.2.2.2         2.2.2.2         198         0x80000001 0x000807 4
3.3.3.3         3.3.3.3         196         0x80000002 0x00BC45 4
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
172.16.1.0      1.1.1.1         209         0x80000001 0x00E495
192.168.1.0     1.1.1.1         209         0x80000001 0x00B815
RT3#
Below is a routing black hole that occurs in the sample network when the link between RT1 and RT2 fails. RT2 still forwards packets destined to 192.168.1.0/24 via RT3, but RT3 does not have a route to the destination network due to route filtering!
RT2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT2(config)#int s0/0
RT2(config-if)#shut
RT2(config-if)#
00:04:33: %OSPF-5-ADJCHG: Process 100, Nbr 1.1.1.1 on Serial0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
--- output omitted ---
RT2(config-if)#end
RT2#
RT2#sh ip ospf database
            OSPF Router with ID (2.2.2.2) (Process ID 100)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         29          0x80000004 0x0050EC 2
2.2.2.2         2.2.2.2         61          0x80000002 0x00D624 2
3.3.3.3         3.3.3.3         324         0x80000002 0x00BC45 4
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
172.16.1.0      1.1.1.1         334         0x80000001 0x00E495
192.168.1.0     1.1.1.1         334         0x80000001 0x00B815
RT2#
RT2#sh ip route
Gateway of last resort is not set
     23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, Serial0/1
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.1.0 [110/129] via 23.23.23.3, 00:00:33, Serial0/1
O IA 192.168.1.0/24 [110/129] via 23.23.23.3, 00:00:33, Serial0/1
     13.0.0.0/24 is subnetted, 1 subnets
O       13.13.13.0 [110/128] via 23.23.23.3, 00:00:33, Serial0/1
RT2#
RT2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/91/140 ms
RT2#
RT2#debug ip icmp
ICMP packet debugging is on
RT2#
RT2#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
U
00:06:06: ICMP: dst (23.23.23.2) host unreachable rcv from 23.23.23.3
.U
00:06:08: ICMP: dst (23.23.23.2) host unreachable rcv from 23.23.23.3
.U
Success rate is 0 percent (0/5)
RT2#
00:06:10: ICMP: dst (23.23.23.2) host unreachable rcv from 23.23.23.3
RT2#
Below is an alternative route filtering configuration on RT3 that achieves the same result (filtering 192.168.1.0/24 from entering the routing table) using a distribute list in conjunction with a route map and a prefix list.
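The black hole above arises because RT3 keeps (and floods) an LSA for a network it has no route to. The following check is an added example, not part of the original post: it compares the Summary Net Link States in "show ip ospf database" with the installed routes in "show ip route" and reports the difference. The sample text is constructed from RT3's output on this page, the function names are hypothetical, and only network numbers are compared because this database view does not show masks.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sample input: abridged RT3 output from this page after "distribute-list 1 in".
SHOW_IP_ROUTE = """\
     23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, Serial0/1
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.1.0 [110/65] via 13.13.13.1, 00:00:08, Serial0/0
     13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Serial0/0
"""
SHOW_IP_OSPF_DATABASE = """\
                Router Link States (Area 0)
Link ID         ADV Router      Age  Seq#       Checksum Link count
1.1.1.1         1.1.1.1         198  0x80000003 0x00DD70 4
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age  Seq#       Checksum
172.16.1.0      1.1.1.1         209  0x80000001 0x00E495
192.168.1.0     1.1.1.1         209  0x80000001 0x00B815
"""

def rib_networks(route_text):
    """Network numbers of installed routes: lines that begin with a route code."""
    nets = set()
    for line in route_text.splitlines():
        m = re.match(rf"^[A-Z*][A-Za-z0-9* ]*?\s+({IPV4})(?:/\d+)?\s", line)
        if m:
            nets.add(m.group(1))
    return nets

def summary_lsa_ids(db_text):
    """Link IDs listed under 'Summary Net Link States' (type-3 LSAs)."""
    ids, in_summary = set(), False
    for line in db_text.splitlines():
        if "Link States" in line:  # section header: track which LSA type follows
            in_summary = "Summary Net Link States" in line
            continue
        m = re.match(rf"^\s*({IPV4})\s+{IPV4}\s", line)
        if in_summary and m:
            ids.add(m.group(1))
    return ids

def lsdb_only_prefixes(route_text, db_text):
    """Summary LSAs the router holds but has no installed route for."""
    return sorted(summary_lsa_ids(db_text) - rib_networks(route_text))

if __name__ == "__main__":
    for net in lsdb_only_prefixes(SHOW_IP_ROUTE, SHOW_IP_OSPF_DATABASE):
        print(f"{net}: in LSDB but not in routing table; neighbors may still forward it here")
```

Run against every router in the area, a non-empty result marks a router that neighbors may still choose as a next hop for traffic it will drop.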
RT3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT3(config)#ip prefix-list Area0-permit permit 172.16.1.0/24
RT3(config)#
RT3(config)#route-map Area0-Filter
RT3(config-route-map)#match ip address prefix-list Area0-permit
RT3(config-route-map)#
RT3(config-route-map)#router ospf 100
RT3(config-router)#distribute-list route-map Area0-Filter in
RT3(config-router)#end
RT3#
RT3#sh ip route
Gateway of last resort is not set
     23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, Serial0/1
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.1.0 [110/65] via 13.13.13.1, 00:00:03, Serial0/0
     13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Serial0/0
RT3#
RT3#sh ip ospf database
            OSPF Router with ID (3.3.3.3) (Process ID 100)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         41          0x80000002 0x00DF6F 4
2.2.2.2         2.2.2.2         43          0x80000001 0x000807 4
3.3.3.3         3.3.3.3         40          0x80000002 0x00BC45 4
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
172.16.1.0      1.1.1.1         42          0x80000001 0x00E495
192.168.1.0     1.1.1.1         42          0x80000001 0x00B815
RT3#
RT3#sh route-map
route-map Area0-Filter, permit, sequence 10
  Match clauses:
    ip address prefix-lists: Area0-permit
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
RT3#
RT3#sh ip prefix-list
ip prefix-list Area0-permit: 1 entries
   seq 5 permit 172.16.1.0/24
RT3#
Below is another alternative route filtering configuration on RT3 that achieves the same result (filtering 192.168.1.0/24 from entering the routing table) by modifying the administrative distance.
RT3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
RT3(config)#access-list 1 permit 192.168.1.0 0.0.0.255
RT3(config)#
RT3(config)#router ospf 100
RT3(config-router)#distance 255 0.0.0.0 255.255.255.255 1
RT3(config-router)#end
RT3#
RT3#sh ip route
Gateway of last resort is not set
     23.0.0.0/24 is subnetted, 1 subnets
C       23.23.23.0 is directly connected, Serial0/1
     172.16.0.0/24 is subnetted, 1 subnets
O IA    172.16.1.0 [110/65] via 13.13.13.1, 00:00:04, Serial0/0
     12.0.0.0/24 is subnetted, 1 subnets
O       12.12.12.0 [110/128] via 23.23.23.2, 00:00:04, Serial0/1
                   [110/128] via 13.13.13.1, 00:00:04, Serial0/0
     13.0.0.0/24 is subnetted, 1 subnets
C       13.13.13.0 is directly connected, Serial0/0
RT3#
RT3#sh ip ospf database
            OSPF Router with ID (3.3.3.3) (Process ID 100)
                Router Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         94          0x80000002 0x00DF6F 4
2.2.2.2         2.2.2.2         98          0x80000001 0x000807 4
3.3.3.3         3.3.3.3         93          0x80000002 0x00BC45 4
                Summary Net Link States (Area 0)
Link ID         ADV Router      Age         Seq#       Checksum
172.16.1.0      1.1.1.1         95          0x80000001 0x00E495
192.168.1.0     1.1.1.1         95          0x80000001 0x00B815
RT3#
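The three configurations above do not leave RT3 with the same routing table: in the outputs, 12.12.12.0/24 disappears under both distribute-list variants but survives the distance 255 variant. The following model is an added example, not part of the original post, and shows why: a standard ACL ends with an implicit deny, so a permit-only distribute list drops everything it does not name. The function names are hypothetical, and the route list is constructed from RT3's OSPF routes before filtering.

```python
from ipaddress import IPv4Address

def acl_permits(entries, network):
    """First-match evaluation of a standard ACL; entries are (action, address, wildcard)."""
    net = int(IPv4Address(network))
    for action, addr, wildcard in entries:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
        if (net & care) == (int(IPv4Address(addr)) & care):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

# Constructed input: RT3's OSPF-learned routes before any filtering (from this page).
OSPF_ROUTES = ["172.16.1.0", "12.12.12.0", "192.168.1.0"]

# access-list 1 as configured for "distribute-list 1 in"
ACL_DISTRIBUTE = [("permit", "172.16.1.0", "0.0.0.255")]
# access-list 1 as configured for "distance 255 0.0.0.0 255.255.255.255 1"
ACL_DISTANCE = [("permit", "192.168.1.0", "0.0.0.255")]

def distribute_list_in(acl, routes):
    """Only routes the ACL permits are installed in the routing table."""
    return [r for r in routes if acl_permits(acl, r)]

def distance_255(acl, routes):
    """Routes the ACL permits get distance 255 and are not installed; the rest stay.
    Assumes the source match 0.0.0.0 255.255.255.255 (any advertising router)."""
    return [r for r in routes if not acl_permits(acl, r)]

if __name__ == "__main__":
    print("distribute-list 1 in :", distribute_list_in(ACL_DISTRIBUTE, OSPF_ROUTES))
    print("distance 255 ... 1   :", distance_255(ACL_DISTANCE, OSPF_ROUTES))
```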