OSPF ABR Type 3 LSA Filtering on Cisco IOS

Hi Deepak,

I’d have to lab it up but I don’t think you can use filtering like this.

Rene

Hi Rene,

There’s a typo, I see:

The 192.168.12.0 /24 and 192.168.24.0 /24 prefixes are now gone from the routing table. It doesn’t matter from which area they come from…

Should be this instead, in bold:

The 192.168.14.0 /24 and 192.168.24.0 /24 prefixes are now gone from the routing table. It doesn’t matter from which area they come from…

Cheers,

Shannon

Hi Shannon,

That’s right, thanks for letting me know. It’s fixed.

Rene

Awesome!

Hi Rene

I want to know why the filtering in ospf only occurs in ABR or ASBR.

Rajendra,
This has to do with how link state protocols work. In order for a link protocol to be able to run the Dijkstra algorithm, they must all have identical databases to run the algorithm against. If filtering were allowed within an area, then by definition, some routers would have a different database than others, and when those routers ran the shortest path tree calculations, they would arrive at different results.

Notice that both the ASBR and ABR, by definition, are at the area boundary. They are allowed to do filtering or summarization only on routes that exist outside of the area where they are presenting the filtering or summarization. This ensures that all routers within the area where the ASBR or ABR has done filtering will all be getting the same information (from the ASBR or ABR).

To put it another way, imagine an ABR like this:

(AREA 0)—ABR—(AREA 1)

The ABR is NOT allowed to summarize or filter an area and re-introduce that back into the same area. So it is okay for the ABR to filter Area 0 and present that to Area 1, or summarize area 1 and present the summary to area 0.

1 Like

Thanks Andrew for the clarification

19 posts were merged into an existing topic: OSPF ABR Type 3 LSA Filtering on Cisco IOS

Hi Rene,

I was doing a lab setup exactly as yours LSA Type-3 Filtering (Inbound). My loopback address on R4 is 4.4.4.1/24, and I haven’t defined any loopback on any other routers:

I want to block this into AREA-3. I am defining my prefix-list on ABR as

ip prefix-list into_area3 seq 7 deny 4.4.4.1/24
ip prefix-list into_area3 seq 10 permit 0.0.0.0/0 le 32

 router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 3 filter-list prefix into_area3 in
 network 4.4.4.0 0.0.0.255 area 0
 network 192.168.14.0 0.0.0.255 area 1
 network 192.168.24.0 0.0.0.255 area 2
 network 192.168.34.0 0.0.0.255 area 3

But I still see it in route of R3:

O IA 4.4.4.1 [110/11] via 192.168.34.4, 00:47:37, FastEthernet0/0

Never mind I figured this out. Basically to block the route for 4.4.4.1, I should make an exact match in my prefix-list.

So basically I changed

ip prefix-list into_area3 seq 7 deny 4.4.4.1/24

TO

ip prefix-list into_area3 seq 7 deny 4.4.4.1/32

And it works.

3 Likes

Hi,
I have a question Im configuring OSPF for some data links between my networks equipments and ISP equipment s but the ISP uses the area 0 for the data links and I use area 0 on my network .

How the ISP will redistribute the networks of area 0 to me and how can I redistribute the networks of area 0 to them.

Hello Helen.

I am assuming that you and the ISP are operating completely separate OSPF domains. That is, their OSPF routing is completely autonomous from yours. This means that your area 0 has nothing to do with their area 0. They are two completely separate systems.

If this is the case, then the way one OSPF domain communicates with another OSPF domain is via a router that has two separate OSPF processes running. One interface is using process number 1 for example, this may be your internal OSPF domain, and the outside interface is using process 2, which is part of the ISP’s OSPF domain. This is assuming that the redistribution point is your edge router. You can find detailed information of redistribution between separate OSPF domains at this comprehensive Cisco documentation.

Now if the ISP is participating in the SAME OSPF domain as you (which I consider unlikely, but I’m including this for completion), then there is essentially no redistribution taking place as far as domain to domain is concerned. Both are in the same domain.

I hope this has been helpful!

Laz

1 Like

Hello
By using filtering on ABR, does this method tell the ABR not to advertise this prefix list or it tell the router in the area not to install this prefix in their routing table ?
Thank
Sovandara

Hello Heng

When you apply LSA3 filtering, you are telling the ABR not to advertise the specific prefix. In other words, it does not send any information about the specific prefix in its LSAs.

I hope this has been helpful!

Laz

R4(config)#ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24
R4(config)#ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24

i dont understand what means seq 6 seq 7

Hello Bahri

When creating a prefix list, we can add multiple statements. For example, in Rene’s lesson, he initially started with the following two commands:

R4(config)#ip prefix-list INTO-AREA3 deny 2.2.2.2/32
R4(config)#ip prefix-list INTO-AREA3 permit 0.0.0.0/0 le 32

Now because the INTO-AREA3 prefix list has two entries, these entries are given specific sequence numbers. Because Rene didn’t specify these sequence numbers, by default, the IOS will assign sequence numbers at intervals of 5 (or 10 depending on the IOS version and platform). If you were to display the INTO-AREA3 prefix list, you would see something like this:

R4# show prefix-list INTO-AREA3
5  deny 2.2.2.2/32
10 permit 0.0.0.0/0 le 32

Now in the case where the commands in your post were implemented, it was required that these be entered between the two existing entries, that is, somewhere between sequence numbers 5 and 10. Using the seq keyword, the location of these two new entries can be specified. Once the commands are implemented, and you display the current prefix list, you would get something like this:

R4# show prefix-list INTO-AREA3
5  deny 2.2.2.2/32
6  deny 192.168.14.0/24
7  deny 192.168.24.0/24
10 permit 0.0.0.0/0 le 32

I hope this has been helpful!

Laz

Hi
LAZ
Thank you very much,
it useful

Hello,

In the topic OSPF ABR Type 3 LSA Filtering (https://networklessons.com/cisco/ccie-routing-switching/ospf-abr-type-3-lsa-filtering-on-cisco-ios), the R4#show ip ospf neighbor snippet shows that R4 is elected BDR for all the other 3 routers, but shouldn’t it be the opposite i.e. R4 is DR for R1,R2 and R3. As R4 has the highest loopback address.

Also, in the topic, OSPF DR/BDR Election explained (https://networklessons.com/cisco/ccie-routing-switching/ospf-drbdr-election-explained), in the 2 multi-access segments topology R2#show ip ospf neighbor shows that R1 is elected BDR while the text below it says that “R1 is the DR for the 192.168.12.0/24 segment”.

Are these changes correct or have I missed something in the DR/BDR election process?

Thanks,
Apoorva

Hello Apoorva

For the first case, you are correct, that R4 should be the DR, assuming that all routers were turned on simultaneously and that the DR/BDR elections took place once all devices came up. Now there are cases however, where the DR will have a lower loopback IP. Remember that in DR/BDR elections, there is no preemption. What this means is that if the DR fails at any point, the BDR becomes the DR. If the original DR comes back up again, it DOES NOT assume the role of DR again, but becomes the BDR. In other words, elections don’t take place again until the current DR has failed. So in the case of the lab, it may be that Rene reset the OSPF algorithm on R4, or restarted R4 at some point, which made all the other routers become the DR in their respective mutliaccess segments. When R4 came back up again, R1, R2, and R3 remained DRs. So although it is not intuitive, there are normal operating situations where the DR will not be the router with the highest loopback address. The same is true whether you use router IDs or highest physical interface IPs.

In the second case you mention, yes, there seems to be a typo. The text should read:

In the example above you can see that R2 is the DR for the 192.168.12.0/24 segment and R3 is the DR for the 192.168.23.0/24 segment.

I will let Rene know.

Thanks and I hope this has been helpful!

Laz

Good afternoon ,

Rene,

Can you please hep me to understand the portion of this lab.
I verify that R1 & R2 don’t have route 3.3.3.3 on their routing table once I applied router filtering out . I used this command area 3 filter-list prefix OUT-AREA3 out.

Question:? Why R4 is adding route 3.3.3.3 to it’s routing table and not filtering out that route, since the loopback interface 4.4.4.4 it’s on Area 0 .

R1 & R2 due to filtering can’t ping 3.3.3.3, cause is not on the routing table; which is fine , according to the purpose of the configuration.

R1#sh ip route 3.3.3.3
% Network not in table
R1#

R2#sh ip route 3.3.3.3
% Network not in table

R4#sh ip route 3.3.3.3
Routing entry for 3.3.3.3/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 192.168.34.3 on FastEthernet1/0, 01:53:04 ago
  Routing Descriptor Blocks:
  * 192.168.34.3, from 3.3.3.3, 01:53:04 ago, via FastEthernet1/0
      Route metric is 2, traffic share count is 1

I sued extended ping to ping from lop 4.4.4.4 to ping 3.3.3.3 and it works, when it shuld be blocked.

R4#ping ip
Target IP address: 3.3.3.3
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 4.4.4.4
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/40 ms

Outbound Area LSA Type 3 filtering
R1 and R2 both know about the loopback interface of R3. Let’s create a prefix-list that matches 3.3.3.3 /32:

*************CURRENT CONFIGURATION ON R4 ************************************

R4#show ip prefix-list OUT-AREA3 
ip prefix-list OUT-AREA3: 2 entries
   seq 5 deny 3.3.3.3/32
   seq 10 permit 0.0.0.0/0 le 32
R4#show ip prefix-list INTO-AREA3    
ip prefix-list INTO-AREA3: 4 entries
   seq 5 deny 2.2.2.2/32
   seq 6 deny 192.168.14.0/24
   seq 7 deny 192.168.24.0/24
   seq 10 permit 0.0.0.0/0 le 32
R4#sh run | s router              
router ospf 1
 area 3 filter-list prefix INTO-AREA3 in
 area 3 filter-list prefix OUT-AREA3 out
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.14.0 0.0.0.255 area 1
 network 192.168.24.0 0.0.0.255 area 2
 network 192.168.34.0 0.0.0.255 area 3
R4#