OSPF ABR Type 3 LSA Filtering on Cisco IOS

Thanks Andrew for the clarification


Hi Rene,

I was doing a lab setup exactly as yours LSA Type-3 Filtering (Inbound). My loopback address on R4 is 4.4.4.1/24, and I haven’t defined any loopback on any other routers:

I want to block this into AREA-3. I am defining my prefix-list on ABR as

ip prefix-list into_area3 seq 7 deny 4.4.4.1/24
ip prefix-list into_area3 seq 10 permit 0.0.0.0/0 le 32

router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 3 filter-list prefix into_area3 in
 network 4.4.4.0 0.0.0.255 area 0
 network 192.168.14.0 0.0.0.255 area 1
 network 192.168.24.0 0.0.0.255 area 2
 network 192.168.34.0 0.0.0.255 area 3

But I still see it in route of R3:

O IA 4.4.4.1 [110/11] via 192.168.34.4, 00:47:37, FastEthernet0/0

Never mind, I figured this out. Basically, to block the route for 4.4.4.1, I should make an exact match in my prefix-list.

So basically I changed

ip prefix-list into_area3 seq 7 deny 4.4.4.1/24

TO

ip prefix-list into_area3 seq 7 deny 4.4.4.1/32

And it works.


Hi,
I have a question. I’m configuring OSPF for some data links between my network equipment and the ISP’s equipment, but the ISP uses area 0 for the data links and I use area 0 on my network.

How will the ISP redistribute the networks of area 0 to me, and how can I redistribute the networks of area 0 to them?

Hello Helen.

I am assuming that you and the ISP are operating completely separate OSPF domains. That is, their OSPF routing is completely autonomous from yours. This means that your area 0 has nothing to do with their area 0. They are two completely separate systems.

If this is the case, then the way one OSPF domain communicates with another OSPF domain is via a router that has two separate OSPF processes running. One interface is using process number 1 for example, this may be your internal OSPF domain, and the outside interface is using process 2, which is part of the ISP’s OSPF domain. This is assuming that the redistribution point is your edge router. You can find detailed information of redistribution between separate OSPF domains at this comprehensive Cisco documentation.

Now if the ISP is participating in the SAME OSPF domain as you (which I consider unlikely, but I’m including this for completion), then there is essentially no redistribution taking place as far as domain to domain is concerned. Both are in the same domain.

I hope this has been helpful!

Laz


Hello
By using filtering on the ABR, does this method tell the ABR not to advertise this prefix list, or does it tell the routers in the area not to install this prefix in their routing table?
Thanks
Sovandara

Hello Heng

When you apply LSA3 filtering, you are telling the ABR not to advertise the specific prefix. In other words, it does not send any information about the specific prefix in its LSAs.

I hope this has been helpful!

Laz

R4(config)#ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24
R4(config)#ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24

I don’t understand what seq 6 and seq 7 mean.

Hello Bahri

When creating a prefix list, we can add multiple statements. For example, in Rene’s lesson, he initially started with the following two commands:

R4(config)#ip prefix-list INTO-AREA3 deny 2.2.2.2/32
R4(config)#ip prefix-list INTO-AREA3 permit 0.0.0.0/0 le 32

Now because the INTO-AREA3 prefix list has two entries, these entries are given specific sequence numbers. Because Rene didn’t specify these sequence numbers, by default, the IOS will assign sequence numbers at intervals of 5 (or 10 depending on the IOS version and platform). If you were to display the INTO-AREA3 prefix list, you would see something like this:

R4# show ip prefix-list INTO-AREA3
5  deny 2.2.2.2/32
10 permit 0.0.0.0/0 le 32

Now in the case where the commands in your post were implemented, it was required that these be entered between the two existing entries, that is, somewhere between sequence numbers 5 and 10. Using the seq keyword, the location of these two new entries can be specified. Once the commands are implemented, and you display the current prefix list, you would get something like this:

R4# show ip prefix-list INTO-AREA3
5  deny 2.2.2.2/32
6  deny 192.168.14.0/24
7  deny 192.168.24.0/24
10 permit 0.0.0.0/0 le 32

I hope this has been helpful!

Laz
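The two prefix-list points in this thread, the /24 versus /32 entry from the first post and the seq ordering Laz describes, can be checked with a small model of prefix-list matching. This is an added example, not part of any post or of the lesson; `parse_entry` and `evaluate` are hypothetical names, and the test route 4.4.4.1/32 assumes the loopback is advertised by OSPF as a host route.

```python
import ipaddress

def parse_entry(line):
    """Parse 'seq N permit|deny PREFIX/LEN [ge X] [le Y]' into a tuple."""
    tok = line.split()
    seq, action = int(tok[1]), tok[2]
    # strict=False: only the first LEN bits of the entry are compared,
    # so 4.4.4.1/24 is treated as 4.4.4.0/24
    net = ipaddress.ip_network(tok[3], strict=False)
    opts = dict(zip(tok[4::2], map(int, tok[5::2])))
    if not opts:
        lo = hi = net.prefixlen          # no ge/le: mask length must be identical
    else:
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", 32)
    return seq, action, net, lo, hi

def evaluate(entries, route):
    """Return (action, seq) of the first match, walking entries by ascending seq."""
    r = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in sorted(map(parse_entry, entries),
                                           key=lambda e: e[0]):
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action, seq
    return "deny", None                  # implicit deny when nothing matches

# Entries copied from the thread; the order typed does not matter, seq does.
BEFORE = ["seq 7 deny 4.4.4.1/24", "seq 10 permit 0.0.0.0/0 le 32"]
AFTER = ["seq 7 deny 4.4.4.1/32", "seq 10 permit 0.0.0.0/0 le 32"]
INTO_AREA3 = ["seq 5 deny 2.2.2.2/32", "seq 10 permit 0.0.0.0/0 le 32",
              "seq 6 deny 192.168.14.0/24", "seq 7 deny 192.168.24.0/24"]

if __name__ == "__main__":
    # Assumed test route: the R4 loopback as a /32 host route.
    print("before:", evaluate(BEFORE, "4.4.4.1/32"))
    print("after: ", evaluate(AFTER, "4.4.4.1/32"))
    for route in ("192.168.14.0/24", "192.168.24.0/24", "192.168.34.0/24"):
        print(route, evaluate(INTO_AREA3, route))
```

The /24 entry never matches the /32 route because an entry without `ge` or `le` requires the same mask length, so the route falls through to the permit at seq 10.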

Hi Laz,
Thank you very much,
it is useful.

Hello,

In the topic OSPF ABR Type 3 LSA Filtering (https://networklessons.com/cisco/ccie-routing-switching/ospf-abr-type-3-lsa-filtering-on-cisco-ios), the R4#show ip ospf neighbor snippet shows that R4 is elected BDR for all the other 3 routers, but shouldn’t it be the opposite, i.e. R4 is DR for R1, R2 and R3, as R4 has the highest loopback address?

Also, in the topic, OSPF DR/BDR Election explained (https://networklessons.com/cisco/ccie-routing-switching/ospf-drbdr-election-explained), in the 2 multi-access segments topology R2#show ip ospf neighbor shows that R1 is elected BDR while the text below it says that “R1 is the DR for the 192.168.12.0/24 segment”.

Are these changes correct or have I missed something in the DR/BDR election process?

Thanks,
Apoorva

Hello Apoorva

For the first case, you are correct, that R4 should be the DR, assuming that all routers were turned on simultaneously and that the DR/BDR elections took place once all devices came up. Now there are cases however, where the DR will have a lower loopback IP. Remember that in DR/BDR elections, there is no preemption. What this means is that if the DR fails at any point, the BDR becomes the DR. If the original DR comes back up again, it DOES NOT assume the role of DR again, but becomes the BDR. In other words, elections don’t take place again until the current DR has failed. So in the case of the lab, it may be that Rene reset the OSPF algorithm on R4, or restarted R4 at some point, which made all the other routers become the DR in their respective multiaccess segments. When R4 came back up again, R1, R2, and R3 remained DRs. So although it is not intuitive, there are normal operating situations where the DR will not be the router with the highest loopback address. The same is true whether you use router IDs or highest physical interface IPs.

In the second case you mention, yes, there seems to be a typo. The text should read:

In the example above you can see that R2 is the DR for the 192.168.12.0/24 segment and R3 is the DR for the 192.168.23.0/24 segment.

I will let Rene know.

Thanks and I hope this has been helpful!

Laz

Good afternoon,

Rene,

Can you please help me to understand this portion of the lab?
I verified that R1 & R2 don’t have route 3.3.3.3 in their routing table once I applied route filtering out. I used this command: area 3 filter-list prefix OUT-AREA3 out.

Question: Why is R4 adding route 3.3.3.3 to its routing table and not filtering out that route, since the loopback interface 4.4.4.4 is in Area 0?

R1 & R2, due to filtering, can’t ping 3.3.3.3 because it is not in the routing table, which is fine according to the purpose of the configuration.

R1#sh ip route 3.3.3.3
% Network not in table
R1#

R2#sh ip route 3.3.3.3
% Network not in table

R4#sh ip route 3.3.3.3
Routing entry for 3.3.3.3/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 192.168.34.3 on FastEthernet1/0, 01:53:04 ago
  Routing Descriptor Blocks:
  * 192.168.34.3, from 3.3.3.3, 01:53:04 ago, via FastEthernet1/0
      Route metric is 2, traffic share count is 1

I used extended ping from loopback 4.4.4.4 to ping 3.3.3.3 and it works, when it should be blocked.

R4#ping ip
Target IP address: 3.3.3.3
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 4.4.4.4
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/40 ms

Outbound Area LSA Type 3 filtering
R1 and R2 both know about the loopback interface of R3. Let’s create a prefix-list that matches 3.3.3.3 /32:

*************CURRENT CONFIGURATION ON R4 ************************************

R4#show ip prefix-list OUT-AREA3 
ip prefix-list OUT-AREA3: 2 entries
   seq 5 deny 3.3.3.3/32
   seq 10 permit 0.0.0.0/0 le 32
R4#show ip prefix-list INTO-AREA3    
ip prefix-list INTO-AREA3: 4 entries
   seq 5 deny 2.2.2.2/32
   seq 6 deny 192.168.14.0/24
   seq 7 deny 192.168.24.0/24
   seq 10 permit 0.0.0.0/0 le 32
R4#sh run | s router              
router ospf 1
 area 3 filter-list prefix INTO-AREA3 in
 area 3 filter-list prefix OUT-AREA3 out
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.14.0 0.0.0.255 area 1
 network 192.168.24.0 0.0.0.255 area 2
 network 192.168.34.0 0.0.0.255 area 3
R4#

Can you please post your diagram as well? Thanks

OSPF-FILTERING-TYPE-3

Also pasting the whole configuration OSPF-FILTERING-TYPE-3-CONFIGURATION .txt (6.5 KB) for the 4 routers in the above topology.

Hello, the network 3.3.3.3/32 is being permitted by the sequence 10 in your prefix-list named INTO-AREA3.

Does it make sense?

Hi Mercedes,
based on your first post…

R4 has a routing entry for 3.3.3.3/32 in its database because R4 has an interface in OSPF area 3.
R4 is an ABR, and ABRs always have the OSPF database for all the areas they have interfaces in.
Because 4.4.4.4/32 is a loopback on R4, reachability is going to be there.

You can add another router, let’s say R5, and interconnect it with R4. The R4 and R5 interconnecting interfaces should belong to area 0. Because R4 is filtering 3.3.3.3/32 (based on seq 5 in OUT-AREA3), R5 should not have reachability to 3.3.3.3/32.
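The behaviour discussed in the posts above, modelled as an added example that is not part of any post or of the lesson: the filter-lists only change which Type 3 LSAs R4 originates into other areas, while R4 keeps its own intra-area route to 3.3.3.3/32. The names `INTRA`, `type3_into`, `abr_routes` and `internal_router_routes` are hypothetical, 2.2.2.2/32 is assumed to be a loopback in area 2, and each filter is reduced to its exact-match deny entries because the trailing `permit 0.0.0.0/0 le 32` lets everything else through.

```python
# Constructed model of R4, built from the thread's "sh run | s router" output.
INTRA = {                      # intra-area prefixes per attached area
    0: {"4.4.4.4/32"},
    1: {"192.168.14.0/24"},
    2: {"192.168.24.0/24", "2.2.2.2/32"},   # 2.2.2.2/32 placement is assumed
    3: {"192.168.34.0/24", "3.3.3.3/32"},
}
FILTER_IN = {3: {"2.2.2.2/32", "192.168.14.0/24", "192.168.24.0/24"}}  # INTO-AREA3
FILTER_OUT = {3: {"3.3.3.3/32"}}                                       # OUT-AREA3

def type3_into(area):
    """Prefixes the ABR originates as Type 3 LSAs into `area`."""
    advertised = set()
    for src, prefixes in INTRA.items():
        if src == area:
            continue           # an area's own prefixes are not summarised into it
        for p in prefixes:
            if p in FILTER_OUT.get(src, ()):    # 'out' applied on the source area
                continue
            if p in FILTER_IN.get(area, ()):    # 'in' applied on the target area
                continue
            advertised.add(p)
    return advertised

def abr_routes():
    """The ABR's own OSPF routes: intra-area in every attached area, unfiltered."""
    return set().union(*INTRA.values())

def internal_router_routes(area):
    """Routes of a router that sits only in `area` (R1, R2, R3 or the extra R5)."""
    return INTRA[area] | type3_into(area)

if __name__ == "__main__":
    print("R4 has 3.3.3.3/32:", "3.3.3.3/32" in abr_routes())
    for name, area in (("R1", 1), ("R2", 2), ("R5", 0)):
        print(name, "has 3.3.3.3/32:", "3.3.3.3/32" in internal_router_routes(area))
    print("Type 3 into area 3:", sorted(type3_into(3)))
```

The model covers a single ABR attached to every area, as in the lab; with more ABRs, inter-area routes learned through the backbone would also have to be considered.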

Fugazz,
Thank you for clarifying this issue for me.
I created the R5 connected to R4 and it’s working like R1 & R2, which are unable to reach loopback 3.3.3.3 due to filtering.
Thank you for that.

What if I want to block loopback 4.4.4.4 on the ASBR too?
Is there a granular or better way to block any route, for example loopback 4.4.4.4, from reaching loopback 3.3.3.3?
In other words, is it better to block access to 3.3.3.3 using a route map on the ABR for any specific route on R4?