OSPF ABR Type 3 LSA Filtering on Cisco IOS

Hello,

In the topic OSPF ABR Type 3 LSA Filtering (https://networklessons.com/cisco/ccie-routing-switching/ospf-abr-type-3-lsa-filtering-on-cisco-ios), the R4#show ip ospf neighbor snippet shows that R4 is elected BDR for all the other 3 routers, but shouldn’t it be the opposite, i.e. R4 is DR for R1, R2 and R3, as R4 has the highest loopback address?

Also, in the topic, OSPF DR/BDR Election explained (https://networklessons.com/cisco/ccie-routing-switching/ospf-drbdr-election-explained), in the 2 multi-access segments topology R2#show ip ospf neighbor shows that R1 is elected BDR while the text below it says that “R1 is the DR for the 192.168.12.0/24 segment”.

Are these changes correct or have I missed something in the DR/BDR election process?

Thanks,
Apoorva

Hello Apoorva

For the first case, you are correct, that R4 should be the DR, assuming that all routers were turned on simultaneously and that the DR/BDR elections took place once all devices came up. Now there are cases, however, where the DR will have a lower loopback IP. Remember that in DR/BDR elections, there is no preemption. What this means is that if the DR fails at any point, the BDR becomes the DR. If the original DR comes back up again, it DOES NOT assume the role of DR again, but becomes the BDR. In other words, elections don’t take place again until the current DR has failed. So in the case of the lab, it may be that Rene reset the OSPF process on R4, or restarted R4 at some point, which made all the other routers become the DR in their respective multi-access segments. When R4 came back up again, R1, R2, and R3 remained DRs. So although it is not intuitive, there are normal operating situations where the DR will not be the router with the highest loopback address. The same is true whether you use router IDs or highest physical interface IPs.

In the second case you mention, yes, there seems to be a typo. The text should read:

In the example above you can see that R2 is the DR for the 192.168.12.0/24 segment and R3 is the DR for the 192.168.23.0/24 segment.

I will let Rene know.

Thanks and I hope this has been helpful!

Laz
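As an added example (not from the thread or the lesson), here is a small Python model of the DR/BDR election on one multi-access segment, following RFC 2328 section 9.4 with the Wait timer left out and all priorities equal. It replays the two-router 192.168.14.0/24 segment (R4 and R1) from the lab with the boot/reset sequence described above (the sequence itself is assumed, not taken from the lesson) and, going beyond the lab, the same events on a four-router segment, where the returning router comes back as DROther rather than BDR because a DR and a BDR are both already declared.

```python
# Added example: minimal DR/BDR election model for one OSPF multi-access segment.
# Router IDs are the lab's loopbacks (1.1.1.1 .. 4.4.4.4); the event sequences
# in lab_segment() and four_router_segment() are assumed for illustration.
from ipaddress import ip_address


class Segment:
    """One multi-access segment: attached routers, their priorities, elected DR/BDR."""

    def __init__(self):
        self.routers = {}  # router ID -> priority (0 = never eligible)
        self.dr = None
        self.bdr = None

    def _best(self, candidates):
        # Highest priority wins, ties broken by the highest router ID.
        return max(candidates, key=lambda r: (self.routers[r], int(ip_address(r))), default=None)

    def _elect(self):
        """Run the election. A router already holding a role keeps it (no preemption)."""
        eligible = {r for r, prio in self.routers.items() if prio > 0}
        dr = self.dr if self.dr in eligible else None
        bdr = self.bdr if self.bdr in eligible else None
        # Step 2 (BDR): the current BDR keeps declaring itself; otherwise the best
        # eligible router that is not declaring itself DR takes the role.
        if bdr is None:
            bdr = self._best(eligible - {dr})
        # Step 3 (DR): the current DR keeps declaring itself; if there is none, the
        # BDR is promoted and a fresh BDR is chosen from the remaining routers.
        if dr is None:
            dr, bdr = bdr, self._best(eligible - {bdr})
        self.dr, self.bdr = dr, bdr
        return self.dr, self.bdr

    def up(self, *rids, priority=1):
        """Bring one or more routers up at the same time (a simultaneous boot)."""
        for rid in rids:
            self.routers[rid] = priority
        return self._elect()

    def down(self, rid):
        """Router reload/reset: it stops sending Hellos and drops out of the election."""
        self.routers.pop(rid, None)
        return self._elect()


def lab_segment():
    """Replay the 192.168.14.0/24 segment: only R1 and R4 are attached."""
    seg = Segment()
    history = [seg.up("1.1.1.1", "4.4.4.4")]  # both up together: R4 DR, R1 BDR
    history.append(seg.down("4.4.4.4"))       # R4 reset: R1 is promoted to DR
    history.append(seg.up("4.4.4.4"))         # R4 returns: no preemption, R4 is BDR
    return history


def four_router_segment():
    """Same events on a segment with R1..R4: the returning router rejoins as DROther."""
    seg = Segment()
    history = [seg.up("1.1.1.1", "2.2.2.2", "3.3.3.3", "4.4.4.4")]  # R4 DR, R3 BDR
    history.append(seg.down("4.4.4.4"))  # R3 promoted to DR, R2 becomes BDR
    history.append(seg.up("4.4.4.4"))    # R3/R2 keep their roles; R4 is DROther
    return history


if __name__ == "__main__":
    for label, hist in (("two routers", lab_segment()), ("four routers", four_router_segment())):
        print(label)
        for dr, bdr in hist:
            print(f"  DR={dr} BDR={bdr}")
```

The two-router run ends with R1 as DR and R4 as BDR, which is exactly what the posted R4#show ip ospf neighbor output shows for each of R4's segments.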

Good afternoon,

Rene,

Can you please help me to understand this portion of the lab.
I verified that R1 & R2 don’t have route 3.3.3.3 in their routing table once I applied the outbound route filtering. I used this command: area 3 filter-list prefix OUT-AREA3 out.

Question: Why is R4 adding route 3.3.3.3 to its routing table and not filtering out that route, since the loopback interface 4.4.4.4 is in Area 0?

R1 & R2, due to filtering, can’t ping 3.3.3.3 because it is not in the routing table, which is fine according to the purpose of the configuration.

R1#sh ip route 3.3.3.3
% Network not in table
R1#

R2#sh ip route 3.3.3.3
% Network not in table

R4#sh ip route 3.3.3.3
Routing entry for 3.3.3.3/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 192.168.34.3 on FastEthernet1/0, 01:53:04 ago
  Routing Descriptor Blocks:
  * 192.168.34.3, from 3.3.3.3, 01:53:04 ago, via FastEthernet1/0
      Route metric is 2, traffic share count is 1

I used an extended ping from loopback 4.4.4.4 to 3.3.3.3 and it works, when it should be blocked.

R4#ping ip
Target IP address: 3.3.3.3
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 4.4.4.4
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 4.4.4.4 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/40 ms

Outbound Area LSA Type 3 filtering
R1 and R2 both know about the loopback interface of R3. Let’s create a prefix-list that matches 3.3.3.3 /32:

*************CURRENT CONFIGURATION ON R4 ************************************

R4#show ip prefix-list OUT-AREA3 
ip prefix-list OUT-AREA3: 2 entries
   seq 5 deny 3.3.3.3/32
   seq 10 permit 0.0.0.0/0 le 32
R4#show ip prefix-list INTO-AREA3    
ip prefix-list INTO-AREA3: 4 entries
   seq 5 deny 2.2.2.2/32
   seq 6 deny 192.168.14.0/24
   seq 7 deny 192.168.24.0/24
   seq 10 permit 0.0.0.0/0 le 32
R4#sh run | s router              
router ospf 1
 area 3 filter-list prefix INTO-AREA3 in
 area 3 filter-list prefix OUT-AREA3 out
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.14.0 0.0.0.255 area 1
 network 192.168.24.0 0.0.0.255 area 2
 network 192.168.34.0 0.0.0.255 area 3
R4#

Can you please post your diagram as well? Thanks

OSPF-FILTERING-TYPE-3

Also pasting the whole configuration OSPF-FILTERING-TYPE-3-CONFIGURATION .txt (6.5 KB) for the 4 routers in the above topology.

Hello, the network 3.3.3.3/32 is being permitted by the sequence 10 in your prefix-list named INTO-AREA3.

Does it make sense?

Hi Mercedes,
based on your first post…

R4 has a routing entry for 3.3.3.3/32 in its database because R4 has an interface in OSPF area 3.
R4 is an ABR router, and ABRs always have an OSPF database for all the areas they have interfaces in.
Because 4.4.4.4/32 is a loopback on R4, reachability is going to be there.

You can add another router, let’s say R5, and interconnect it with R4. The R4 and R5 interconnecting interfaces should belong to area 0. Because R4 is filtering 3.3.3.3/32 (based on seq 5 in OUT-AREA3), R5 should not have reachability to 3.3.3.3/32.

Fugazz,
Thank you for clarifying this issue for me.
I created R5 connected to R4 and it’s working like R1 & R2, which are unable to reach loopback 3.3.3.3 due to filtering.
Thank you for that.

What if I want to block loopback 4.4.4.4 on the ASBR too?
Is there a granular way or better way to block any route, for example loopback 4.4.4.4, from reaching loopback 3.3.3.3?
In other words, is it better to block access to 3.3.3.3 using a route map on the ABR for any specific route on R4?

I’m glad it helped.

In your case R4 is ABR, not the ASBR.

  • ABR = router that is interconnecting OSPF area 0 with any other OSPF area than 0.
  • ASBR = router that is performing Redistribution into OSPF.

This is important to understand. ABR is producing LSA Type 3 (Inter Area routes) and ASBR is producing LSA Type 5 (External routes).

Because 4.4.4.4/32 is a loopback on R4 in area 0 (it is an intra-area route for area 0) and R4 is an ABR, R4 is going to push 4.4.4.4/32 as an LSA Type 3 (inter-area route) into area 3.
You can block this LSA Type 3 using a filter-list, the same approach you used before.

! on R4:
ip prefix-list BLOCK-R4_LOOPBACK seq 4 deny 4.4.4.4/32
! a prefix-list ends with an implicit deny, so permit the remaining prefixes
ip prefix-list BLOCK-R4_LOOPBACK seq 10 permit 0.0.0.0/0 le 32
router ospf 1
 area 3 filter-list prefix BLOCK-R4_LOOPBACK in

This basically tells R4 to not flood LSA Type 3 for 4.4.4.4/32 into area 3.

OSPF is a link state protocol, and this makes filtering somewhat limited, because all routers in a given area need to have the same LSDB, otherwise they won’t become fully adjacent.

Within OSPF you can filter only on ABRs and ASBRs.

On ABRs you filter using a filter-list, and it has the following characteristics:

  • Filters routes between areas (LSA Type 3 generated by ABR into another area).
  • Works only on ABR routers (ABR routers generate LSA Type 3).
  • Can reference only prefix-list.
  • in = inside referenced area
  • out = outside referenced area

There are other tricks for filtering, specifically using “area range”, but the ABR needs to know the LSA 1 and LSA 2 from the area where the filtered route resides (it needs to have an interface in that area), otherwise not-advertise is not possible.
For your example it would look like this.

! on R4:
router ospf 1
 area 0 range 4.4.4.4 255.255.255.255 not-advertise

R4, as the ABR, is now not advertising 4.4.4.4/32 to the other areas.

As another approach to filtering we can use a distribute-list:

  • in = applying a distribute-list in the “in” direction allows the incoming LSA into the LSDB and floods it to peers, but prevents the LSA from becoming a route in the router’s own local routing table; this can blackhole traffic. Applying a distribute-list “in” is very uncommon.
  • out = only used on ASBRs to prevent redistribution of certain routes into external LSAs (do not CREATE the external LSA). We should think about whether we want to redistribute these routes in the first place. This is the case where you pointed to a route-map.
  • No interface allowed.
  • Can use a standard or extended ACL. Standard = match on prefix. Extended = match on prefix and adv-rtr-ip (advertising router interface IP) of the LSA (NOT the Router ID).

On ASBR we can also use “summary-address” and “not-advertise” filtering.

This is just an overview; the important thing is to understand how LSAs propagate routes, so you can filter them later.
I suggest you go over the various lessons on OSPF filtering. You can find them right here.

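As an added example (not from the thread or the lesson), the following Python evaluator applies Cisco IOS ip prefix-list matching (first matching sequence wins, ge/le length ranges, implicit deny at the end) to the type 3 prefixes an ABR would originate, so you can check what a filter-list will pass before committing it. The OUT-AREA3 and INTO-AREA3 lists are copied from the R4 output posted above; the candidate type 3 prefixes for each direction are constructed from the lab's addressing (1.1.1.1/32 as R1's loopback and 192.168.34.0/24 as the area 3 segment are assumptions). It also shows the failure mode of a deny-only list: the implicit deny drops every type 3 LSA, so a list meant to block 4.4.4.4/32 needs an explicit permit for everything else. This models only what the ABR originates into other areas; as Fugazz explains above, R4's own routing table is built from the area 3 LSDB and is untouched by the filter-list.

```python
# Added example: an IOS-style "ip prefix-list" evaluator applied to OSPF type 3
# (inter-area) filtering on an ABR. Prefix-lists below are copied from the thread;
# the candidate prefix sets are constructed from the lab addressing (assumed).
from ipaddress import ip_network


def parse_entry(line):
    """Parse 'seq 10 permit 0.0.0.0/0 le 32' into (seq, action, network, lo, hi).

    IOS rule: the candidate's first <network.prefixlen> bits must equal the entry's
    network, and its length must lie in lo..hi, which is exactly prefixlen (no ge/le),
    ge..32 (ge only), prefixlen..le (le only) or ge..le (both).
    """
    tok = line.split()
    seq, action, net = int(tok[1]), tok[2], ip_network(tok[3], strict=False)
    ge = le = None
    for key, val in zip(tok[4::2], tok[5::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    lo = net.prefixlen if ge is None else ge
    if le is not None:
        hi = le
    elif ge is not None:
        hi = net.max_prefixlen
    else:
        hi = net.prefixlen
    return seq, action, net, lo, hi


def entry_matches(entry, prefix):
    _, _, net, lo, hi = entry
    if not lo <= prefix.prefixlen <= hi:
        return False
    return (int(prefix.network_address) & int(net.netmask)) == int(net.network_address)


def permitted(prefix_list, prefix_str):
    """First matching entry (by seq) decides; anything unmatched hits the implicit deny."""
    prefix = ip_network(prefix_str, strict=False)
    for entry in sorted(map(parse_entry, prefix_list), key=lambda e: e[0]):
        if entry_matches(entry, prefix):
            return entry[1] == "permit"
    return False


def filter_type3(prefix_list, candidates):
    """Return the candidate type 3 prefixes the filter-list would let the ABR originate."""
    passed = (ip_network(p, strict=False) for p in candidates if permitted(prefix_list, p))
    return [str(n) for n in sorted(passed)]


# Prefix-lists exactly as shown on R4 in the thread.
OUT_AREA3 = ["seq 5 deny 3.3.3.3/32", "seq 10 permit 0.0.0.0/0 le 32"]
INTO_AREA3 = ["seq 5 deny 2.2.2.2/32", "seq 6 deny 192.168.14.0/24",
              "seq 7 deny 192.168.24.0/24", "seq 10 permit 0.0.0.0/0 le 32"]
# A deny-only list (what you get if the trailing permit is forgotten)...
BLOCK_R4_DENY_ONLY = ["seq 4 deny 4.4.4.4/32"]
# ...and the same intent with the explicit permit the implicit deny makes necessary.
BLOCK_R4_WITH_PERMIT = ["seq 4 deny 4.4.4.4/32", "seq 10 permit 0.0.0.0/0 le 32"]

# Constructed (assumed) type 3 candidates: from areas 0/1/2 into area 3 ("in"),
# and from area 3 toward the other areas ("out").
INTO_AREA3_CANDIDATES = ["1.1.1.1/32", "2.2.2.2/32", "4.4.4.4/32",
                         "192.168.14.0/24", "192.168.24.0/24"]
OUT_OF_AREA3_CANDIDATES = ["3.3.3.3/32", "192.168.34.0/24"]

if __name__ == "__main__":
    print("INTO-AREA3 in  :", filter_type3(INTO_AREA3, INTO_AREA3_CANDIDATES))
    print("OUT-AREA3 out  :", filter_type3(OUT_AREA3, OUT_OF_AREA3_CANDIDATES))
    print("deny-only list :", filter_type3(BLOCK_R4_DENY_ONLY, INTO_AREA3_CANDIDATES))
    print("with permit    :", filter_type3(BLOCK_R4_WITH_PERMIT, INTO_AREA3_CANDIDATES))
```

Run it against your own prefix-lists before applying them: a list whose last entry is not a permit will leave the neighbouring area with no inter-area routes at all, which on a production ABR looks like an outage rather than a filter.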

Michael,

Thank you very much for the excellent explanation.
I’ll review the LSA filtering lessons.

Thanks for figuring it out! I was having a hard time defining his problem.


Hi Rene,
when I issue the show ip ospf 1 command, I get Area BACKBONE(0) (Inactive)

What does (Inactive) signify?

Thanks for the great lessons.

Hello Ayong

The “inactive” indicates that there are no active OSPF interfaces in that area. In order to have an “active” area (backbone or otherwise), you must have at least one network command in OSPF referencing an IP address range that corresponds to an interface. That interface must be:

  1. up
  2. not in OSPF passive mode
  3. assigned to the area in question

This error message will appear if you have enabled the passive-interface default command in the OSPF configuration. This will cause all interfaces to become passive by default, and if you don’t specify which interfaces will be active, OSPF remains passive on that area.

I hope this has been helpful!

Laz

Thank you Laz. Very helpful!


The R4 configuration is missing the prefix-list and deny statements, I believe, for LSA filtering in.


Hello Terry

Yes, you are correct, these commands are missing in the final configuration of R4. I will let Rene know to make the correction.

Thanks for pointing that out!

Laz

Can an access list be used instead of a prefix list? Have you explained prefix lists here on NetworkLessons?

Hello Abdulrahman

The filter-list command used to filter LSAs only takes prefix lists as the matching criteria for filtering. Take a look at this context-sensitive help from a Cisco IOS device:

Router(config-router)#area 3 filter-list ?
  prefix  Filter prefixes between OSPF areas

Router(config-router)#area 3 filter-list prefix ?
  WORD  Name of an IP prefix-list

I’ve also tried to lab this up and use an access list, but it doesn’t work. If you want to find out more about prefix lists, take a look at this lesson:

I hope this has been helpful!

Laz