OSPF Distribute-List Filtering

Thank you Laz, that explains it.

1 Like

Hi Rene,

Why do we have to filter routes to begin with? What problem is it solving? I am not sure if I got or misunderstood your explanation of why we filter routes in the first place regarding this lesson.

Hello Walter

In networks such as those created in the labs and in small to medium sized enterprises, route filtering does not provide much benefit. This is because these networks are small, and OSPF databases, and the resulting routing table entries will be limited in size.

However, when an OSPF area reaches 60 or 70 routers, with several hundred, or even a thousand subnets, and when that area is interconnected with two or three other such OSPF areas, the routing tables, and the OSPF databases can get very large (hundreds of entries in the routing table alone!). This means that a lot of CPU and memory resources are being used to maintain them, and when a change occurs, a lot of resources are necessary to get the topology to reconverge. This taxing of resources can be problematic on such large networks.

The primary purpose of filtering routes is so that we can streamline the information found within each OSPF router to improve the efficient use of device resources. Now it should be stated here that a distribute list will only filter routes from being placed within the routing table; it does not filter the actual LSAs. LSAs can only be filtered between areas. You can see this in the lesson from the fact that the route in question is still found in the OSPF database, but it is not installed in the routing table.

Remember that when a router routes a packet, it will go through the whole routing table sequentially to find a match. This is done for each packet. If the routing table is smaller, needless to say, routing will be more efficient. (Now there are features that make routing even faster such as fast switching, and CEF, but even so, a smaller routing table is always a good thing!!)

By filtering unnecessary routes, and by providing a smaller routing table, fewer resources are used to run OSPF and to route each individual packet.

Now which routes you will filter depends upon your topology. There are many cases where routes are learned via OSPF which will never be used by a particular router, so these can be filtered.

I hope this has been helpful!

Laz

2 Likes

Hi Laz,

thanks for the always detailed explanation, it makes much more sense now

1 Like

Hey Rene, great lessons, thanks as always.

Just to make you aware you seem to have some code at the bottom of your page:

If you have any questions, feel free to leave a comment![/MM_Access_Decision]

1 Like

Hi Matthew

Thanks so much for pointing that out, I will let Rene know...

Laz

1 Like

Hi Rene,

I have an issue implementing the distribute-list in when I am using an extended ACL. A standard ACL is working fine though. Could you please help check?

R2#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      1.0.0.0/32 is subnetted, 3 subnets
O IA     1.1.1.1 [110/2] via 192.168.1.1, 00:00:39, GigabitEthernet1/0
O IA     1.1.2.1 [110/2] via 192.168.1.1, 00:00:39, GigabitEthernet1/0
O IA     1.1.3.1 [110/2] via 192.168.1.1, 00:00:39, GigabitEthernet1/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet1/0
L        192.168.1.2/32 is directly connected, GigabitEthernet1/0
      192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.2.0/24 is directly connected, GigabitEthernet2/0
L        192.168.2.1/32 is directly connected, GigabitEthernet2/0
R2#
R2#show ip access
R2#show ip access-lists
Standard IP access list 99
    5 deny   1.1.2.1 (1 match)
    10 permit any (2 matches)
Extended IP access list 199
    10 deny ip host 1.1.2.1 any
    20 permit ip any any (3 matches)
Extended IP access list BLOCK
    10 deny ip host 1.1.2.1 any
    20 permit ip any any (12 matches)
R2#show run | sec router ospf
router ospf 1
 network 192.168.1.0 0.0.0.255 area 1
 network 192.168.2.0 0.0.0.255 area 1
 distribute-list 199 in
R2#

Topology is like:

R1>>>>> R2>>>> R3

R1 has 3 loopbacks: 1.1.1.1/24, 1.1.2.1/24 and 1.1.3.1/24. I am trying to block 1.1.2.1 on R2 but it's not working with the extended ACL.


Hello Pushpender

First of all, this is normal. It seems that you have run into a particular behaviour of extended access lists as they interact with distribute lists.

When using a standard access list, the network that you configure corresponds to the prefix that you want to filter out. So in your case, by configuring ACL 99 with a deny statement for 1.1.2.1, you are successfully filtering out that prefix.

When you use your extended access list, a distribute list using that ACL interprets it as follows:

  • The network found in the "source" field of the ACL matches the update source of the route
  • The network found in the "destination" field of the ACL matches the network address you want to filter

In your configuration, you have placed the 1.1.2.1 network in the source field. In order to correct this situation, you would have to place the network in the destination field like so:

Extended IP access list 199
    10 deny ip any host 1.1.2.1
    20 permit ip any any 

This is a little strange, but the reason this is done is so that you can also specify in the source field, the IP address of the expected source of that information, that is, the router that sent the routing update.

So when using an extended ACL with a distribute list, the source field is the IP address of the router sending the routing update, while the destination field is used to match the actual network.

I hope this has been helpful!

Laz

2 Likes

Hi Laz,

What does the command sh ip ospf database router 192.168.12.1 mean, and what does 192.168.12.1 indicate? Kindly explain the command output so I can understand.

Hello Pradyumna

The show ip ospf database command shows the OSPF database found within the local router. This database consists of all of the LSAs that have been received as well as those generated by the local router itself.

The additional router keyword makes the command display information only about router LSAs, or Type 1 LSAs. By adding the 192.168.12.1 address at the end, you are specifying that you want to see LSAs originated by the router with that particular router ID.

So the command show ip ospf database router 192.168.12.1 displays Type 1 LSAs that have originated from the router with an ID of 192.168.12.1 or R1.

The purpose of the lesson was to show that by using distribute-lists the 1.1.1.1/32 network advertised by R1 is found in the OSPF database of R3, but is filtered from appearing in the routing table. By using the above command, Rene showed that this network still appears in the OSPF database as a received LSA, but not in the routing table.

I hope this has been helpful!

Laz

1 Like

Hello Rene, thanks for the lesson,

We have some questions regarding distribute lists. In our environment we have a similar scenario where we need to deny some prefixes in order to filter OSPF updates within a single area; below you can find the topology that we currently have:

Routers ACC1 and ACC2 are in the same area as routers CMTS1 and CMTS2. For this scenario CMTS1 is learning prefixes from CMTS2 over OSPF as normal. In this case we need to filter (deny) prefixes 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 from router ACC1 to CMTS1, and need to filter prefixes 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24 also from ACC1, but this time to CMTS2. For this task we are trying to use a distribute list in ACC1 as follows:

ACC1#show access-lists 
Standard IP access list 1
    10 deny   192.168.0.0, wildcard bits 0.0.255.255 log (tag = MATCH_ACCESS_1)
    20 permit any (15 matches)

ACC1#show run | sec distribute-list
 distribute-list 1 out

Based on our understanding, router ACC1 should be filtering prefixes 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 towards CMTS1, so CMTS1 should be learning those prefixes from ACC2, as our topology shows. So we need to configure the same access list on router ACC2 and apply the same outbound distribute list in order to prevent CMTS1 from learning prefixes 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24. Here is the configuration for router ACC2:

ACC2#show access-lists 
Standard IP access list 1
    10 deny   192.168.0.0, wildcard bits 0.0.255.255 log (tag = MATCH_ACCESS_LIST)
    20 permit any (15 matches)

ACC2#show run | sec distribute-list
 distribute-list 1 out

But in this case we are still seeing that CMTS1 is learning prefixes 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24 and those are being installed in its routing table even after we have applied the distribute-list out command:

CMTS1#show ip route ospf

.
.
.
 Output omitted
.
.
.
      192.168.1.0/32 is subnetted, 1 subnets
O        192.168.1.1 [110/3] via 172.16.5.1, 00:03:09, GigabitEthernet2/0
      192.168.2.0/32 is subnetted, 1 subnets
O        192.168.2.1 [110/3] via 172.16.5.1, 00:03:09, GigabitEthernet2/0
      192.168.3.0/32 is subnetted, 1 subnets
O        192.168.3.1 [110/3] via 172.16.5.1, 00:03:09, GigabitEthernet2/0

We noticed that the configured access lists are getting matches, but for some reason only on the permit statement in both cases. We are not sure if we can filter OSPF updates in the same area in the outgoing direction or if we are applying the access list in the wrong way; we have tried with a prefix-list but the result is the same.

Thanks for any comment you have related to this particular scenario.

Best regards!!!

Hello Arturo

It is not possible to filter the advertising of LSAs from one router to another when those OSPF routers are in the same area. You can filter LSAs being exchanged between different areas, and this of course would be implemented at the ABR.

In your topology, you have a single OSPF area, so what you are trying to do is not possible. As stated in the lesson, however, it is possible to prevent the information received in an LSA from being entered into the routing table. In other words, a router will receive LSAs and will build the OSPF database, but you can selectively choose which of those destinations you want to add to the routing table.

In order to do this, you must apply the distribute-list on the router on which you want to block these destinations. Specifically, you must apply the distribute lists on the CMTS1 and CMTS2 routers.

Secondly, when a distribute list is used in this manner, it must be applied in an inbound direction. Review the lesson once again, and you will get a clearer understanding of how distribute lists function for use within the same OSPF area.

I hope this has been helpful!

Laz

1 Like
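The two replies above (to Pushpender on how an extended ACL is read by a distribute-list, and to Arturo on why the filter has to be applied inbound on the router that should not install the routes), together with Laz's earlier point that a distribute-list never removes anything from the OSPF database, can be checked with a small model. This is an added example, not code from the lesson or from Cisco IOS: it reproduces IOS wildcard and implicit-deny semantics in Python and feeds it the ACLs and prefixes posted in this thread. It assumes that the "update source" an extended ACL's source field is compared against is the neighbour address the route was learned from (192.168.1.1 for R2 in Pushpender's topology); on a real router, confirm from the platform documentation whether IOS compares the advertising router ID or the next hop for OSPF before relying on the source field. The LSDB contents are constructed from the routing tables shown in the thread.

```python
"""Model of how an IOS distribute-list decides what an OSPF router installs.

Added example (not from the lesson or from Cisco). Two points are modelled:
  * standard vs extended ACL semantics in a distribute-list: a standard entry
    matches the prefix; an extended entry matches (update source, prefix);
  * LSAs flood unchanged inside an area, so only the inbound distribute-list
    on the receiving router removes anything, and only from its routing table.
Assumption: the update source is the neighbour address the route came from.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")      # IOS 'any'


def host(addr):
    """IOS 'host A.B.C.D' is A.B.C.D with a 0.0.0.0 wildcard."""
    return (addr, "0.0.0.0")


def wildcard_match(addr, network, wildcard):
    """A set bit in an IOS wildcard means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return a & care == n & care


def acl_permits(acl, prefix, update_source):
    """Evaluate an ACL the way a distribute-list does: first match wins.

    A standard entry (no 'dst') compares its address with the prefix's network
    address. An extended entry compares 'src' with the update source and 'dst'
    with the prefix's network address; the prefix length is not considered.
    Reaching the end of the list without a match is a deny, as on IOS."""
    net = str(ipaddress.ip_network(prefix, strict=False).network_address)
    for entry in acl:
        if "dst" in entry:
            hit = (wildcard_match(update_source, *entry["src"])
                   and wildcard_match(net, *entry["dst"]))
        else:
            hit = wildcard_match(net, *entry["src"])
        if hit:
            return entry["action"] == "permit"
    return False


def routing_table(lsdb, inbound_acl=None):
    """Prefixes this router installs from an intra-area LSDB.

    Every (prefix, update source) pair in lsdb stays in the LSDB whatever the
    ACL says; flooding inside an area cannot be filtered. Only the inbound
    distribute-list on *this* router decides what reaches its routing table.
    A 'distribute-list ... out' under router ospf on a neighbour plays no part
    here: in IOS it only applies to routes that neighbour itself redistributes
    into OSPF, which is why ACC1/ACC2 in the thread saw no effect."""
    if inbound_acl is None:
        return [p for p, _ in lsdb]
    return [p for p, src in lsdb if acl_permits(inbound_acl, p, src)]


# ACLs exactly as posted in the thread (plus the corrected 199)
ACL_99 = [{"action": "deny", "src": host("1.1.2.1")},            # standard
          {"action": "permit", "src": ANY}]
ACL_199_AS_POSTED = [{"action": "deny", "src": host("1.1.2.1"), "dst": ANY},
                     {"action": "permit", "src": ANY, "dst": ANY}]
ACL_199_FIXED = [{"action": "deny", "src": ANY, "dst": host("1.1.2.1")},
                 {"action": "permit", "src": ANY, "dst": ANY}]
ACL_1 = [{"action": "deny", "src": ("192.168.0.0", "0.0.255.255")},  # ACC1/ACC2
         {"action": "permit", "src": ANY}]

# Constructed LSDB views, taken from the routing tables shown in the thread
R2_LSDB = [("1.1.1.1/32", "192.168.1.1"), ("1.1.2.1/32", "192.168.1.1"),
           ("1.1.3.1/32", "192.168.1.1")]
CMTS1_LSDB = [("192.168.1.1/32", "172.16.5.1"), ("192.168.2.1/32", "172.16.5.1"),
              ("192.168.3.1/32", "172.16.5.1"), ("10.0.1.0/24", "172.16.5.1")]

if __name__ == "__main__":
    print("R2, ACL 99 (standard):  ", routing_table(R2_LSDB, ACL_99))
    print("R2, ACL 199 as posted:  ", routing_table(R2_LSDB, ACL_199_AS_POSTED))
    print("R2, ACL 199 fixed:      ", routing_table(R2_LSDB, ACL_199_FIXED))
    print("CMTS1, ACL 1 inbound:   ", routing_table(CMTS1_LSDB, ACL_1))
    print("CMTS1 LSDB still holds  ", len(CMTS1_LSDB), "prefixes")
```

Running it reproduces Pushpender's symptom: with the ACL as posted, the deny entry's source field is compared against 192.168.1.1, never matches, and the permit entry lets 1.1.2.1/32 through; moving the host into the destination field filters it. For Arturo's case the same inbound filter on CMTS1 drops the 192.168.x.x routes from its routing table while the LSDB length is unchanged, and no ACL on ACC1 or ACC2 is consulted at all.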

Hello Lazaros,
Thanks for you answer,

Unfortunately we don't have access to the CMTS management, that's why we were wondering if we could do this just from the ACC1 and ACC2 routers. We also wonder if this is for OSPF in general, I mean, is this behavior the same on every IOS version for Cisco routers? This is because we are trying to do this task in IOS XR and we are not sure about this, since in the Cisco official command reference for IOS XR routers this part is not that clear. We've been doing some research regarding this and we noticed in more than one forum that this is not possible, as you explained before, but only in non-official Cisco documents.

Thanks for any comment you have.

Best regards!!!

Hello Arturo

Filtering LSAs between routers that are in the same area is not possible. This is a general rule for OSPF. Unfortunately, many forums will use the term "intra-area filtering" to describe what we're doing here, but it is not. It is actually LSA filtering within the router itself that we are performing, filtering them from being installed in the routing table, and not filtering them from being in the OSPF database.

The only other solution is to change the OSPF topology and place CMTS1 and CMTS2 in another OSPF area. Then, ACC1 and ACC2 would be ABRs, and there, you could filter LSAs so they are not shared, using the area filter-list command as shown in this lesson.

What is the reason you want to block these routes from being learned by these routers? Does it have to do with routing? Did you want them to learn particular routes only from a specific router so they can be routed only to that router? If that is the case, then you can change the metric of the routes being advertised.

In any case, let us know more about what you want to ultimately accomplish so that we may be able to suggest other ways to accomplish it.

I hope this has been helpful!

Laz

Thank you so much for your hard work. I have been reading a lot about redistribution, I realized there are many different ways to achieve the same goal.
Can anyone help me out with answering this question:

Redistribute the static routes on Router-8 but ensure that only the following static routes are redistributed into OSPF :
a. All of the 192.168.0.0/16 static routes
b. Host route 2.2.2.2/32

I am not sure what method I should use here exactly.

Hello Essa

Great to hear that the site is helpful for you, and thanks for your kind words :blush:. It is true that there are many different ways to redistribute depending upon what you need.

The question is essentially saying:

Out of all the static routes configured on Router-8, how would you apply redistribution such that only the routes indicated by a. and b. are redistributed?

In order to help you answer this question, we need to know the original set of static routes that Router-8 is configured with. Can you share that with us?

Thanks!

Laz

I Appreciate you Lazaros, thank you for taking the time to help me.

interface GigabitEthernet0/0
 ip address 10.250.10.1 255.255.255.0
 ip ospf message-digest-key 1 md5 Essa-OSPF
 ip ospf message-digest-key 2 md5 Essa-OSPF
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 192.168.137.1 255.255.255.252
 ip ospf message-digest-key 1 md5 Essa-OSPF
 ip ospf message-digest-key 2 md5 Essa-OSPF
 duplex auto
 speed auto
 media-type rj45
!

router ospf 1
 area 0 authentication message-digest
 area 5 authentication message-digest
 network 10.1.1.9 0.0.0.0 area 5
 network 10.250.10.0 0.0.0.255 area 5
 network 192.168.137.0 0.0.0.255 area 5
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 2.2.2.2 255.255.255.255 192.168.137.2
ip route 3.3.3.3 255.255.255.255 192.168.137.2
ip route 192.168.50.0 255.255.255.0 192.168.137.2
ip route 192.168.51.0 255.255.255.0 192.168.137.2
ip route 192.168.52.0 255.255.255.0 192.168.137.2
ip route 192.168.53.0 255.255.255.0 192.168.137.2
ip route 192.168.54.0 255.255.255.0 192.168.137.2
!         

please let me know if you need any other information,
Thanks again!

Hello Essa

I'm assuming that Router-8 has some static routes that are within the 192.168.0.0/16 range. In order to achieve the requirements, you must use the command redistribute static in the OSPF configuration mode, along with a route map that will match the appropriate static routes.

In particular, the command should be

redistribute static route-map MY-RMAP subnets

where MY-RMAP is a route map that matches all of the 192.168.0.0/16 and the host route of 2.2.2.2/32. You can find out more about route maps at the following lesson:

Now the subnets keyword is used here because, for OSPF, we want to match routes that are subnetted as well. Otherwise, only classful routes will be matched. More info on the redistribution command and all of its options can be found here:
https://www.cisco.com/c/en/us/td/docs/ios/iproute_pi/command/reference/iri_book/iri_pi1.html#wp1034551

I hope this has been helpful!

Laz
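To see how the route map Laz describes would behave against Essa's static routes before it goes on a router, here is an added example (not code from the lesson, from Cisco, or from Router-8). It parses a constructed IOS configuration fragment containing an assumed prefix-list named STATIC-TO-OSPF, the route-map MY-RMAP from Laz's reply, and the ip route lines exactly as Essa posted them, then evaluates the route-map with IOS prefix-list ge/le semantics. The point it makes is the one that usually trips people up: `permit 192.168.0.0/16` on its own matches only the /16 itself, so `le 32` is needed to catch the /24 statics.

```python
"""Evaluate 'redistribute static route-map <name>' offline.

Added example, not code from the lesson, from Cisco, or from Essa's router.
It parses a constructed IOS config fragment (prefix-list STATIC-TO-OSPF and
route-map MY-RMAP are assumed names; the ip route lines are the ones posted
in the thread) and returns which statics the route-map would hand to OSPF.
"""
import ipaddress
import re

IOS_CONFIG = """\
ip prefix-list STATIC-TO-OSPF seq 5 permit 192.168.0.0/16 le 32
ip prefix-list STATIC-TO-OSPF seq 10 permit 2.2.2.2/32
!
route-map MY-RMAP permit 10
 match ip address prefix-list STATIC-TO-OSPF
!
router ospf 1
 redistribute static route-map MY-RMAP subnets
!
ip route 2.2.2.2 255.255.255.255 192.168.137.2
ip route 3.3.3.3 255.255.255.255 192.168.137.2
ip route 192.168.50.0 255.255.255.0 192.168.137.2
ip route 192.168.51.0 255.255.255.0 192.168.137.2
ip route 192.168.52.0 255.255.255.0 192.168.137.2
ip route 192.168.53.0 255.255.255.0 192.168.137.2
ip route 192.168.54.0 255.255.255.0 192.168.137.2
"""

PREFIX_LIST_RE = re.compile(
    r"ip prefix-list (\S+) seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?")


def parse_config(text):
    """Pull static routes, prefix-lists and route-maps out of IOS config text."""
    statics, prefix_lists, route_maps = [], {}, {}
    clause = None                       # route-map clause currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip route "):
            _, _, dest, mask, _next_hop = line.split()[:5]
            statics.append(ipaddress.ip_network(f"{dest}/{mask}"))
        elif line.startswith("ip prefix-list "):
            name, seq, action, pfx, ge, le = PREFIX_LIST_RE.fullmatch(line).groups()
            prefix_lists.setdefault(name, []).append(
                (int(seq), action, ipaddress.ip_network(pfx),
                 int(ge) if ge else None, int(le) if le else None))
        elif line.startswith("route-map "):
            _, name, action, seq = line.split()
            clause = {"action": action, "prefix_lists": []}
            route_maps.setdefault(name, []).append((int(seq), clause))
        elif clause is not None and line.startswith("match ip address prefix-list "):
            clause["prefix_lists"].extend(line.split()[4:])
        elif line == "!":
            clause = None
    for entries in list(prefix_lists.values()) + list(route_maps.values()):
        entries.sort(key=lambda e: e[0])   # IOS evaluates in sequence order
    return statics, prefix_lists, route_maps


def prefix_list_permits(entries, route):
    """IOS prefix-list semantics: first match wins, implicit deny at the end.

    An entry A/L matches a route P/M when P lies inside A/L and M is within
    [L, L] by default, [ge, 32] with only ge, [L, le] with only le, and
    [ge, le] with both. So '192.168.0.0/16' alone matches only the /16 itself,
    while '192.168.0.0/16 le 32' matches every prefix under it."""
    for _seq, action, pfx, ge, le in entries:
        lo = ge if ge is not None else pfx.prefixlen
        hi = le if le is not None else (32 if ge is not None else pfx.prefixlen)
        if route.subnet_of(pfx) and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False


def route_map_permits(clauses, prefix_lists, route):
    """A clause matches when it has no match statement or any listed
    prefix-list permits the route; the clause's permit/deny then applies.
    Falling off the end of the route-map is a deny."""
    for _seq, clause in clauses:
        names = clause["prefix_lists"]
        if not names or any(prefix_list_permits(prefix_lists[n], route) for n in names):
            return clause["action"] == "permit"
    return False


def redistributed_statics(config_text, route_map_name):
    """Static routes that 'redistribute static route-map <name>' would hand to
    OSPF, as prefix strings in configuration order."""
    statics, prefix_lists, route_maps = parse_config(config_text)
    clauses = route_maps[route_map_name]
    return [str(r) for r in statics if route_map_permits(clauses, prefix_lists, r)]


if __name__ == "__main__":
    for prefix in redistributed_statics(IOS_CONFIG, "MY-RMAP"):
        print("redistributed:", prefix)
```

With the config above, 2.2.2.2/32 and the five 192.168.5x.0/24 statics are redistributed and 3.3.3.3/32 is not, which is the task's requirement; dropping `le 32` from sequence 5 would silently leave the /24s out. The `subnets` keyword on the redistribute line is still needed on the router, as Laz notes, and the model does not check that.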

I can't thank you enough Lazaros. I read the link you provided and took some notes, along with the command you provided and everything else about route-maps. I was able to solve this task and even more!
I truly appreciate your help, I am so glad that I joined you guys!
Thanks again for your time.

Hello Essa

Great to hear! Really glad that we could be of help. That's what we're here for, and when we find out that we have helped someone achieve their goals, whether great or small, it is really satisfying. Thanks for letting us know. If you need any more help you know where to find us!!

Laz