Following our path through the CCIEv5 topics, let’s move on to the OSPF “Implement and troubleshoot filtering” series.
We will start with distribute-list.
With an inbound distribute-list, we can filter what enters the local routing table and prevent selected routes from being installed in it.
Task: make sure R5’s loopbacks 10, 11 and 12 are not seen in R3’s routing table.
Configuration and verification:
First, let’s verify R3’s current routing table:
R3#sh ip route
O E2 172.20.1.0/27 [110/20] via 10.10.1.2, 00:01:15, Ethernet0/0
                   [110/20] via 10.10.1.1, 00:01:15, Ethernet0/0
Now let’s apply our distribute list to remove those routes.
We need to deny the routes with an access-list and then apply the distribute-list inbound under the OSPF process:
R3(config)#access-list 1 deny 172.20.1.0 0.0.0.32
R3(config)#access-list 1 permit any
R3(config)#router ospf 10
R3(config-router)#distribute-list 1 in
The route is no longer in the routing table; however, it is still present in the OSPF database:
R3#sh ip route 172.20.1.0
% Subnet not in table
R3#sh ip ospf data ext 172.20.1.0

            OSPF Router with ID (22.214.171.124) (Process ID 10)

                Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 463
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 172.20.1.0 (External Network Number )
  Advertising Router: 126.96.36.199
  LS Seq Number: 80000001
  Checksum: 0xCC70
  Length: 36
  Network Mask: /27
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0
If we check another router, for example R8, the route is still there:
R8#sh ip route 172.20.1.0
Routing entry for 172.20.1.0/27
  Known via "ospf 10", distance 110, metric 20, type extern 2, forward metric 1002
  Last update from 10.10.18.1 on Ethernet0/0, 00:09:00 ago
  Routing Descriptor Blocks:
  * 10.10.18.1, from 188.8.131.52, 00:09:00 ago, via Ethernet0/0
      Route metric is 20, traffic share count is 1
However, using distribute-list this way can be dangerous.
Let’s do the same on R4 and remove the route 172.20.1.0/27 from its routing table:
R4(config)#access-list 1 deny 172.20.1.0 0.0.0.32
R4(config)#access-list 1 permit any
R4(config)#router ospf 10
R4(config-router)#distribute-list 1 in
The route is removed from R4’s routing table:
R4#sh ip route 172.20.1.0
% Subnet not in table
But it is still in R1’s routing table, with R4 as the next hop:
R1#sh ip route 172.20.1.0
Routing entry for 172.20.1.0/27
  Known via "ospf 10", distance 110, metric 20, type extern 2, forward metric 1001
  Last update from 10.10.14.2 on Ethernet1/0, 00:16:02 ago
  Routing Descriptor Blocks:
  * 10.10.14.2, from 184.108.40.206, 00:16:02 ago, via Ethernet1/0
      Route metric is 20, traffic share count is 1
Because traffic to R5’s loopbacks must cross R4 (that is the only forwarding path), R1 keeps forwarding to R4, and since R4 no longer has a route to the destination, the traffic is dropped: a black hole.
So an inbound distribute-list can be useful to remove an entry from the routing table, but it won’t stop the route from being advertised to the neighbors: the Type-5 LSA stays in the database and is still flooded onward. So you have to be careful when using it.
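A quick way to audit for exactly this situation is to compare the Type-5 prefixes in the OSPF database against what is actually installed in the RIB. The script below is an added example, not part of the original post; it parses constructed “show ip route” and “show ip ospf database external” output modelled on R3 above and reports externals the router knows about but does not route, which are the candidates for a black hole whenever the router sits on the forwarding path.

```python
import re

# Constructed sample output modelled on R3 after the distribute-list (not a real capture).
# 172.20.1.0/27 is in the LSDB but has been filtered from the RIB; 172.20.2.0/27 is routed.
SHOW_IP_ROUTE = """\
O E2 172.20.2.0/27 [110/20] via 10.10.1.2, 00:01:15, Ethernet0/0
O    10.10.18.0/24 [110/11] via 10.10.1.1, 00:05:10, Ethernet0/0
"""

SHOW_OSPF_DB_EXT = """\
  LS Type: AS External Link
  Link State ID: 172.20.1.0 (External Network Number )
  Advertising Router: 126.96.36.199
  Network Mask: /27
  LS Type: AS External Link
  Link State ID: 172.20.2.0 (External Network Number )
  Advertising Router: 126.96.36.199
  Network Mask: /27
"""

def rib_prefixes(show_ip_route: str) -> set:
    """Prefixes installed in the RIB, taken from route lines of 'show ip route'."""
    prefixes = set()
    for line in show_ip_route.splitlines():
        if "subnetted" in line:          # skip parent-prefix header lines
            continue
        m = re.search(r"(\d+\.\d+\.\d+\.\d+/\d+)", line)
        if m:
            prefixes.add(m.group(1))
    return prefixes

def external_lsa_prefixes(show_db_ext: str) -> set:
    """Prefixes carried by Type-5 LSAs: pair each 'Link State ID' with its 'Network Mask'."""
    found, lsid = set(), None
    for line in show_db_ext.splitlines():
        m = re.match(r"\s*Link State ID: (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            lsid = m.group(1)
            continue
        m = re.match(r"\s*Network Mask: /(\d+)", line)
        if m and lsid:
            found.add(f"{lsid}/{m.group(1)}")
            lsid = None
    return found

def filtered_externals(show_ip_route: str, show_db_ext: str) -> list:
    """Type-5 prefixes known in the LSDB but absent from the RIB (black-hole candidates)."""
    return sorted(external_lsa_prefixes(show_db_ext) - rib_prefixes(show_ip_route))
```

Run it against the two outputs collected from each router on the transit path; any prefix it returns is one that the router will still advertise (the LSA is flooded) but cannot forward to.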
Thank you for reading.
OSPF – Implement and troubleshoot filtering – Distribute-list