
OSPF – Implement and troubleshoot filtering – Distribute-list

Following our path through the CCIEv5 topics, let’s move on to the OSPF Implement and troubleshoot filtering series.

 

We will start with distribute-list.

 

Theory:

An inbound distribute-list (distribute-list <acl> in under the OSPF process) filters routes at the moment they are installed from the OSPF database into the local routing table. It never touches the link-state database: OSPF requires every router in an area to hold the same LSDB, so the filtered LSAs are still stored and still flooded to neighbors. The filter only changes what this router forwards on, not what the rest of the domain learns.

 

Requirements :

Make sure R5 loopbacks 10,11,12 are not seen in R3 routing table.

 

Diagram:

Not-so-totally-stubby area

 

Configuration and verification:

 

First let’s verify R3’s current routing table:

R3#sh ip route
O E2     172.20.1.0/27 [110/20] via 10.10.1.2, 00:01:15, Ethernet0/0
                       [110/20] via 10.10.1.1, 00:01:15, Ethernet0/0

 

Now let’s apply a distribute-list to remove those routes.

We need an access-list that denies the prefix and permits everything else, then apply it as an inbound distribute-list under the OSPF process. Keep in mind that a standard access-list used in a distribute-list is matched against the network address of the route only, not its prefix length, and that the wildcard for a /27 is 0.0.0.31.

R3(config)#access-list 1 deny 172.20.1.0 0.0.0.31
R3(config)#access-list 1 permit any
R3(config)#router ospf 10
R3(config-router)#distribute-list 1 in

 

The route is no longer in the routing table, but it is still present in the OSPF database:

R3#sh ip route 172.20.1.0
% Subnet not in table

R3#sh ip ospf data ext 172.20.1.0
            OSPF Router with ID (33.33.33.33) (Process ID 10)
                Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 463
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 172.20.1.0 (External Network Number )
  Advertising Router: 172.10.1.9
  LS Seq Number: 80000001
  Checksum: 0xCC70
  Length: 36
  Network Mask: /27
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

 

If we check another router, for example R8, the route is still there:

R8#sh ip route 172.20.1.0
Routing entry for 172.20.1.0/27
  Known via "ospf 10", distance 110, metric 20, type extern 2, forward metric 1002
  Last update from 10.10.18.1 on Ethernet0/0, 00:09:00 ago
  Routing Descriptor Blocks:
  * 10.10.18.1, from 172.10.1.9, 00:09:00 ago, via Ethernet0/0
      Route metric is 20, traffic share count is 1

 

However, using a distribute-list this way can be dangerous.

Let’s do the same on R4 and remove the route 172.20.1.0/27 from its routing table.

R4(config)#access-list 1 deny 172.20.1.0 0.0.0.31
R4(config)#access-list 1 permit any
R4(config)#router ospf 10
R4(config-router)#distribute-list 1 in

 

The route is removed from R4’s routing table.

R4# sh ip route 172.20.1.0
% Subnet not in table

 

But it is still in R1’s routing table:

R1#sh ip route 172.20.1.0
Routing entry for 172.20.1.0/27
  Known via "ospf 10", distance 110, metric 20, type extern 2, forward metric 1001
  Last update from 10.10.14.2 on Ethernet1/0, 00:16:02 ago
  Routing Descriptor Blocks:
  * 10.10.14.2, from 172.10.1.9, 00:16:02 ago, via Ethernet1/0
      Route metric is 20, traffic share count is 1

 

R1 still installs the route with next hop 10.10.14.2, which is R4, because R4 keeps flooding the LSA even though it filtered the route out of its own table. Traffic from R1 to R5’s loopbacks must cross R4 (that is the only forwarding path), and R4 has no route for that destination, so R4 drops the packets: a black hole.

 

So an inbound distribute-list is useful for keeping an entry out of the local routing table, but it does not stop the route from being advertised to neighbors. It is harmless on a router that is never in the forwarding path for the filtered destination and dangerous on a transit router such as R4, so use it with care.
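The three points above (the ACL wildcard is matched against the route’s network address, the RIB is filtered while the LSDB is untouched, and a filtered transit router black-holes traffic) can be checked in a small model. This is an added example, not configuration or code from the original post: router names, the 172.20.1.0/27 prefix and the 10.10.14.2 next hop come from the post, while the extra prefixes, the ACL tuples and the helper names are constructed for illustration.

```python
"""Model of an OSPF inbound distribute-list (added example, not from the post).

What it shows:
  * how IOS evaluates a standard ACL wildcard mask against a route's
    network address (and why 0.0.0.32 is not the wildcard for a /27);
  * that the filter shapes the RIB while the LSDB is left untouched;
  * that a filtered transit router becomes a black hole.
Router names, the 172.20.1.0/27 prefix and the 10.10.14.2 next hop come
from the post; the other prefixes and the helper names are constructed.
"""
import ipaddress


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit must match.  Non-contiguous masks such as 0.0.0.32 are legal."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(acl_addr))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (base & care)


def std_acl_permits(acl, network: str) -> bool:
    """Evaluate a standard ACL, given as [(action, addr, wildcard), ...],
    top to bottom with the implicit deny at the end.  A distribute-list
    feeds it only the route's network address, never the prefix length."""
    for action, acl_addr, wildcard in acl:
        if wildcard_match(network, acl_addr, wildcard):
            return action == "permit"
    return False


def build_rib(lsdb: dict, acl) -> dict:
    """`distribute-list <acl> in`: denied routes never reach the RIB.
    The lsdb mapping is only read; the LSAs stay and keep being flooded."""
    return {
        prefix: next_hop
        for prefix, next_hop in lsdb.items()
        if std_acl_permits(acl, str(ipaddress.ip_network(prefix).network_address))
    }


def find_black_hole(path, ribs: dict, prefix: str):
    """Walk the forwarding path hop by hop and return the first router
    whose RIB has no entry for the prefix, or None if every hop has one."""
    for router in path:
        if prefix not in ribs[router]:
            return router
    return None


# Constructed type-5 routes as held in the (identical) LSDB of every router.
LSDB = {
    "172.20.1.0/27": "10.10.14.2",   # R5's block from the post
    "172.20.1.32/27": "10.10.14.2",  # constructed neighbouring /27
    "172.20.1.0/24": "10.10.14.2",   # constructed: same network address, other length
    "172.10.1.0/24": "10.10.14.2",   # constructed: must survive the filter
}

PERMIT_ALL = [("permit", "0.0.0.0", "255.255.255.255")]
# Wildcard as posted: 0.0.0.32 also matches 172.20.1.32, but not 172.20.1.1.
ACL_AS_POSTED = [("deny", "172.20.1.0", "0.0.0.32")] + PERMIT_ALL
# Corrected wildcard for a /27.
ACL_CORRECT = [("deny", "172.20.1.0", "0.0.0.31")] + PERMIT_ALL


if __name__ == "__main__":
    print("RIB with 0.0.0.32:", sorted(build_rib(LSDB, ACL_AS_POSTED)))
    print("RIB with 0.0.0.31:", sorted(build_rib(LSDB, ACL_CORRECT)))
    # R1 is unfiltered and points at R4; R4 filters the prefix -> black hole.
    ribs = {"R1": build_rib(LSDB, PERMIT_ALL), "R4": build_rib(LSDB, ACL_CORRECT)}
    print("black hole at:", find_black_hole(["R1", "R4"], ribs, "172.20.1.0/27"))
```

Two things the model makes visible. With the 0.0.0.32 wildcard the deny also catches 172.20.1.32/27, because that mask only ignores bit 5; 0.0.0.31 is the contiguous wildcard for a /27. And with either wildcard the constructed 172.20.1.0/24 entry is swept up too, since a standard ACL never sees the prefix length. When the length matters, use a prefix-list instead of an ACL: in IOS that is an ip prefix-list entry denying 172.20.1.0/27 followed by a permit for 0.0.0.0/0 le 32, applied with distribute-list prefix <name> in under the OSPF process.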


Thank you for reading.
