
OSPF – Implement and troubleshoot filtering – Forwarding address suppression

Let’s now have a look at this other feature.

 

Theory:

Forwarding address suppression causes routers that are configured not to advertise forwarding addresses into the backbone to direct forwarded traffic to the translating NSSA ASBRs.

 

Requirements:

– Configure area 2 as an NSSA.
– Filter the R5 loopback (5.5.5.5) from being advertised into area 0.
– Make sure that the R5 external network (55.55.55.0/24) is still reachable by devices in area 0 and area 3.

 

Diagram:

OSPF forward add supp

Configuration and verification:

First, on R1, R4, R5 and R6, we turn area 2 into an NSSA:

router ospf 10
area 2 nssa

 

Then we filter the R5 loopback on R1:

R1(config)#ip prefix-list R5_LOOPBACK deny 5.5.5.5/32
R1(config)#ip prefix-list R5_LOOPBACK permit 0.0.0.0/0 le 32

R1(config-router)#area 2 filter-list prefix R5_LOOPBACK out

 

Let’s now test from R3 and R10.

Traceroute to 55.55.55.55 doesn’t work:

R3#traceroute 55.55.55.55
Type escape sequence to abort.
Tracing the route to 55.55.55.55
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2  *  *  *
  3  *  *  *
  4  *  *  *
R10#traceroute 55.55.55.55
Type escape sequence to abort.
Tracing the route to 55.55.55.55
VRF info: (vrf in name/id, vrf out name/id)
  1  *  *  *
  2  *  *  *
  3  *  *  *

 

There is no route to 55.55.55.55 in the routing table:

R3#sh ip route 55.55.55.0
% Network not in table

R10#sh ip route 55.55.55.0
% Network not in table

 

But we have one entry in the OSPF external database:

R3#sh ip ospf data ext 55.55.55.0
            OSPF Router with ID (33.33.33.33) (Process ID 10)
                Type-5 AS External Link States
  LS age: 663
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 55.55.55.0 (External Network Number )
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000002
  Checksum: 0xD1E7
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 5.5.5.5
        External Route Tag: 0

R10#sh ip ospf data ext 55.55.55.0
            OSPF Router with ID (100.100.100.100) (Process ID 10)
                Type-5 AS External Link States
  LS age: 688
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 55.55.55.0 (External Network Number )
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000002
  Checksum: 0xD1E7
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 5.5.5.5
        External Route Tag: 0

 

As you can see, the forwarding address is set to R5's router ID (5.5.5.5), which is R5's loopback.

The type-5 external LSA seen on R3 was translated from a type-7 external LSA by R1, and the original forwarding address is kept during the translation. The advertising router is R1, but the forwarding address is still R5.

 

R3 needs to perform a recursive lookup on the forwarding address (5.5.5.5) in order to install the external route into its routing table.

The problem is that because 5.5.5.5 is filtered on R1, R3 sees no route to it and therefore cannot install the route to 55.55.55.0 into its routing table:

R3#sh ip route 5.5.5.5
% Network not in table

R10#sh ip route 5.5.5.5
% Network not in table

 

To fulfill our last requirement, we need to use forwarding address suppression. With it, the ABR doing the type-7 to type-5 LSA translation will not preserve the value of the forwarding address.

R1(config-router)#area 2 nssa translate type7 suppress-fa

 

Now on R3 and R10, the forwarding address is set to 0.0.0.0. The recursive lookup is done on the advertising router and the route to 55.55.55.0 is installed in their routing tables:

R3#sh ip ospf database ext 55.55.55.0
            OSPF Router with ID (33.33.33.33) (Process ID 10)
                Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 24
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 55.55.55.0 (External Network Number )
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000003
  Checksum: 0xD4F7
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

R3#sh ip route 55.55.55.0
Routing entry for 55.55.55.0/24
  Known via "ospf 10", distance 110, metric 20, type extern 2, forward metric 1
  Last update from 10.10.1.1 on Ethernet0/0, 00:01:24 ago
  Routing Descriptor Blocks:
  * 10.10.1.1, from 11.11.11.11, 00:01:24 ago, via Ethernet0/0
      Route metric is 20, traffic share count is 1
R3#traceroute 55.55.55.55
Type escape sequence to abort.
Tracing the route to 55.55.55.55
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.1.1 2 msec 1 msec 0 msec
  2 10.10.14.2 1 msec 1 msec 0 msec
  3 10.10.2.5 1 msec *  1 msec

R10#sh ip ospf database ext 55.55.55.0
            OSPF Router with ID (100.100.100.100) (Process ID 10)
                Type-5 AS External Link States
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 95
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 55.55.55.0 (External Network Number )
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000003
  Checksum: 0xD4F7
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

R10#sh ip route 55.55.55.0
Routing entry for 55.55.55.0/24
  Known via "ospf 10", distance 110, metric 20, type extern 2, forward metric 11
  Last update from 10.10.3.8 on Ethernet0/0, 00:01:37 ago
  Routing Descriptor Blocks:
  * 10.10.3.8, from 11.11.11.11, 00:01:37 ago, via Ethernet0/0
      Route metric is 20, traffic share count is 1
R10#traceroute 55.55.55.55
Type escape sequence to abort.
Tracing the route to 55.55.55.55
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.3.8 0 msec 1 msec 0 msec
  2 10.10.18.1 1 msec 1 msec 5 msec
  3 10.10.14.2 3 msec 1 msec 0 msec
  4 10.10.2.5 1 msec 2 msec *
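
The lookup that R3 and R10 perform on the translated type-5 LSA can be modelled in a short script. This is an added example, not part of the original lab: it parses the `sh ip ospf data ext` fields shown above and applies a simplified form of the RFC 2328 external-route check. The R3 route list (masks included) and the reachable-ASBR set are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

# Trimmed from the R3 'sh ip ospf data ext' output on this page (before suppress-fa).
LSA_BEFORE = """\
  Link State ID: 55.55.55.0 (External Network Number )
  Advertising Router: 11.11.11.11
  Network Mask: /24
        Forward Address: 5.5.5.5
"""
# Same LSA after 'area 2 nssa translate type7 suppress-fa' on R1.
LSA_AFTER = LSA_BEFORE.replace("Forward Address: 5.5.5.5", "Forward Address: 0.0.0.0")

# Constructed for illustration: intra/inter-area prefixes R3 could hold while
# 5.5.5.5/32 is filtered (masks assumed), and the ASBRs R3 can reach.
R3_INTERNAL_ROUTES = ["10.10.1.0/24", "10.10.14.0/24", "10.10.2.0/24"]
R3_REACHABLE_ASBRS = {"11.11.11.11"}

FIELDS = {"Advertising Router": "adv", "Network Mask": "mask", "Forward Address": "fa"}

def parse_external_lsas(text):
    """Extract prefix, advertising router and forward address from each LSA."""
    lsas = []
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Link State ID":          # first per-LSA field we care about
            lsas.append({"id": val.split()[0]})
        elif lsas and key in FIELDS:
            lsas[-1][FIELDS[key]] = val.split()[0]
    return lsas

def resolve(lsa, internal_routes, reachable_asbrs):
    """Return (prefix, lookup_target, installable) for one type-5 LSA."""
    prefix = str(ipaddress.ip_network(lsa["id"] + lsa["mask"], strict=False))
    if lsa["adv"] not in reachable_asbrs:   # ASBR unreachable: LSA is ignored
        return prefix, lsa["adv"], False
    fa = ipaddress.ip_address(lsa["fa"])
    if fa.is_unspecified:                   # FA 0.0.0.0: forward toward the ASBR
        return prefix, lsa["adv"], True
    # Non-zero FA must match an intra-area or inter-area route.
    ok = any(fa in ipaddress.ip_network(r) for r in internal_routes)
    return prefix, str(fa), ok

def audit(text, internal_routes, reachable_asbrs):
    """Resolve every external LSA found in the pasted show output."""
    return [resolve(l, internal_routes, reachable_asbrs) for l in parse_external_lsas(text)]

if __name__ == "__main__":
    for label, text in (("before", LSA_BEFORE), ("after", LSA_AFTER)):
        print(label, audit(text, R3_INTERNAL_ROUTES, R3_REACHABLE_ASBRS))
```

Running the same check against output collected after a filter change shows which external prefixes would silently drop out of the routing table because their forwarding address is no longer resolvable.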

 

From the Cisco documentation, this feature causes the router to be noncompliant with RFC 1587 (https://www.ietf.org/rfc/rfc1587.txt).

They advise that this should not be configured without careful consideration.

 

 

Thank you for reading.

 

 
