
OSPF – Implement and troubleshoot filtering – LSA type-3 filtering

Let’s now have a look at another filtering method: LSA type 3 filtering.

Theory:

This filtering method allows us to filter the type 3 LSAs that are sent between OSPF areas.

Only type 3 LSAs for the specified prefixes are allowed to be sent from one area to another.

This filtering method can be applied out of a specific OSPF area, into a specific OSPF area, or into and out of the same OSPF area at the same time.

Requirements:

  • Make sure that traffic from R10 to R4 loopback (4.4.4.4) goes out of area 3 via R3.
  • Make sure that area 2 doesn’t receive any route for R10 loopback (10.10.10.10).

 

Diagram:

OSPF LSA filtering

Configuration and verification:

Let’s have a look at the first requirement.

Currently, when R10 wants to reach R4’s loopback, it exits area 3 via R1:

R10#traceroute 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.3.8 1 msec 1 msec 0 msec
  2 10.10.18.1 0 msec 1 msec 0 msec
  3 10.10.14.2 0 msec 1 msec *

R10#sh ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "ospf 10", distance 110, metric 13, type inter area
  Last update from 10.10.3.8 on Ethernet0/0, 00:07:50 ago
  Routing Descriptor Blocks:
  * 10.10.3.8, from 11.11.11.11, 00:07:50 ago, via Ethernet0/0
      Route metric is 13, traffic share count is 1

R10#sh ip ospf data sum 4.4.4.4
            OSPF Router with ID (100.100.100.100) (Process ID 10)
                Summary Net Link States (Area 3)
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 1619
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 4.4.4.4 (summary Network Number)
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000001
  Checksum: 0x9965
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 2

  LS age: 1584
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 4.4.4.4 (summary Network Number)
  Advertising Router: 33.33.33.33
  LS Seq Number: 80000001
  Checksum: 0xD98
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 3

 

As per the OSPF database information, the route via R1 is preferred (lowest metric).

We can use LSA type 3 filtering so that R1 doesn’t advertise R4 loopback to area 3, thus making the exit via R3 the only way around.

 

For this we will combine a prefix list with the area filter-list command:

R1(config)#ip prefix-list R4_LOOPBACK deny 4.4.4.4/32
R1(config)#ip prefix-list R4_LOOPBACK permit 0.0.0.0/0 le 32

R1(config-router)#area 3 filter-list prefix R4_LOOPBACK in

So in the prefix list, we deny R4’s loopback and then permit everything else.

We then apply the prefix list under the OSPF process; the command tells OSPF not to advertise R4’s loopback into area 3.

We can verify that the type 3 LSA filter is applied on R1:

R1#sh ip ospf 10
 Routing Process "ospf 10" with ID 11.11.11.11
 Start time: 00:00:34.808, Time elapsed: 00:47:55.542
 SNIP
    Area 3
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm last executed 00:01:27.454 ago
        SPF algorithm executed 4 times
        Area ranges are
        Area-filter R4_LOOPBACK in
        Number of LSA 40. Checksum Sum 0x14918F
        Number of opaque link LSA 0. Checksum Sum 0x000000
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

 

On R10, we now see the route to R4 via R3 and the entry coming from R1 has been removed from the OSPF database:

R10#sh ip route 4.4.4.4
Routing entry for 4.4.4.4/32
  Known via "ospf 10", distance 110, metric 23, type inter area
  Last update from 10.10.3.9 on Ethernet0/0, 00:02:02 ago
  Routing Descriptor Blocks:
  * 10.10.3.9, from 33.33.33.33, 00:02:02 ago, via Ethernet0/0
      Route metric is 23, traffic share count is 1

R10#sh ip ospf data sum 4.4.4.4
            OSPF Router with ID (100.100.100.100) (Process ID 10)
                Summary Net Link States (Area 3)
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 900
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 4.4.4.4 (summary Network Number)
  Advertising Router: 33.33.33.33
  LS Seq Number: 80000002
  Checksum: 0xB99
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 3

R10#traceroute 4.4.4.4
Type escape sequence to abort.
Tracing the route to 4.4.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.3.9 1 msec 1 msec 1 msec
  2 10.10.39.1 0 msec 1 msec 1 msec
  3 10.10.1.2 1 msec 1 msec 1 msec
  4 10.10.24.2 1 msec 1 msec *

 

Now the second requirement.

In the current situation, on any device located in area 2 (R4, R5, R6) there are two entries for R10’s loopback in the OSPF database, one from R1 and the other from R2.

R5#sh ip ospf data sum 10.10.10.10
            OSPF Router with ID (172.20.1.17) (Process ID 10)
                Summary Net Link States (Area 2)
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 609
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.10.10.10 (summary Network Number)
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000001
  Checksum: 0x8E57
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 3

  LS age: 609
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.10.10.10 (summary Network Number)
  Advertising Router: 22.22.22.22
  LS Seq Number: 80000005
  Checksum: 0x456F
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 4

R6#sh ip ospf data sum 10.10.10.10
            OSPF Router with ID (172.20.2.17) (Process ID 10)
                Summary Net Link States (Area 2)
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 686
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.10.10.10 (summary Network Number)
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000001
  Checksum: 0x8E57
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 3

  LS age: 686
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.10.10.10 (summary Network Number)
  Advertising Router: 22.22.22.22
  LS Seq Number: 80000005
  Checksum: 0x456F
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 4

 

We will need to apply the filter on both R1 and R2, as both are ABRs.

On R2, we create our prefix-list and apply it under the OSPF process:

R2(config)#ip prefix-list DENY_R10 deny 10.10.10.10/32
R2(config)#ip prefix-list DENY_R10 permit 0.0.0.0/0 le 32

R2(config-router)#area 0 filter-list prefix DENY_R10 out

 

So this time, we prevent the LSA for R10’s loopback from being advertised out of area 0.

We can see that the prefix coming from R2 has been removed from R4 OSPF database:

R4#sh ip ospf data sum 10.10.10.10
            OSPF Router with ID (172.10.1.1) (Process ID 10)
                Summary Net Link States (Area 2)
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 933
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.10.10.10 (summary Network Number)
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000001
  Checksum: 0x8E57
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 3

 

Let’s do the same on R1. This time, we use the area filter-list to prevent the LSA from coming into area 2:

R1(config)#ip prefix-list DENY_R10 deny 10.10.10.10/32
R1(config)#ip prefix-list DENY_R10 permit 0.0.0.0/0 le 32

R1(config-router)#area 2 filter-list prefix DENY_R10 in

 

We no longer have a route to R10’s loopback:

R4#sh ip route 10.10.10.10
% Subnet not in table
R4#sh ip ospf data sum 10.10.10.10
            OSPF Router with ID (172.10.1.1) (Process ID 10)

R5#sh ip route 10.10.10.10
% Subnet not in table

 

 

Now, I ran into an issue when testing this.

On R1, if I apply the same command as on R2, filtering the prefix out of area 0, it is still advertised on R4.

Let’s try it:

R1(config-router)#no area 2 filter-list prefix DENY_R10 in
R1(config-router)#area 0 filter-list prefix DENY_R10 out

R1#clear ip ospf proc
Reset ALL OSPF processes? [no]: yes

On R4, the prefix 10.10.10.10/32 is now back in the OSPF database:

R4#sh ip ospf data sum 10.10.10.10
            OSPF Router with ID (172.10.1.1) (Process ID 10)
                Summary Net Link States (Area 2)
  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 50
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.10.10.10 (summary Network Number)
  Advertising Router: 11.11.11.11
  LS Seq Number: 80000001
  Checksum: 0x8E57
  Length: 28
  Network Mask: /32
        MTID: 0         Metric: 3

 

From the network diagram, we can see that R1 and R2 are connected differently: while R2 is in area 0 and area 2, R1 has one interface in each area.

Will this make a difference?

Yes, it will: because we are filtering into or out of an area, we have to think in terms of areas and not routers.

 

So in our case, it’s fine to say that R2 filters the prefix from going out of area 0.

But if we do the same on R1, it doesn’t work because the prefix is also coming from area 3.

Let’s try to filter out of area 3 and out of area 0 on R1:

R1(config-router)#area 0 filter-list prefix DENY_R10 out
R1(config-router)#area 3 filter-list prefix DENY_R10 out

Then it’s OK; we no longer have the prefix on R4:

R4#sh ip ospf data sum 10.10.10.10
            OSPF Router with ID (172.10.1.1) (Process ID 10)
R4#sh ip route 10.10.10.10
% Subnet not in table

 

That’s all for LSA type 3 filtering; the key here is to think in terms of areas and not in terms of routers.
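
The R1 versus R2 behaviour above, as an added example (not part of the original post, and a simplified model rather than Cisco's implementation): the DENY_R10 prefix list is evaluated first-match, then the out filter of the source area and the in filter of each target area are applied. The function names are hypothetical, and the model assumes R1 learns 10.10.10.10/32 from area 3 while R2 learns it via area 0.

```python
import ipaddress

def prefix_list_permits(entries, prefix):
    """First-match evaluation of an IOS-style prefix list (implicit deny at the end).
    entries: list of (action, network, ge, le); ge and le may be None."""
    net = ipaddress.ip_network(prefix)
    for action, base, ge, le in entries:
        base = ipaddress.ip_network(base)
        if ge is None and le is None:
            lo = hi = base.prefixlen              # no ge/le: exact length only
        else:
            lo = ge if ge is not None else base.prefixlen
            hi = le if le is not None else 32
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False

# The DENY_R10 prefix list from the post.
DENY_R10 = [("deny", "10.10.10.10/32", None, None),
            ("permit", "0.0.0.0/0", None, 32)]

def type3_targets(abr_areas, source_area, prefix, filters):
    """Areas into which the ABR still originates a type 3 LSA for prefix.
    source_area: area the ABR's route to the prefix comes from (assumption of
    this model). filters: {(area, "in" | "out"): prefix list}."""
    out_list = filters.get((source_area, "out"))
    if out_list is not None and not prefix_list_permits(out_list, prefix):
        return set()                              # blocked leaving the source area
    targets = set()
    for area in abr_areas - {source_area}:
        in_list = filters.get((area, "in"))
        if in_list is None or prefix_list_permits(in_list, prefix):
            targets.add(area)
    return targets

R10 = "10.10.10.10/32"
R1_AREAS, R2_AREAS = {0, 2, 3}, {0, 2}
if __name__ == "__main__":
    # R2 learns the prefix via area 0, so "area 0 ... out" is enough there.
    print("R2, area 0 out:", type3_targets(R2_AREAS, 0, R10, {(0, "out"): DENY_R10}))
    # R1 learns it from area 3: "area 0 ... out" never matches, area 2 still gets it.
    print("R1, area 0 out:", type3_targets(R1_AREAS, 3, R10, {(0, "out"): DENY_R10}))
    print("R1, area 2 in: ", type3_targets(R1_AREAS, 3, R10, {(2, "in"): DENY_R10}))
    print("R1, area 0+3 out:", type3_targets(
        R1_AREAS, 3, R10, {(0, "out"): DENY_R10, (3, "out"): DENY_R10}))
```
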

 

 

Thank you for reading.

 
