Ospf Route Filtering Demystified
Intro
There was a lot of blogging related to OSPF topics recently. In this post, I would like to clarify some common misunderstandings that many people have about OSPF route filtering. I have seen so many folks misunderstanding the underlying behavior, so it's about time to make things clear.
To begin with, avoid using the term "LSA filtering" with OSPF. You cannot really filter LSAs; with the exception of one special case, you filter the network reachability information. To understand this in depth, start by recalling that OSPF deals with the following data structures:
1) Topological information. Outlines the connections in the graph describing the routers and the links in the network. This is what OSPF LSAs are about: they contain information about attached links. Think of LSAs as the objects that correspond to the edges of the graph. LSAs are stored in the LSDB (link state database). No real routes are stored in the LSDB, since this is the database for topological objects. However, routing or network reachability information is attached to the LSAs.
2) Network reachability information. Contains the actual IP subnets. This information is associated with the network graph edges, and you may think of it as leaves connected to the edges. Routing information does NOT describe any connectivity, just the prefix associated with the link. This information is contained in the LSAs, but as an attribute, and is used to populate the routing table, i.e. the RIB.
3) Main routing table. This is the router's RIB. This structure is used when OSPF generates new summary or external LSAs, as we will see later.
4) Router's routing table. This structure is unique to OSPF and contains the IP addresses to reach the border routers (ASBRs and ABRs). It is used when calculating the respective inter-area routes, by adding the router path cost to the respective prefix advertised by this router. You may display the contents of this data structure by using the command show ip ospf border-routers.
1) Routers establish adjacencies to flood topological information. The flooding process in OSPF is pretty complicated, and ensures the LSAs are delivered to all routers in a single area. As mentioned, topological information is carried in the form of LSAs and cannot be filtered, as it is essential to the OSPF algorithm. The only thing that limits LSA propagation is the flooding domain associated with the particular LSA type. Using the topological information learned, all routers within an area build a consistent graph of the network connections.
2) After all routers have a consistent topology view, they may calculate intra-area paths using the SPF algorithm and finally associate the network reachability information with the paths. This is where the secondary, leaf-level information comes into play. The leaves are attached to the paths and the routing table entries are calculated. So keep this order in mind: first LSA flooding, then LSDB population, then SPF computations, and finally RIB population.
3) After the intra-area paths have been calculated, inter-area routes are computed based on the contents of type-3/4 LSAs, which carry summarized information about other areas. This process uses a quick and simple distance-vector computation, without the need for SPF computations. The router's routing table is used extensively during this process.
LSA type 4
This type has always been confusing to many people. This LSA describes the metric that the ABR uses to reach the respective ASBR. It contains the router-ID of the ASBR and the metric to reach it. ABRs generate type-4 LSAs based on the special router routing table, which is visible when you issue the command show ip ospf border-routers. The output of this command is the essence of the distance-vector OSPF behavior. During the inter-area path calculations, the ABR populates this table with host routing entries for every ABR and ASBR detected, with the respective metrics. This table is never transferred to the main router routing table, but rather used for inter-area path computations and type-4 LSA generation. Effectively, the metrics in this table are used as metric offsets for the paths learned from ABRs and ASBRs.
The ABR generates type-4 summary LSAs into every attached normal area, to make sure the routers there can reach the prefixes from the ASBR. You cannot really filter the contents of this LSA, as they are taken from the router routing table. The information from this LSA is used to populate the special router routing table of the non-ABR routers. The flooding domain is one area, as it stops at the ABR.
LSA type 5
This LSA is originated by an ASBR (a router redistributing external routes) and flooded through the whole OSPF autonomous system. You cannot limit the way this LSA is generated except by controlling the routes redistributed into OSPF. When a type-5 LSA is being generated, it uses the RIB contents and honors the summary-address commands in the ABR. You may filter the redistributed routes by using the command distribute-list out under the OSPF process, naming the protocol which is the source of the redistribution, or simply by applying filtering with your redistribution:
Method 1 (the access-list number must match the one referenced by distribute-list):
router ospf 1
 distribute-list 1 out rip
!
access-list 1 deny 1.1.1.0
access-list 1 permit any
Method 2 (the route-map needs a permit sequence, and match ip address 1 refers to access-list 1):
router ospf 1
 redistribute rip route-map RIP_TO_OSPF
!
route-map RIP_TO_OSPF permit 10
 match ip address 1
!
access-list 1 deny 1.1.1.0
access-list 1 permit any
Method 3:
router ospf 1
 summary-address 10.0.0.0 255.255.255.0 not-advertise
There is yet one more way to filter the routing information found in type-5 LSAs. If the LSA contains a non-zero FA (forwarding address) field, the OSPF process will check that this address is reachable via the RIB (the RFC specifies that only OSPF routes should be considered, but it seems IOS is satisfied with any route) before installing the actual prefix into the RIB. If the FA is not reachable, the corresponding external prefix is not installed into the global routing table. We will discuss this type of filtering a bit later, when we'll be looking into type-7 LSAs. However, keep in mind that the FA is not mandatory for a type-5 LSA, and is only assigned to a type-5 LSA under special conditions, outlined in the document Common Routing Problem with OSPF Forwarding Address. Here is the list of the conditions:
OSPF is enabled on the ASBR's next-hop interface AND
the ASBR's next-hop interface is non-passive under OSPF AND
the ASBR's next-hop interface is not point-to-point AND
the ASBR's next-hop interface is not point-to-multipoint AND
the ASBR's next-hop interface address falls under the network range specified in the router ospf command.
Please refer to the URL provided for more explanations.
There is only one more type of OSPF LSAs to discuss.
Type 7 LSA
These only exist in NSSA areas and have the flooding scope of a single area, as opposed to the whole domain for type-5 LSAs. The type-7 LSAs reaching ABRs are used to populate the local routing table and to generate new type-5 LSAs, originated now by the ABR. This is important: since the ABR becomes an ASBR and re-originates the routes, you may use the command summary-address ADDR MASK not-advertise to block the type-5 LSA generation. There is another, less obvious way to do this:
When an ABR generates type-5 LSAs, it adds the forwarding address (FA) based on the information learned in the type-7 LSA. This information is originally inserted by the ASBR to help in optimal exit point selection. The use of the forwarding address with type-7 LSAs is mandatory per the RFC, since there is just one translator, and it may lie on a sub-optimal path to the ASBR. Thus all routers in the OSPF autonomous system are supposed to rely on the FA for optimal routing to the translated prefixes. And here is the trick: if you filter the forwarding address IP from the routing table on the ABR, using the command distribute-list in, the type-5 LSA will not be generated!
Look at the following output, where R2 is an ABR for NSSA area 27:
As you can see, R2 generates a type-5 LSA with the same forwarding address, 150.1.7.7, found in the type-7 LSA. Now we filter this IP address from entering R2's routing table:
R2:
router ospf 1
 distribute-list 1 in
!
access-list 1 deny 150.1.7.7
access-list 1 permit any
And we can see that type-7 to type-5 translation is not working anymore, as the forwarding address is no longer reachable in the RIB. Notice that the forwarding address should be reachable via the main RIB, not the router routing table of OSPF. This special behavior is unique to the routes learned by processing the type-7 LSAs. Now what if you have the following topology:
And R3 is filtering the forwarding address for the type-5 LSAs originated at R4 using, say, the area X range ADDR MASK not-advertise or area X filter-list prefix {in|out} commands, so that R1 has no FA IP in its RIB. In this situation, R3 will have the route to the redistributed prefixes installed (it sees the FA!), but all other routers in the domain, with the exception of the NSSA area internal routers, will not. Even though they will receive the type-5 LSA, they will not be able to process it and use the information for routing, as the forwarding address will be unreachable. One way to overcome this issue is by using the command area X nssa translate type7 suppress-fa to instruct R3 to set the FA to itself.
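To make the two forwarding-address decisions above concrete, here is an added Python model (not code from the original post or from IOS). It applies the five FA conditions listed under LSA type 5 to decide whether an ASBR sets a non-zero FA, and then models the NSSA ABR's type-7 to type-5 translation, which requires the FA to be reachable in the main RIB after any distribute-list in has been applied. All interfaces, routes and addresses are constructed sample data, and the require_ospf_route switch is an assumption that lets you model either the RFC wording or the IOS behavior the post observed.

```python
"""Added example: model of two forwarding-address (FA) decisions from the post.
1. asbr_sets_fa(): does an ASBR put a non-zero FA into a type-5 LSA?
2. translate_type7(): does an NSSA ABR translate a type-7 LSA into a type-5
   LSA? Only if the FA from the type-7 LSA is reachable in the main RIB.
All interfaces, routes and addresses are constructed sample data."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional, Set

ZERO_FA = IPv4Address("0.0.0.0")  # FA field left at zero = "not set"


@dataclass
class Interface:
    name: str
    address: IPv4Address
    ospf_enabled: bool  # covered by a network statement under router ospf
    passive: bool       # passive-interface under router ospf
    network_type: str   # "broadcast", "point-to-point", "point-to-multipoint"


@dataclass
class Route:
    prefix: IPv4Network
    source: str         # RIB source code: "O", "O IA", "S", "C", ...


def asbr_sets_fa(nh_if: Interface, ospf_networks: Iterable[IPv4Network]) -> IPv4Address:
    """FA an ASBR places in a type-5 LSA whose external next hop is reached via
    nh_if; ZERO_FA unless all five conditions listed in the post hold."""
    if not nh_if.ospf_enabled:
        return ZERO_FA
    if nh_if.passive:
        return ZERO_FA
    if nh_if.network_type in ("point-to-point", "point-to-multipoint"):
        return ZERO_FA
    if not any(nh_if.address in net for net in ospf_networks):
        return ZERO_FA
    return nh_if.address


def apply_distribute_list_in(candidates: Iterable[Route], denied: Set[IPv4Address]) -> List[Route]:
    """Model of 'distribute-list <acl> in' under router ospf with a standard
    ACL denying specific networks: matching routes never enter the main RIB."""
    return [r for r in candidates if r.prefix.network_address not in denied]


def rib_lookup(rib: Iterable[Route], addr: IPv4Address) -> Optional[Route]:
    """Longest-prefix match of addr in the main RIB (None if unreachable)."""
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def translate_type7(type7_fa: IPv4Address, rib: Iterable[Route],
                    require_ospf_route: bool = False) -> Optional[IPv4Address]:
    """NSSA ABR decision: FA to copy into the translated type-5 LSA, or None
    when translation is suppressed because the FA is unreachable in the RIB.
    require_ospf_route=True models the RFC wording (only OSPF routes count);
    False models the post's observation that any RIB route satisfies IOS."""
    route = rib_lookup(rib, type7_fa)
    if route is None:
        return None
    if require_ospf_route and not route.source.startswith("O"):
        return None
    return type7_fa


if __name__ == "__main__":
    # R2 (NSSA ABR) learns the FA 150.1.7.7 as an intra-area OSPF host route.
    fa = IPv4Address("150.1.7.7")
    r2_rib = [Route(IPv4Network("150.1.7.7/32"), "O"),
              Route(IPv4Network("150.1.2.0/24"), "C")]
    print("translated FA before filter:", translate_type7(fa, r2_rib))
    # access-list 1 deny 150.1.7.7, applied as distribute-list 1 in on R2.
    filtered = apply_distribute_list_in(r2_rib, {fa})
    print("translated FA after filter: ", translate_type7(fa, filtered))
```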
Further Reading
1) RFC 2328. Don't skip this if you are serious about understanding OSPF.
2) OSPF Design Guide by Sam Halabi. Excellent introductory reading on OSPF.
3) Cisco IP Routing by Alex Zinin. A must-read for anyone who wants an in-depth understanding of IP routing internals.
Tags: ccie, filtering, lsa, ospf
About Petr Lapukhov, 4xCCIE/CCDE:
Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.
Yandy Ramirez
very cool post! thanks for the info
Reply
August 17, 2009 at 5:36 pm
Rizzo
Really Nice one
Thanks
Reply
August 17, 2009 at 6:06 pm
Lejoe
Excellent Article Petr. I guess we can call it manipulation of OSPF prefixes to suppress generation of certain types of LSAs.
Reply
August 17, 2009 at 7:33 pm
Marcos Umino
Wow, incredible explanation on OSPF. If anyone ever asks me for an OSPF article, I know now where to point.
Reply
August 17, 2009 at 7:44 pm
Stan I
Anthony, thanks for the very insightful document and the form it has been presented in. I enjoyed reading it twice, and I don't particularly like re-reading stuff. Call me energy efficient (or part of the green initiative :).
Cheers!
Stan
Reply
August 17, 2009 at 8:17 pm
Reply
August 17, 2009 at 8:19 pm
saj
Thank you Petr, very useful post
Reply
August 17, 2009 at 9:08 pm
Stan I
Oops, I apologize to Petr, I guess I was so much in a hurry to read the article that I just assumed it was part of the OSPF series.
Thank you for pointing it out Anthony!
Stan
Reply
August 17, 2009 at 9:46 pm
Arwin Erasga
Thanks Petr!
Reply
August 18, 2009 at 12:01 am
sarge
Great post. Thanks to Petr. It would be nice if anyone corrected the typos. They are obvious but sometimes look bad.
Reply
August 18, 2009 at 9:00 am
Reply
August 18, 2009 at 1:27 am
Mohamed Zaki
Amazing article, thanks Petr, you are awesome.
Reply
August 18, 2009 at 3:38 am
Amit Chopra
More reason to have COD of this bootcamp after reading this OSPF explanation
Reply
August 18, 2009 at 6:28 am
John Spaulding
Awesome work!!! I always feel stupid after reading his blogs
Reply
August 18, 2009 at 8:15 am
Chirag
Mr Petr Lapukhov
can I ask, why are you so clever?
Reply
August 18, 2009 at 8:15 am
Chirag
There is only one Petr :0)
Reply
August 18, 2009 at 11:16 am
Wouter Prins
hi Petr,
You are the man of the bits at INE, shouldn't you mention something about the P-bit in the article?
Reply
August 18, 2009 at 11:28 am
Reply
August 18, 2009 at 12:47 pm
andy jordan
so in order to get to an external (NSSA) destination, does a remote router in some other area use the metric to the FA or the metric to the network itself?
Reply
August 18, 2009 at 3:13 pm
Reply
August 18, 2009 at 2:05 pm
Narbik Kocharians
Based on what I hear from my students, why do you have LSA type 3 filtering all over your workbooks?
Reply
August 18, 2009 at 4:20 pm
Reply
August 18, 2009 at 5:21 pm
Narbik Kocharians
HAHAHAHAHA
So it's NOT a misunderstanding like you mentioned? Is it? You need to stop and think before you write.
Reply
August 18, 2009 at 5:49 pm
Reply
August 19, 2009 at 5:30 am
Chris Gray
The article actually starts by saying
To begin with, I would have to ask everyone please, avoid using the term LSA filtering with OSPF
with the exception of one special case
Reply
August 19, 2009 at 7:58 am
post was showing the difference between LSA (topological) and NLRI (reachability) concepts.
Reply
August 19, 2009 at 5:36 am
Chirag
Narbik
Why are you spoiling things? If you want to make silly comments, please do not do it here.
Regards
Chirag
Reply
August 19, 2009 at 9:58 am
Chris Gray
I wish John Chambers would stop doing that, he's just confusing me man.
Reply
August 22, 2009 at 12:07 pm
Darby Weaver
When is Petr going to be teaching classes?
His articles are excellent and amazingly clear, love to hear everything he has to offer over a 1 or even 2 week class.
Reply
August 22, 2009 at 11:49 pm
Ted
Outstanding work, that's a good read.
Reply
August 23, 2009 at 6:18 am
Olu
Excellent and very clear post Petr
Thanks for this.
- Olu
Reply
August 23, 2009 at 12:51 pm
Daniel Spatig
I wanted to add this, because I get a little mixed up with this also. The statement "The OSPF metric for the summarized route is taken as the minimal among all intra-area routes" is only valid for RFC 1583; they changed the metric calculation in RFC 2328 (page 136) to be the cost equal to the largest of any of the component networks. To have the metric calculated based on RFC 2328 you need to have no compatible rfc1583, because for some reason Cisco defaults to rfc1583, or it does for me in ver 12.4.
Reply
September 7, 2009 at 3:49 pm
Jorge
Great post Petr. Thank you for being so thorough about clarifying LSA vs route filtering. Super helpful!
Reply
September 9, 2009 at 2:59 am
Ananth Kumar
Much appreciated, Petr, for helping us to fill the gaps. I have used these methods and thought that I understood the filtering, but at some point I was not clear about the difference between them.
Once again, thanks a lot.
At last, is that a typo, ACL name rip?
Method 1:
router ospf 1
distribute-list 10 out rip
!
access-list 1 deny 1.1.1.0
access-list 1 permit any
Reply
September 9, 2009 at 7:34 am
Reply
September 13, 2009 at 3:12 am
A question
Hi,
I didn't understand the OSPF type 3 LSA section.
Can you please tell me the following things:
1- How does the ABR send the intra-area routes (area 0 routes) to non-backbone areas?
2- How does the ABR send the inter-area routes (area X routes) to non-backbone areas (area Y)?
3- If I have 2 ABRs (ABR1 and ABR2) connecting area 0 and area X:
a) Is there a possibility that routes learned from area X on ABR1 will be sent back to ABR2 into area X?
b) Is there a possibility that routes learned from area 0 on ABR1 will be sent back to ABR2 into area 0?
Thanks a ton in advance
Reply
September 13, 2009 at 6:28 pm
Reply
September 13, 2009 at 10:11 pm
A question
Thanks for your answer, still a little confused on the below.
> 1- How does the ABR sends the intra area routes (area 0 routes) to non backbone areas
Walks over the routing table looking for area 0 routes, generates type 3 LSAs, performs summarization prior to this if needed
according to area-range table.
Q- So it summarizes only if the area range is configured or by default.
> 2- How does the ABR sends the inter area routes (area X routes) to non backnone areas (area Y)
It walks over the area X routes and generates type-3 LSAs. However, no summarization is performed.
Are these LSAs summaries or specific?
Questions 3 and 4: if I change the word "route" to "LSA", what would happen then? Would the LSAs be fed back in case of 2 ABRs?
If yes, how would the receiving router react to it, and if no, why so?
Reply
September 30, 2009 at 10:01 pm
Alexei Monastyrnyi
Just a quick one, Petr. If we have say a router with Ethernet interface in UP/UP state advertised into OSPF with network statement but
the link it represents is not a transit network, i.e. there is no other OSPF neighbour on that link (it is just connected to L2 dumb
device). Which LSA type that link would be advertised with?
Reply
October 1, 2009 at 1:21 pm
Reply
October 1, 2009 at 2:20 pm
Alexei Monastyrnyi
Right, thanks Petr. Kind of lost it in LSDB.
Link connected to: a Stub Network
(Link ID) Network/subnet number: 11.11.11.0
(Link Data) Network Mask: 255.255.255.0
Number of TOS metrics: 0
TOS 0 Metrics: 1
Reply
November 24, 2009 at 7:53 am
Reply
November 24, 2009 at 8:29 pm
Net_OG
Wow Petr,
this is a classic post. I love that you have a little reading list at the bottom.
Great job putting so much in one post. Part of the problem is: we see these situations in various contexts at different times in labs or
even in Cisco Documents and it is hard to tie them all together into a coherent procedure.
I really appreciate your posts.
Reply
November 25, 2009 at 9:34 am
Net_OG
Petr,
The type-7 LSAs reaching ABRs are used to populate the local routing table and re-generate the new type-5 LSAs, originated now
by the ABR. This is important since the ABR becomes an ASBR and re-originates the routes, you may use the command
summary-address ADDR MASK no-advertise to block the type-5 LSA generation.
The above quote is pretty significant because when reading the documentation it states that you do this summarizing on the ASBR, but if you didn't think of the ABR as an ASBR you might get confused as to why you are applying the summary-address ADDR MASK no-advertise command on the ABR.
Here is the link to the Cisco config guide entry:
http://www.cisco.com/en/US/partner/docs/ios/iproute/configuration/guide/irp_ospf_cfg_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1054417
Reply
January 8, 2010 at 11:19 pm
James Huang
Hi Petr,
Thanks for such a clear post. It really demystifies some of the blur area in OSPF.
You mentioned that for type-3 LSA origination by intra-area routes, area filter-list prefix out is applied after all summarization is done. I tested this and found what you said does not seem to be correct. Here is the quote from Cisco's document titled "OSPF ABR Type 3 LSA Filtering": "For area filter-list out command, if an area-range command has been configured for the area, type 3 LSAs that correspond to the area range are sent to all other areas only if at least one prefix in the area range matches an entry in the prefix list."
Can you verify again?
Thanks,
James Huang
Reply
January 9, 2010 at 9:20 am
Reply
January 9, 2010 at 12:30 pm
James Huang
Hi Petr,
Here are the tests I did to reach the conclusion that area filter-list out is executed BEFORE area range for intra-area routes.
Topology:
area 0: R1's loopback 0, IP 1.1.1.1/32
R1's f1/0, IP 12.0.0.1/24
R2's f1/0, IP 12.0.0.2/24
area 1: R2's f1/1, IP 23.0.0.2/24
R3's f1/0, IP 23.0.0.3/24
area 2: R1's loopback 1, IP 11.11.11.11/32
Test 1:
At R2, add area-range and area filter-list out:
Router#sh running-config | sec ospf
router ospf 1
router-id 2.2.2.2
log-adjacency-changes
area 0 range 1.1.0.0 255.255.0.0
area 0 filter-list prefix area0out out
network 12.0.0.0 0.0.0.255 area 0
network 23.0.0.0 0.0.0.255 area 1
Router#
Router#sh ip prefix-list area0out
ip prefix-list area0out: 3 entries
seq 5 deny 1.1.1.1/32
seq 10 deny 11.11.11.11/32
seq 15 permit 0.0.0.0/0 le 32
Verify at R3:
Router#sh ip route
Codes: L local, C connected, S static, R RIP, M mobile, B BGP
D EIGRP, EX EIGRP external, O OSPF, IA OSPF inter area
N1 OSPF NSSA external type 1, N2 OSPF NSSA external type 2
E1 OSPF external type 1, E2 OSPF external type 2
i IS-IS, su IS-IS summary, L1 IS-IS level-1, L2 IS-IS level-2
ia IS-IS inter area, * candidate default, U per-user static route
o ODR, P periodic downloaded static route, + replicated route
Gateway of last resort is not set
12.0.0.0/24 is subnetted, 1 subnets
O IA 12.0.0.0 [110/2] via 23.0.0.2, 00:06:33, FastEthernet1/0
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 23.0.0.0/24 is directly connected, FastEthernet1/0
L 23.0.0.3/32 is directly connected, FastEthernet1/0
At R2, the 1.1.1.1/32 intra-area route was filtered out first and area range did not find anything in the range to summarize. So R3 did
not learn 1.1.1.1/32 or 1.1.0.0/16 route.
Test 2:
At R2, modify area0out prefix-list as follows:
Router#sh ip prefix-list area0out
ip prefix-list area0out: 3 entries
seq 5 deny 1.1.0.0/16
seq 10 deny 11.11.11.11/32
seq 15 permit 0.0.0.0/0 le 32
The OSPF configuration is the same as test 1.
Verify at R3,
Router#sh ip route
Codes: L local, C connected, S static, R RIP, M mobile, B BGP
D EIGRP, EX EIGRP external, O OSPF, IA OSPF inter area
N1 OSPF NSSA external type 1, N2 OSPF NSSA external type 2
E1 OSPF external type 1, E2 OSPF external type 2
i IS-IS, su IS-IS summary, L1 IS-IS level-1, L2 IS-IS level-2
ia IS-IS inter area, * candidate default, U per-user static route
o ODR, P periodic downloaded static route, + replicated route
Gateway of last resort is not set
1.0.0.0/16 is subnetted, 1 subnets
O IA 1.1.0.0 [110/3] via 23.0.0.2, 00:00:32, FastEthernet1/0
12.0.0.0/24 is subnetted, 1 subnets
O IA 12.0.0.0 [110/2] via 23.0.0.2, 00:19:31, FastEthernet1/0
23.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 23.0.0.0/24 is directly connected, FastEthernet1/0
L 23.0.0.3/32 is directly connected, FastEthernet1/0
In this test, R2 will filter out the 1.1.0.0/16 intra-area route. If R2 were to perform area range first and then area filter-list out, R2 would not have advertised the 1.1.0.0/16 type-3 LSA to R3. But R3's route table shows that R2 did advertise 1.1.0.0/16 to R3. A dump of the OSPF database at R3 confirms that again:
At R3:
Router#sh ip ospf database summary 1.1.0.0
OSPF Router with ID (3.3.3.3) (Process ID 1)
Summary Net Link States (Area 1)
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 333
Options: (No TOS-capability, DC, Upward)
LS Type: Summary Links(Network)
Link State ID: 1.1.0.0 (summary Network Number)
Advertising Router: 2.2.2.2
LS Seq Number: 80000001
Checksum: 0x48E8
Length: 28
Network Mask: /16
MTID: 0 Metric: 2
James Huang
Reply
September 12, 2010 at 9:46 pm
Al
Question:
If based on area address range, two routes are summarized in one summary LSA and at some point, the topology changes and one
of the mentioned routes is removed, would the summary LSA be flushed? or will it not change given it still covers one reachable
route?
Thanks in advance,
Al.
Reply
June 7, 2011 at 3:07 am
Reply
August 24, 2011 at 3:18 am
David Chosrova
Thanks for this very good post
Reply
September 7, 2011 at 10:19 am
Denis Mikhailov
Hi Petr,
Hope you are doing well! Thanks for the good article! I met this today since I'm on the R&S bootcamp now. The question that arose is: is it possible to filter intra-area OSPF routes by any other method than a distribute list? There are tons of examples on the Internet but all of them describe the same construction: distribute-list in in the OSPF process. As we know it is not a cultural method to do it. Is there any other method?
Thank you !
Best Regards,
Denis Mikhailov.
Reply
May 18, 2013 at 11:58 am
Fulvio Allegretti
Method 1:
router ospf 1
distribute-list 10 out rip
!
access-list 1 deny 1.1.1.0
access-list 1 permit any
Should that not be
distribute-list 1 out rip
Fulvio
Reply
August 21, 2013 at 2:54 pm
Roman Shilenko
I know years have passed, but since this article is still actual and useful:
> If the LSA contains non-zero FA (forwarding address) field,
> OSPF process will check for this address to be accessible via RIB
> (RFC specifies that only OSPF routes should be considered,
> but it seems IOS satisfies with any route)
> before installing the actual prefix into the RIB.
No, *any* route doesn't work. I gathered a topology described in the mentioned article "Common Routing Problem with OSPF Forwarding Address" and made a static route towards the FA:
ip route 3.3.4.4 255.255.255.255 1.1.1.2
The OSPF process did NOT make a route for 200.1.1.0/24 out of the type-5 LSA, because "Fail to find route to forwarding addr 3.3.4.4".
Cisco 3725, 12.3(22).
Reply