OSPF Route Filtering

Captions
In this video we want to talk about how to do OSPF route filtering. It may be we want to filter routes from being learned by a router for security reasons: we don't want a router to have reachability to a particular network. Maybe we're trying to limit the number of entries in our IP routing table. Maybe we're trying to prevent a routing loop. And the question is, how do we filter these routes? There are three primary ways we can go about this, and to illustrate these concepts imagine that we have a network with a couple of areas. We've got area 0, and connected to area 0 we have area 1, and one of the routers in area 1 is connected to another autonomous system, an EIGRP-speaking autonomous system. A couple of these routers in this topology have special names. The ABR has at least one interface in the backbone area, area 0, and it has at least one interface in a non-backbone area, area 1 in this case. We've got an autonomous system boundary router, which has at least one interface in an OSPF area, area 1 in this case, and at least one interface in another autonomous system, in this case an EIGRP-speaking autonomous system. When we're doing OSPF route filtering, typically we'll filter the routes either at the ABR or the ASBR.

What kinds of routes are being generated by the ABR? Let's imagine we have a network in area 1 and that network is being advertised into area 0. How does that network show up in area 0? Well, it's advertised by a type 3 LSA that's generated by the ABR. If we had a network in the EIGRP autonomous system and it's being advertised into OSPF, that would be advertised via a type 5 LSA that's generated by the ASBR. As a result, the ABR might be a very appropriate place to filter a type 3 LSA; we can do that with a filter list. The ASBR could be an appropriate place to filter a type 5 LSA, and that's going to be done as part of a redistribution configuration. We've got another module coming up on redistribution, so we're not going to consider how to do that in this video.

But there is one other approach. Let's imagine that we want to filter a route from just one of those routers inside of area 0. Can we do that? Can we tell OSPF to have a different link state database for just one router in an area? No, we cannot. That violates one of the basic concepts of OSPF, which says all of the routers inside of an area need to agree on what that area looks like: what is the topology of that area, what networks are in that area. We're not able to filter selective routes out of an OSPF database for just one router in an area. However, what if we did this? What if we let OSPF go ahead and learn the route on that router on which we wanted to filter out a specific route? Just because OSPF knows the route, that's no guarantee that that route is going to be injected into the router's IP routing table. The route learned by OSPF is just a candidate to be injected into the IP routing table. What if, before OSPF could inject that route into the IP routing table, we blocked it? We could configure something called a distribute list to block that route from being injected into the IP routing table while not altering the link state database for that router. OSPF knows about the route, but the IP routing table doesn't learn it because we've blocked it.

Those are the three primary approaches to doing OSPF route filtering, and we want to demonstrate two of those in this video: setting up a filter list on an ABR to block a type 3 LSA, and configuring a distribute list on a specific router to block a route from being learned just for that router's IP routing table.

Let's go out to the live interface right now and see how to set up a filter list on an ABR. On router R1, let's take a look at the IP routing table, and we can see from the IA code on some of these routes that these routes have been learned from another area; this is an OSPF inter-area code. We can see, for example, the loopback IP address of router R2 and router R3. There are a couple of others on screen, but it's these two networks (they're actually just IP addresses, because they have a 32-bit subnet mask), it's these two prefixes that we want to filter, in this part of the example, from going into area 0. What kind of LSA is advertising these networks into area 0? Well, they're coming from area 1; that means an area border router is advertising them using type 3 LSAs. We can confirm that with a show ip ospf database command, and for our summary LSAs, in other words the type 3 LSAs, here we see 2.2.2.2 and 3.3.3.3.

Let's filter those out from going into area 0's OSPF database. To do that, we'll go to router R2, because that's the area border router; that's where we would filter type 3 LSAs. We're going to create a prefix list using the command ip prefix-list, and we give it a name. I'm going to call this no-loopbacks. This is processed top-down, much like an access control list, and I'm going to give this a sequence number. This is going to be sequence number 10, and then I'll have a number 20 and a number 30, but this is going to be sequence number 10, and I want this to deny the prefix for router R2's loopback IP address. I'll say deny 2.2.2.2/32; /32 was the 32-bit subnet mask assigned to that IP address. Let's do another one for the loopback IP address on router R3. I'll increase the sequence number to 20, and the IP address for router R3's loopback interface was 3.3.3.3. I want everything else to get through, though; we had a couple of other networks, and I don't want them to be filtered. How do I permit everything else? Well, I do one more ip prefix-list command, and it's going to be no-loopbacks sequence number 30. This time I want to say permit, and I'm going to permit everything else. Here's the way we say everything else: 0.0.0.0/0, and I want to encompass all prefix lengths that are less than or equal to 32 bits, which would encompass all prefix lengths. I'll say le, meaning less than or equal to, 32.

Now that I've got the prefix list configured, I need to apply it to an area, and you can apply a prefix list inbound or outbound. You can say I want to filter advertisements as they're going into an area, or as they're being advertised out of an area. In this example, let's filter advertisements going into area 0. To do that, I'll go into router OSPF configuration mode, and I'll say for area 0, let's apply a filter list. We'll say filter-list, and we're going to apply a prefix list that we configured, so we'll say prefix; the name of that prefix list was no-loopbacks; and we can apply this in the inbound or the outbound direction. We're going to apply this coming in to area 0. And we're done.

Let's now go over to router R1 and see if it still knows about 2.2.2.2 and 3.3.3.3. It did just a moment ago. Let's go check it out. If I now give a show ip route, do I know about those loopback IP addresses? No, they are missing. What about the link state database? Does it know about them? Let's do a show ip ospf database command. Now if we look at our type 3 LSAs, we're missing a couple that we had before, 2.2.2.2 and 3.3.3.3. They've now been filtered. That's how we can filter type 3 LSAs from coming into an area, and as we mentioned earlier, you can filter type 5 LSAs coming into an OSPF autonomous system using redistribution. We're not going to demonstrate that here; we've got another module on redistribution.

The other thing I do want to show you is how we can allow a network to be learned by OSPF on a router but prevent that network, or that prefix, from being injected into that router's IP routing table. We're not able to surgically remove just a network prefix from a link state database on just one router in an area, because all the routers in the area need to match, but we can prevent that prefix from being injected into the IP routing table on one router. Let's say, for example, that we want to filter the 10.2.2.0/24 network; that's the network connected to router R3's FastEthernet 0/0 interface. Let's filter that from showing up on router R1. Right now we know about that network; here it is, 10.2.2.0/24, and we see it in our link state database. Let's filter it, though, and we'll do that here on router R1. Like we did before, we're going to create a prefix list. Let's go into global configuration mode and create a prefix list: ip prefix-list, and I'll name this filter_10-2-0; that's just the name that I came up with. I'll give this a sequence number of 10, and I want to deny a specific prefix: I want to deny 10.2.2.0/24. I want to allow everything else, so I'll create a sequence number of 20 and I will permit everything else. Remember how we did that previously: we said 0.0.0.0/0 le 32, less than or equal to 32. We've now created our IP prefix list, and we're going to apply it now to our OSPF process as a distribute list. Let's go into router ospf 1 configuration mode, and we'll say distribute-list, and this is going to be a prefix list that we're applying, so I'll say prefix, and the name of this list is filter_10-2-0, and I want to apply this in the inbound direction, so I'll say in.

Let's see if this took effect. First of all, let's see if OSPF knows about the 10.2.2.0/24 network. If I do a show ip ospf database command, I know about it; it's being advertised to me by a type 3 LSA. If I do a show ip ospf rib command, this is the routing information base for OSPF, and it includes that route. However, the question is, has it been injected into this router's IP routing table? Let's do a show ip route and find out. If you take a look at the IP routing table, it's not there. 10.2.2.0/24 was there a few moments ago, but we filtered it out using a distribute list.
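The following is an added worked example, not code from the video or from Cisco: a small Python model of the two filtering points the captions walk through. It parses the same ip prefix-list lines typed on R2 and R1 (list names as spoken in the video, letter case assumed), evaluates them with Cisco IOS prefix-list semantics (sequence order, first match wins, implicit deny at the end, ge/le bounding the prefix length, exact length when neither is given), and then applies one list as the ABR filter-list that changes every area-0 LSDB and the other as R1's distribute-list that only gates what leaves R1's OSPF RIB for its routing table. The set of area-1 prefixes is constructed (10.1.2.0/24 stands in for the unnamed "other networks" on screen), and the last function shows the classic mistake the speaker is guarding against with le 32: a bare permit 0.0.0.0/0 matches only the default route, so everything else hits the implicit deny.

```python
"""Model of OSPF filter-list (ABR, type-3 LSAs into area 0) and distribute-list
(one router, OSPF RIB -> IP routing table) using IOS prefix-list semantics.
Added example with constructed sample data; not Cisco code, not a real device."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


def ip(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                          # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        if not prefix.subnet_of(self.network):   # address bits must fall inside the entry
            return False
        # IOS: no ge/le -> exact length; ge alone -> ge..32; le alone -> entry length..le
        lo = self.ge if self.ge is not None else self.network.prefixlen
        hi = self.le if self.le is not None else (32 if self.ge is not None else self.network.prefixlen)
        return lo <= prefix.prefixlen <= hi


def parse_prefix_lists(config: str) -> dict[str, list[Entry]]:
    """Parse 'ip prefix-list NAME seq N permit|deny PREFIX [ge N] [le N]'; other lines ignored."""
    lists: dict[str, list[Entry]] = {}
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["ip", "prefix-list"]:
            continue
        if len(t) < 7 or t[3] != "seq" or t[5] not in ("permit", "deny"):
            raise ValueError(f"unsupported prefix-list syntax: {line!r}")
        bounds = dict(zip(t[7::2], map(int, t[8::2])))       # e.g. {"le": 32}
        if set(bounds) - {"ge", "le"}:
            raise ValueError(f"unknown keyword in: {line!r}")
        lists.setdefault(t[2], []).append(Entry(int(t[4]), t[5], ip(t[6]), bounds.get("ge"), bounds.get("le")))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)                     # processed top-down by sequence
    return lists


def permitted(entries: list[Entry], prefix: ipaddress.IPv4Network) -> bool:
    for e in entries:
        if e.matches(prefix):
            return e.action == "permit"                       # first match wins
    return False                                              # implicit deny at the end


def apply_list(entries: list[Entry], prefixes) -> list[ipaddress.IPv4Network]:
    return sorted(p for p in prefixes if permitted(entries, p))


# Constructed: prefixes inside area 1 that R2 (the ABR) advertises into area 0 as
# type-3 LSAs. 2.2.2.2/32, 3.3.3.3/32 and 10.2.2.0/24 are from the video; 10.1.2.0/24 is invented.
AREA1_PREFIXES = [ip("2.2.2.2/32"), ip("3.3.3.3/32"), ip("10.2.2.0/24"), ip("10.1.2.0/24")]

# The commands as typed in the video (list names as spoken; letter case assumed).
R2_CONFIG = """
ip prefix-list no-loopbacks seq 10 deny 2.2.2.2/32
ip prefix-list no-loopbacks seq 20 deny 3.3.3.3/32
ip prefix-list no-loopbacks seq 30 permit 0.0.0.0/0 le 32
router ospf 1
 area 0 filter-list prefix no-loopbacks in
"""
R1_CONFIG = """
ip prefix-list filter_10-2-0 seq 10 deny 10.2.2.0/24
ip prefix-list filter_10-2-0 seq 20 permit 0.0.0.0/0 le 32
router ospf 1
 distribute-list prefix filter_10-2-0 in
"""


def area0_type3_lsdb() -> list[ipaddress.IPv4Network]:
    """Type-3 prefixes every area-0 router's LSDB holds after R2's filter-list."""
    return apply_list(parse_prefix_lists(R2_CONFIG)["no-loopbacks"], AREA1_PREFIXES)


def r1_routing_table() -> list[ipaddress.IPv4Network]:
    """R1's OSPF RIB is the area-0 LSDB; the distribute-list gates what gets installed."""
    return apply_list(parse_prefix_lists(R1_CONFIG)["filter_10-2-0"], area0_type3_lsdb())


def forgot_le_32() -> list[ipaddress.IPv4Network]:
    """'permit 0.0.0.0/0' without 'le 32' matches only the default route, so every
    real prefix falls through to the implicit deny and nothing is permitted."""
    return apply_list(parse_prefix_lists("ip prefix-list bad seq 10 permit 0.0.0.0/0")["bad"], AREA1_PREFIXES)


if __name__ == "__main__":
    print("area 0 type-3 LSDB:", [str(p) for p in area0_type3_lsdb()])
    print("R1 routing table:  ", [str(p) for p in r1_routing_table()])
    print("without le 32:     ", [str(p) for p in forgot_le_32()])
```

Run it as-is to see the loopbacks disappear from the area-0 LSDB while 10.2.2.0/24 survives there and is dropped only at R1's routing table, which is exactly what show ip ospf database versus show ip route showed in the video. Note that the distribute-list model above treats the RIB as identical to the LSDB for inter-area prefixes; on a real router the distribute-list also does not stop R1 from flooding that LSA onward, which is why it is a per-router routing-table control and not a security boundary for the area.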
Info
Channel: Kevin Wallace Training, LLC
Views: 57,077
Keywords: Cisco Career Certifications, Kevin Wallace, 1examamonth, 300-101, 200-120, 101-101, ROUTE, Cisco CCNP, Cisco, CCNA, CCNP, CCIE, CCDP, OSPF, Route Filtering, #kwtrain
Id: 781KKv_EH9s
Length: 10min 11sec (611 seconds)
Published: Thu Sep 04 2014