Filtering OSPF Areas in OSPF

Author
Carole Warner Reece
Architect

I have been recently looking at route summarization in OSPF networks. I have been looking at ways to connect many remote sites on a WAN to a campus network. My plan is for the WAN area to be totally stubby, and for each remote router in the WAN to only announce their connected networks. There may be multiple Layer 3 devices at each remote site. However, I want to control what routes the remote sites are able to announce into the OSPF routing domain (well, one of my buddies wanted this control, so I went to the lab to test how to use OSPF LSA filtering to apply some controls…)

My example scenario for a remote site connected to the enterprise network looks like this:

2011-08-18_ospf_filtering

R1 and R3 are  ABRs for Area 6 and Area 3 respectively. R4 and R6 are totally stubby routers in Area 6. R1 is summarizing some of Area 6 routes being sent to R1.

The basic routing configuration should look like this:

R6#sh run
...
router ospf 1
router-id 110.1.6.1
log-adjacency-changes
area 6 stub
network 110.1.0.0 0.255.255.255 area 6
network 150.100.0.0 0.0.255.255 area 6
!

-------

R4#sh run
...
router ospf 1
router-id 110.1.4.1
log-adjacency-changes
area 6 stub
network 110.1.0.0 0.0.255.255 area 6
!

--------

R1#sh run
...
router ospf 1
router-id 110.1.1.1
log-adjacency-changes
area 6 stub no-summary
area 6 range 110.1.4.0 255.255.252.0
network 110.1.13.0 0.0.0.255 area 0
network 110.1.0.0 0.0.255.255 area 6
!

--------

R3#sh run
...
router ospf 1
router-id 110.1.3.1
log-adjacency-changes
network 110.1.3.0 0.0.0.255 area 3
network 110.1.13.0 0.0.0.255 area 0
!

Note: In the production network I am modelling, R1 would actually have another 50 or so sites connected. The model is quite a simplification for the network – all of the enterprise is just Area 0 on one link and Area 3 on one loopback. In my example all the loopbacks are /24, and are configured as “ip ospf network point-to-point” to make the routing tables loop more like the enterprise I an modeling. The point to point links are similarly /24 addresses.

The defined enterprise routing design states that only routes in the 110.1.0.0/16 address block should be configured in Area 6. But in the scenario illustrated above, R6 has added in some “test” networks that are accidentally being sent into the enterprise, due to misconfiguring the routing statement to be too permissive as shown:

R6#sh run
...
router ospf 1
router-id 110.1.6.1
log-adjacency-changes
area 6 stub
network 110.0.0.0 0.255.255.255 area 6
network 150.100.0.0 0.0.255.255 area 6
!

Here are the routing tables on the routers showing the “illegal” test networks on R6:

R6#sh ip ro
...
Gateway of last resort is 110.1.5.4 to network 0.0.0.0

110.0.0.0/24 is subnetted, 7 subnets
C 110.1.6.0 is directly connected, Loopback0
C 110.2.6.0 is directly connected, Loopback1
C 110.3.6.0 is directly connected, Loopback2

C 110.1.5.0 is directly connected, FastEthernet1/1
O 110.1.4.0 [110/2] via 110.1.5.4, 00:00:47, FastEthernet1/1
O 110.1.1.0 [110/3] via 110.1.5.4, 00:00:47, FastEthernet1/1
O 110.1.145.0 [110/2] via 110.1.5.4, 00:00:47, FastEthernet1/1
O*IA 0.0.0.0/0 [110/3] via 110.1.5.4, 00:00:47, FastEthernet1/1
R6#

-------

R4# sh ip ro
...
Gateway of last resort is 110.1.145.1 to network 0.0.0.0

110.0.0.0/24 is subnetted, 7 subnets
O 110.1.6.0 [110/2] via 110.1.5.6, 00:00:09, FastEthernet1/1
O 110.2.6.0 [110/2] via 110.1.5.6, 00:00:09, FastEthernet1/1
O 110.3.6.0 [110/2] via 110.1.5.6, 00:00:09, FastEthernet1/1

C 110.1.5.0 is directly connected, FastEthernet1/1
C 110.1.4.0 is directly connected, Loopback0
O 110.1.1.0 [110/2] via 110.1.145.1, 00:00:09, FastEthernet1/0
C 110.1.145.0 is directly connected, FastEthernet1/0
O*IA 0.0.0.0/0 [110/2] via 110.1.145.1, 00:00:10, FastEthernet1/0
R4#

---------

R1#sh ip ro
...

Gateway of last resort is not set

110.0.0.0/24 is subnetted, 7 subnets
C 110.1.13.0 is directly connected, FastEthernet1/1
O 110.1.6.0 [110/3] via 110.1.145.4, 00:00:35, FastEthernet1/0
O 110.2.6.0 [110/3] via 110.1.145.4, 00:00:35, FastEthernet1/0
O 110.3.6.0 [110/3] via 110.1.145.4, 00:00:35, FastEthernet1/0

O 110.1.5.0 [110/2] via 110.1.145.4, 00:00:35, FastEthernet1/0
O 110.1.4.0 [110/2] via 110.1.145.4, 00:00:35, FastEthernet1/0
O IA 110.1.3.0 [110/2] via 110.1.13.3, 00:00:35, FastEthernet1/1
C 110.1.1.0 is directly connected, Loopback0
C 110.1.145.0 is directly connected, FastEthernet1/0
R1#

---------

R3#sh ip ro
...
Gateway of last resort is not set

110.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 110.1.13.0/24 is directly connected, FastEthernet1/1
O IA 110.2.6.0/24 [110/4] via 110.1.13.1, 00:00:08, FastEthernet1/1
O IA 110.3.6.0/24 [110/4] via 110.1.13.1, 00:00:08, FastEthernet1/1
O IA 110.1.4.0/22 [110/3] via 110.1.13.1, 00:00:08, FastEthernet1/1
C 110.1.3.0/24 is directly connected, Loopback0
O IA 110.1.1.0/24 [110/2] via 110.1.13.1, 00:00:08, FastEthernet1/1
O IA 110.1.145.0/24 [110/2] via 110.1.13.1, 00:00:09, FastEthernet1/1
R3#

Overall what we want is way to suppress any router in Area 6 from injecting in “bad” routes into the OSPF backbone. To prove the idea works we want to filter out these test routes from the WAN area as well as the enterprise but not change anything on R6. First we will try using OSPF inbound intra-area route filtering at the ABR in Area 6. The inbound intra-area route filtering process works at the router level, and we use route-maps and prefix-lists to specify the acceptable Area 6 routes in the range 110.1.0.0/16 based on our given topology with the following commands:

ip prefix-list Area-249 seq 5 permit 110.1.0.0/16 le 32
ip prefix-list Area-249 seq 10 deny 0.0.0.0/0 le 32
!
ip prefix-list from-ABR seq 10 permit 0.0.0.0/0 le 32
!
route-map Area-249 permit 10
match ip address prefix-list Area-249
match interface FastEthernet1/0
! Fa1/0 connects to R4
!
route-map Area-249 permit 20
match ip address prefix-list from-ABR
match interface FastEthernet1/1
! Fa1/1 connects to R3 another ABR
!
router ospf 1
distribute-list route-map Area-249 in

We clear the OSPF routing process, and then look at the routing tables:

R1#sh ip ro

Gateway of last resort is not set

110.0.0.0/24 is subnetted, 7 subnets
C       110.1.13.0 is directly connected, FastEthernet1/1
O       110.1.6.0 [110/3] via 110.1.145.4, 00:00:56, FastEthernet1/0
O       110.1.5.0 [110/2] via 110.1.145.4, 00:00:56, FastEthernet1/0
O       110.1.4.0 [110/2] via 110.1.145.4, 00:00:57, FastEthernet1/0
O IA    110.1.3.0 [110/2] via 110.1.13.3, 00:00:57, FastEthernet1/1
C       110.1.1.0 is directly connected, Loopback0
C       110.1.145.0 is directly connected, FastEthernet1/0
R1#
R1# ! inbound distribute-list on R1 removes the test routes from R1

--------

R4# sh ip ro
...
Gateway of last resort is 110.1.145.1 to network 0.0.0.0

110.0.0.0/24 is subnetted, 7 subnets
O 110.1.6.0 [110/2] via 110.1.5.6, 00:00:09, FastEthernet1/1
O 110.2.6.0 [110/2] via 110.1.5.6, 00:00:09, FastEthernet1/1
C 110.1.5.0 is directly connected, FastEthernet1/1
O 110.3.6.0 [110/2] via 110.1.5.6, 00:00:09, FastEthernet1/1
C 110.1.4.0 is directly connected, Loopback0
O 110.1.1.0 [110/2] via 110.1.145.1, 00:00:09, FastEthernet1/0
C 110.1.145.0 is directly connected, FastEthernet1/0
O*IA 0.0.0.0/0 [110/2] via 110.1.145.1, 00:00:10, FastEthernet1/0
R4#
R4# ! as expected, inbound distribute-list on R1 does not remove test routes on R4

-------


R3#sh ip ro
...
Gateway of last resort is not set

110.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 110.1.13.0/24 is directly connected, FastEthernet1/1
O IA 110.2.6.0/24 [110/4] via 110.1.13.1, 00:00:08, FastEthernet1/1
O IA 110.3.6.0/24 [110/4] via 110.1.13.1, 00:00:08, FastEthernet1/1

O IA 110.1.4.0/22 [110/3] via 110.1.13.1, 00:00:08, FastEthernet1/1
C 110.1.3.0/24 is directly connected, Loopback0
O IA 110.1.1.0/24 [110/2] via 110.1.13.1, 00:00:08, FastEthernet1/1
O IA 110.1.145.0/24 [110/2] via 110.1.13.1, 00:00:09, FastEthernet1/1
R3#
R3# ! inbound distribute-list on R1 only is not sufficient
R3# ! to remove test routes at R3

Although R1 has filtered the test routes from its routing table, R3 and R4 still see the R6 test routes.  We then apply the same filter on R4 using a route-map that supports the appropriate interfaces on R4:

ip prefix-list Area-249 seq 5 permit 110.1.0.0/16 le 32
ip prefix-list Area-249 seq 10 deny 0.0.0.0/0 le 32
!
ip prefix-list from-ABR seq 10 permit 0.0.0.0/0 le 32
!
route-map Area-249 permit 10
match ip address prefix-list Area-249
match interface FastEthernet1/1
! Fa1/1 connects to R6
!
route-map Area-249 permit 20
match ip address prefix-list from-ABR
match interface FastEthernet1/0
! Fa1/0 connects to R1 the ABR
!
router ospf 1
distribute-list route-map Area-249
!

After clearing the OSPF routing process, we check and see that the test routes from R6 have been removed from R4’s routing table.

R4#sh ip ro

Gateway of last resort is 110.1.145.1 to network 0.0.0.0

110.0.0.0/24 is subnetted, 5 subnets
O 110.1.6.0 [110/2] via 110.1.5.6, 00:00:50, FastEthernet1/1
C 110.1.5.0 is directly connected, FastEthernet1/1
C 110.1.4.0 is directly connected, Loopback0
O 110.1.1.0 [110/2] via 110.1.145.1, 00:00:51, FastEthernet1/0
C 110.1.145.0 is directly connected, FastEthernet1/0
O*IA 0.0.0.0/0 [110/2] via 110.1.145.1, 00:00:51, FastEthernet1/0
R4#
R4# ! inbound distribute-list on R4 removes the test routes from R4

However the test routes still appear in R3’s routing table:

R3#sh ip ro
...
Gateway of last resort is not set

110.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
C 110.1.13.0/24 is directly connected, FastEthernet1/1
O IA 110.2.6.0/24 [110/4] via 110.1.13.1, 00:00:08, FastEthernet1/1
O IA 110.3.6.0/24 [110/4] via 110.1.13.1, 00:00:08, FastEthernet1/1

O IA 110.1.4.0/22 [110/3] via 110.1.13.1, 00:00:08, FastEthernet1/1
C 110.1.3.0/24 is directly connected, Loopback0
O IA 110.1.1.0/24 [110/2] via 110.1.13.1, 00:00:08, FastEthernet1/1
O IA 110.1.145.0/24 [110/2] via 110.1.13.1, 00:00:09, FastEthernet1/1
R3#
R3# ! inbound route-filter on R1 is not sufficient to remove test routes at R3

We can look for clues on R1 and R3:


R1#sh ip ospf data

OSPF Router with ID (110.1.1.1) (Process ID 1)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
110.1.1.1       110.1.1.1       63          0x80000004 0x0058F6 1
110.1.3.1       110.1.3.1       68          0x80000006 0x004CFA 1

Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.13.3      110.1.3.1       68          0x80000005 0x005509

Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.1.0       110.1.1.1       62          0x80000003 0x00E572
110.1.3.0       110.1.3.1       633         0x80000001 0x00C590
110.1.4.0       110.1.1.1       58          0x80000001 0x00C395
110.1.145.0     110.1.1.1       53          0x80000009 0x00A31E
110.2.6.0       110.1.1.1       58          0x80000001 0x00BA97
110.3.6.0       110.1.1.1       58          0x80000001 0x00AEA2


Router Link States (Area 6)

Link ID         ADV Router      Age         Seq#       Checksum Link count
110.1.1.1       110.1.1.1       60          0x80000008 0x00C7F9 2
110.1.4.1       110.1.4.1       61          0x80000012 0x00E4C6 3
110.1.6.1       110.1.6.1       62          0x80000011 0x00505E 4

Net Link States (Area 6)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.5.4       110.1.4.1       61          0x80000003 0x000959
110.1.145.4     110.1.4.1       66          0x80000003 0x00BD1D

Summary Net Link States (Area 6)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         110.1.1.1       60          0x80000002 0x00B813
R1# ! although not associated with Area 6, the test routes still in LSA database as
R1# ! summary net link states for Area 0

-------


R3#sh ip ospf dat

OSPF Router with ID (110.1.3.1) (Process ID 1)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
110.1.1.1       110.1.1.1       141         0x80000004 0x0058F6 1
110.1.3.1       110.1.3.1       144         0x80000006 0x004CFA 1

Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.13.3      110.1.3.1       144         0x80000005 0x005509

Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.1.0       110.1.1.1       140         0x80000003 0x00E572
110.1.3.0       110.1.3.1       710         0x80000001 0x00C590
110.1.4.0       110.1.1.1       136         0x80000001 0x00C395
110.1.145.0     110.1.1.1       130         0x80000009 0x00A31E
110.2.6.0       110.1.1.1       136         0x80000001 0x00BA97
110.3.6.0       110.1.1.1       136         0x80000001 0x00AEA2


Router Link States (Area 3)

Link ID         ADV Router      Age         Seq#       Checksum Link count
110.1.3.1       110.1.3.1       714         0x80000002 0x004C8A 1

Summary Net Link States (Area 3)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.1.0       110.1.3.1       136         0x80000001 0x00E571
110.1.4.0       110.1.3.1       136         0x80000001 0x00BF96
110.1.13.0      110.1.3.1       131         0x8000000B 0x0043FE
110.1.145.0     110.1.3.1       136         0x80000001 0x00AF17
110.2.6.0       110.1.3.1       136         0x80000001 0x00B698
110.3.6.0       110.1.3.1       136         0x80000001 0x00AAA3
R3#

R3# ! R3 receives LSAs for the test routes and installs them in the routing table

The inbound route filter on R1 filters on the routes from the RIB, but they remain in R1’s OSPF database. So not only do we need to filter the LSA inside the area, we also need to filter them so that R1 does not send them out of the area. Therefore we apply an outbound area filter at the ABR using the same prefix list:

router ospf 1
area 6 filter-list prefix Area-249 out  

We again clear the OSPF process. After the neighbors exchange routes, we check again:

R3#sh ip ro

Gateway of last resort is not set

110.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       110.1.13.0/24 is directly connected, FastEthernet1/1
O IA    110.1.4.0/22 [110/3] via 110.1.13.1, 00:00:23, FastEthernet1/1
C       110.1.3.0/24 is directly connected, Loopback0
O IA    110.1.1.0/24 [110/2] via 110.1.13.1, 00:00:23, FastEthernet1/1
O IA    110.1.145.0/24 [110/2] via 110.1.13.1, 00:00:23, FastEthernet1/1
R3#
R3# ! test routes have been suppressed

Success! R3 no longer sees the the test routes. We also check the status R1’s LSA database:

R1#sh ip ospf data

OSPF Router with ID (110.1.1.1) (Process ID 1)

Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
110.1.1.1       110.1.1.1       80          0x80000007 0x0052F9 1
110.1.3.1       110.1.3.1       86          0x8000000C 0x004001 1

Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.13.3      110.1.3.1       86          0x8000000B 0x00490F

Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.1.0       110.1.1.1       81          0x80000006 0x00DF75
110.1.3.0       110.1.3.1       1901        0x80000001 0x00C590
110.1.4.0       110.1.1.1       76          0x80000001 0x00C395
110.1.145.0     110.1.1.1       81          0x80000014 0x008D29

Router Link States (Area 6)

Link ID         ADV Router      Age         Seq#       Checksum Link count
110.1.1.1       110.1.1.1       77          0x8000000F 0x00B901 2
110.1.4.1       110.1.4.1       83          0x8000001A 0x0001A0 3
110.1.6.1       110.1.6.1       354         0x80000015 0x00A404 4

Net Link States (Area 6)

Link ID         ADV Router      Age         Seq#       Checksum
110.1.5.6       110.1.6.1       354         0x80000003 0x00DE7F
110.1.145.4     110.1.4.1       84          0x80000001 0x00C11B

Summary Net Link States (Area 6)

Link ID         ADV Router      Age         Seq#       Checksum
0.0.0.0         110.1.1.1       79          0x80000005 0x00B216
R1#

Success again! We see that the test routes have been removed from R1’s LSA database.

Summary – In a multi-area OSPF design, two types of OSPF LSA filters are needed to suppress LSAs – one in bound intra-area, and one outbound inter-area from the ABR. If you forget to implement the inter-area filter at ABR, you will see routes that were  filtered from an area’s routing tables in the enterprise Area 0 routing table.

— cwr

__________________________________________________________________________________________

Related Blogs

Other recent NetCraftsmen blogs on OSPF design include:

Discontiguous non-Area 0 Areas in OSPF

2 responses to “Filtering OSPF Areas in OSPF

  1. Hi Carole,

    Note that the no-summary keyword is only needed on the ABR. The ABR decides if the area is totally stubby or not so you can remove this config from R4 and R6.

  2. Thanks Daniel – I updated R4 & R6 to remove the unneeded "no-summary" from their "area 6 stub" config.

    Carole

Leave a Reply

 

Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.

 

Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.

 

John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.