OSPF Inter-Area External Route Filtering
Cyanic
I have a case where I need to filter external routes between areas. Apparently prefix lists using the area x filter-list prefix command do not work on external routes, only summary. Does anyone know of a way to do this?
For example the following does not work to stop 192.168.1.0/24 from entering area 3 if it is an E2 route in another area 0. It works fine if it is a summary route.
ip prefix-list AREA3_IN seq 10 deny 192.168.1.0/24
ip prefix-list AREA3_IN seq 20 permit 0.0.0.0/0 le 32
router ospf 1
area 3 filter-list prefix AREA3_IN in
I think the only solution may be to create area 3 as a Stub or NSSA and then use statics for the external routes we do want in that area.
Comments
networker050184
I believe the filter-list only applies to type 3 LSAs. Making a stub would work or you could use a distribute list to keep it out of the routing table on the routers in the area.
Cyanic
Thanks,
Another idea is to run different OSPF processes for the "areas" and then redistribute with a filter.
networker050184
That sounds like it would be a lot more trouble than it's worth. I work by the K.I.S.S. rule. Keep It Simple Stupid!
wave
Here's another idea. I haven't labbed this but it might work.
You could use a route-map on the area 3 interface (ip policy route-map) matching your prefix-list, and even match the OSPF external route type.
networker050184
You can't filter LSAs that way.
wave
networker050184 wrote: » You can't filter LSAs that way.
mmm you're right, after I hit post I suddenly thought "errr".
Cyanic
I would like to keep it simple, but that is not an option in this case. For instance both areas have their own default gateways. The current solution is to have area 3 as an NSSA and to put static routes in that area that point back to certain externals that originate within area 0. Other externals that are redistributed into area 0 should not be passed to area 3 because area 3 should get to these via its default.
Anyway, here is a very thorough write-up on OSPF filtering that might help some.
OSPF Route Filtering Demystified
wave
How about this:
Under the OSPF process: distribute-list route-map BLOCK in
ip prefix-list PREBLOCK seq 5 permit 209.65.200.240/29
route-map BLOCK deny 10
match ip address prefix-list PREBLOCK
match interface Serial1/0.1
match route-type external
!
route-map BLOCK permit 20
Because you can match the interface with a route-map you can essentially match based on the area you want to filter. The only snag is that you can't apply the distribute list outbound, it must be applied inbound. I redistributed that BGP route into OSPF which came through as an E2. The route appeared on the next downstream OSPF router on which I applied the above config. The OE2 route no longer appeared.
networker050184
The distribute list only keeps the route from being allowed into the RIB on the local router. Due to the nature of OSPF all routers must contain a consistent LSDB for the area so LSA filtering is pretty limited.
I do agree (as I suggested above) a distribute list on all routers in the area is a good solution for this scenario.
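Added example, not written by any poster in this thread: a small Python model of the behaviour discussed above, showing why the AREA3_IN filter-list stops 192.168.1.0/24 as a type 3 summary but not as a type 5 external, and what an NSSA or an inbound distribute-list changes. The LSA class, the function names and the sample LSAs are constructed for illustration, and the model is simplified to type 3 and type 5 LSAs at a single ABR.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class LSA:
    ls_type: int   # 3 = summary (inter-area), 5 = AS-external (E1/E2)
    prefix: str

def permits(prefix_list, prefix):
    """First-match prefix-list evaluation with an implicit deny at the end."""
    net = ipaddress.ip_network(prefix)
    for action, match, le in prefix_list:
        m = ipaddress.ip_network(match)
        max_len = m.prefixlen if le is None else le
        if net.subnet_of(m) and net.prefixlen <= max_len:
            return action == "permit"
    return False

def area_lsdb(backbone_lsas, filter_in=None, area_type="normal"):
    """LSAs the ABR passes from area 0 into the attached area."""
    passed = []
    for lsa in backbone_lsas:
        if lsa.ls_type == 5:
            # Type 5 floods AS-wide and bypasses the filter-list;
            # only a stub or NSSA area keeps it out.
            if area_type in ("stub", "nssa"):
                continue
        elif filter_in and not permits(filter_in, lsa.prefix):
            continue  # type 3 dropped by 'area x filter-list prefix ... in'
        passed.append(lsa)
    return passed

def rib(lsdb, distribute_in=None):
    """Prefixes one router installs; a distribute-list in acts only here."""
    return sorted({l.prefix for l in lsdb
                   if distribute_in is None or permits(distribute_in, l.prefix)})

# Constructed sample data mirroring the AREA3_IN prefix-list from the first post.
AREA3_IN = [("deny", "192.168.1.0/24", None), ("permit", "0.0.0.0/0", 32)]
AS_SUMMARY = [LSA(3, "192.168.1.0/24"), LSA(3, "10.0.0.0/8")]
AS_EXTERNAL = [LSA(5, "192.168.1.0/24"), LSA(3, "10.0.0.0/8")]

if __name__ == "__main__":
    print("summary, filter-list:", area_lsdb(AS_SUMMARY, AREA3_IN))
    print("E2, filter-list:     ", area_lsdb(AS_EXTERNAL, AREA3_IN))
    print("E2, NSSA:            ", area_lsdb(AS_EXTERNAL, AREA3_IN, "nssa"))
    leaked = area_lsdb(AS_EXTERNAL, AREA3_IN)
    print("E2, distribute-list: ", rib(leaked, AREA3_IN), "LSDB still:", leaked)
```

In the last case the external LSA remains in the area's LSDB and is only kept out of the routing table of the router that applies the distribute-list, which is why it has to be configured on every router in the area.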