OSPF Inter-Area External Route Filtering

Cyanic Member Posts: 289
I have a case where I need to filter external routes between areas. Apparently prefix lists using the area x filter-list prefix command do not work on external routes, only summary. Does anyone know of a way to do this?

For example the following does not work to stop 192.168.1.0/24 from entering area 3 if it is an E2 route in another area 0. It works fine if it is a summary route.

ip prefix-list AREA3_IN seq 10 deny 192.168.1.0/24
ip prefix-list AREA3_IN seq 20 permit 0.0.0.0/0 le 32

router ospf 1
area 3 filter-list prefix AREA3_IN in


I think the only solution may be to create area 3 as a Stub or NSSA and then use statics for the external routes we do want in that area.
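The stub/NSSA approach sketched above, written out as an added example (this is not configuration from the thread; the 10.x addresses, interface assignments and process number are assumptions, 192.168.1.0/24 is the prefix from the question):

```ios
! ABR between area 0 and area 3 (addresses assumed for this example)
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.3.0.0 0.0.0.255 area 3
 ! Declaring area 3 NSSA stops type 5 LSAs (all E1/E2 externals from
 ! area 0) at the ABR. Without "no-summary" the ABR does not inject a
 ! default, so area 3 keeps using its own default gateway.
 area 3 nssa
!
! Every router inside area 3 must agree on the area type
router ospf 1
 network 10.3.0.0 0.0.0.255 area 3
 area 3 nssa
!
! On the area 3 routers, a static route for the one external that
! should still be reached through area 0; 10.3.0.1 is the assumed
! address of the ABR's area 3 interface
ip route 192.168.1.0 255.255.255.0 10.3.0.1
```

Check with show ip ospf database on an area 3 router: no type 5 LSAs should be present, and show ip route 192.168.1.0 should show the static rather than an O E2 entry. Any external not covered by a static follows area 3's own default, which is the behaviour described in the thread.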

Comments

  • networker050184 Mod Posts: 11,962 Mod
    I believe the filter-list only applies to type 3 LSAs. Making a stub would work or you could use a distribute list to keep it out of the routing table on the routers in the area.
    An expert is a man who has made all the mistakes which can be made.
  • Cyanic Member Posts: 289
    Thanks,

    Another idea is to run different OSPF processes for the "areas" and then redistribute with a filter.
  • networker050184 Mod Posts: 11,962 Mod
    That sounds like it would be a lot more trouble than it's worth. I work by the K.I.S.S. rule. Keep It Simple Stupid!
    An expert is a man who has made all the mistakes which can be made.
  • wave Member Posts: 342
    Here's another idea. I haven't labbed this but it might work.

    You could use a route-map on the area 3 interface (ip policy route-map) matching your prefix-list, and even match the OSPF external route type.

    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • networker050184 Mod Posts: 11,962 Mod
    You can't filter LSAs that way.
    An expert is a man who has made all the mistakes which can be made.
  • wave Member Posts: 342
    You can't filter LSAs that way.

    mmm you're right, after I hit post I suddenly thought "errr".

    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • Cyanic Member Posts: 289
    I would like to keep it simple, but that is not an option in this case. For instance both areas have their own default gateways. The current solution is to have area 3 as an NSSA and to put static routes in that area that point back to certain externals that originate within area 0. Other externals that are redistributed into area 0 should not be passed to area 3 because area 3 should get to these via its default.

    Anyway, here is a very thorough write-up on OSPF filtering that might help some.

    OSPF Route Filtering Demystified
  • wave Member Posts: 342
    How about this:


    Under the OSPF process: distribute-list route-map BLOCK in

    ip prefix-list PREBLOCK seq 5 permit 209.65.200.240/29

    route-map BLOCK deny 10
    match ip address prefix-list PREBLOCK
    match interface Serial1/0.1
    match route-type external
    !
    route-map BLOCK permit 20

    Because you can match the interface with a route-map you can essentially match based on the area you want to filter. The only snag is that you can't apply the distribute list outbound, it must be applied inbound. I redistributed that BGP route into OSPF which came through as an E2. The route appeared on the next downstream OSPF router on which I applied the above config. The OE2 route no longer appeared.

    ROUTE Passed 1 May 2012
    SWITCH Passed 25 September 2012
    TSHOOT Passed 23 October 2012
    Taking CCNA Security in April 2013 then studying for the CISSP
  • networker050184 Mod Posts: 11,962 Mod
    The distribute list only keeps the route from being allowed into the RIB on the local router. Due to the nature of OSPF all routers must contain a consistent LSDB for the area so LSA filtering is pretty limited.

    I do agree (as I suggested above) a distribute list on all routers in the area is a good solution for this scenario.
    An expert is a man who has made all the mistakes which can be made.
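The distribute-list approach the thread settles on, as an added example (not configuration posted by anyone in the thread). It uses the 209.65.200.240/29 prefix from wave's post; the process number and the list names are assumptions. Because an inbound distribute-list only filters what enters the local RIB and leaves the LSDB untouched, the same configuration has to be applied on every router in area 3:

```ios
! Apply on every OSPF router in area 3
!
! Prefixes that should not be installed from OSPF external LSAs
ip prefix-list PREBLOCK seq 5 permit 209.65.200.240/29
!
! Deny the listed prefixes only when they arrive as E2 externals;
! the same prefix learned as intra-area or inter-area still passes
route-map BLOCK deny 10
 match ip address prefix-list PREBLOCK
 match route-type external type-2
!
! Everything else is installed normally
route-map BLOCK permit 20
!
router ospf 1
 ! Inbound only: OSPF has no outbound distribute-list, since it
 ! cannot withhold LSAs from neighbours in the same area
 distribute-list route-map BLOCK in
```

After applying it, show ip route 209.65.200.240 255.255.255.248 on an area 3 router should no longer show an O E2 entry, while show ip ospf database external still lists the LSA: the route is suppressed locally, not withdrawn from the area. A router in area 3 that was missed will still install the route, which is the operational caveat networker050184 raises.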