OSPF Filtering

Answered Question
Sep 16th, 2009

Hi Experts,

I need conceptual clarification on OSPF "DISTRIBUTION-LIST" & "FILTER-LIST".

I labbed it and my result is below:

Using DISTRIBUTION-LIST in/out --- Identified prefix is not installed in AREA 0 but advertised to other non-backbone areas

Using FILTER-LIST in/out ---- Identified prefix is installed in AREA 0 but not advertised to other non-backbone areas

What is the real cause of this behaviour?

I read the following in an article:

" Now one important aspect of this process. The re-generated summary LSAs are generated AFTER applying the OSPF filter associated with the routing-process via the distribute-list in command. Thus, if you filter some of the inter-area routes from entering the RIB, the respective new summary LSAs will NOT get generated. This will stop routing information propagation into the attached non-backbone areas."

But my observation on DISTRIBUTION-LIST contradicts this: it allows the denied prefix to be advertised to non-backbone areas, but the prefix does not appear in the RIB of the area 0 router. The configuration is below:

router ospf 1
 area 1 range 10.10.0.0 255.255.252.0
 area 2 range 172.16.0.0 255.255.252.0
 network 192.168.1.0 0.0.0.3 area 1
 network 192.168.1.4 0.0.0.3 area 2
 distribute-list 1 in
!
access-list 1 deny 10.10.4.0 0.0.0.255
access-list 1 permit any

Can you share your valuable ideas and shed some light on this?

sairam

Giuseppe Larosa Wed, 09/16/2009 - 12:42

Hello Sairam,

What you see is correct. The right tool for inter-area filtering is the

area x filter-list name in|out

command, which accepts a prefix-list.

distribute-list in OSPF can only influence the installation of IP prefixes in the local routing table; it cannot influence OSPF flooding and LSA propagation.

The older way to filter prefixes at the area border is the use of

area range with the no-advertise option.

See

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_osp1.html#wp1011184

and

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_osp1.html#wp1011537

Hope to help

Giuseppe
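
The two area-border tools named in the reply above, set beside the asker's distribute-list, as an added example that is not part of the original thread. The prefix-list name BLOCK-10-10-4 and the choice of area 2 as the area to protect are assumptions; the IOS keyword for the area range option is `not-advertise`.

```cisco
! Added example. Prefix-list name and area placement are assumptions.
!
! Prefix-list used by the area filter-list: drop 10.10.4.0/24, allow the rest.
ip prefix-list BLOCK-10-10-4 seq 5 deny 10.10.4.0/24
ip prefix-list BLOCK-10-10-4 seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
 area 1 range 10.10.0.0 255.255.252.0
 area 2 range 172.16.0.0 255.255.252.0
 network 192.168.1.0 0.0.0.3 area 1
 network 192.168.1.4 0.0.0.3 area 2
 !
 ! Area-border filter: acts on the type-3 LSAs this ABR originates INTO
 ! area 2, so routers inside area 2 never receive 10.10.4.0/24.
 area 2 filter-list prefix BLOCK-10-10-4 in
 !
 ! Older alternative. Only applies if 10.10.4.0/24 is an intra-area
 ! route of area 1 (assumption): suppress its summary at the border.
 ! area 1 range 10.10.4.0 255.255.255.0 not-advertise
 !
 ! The asker's original line, kept for contrast: it only decides what
 ! this router installs in its own routing table.
 distribute-list 1 in
!
access-list 1 deny 10.10.4.0 0.0.0.255
access-list 1 permit any
!
! Checks to run afterwards:
!   On this ABR:
!     show ip prefix-list detail BLOCK-10-10-4    (hit counters per entry)
!     show ip route 10.10.4.0                     (absent: distribute-list)
!   On a router inside area 2:
!     show ip ospf database summary 10.10.4.0     (absent: filter-list)
!     show ip route 10.10.4.0                     (absent)
```

Checking both the link-state database and the routing table on a router other than the ABR is what separates the two behaviours: a route missing only from the ABR's own table means only the distribute-list took effect.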

Peter Paluch Wed, 09/16/2009 - 12:50

Hello Sairam,

In link-state protocols, the distribute-list works very differently than in distance-vector protocols. Link-state protocols distribute their routing information not as a plain list of reachable networks, but "hidden" inside the individual LSAs. Only after processing these LSAs with the Dijkstra algorithm do you eventually discover the existing destination networks and place them in the routing table. Also, an LSA originated by a particular router may not be modified by any other router. From these facts it follows that

1.) You do not know about particular networks in your area before you run the Dijkstra algorithm, so a distribute-list that filters networks cannot have an effect before the Dijkstra algorithm is run.

2.) After you know your particular networks, you may filter them by a distribute-list for yourself, but because you cannot modify other routers' LSAs, the distribute-list will not have any effect for anybody else but you.

This gives the reasoning for how the distribute-list works for OSPF and why it works in such a particular way: A distribute-list in the in direction filters the networks that will be put into your routing table. However, it applies only to your routing table and not to anybody else's. The link-state database will not be modified as a result of this command, and other routers will see all networks, including those you have filtered out for yourself. A distribute-list in the out direction has an effect only if you are an ASBR and redistribute some external networks into OSPF. In this case, the distribute-list is able to filter the networks you will advertise in your LSA5 sent to your neighbors. Note that because you are the originator of your LSA5, you are also authorized to modify their contents according to the distribute-list. However, no other router will have that same privilege. You cannot filter any other networks with the distribute-list out except those you are redistributing into OSPF yourself.

The filter-list is simply used for filtering inter-area routes that will be advertised to or from a particular area. The inter-area routes are present in LSA3 generated by an ABR. The filter-list filters the networks that are present in the LSA3 sent into that area (the in direction) or generated based upon the networks in that area towards other areas (the out direction).

I hope this helps a bit.

Best regards,

Peter

snarayanaraju Wed, 09/16/2009 - 22:01

Hi Peter & Giuseppe,

A nice explanation. Thanks. What made me raise this fundamental query is:

I recently learned in an article that routes through LSA TYPE 3 from all areas (say, for example, AREA 1) are sent to the backbone area (AREA 0). Here the Distance Vector algorithm is implicitly used, and routes belonging to AREA 1 in the RIB of the AREA0 router are sent to AREA 2.

Thus I thought RIB information in AREA 0 plays a major role here. Thus I am surprised how, when a route (example 172.16.1.0) is removed from the RIB of AREA0 using DISTRIBUTION-LIST, it is being sent as LSA 3 to AREA 0. I expected that the route 172.16.1.0 would not be sent to AREA 2 from AREA0, as 172.16.1.0 is filtered using DISTRIBUTION-LIST and does not appear in the RIB of the AREA0 router.

Hope I am not complicating the concept.

Please refer to the link and focus on the LSA3 section, which made me raise this query:

http://blog.internetworkexpert.com/2009/08/17/ospf-route-filtering-demystified/

sairam

Correct Answer
Giuseppe Larosa Wed, 09/16/2009 - 23:05

Hello Sairam,

>> Thus I thought RIB information in AREA 0 plays a major role here. Thus I am surprised how, when a route (example 172.16.1.0) is removed from the RIB of AREA0 using DISTRIBUTION-LIST, it is being sent as LSA 3 to AREA 0.

This is exactly the problem with distribute-list and OSPF.

distribute-list can only influence whether an IP prefix is installed in the local routing table, but it cannot "filter" the corresponding LSA.

So if you have a router RD in area 0 downstream of ABR (0,2), and ABR (0,2) has a distribute-list that filters 172.16.1.0/24, the corresponding LSA reaches RD and RD installs the route in its routing table.

I didn't try distribute-list as a way to perform inter-area filtering, and I don't recommend it even if it would work.

The right tools are the first two methods, with area filter-list providing the greatest flexibility.

I would suggest you use books like Jeff Doyle's Routing TCP/IP Vol. I and look at RFC 2328.

Very good but difficult to read is Halabi's introduction to OSPF.

Hope to help

Giuseppe
