OSPF- Limit route distribution from one OSPF area to another

phil.cappello
Level 1

I have two ospf areas 100 and 200 connected via an OSPF backbone in area 0. I am running the same OSPF process of 700 on all routers. Both area 100 and 200 have multiple routers connected to backbone area 0.

I want to limit only certain IP addresses (172.17.109.40, 172.17.110.40) from area 200 to access devices in area 100. Devices in area 200 are management devices for SNMP traps.

What is the best way besides using access lists on the interfaces on my routers?

If access lists are the only solution, do I need to include the OSPF neighbour IP address as well as the OSPF multicast 224.0.0.0?

Can anyone help?

Thanks,

4 Replies

marikakis
Level 7

I wouldn't interfere with the OSPF routes, because this can get quite complex and trouble may come into play. This case is too specific to be worth the effort of stopping routing updates from propagating to a particular area while allowing them to propagate to other areas. Are the particular IP addresses (172.17.109.40, 172.17.110.40) the only IP addresses in the subnets they belong to? And even if you manage to stop the routing updates from propagating, communication might still be possible, just because packets manage to reach (by using default routes) routers that do have routes covering the hosts you want to block.

I believe the ACLs on the router interfaces are a neater solution. You should try to place the ACLs as close as possible to the IPs, i.e. on the gateway (or gateways) that they are using, and in both areas. Don't let traffic traverse area 100 or area 200, or even the backbone, just to be dropped at the ABRs. The ABRs are probably already busy.

If you use inbound ACLs you should be very careful if you cannot add a permit all at the end. If you deny communication between the particular IPs and permit everything else, you are done. If you do not want to add a permit all at the end, there exists the option to specify "permit ospf any any":

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#c10

Outbound ACLs are less dangerous, because traffic locally originated by the router itself (such as routing updates) is not subject to them.

There is another alternative with static routes to Null0 for 172.17.109.40 and 172.17.110.40 with mask 255.255.255.255 (host route) on the gateway of the area 100 prohibited devices. This will block traffic initiated by the area 100 devices. If you do not further add similar routes in the gateway of the area 200 prohibited devices, bidirectional communication will not be achieved, but some area 200 initiated traffic will reach area 100 devices.

M.

The case with the static routes to Null0 can get tricky if you are also using redistribution of statics into OSPF. Those externals should be filtered on the originating ASBR. I would go for the plain ACLs solution.

M.
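As an added example that is not part of the thread, here is what the ACL approach from the reply above looks like in IOS, written for the question's reading (only the two management stations may reach area 100) and placed inbound on the area-200 gateway's LAN interface, as the reply recommends. The Null0 host routes the reply mentions are shown afterwards in the reply's own reading (keep area-100 devices from initiating to the two hosts). The area-100 prefix 172.17.100.0/24, the interface name and the ACL name are assumptions; only the two host addresses and the OSPF process number come from the question.

```cisco
! Added example, not from the thread. Assumptions (hypothetical):
!   - area 100 devices live in 172.17.100.0/24
!   - GigabitEthernet0/1 is the area-200 gateway's interface toward
!     the management LANs (172.17.109.0/24, 172.17.110.0/24 assumed)
!
ip access-list extended AREA200-TO-AREA100
 remark OSPF first: an inbound ACL without this line drops hellos and
 remark LSAs from neighbours on this LAN and the adjacencies go down
 permit ospf any any
 remark Only the two management stations may reach area 100
 permit ip host 172.17.109.40 172.17.100.0 0.0.0.255
 permit ip host 172.17.110.40 172.17.100.0 0.0.0.255
 remark Everything else from this LAN toward area 100 is dropped here,
 remark before it crosses area 0, and logged
 deny   ip any 172.17.100.0 0.0.0.255 log
 remark Trailing permit: without it the implicit deny kills all other
 remark traffic from this LAN (SNMP, DNS, the management stations'
 remark own traffic to destinations outside area 100, ...)
 permit ip any any
!
interface GigabitEthernet0/1
 description Management LAN, OSPF process 700 area 200
 ip access-group AREA200-TO-AREA100 in
!
! The reply's alternative, in its reading (block the two hosts): on the
! gateway of the area-100 devices, host routes to Null0 remove any usable
! path to the two stations, so area-100 devices cannot initiate to them.
! Traffic the two stations initiate toward area 100 is still delivered,
! and, if "redistribute static" is configured, these /32s leak into OSPF
! as externals unless filtered on this ASBR.
ip route 172.17.109.40 255.255.255.255 Null0
ip route 172.17.110.40 255.255.255.255 Null0
```

Because the ACL sits inbound on the area-200 LAN interface, SNMP traps from area-100 devices to the management stations (area 100 to area 200) and the replies to the stations' own polls are untouched; only area-200 sources other than the two stations lose access to 172.17.100.0/24. Check the result with `show ip access-lists AREA200-TO-AREA100` (hit counters on the deny line) and `show ip ospf neighbor` on the gateway to confirm the adjacencies on that interface stayed up after the ACL was applied.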

rrijk
Level 1

You can use a distribute-list or a route-map to only allow 172.17.109.40 and 172.17.110.40 in area 100, but I'm also a sucker for the KISS principle (Keep It Simple, Stupid). So instead of rejecting or accepting routes, you can accept / reject traffic (with access lists).

Now you have two options:

1.) Block it on the ABR between area 200 and area 0.

2.) Block it on the ABR between area 100 and area 0.

If you expect most of the traffic you want to block to come from area 100, then put the ACL there. If you expect most of the traffic you want to block to come from area 200, put the ACL on the ABR in area 200.

This will save bandwidth in area 0 (no unwanted traffic is now travelling over area 0 to get dropped by the ABR on the other side).

regards,

RdR

I am a fan of the KISS rule, and not only when it comes to the network. Sometimes KISS fans exaggerate... However, limiting LSA propagation in OSPF is not a trivial task, so I think I am not exaggerating this time ;-)

Perhaps I was not quite clear in my initial answer. The ways you can limit LSA propagation or restrict routes entered in the routing table are very few and specific in OSPF, mainly because you would be interacting with the essence and the philosophy of the protocol. You can't just apply a distribute-list or a route-map anywhere and expect to filter the routes you want to filter.

http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q12

There are 4 ways I can think of to limit LSA propagation:

1) specialized area types

2) filtering of externals on the originating ASBR only

3) filtering of summaries on the originating ABR only

4) database filtering

You can also prevent OSPF routes from being added to the routing table by using inbound filtering.

What really matters above all in this particular case is to accomplish the goal of traffic filtering. The main purpose of the LSA propagation limiting features is not to block traffic, but to conserve network resources. Even preventing OSPF routes from being added to the routing table might not help. If a router does not have routes for all the destinations, this doesn't mean that traffic will not be properly forwarded by using another router that has more information. Reachability can still be maintained by the default routes your routers use.

If you decided to use any of the above features, you would have to get into deep thoughts, change configuration on many routers in some cases, and in the end you could find out that communication is still possible! Or you could find out that no one in the network can communicate with the particular hosts, so you may as well unplug them from the network ;-)

Routing can be hard sometimes, you know. I wouldn't mess with the routing protocol for the sake of a few hosts.

M.
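As an added example that is not part of the thread, the IOS form of the four LSA-limiting knobs listed in the reply above plus the inbound filter it mentions, each shown on the router role where it takes effect, with a comment on what it changes and what it leaves alone. Interface names, prefix-list and route-map names and the 172.17.100.0/24 prefix for area 100 are assumptions; the process number, area numbers and the two host addresses come from the question.

```cisco
! Added example, not from the thread. Names and 172.17.100.0/24 are
! hypothetical. Each section belongs on a different router.
!
! 1) Specialized area type. Must be configured on EVERY router in area
!    200; the ABR then withholds type-5 externals from the area and
!    injects a default route instead. That default is exactly what keeps
!    packets flowing toward area 100 even when no specific route exists.
router ospf 700
 area 200 stub
!
! 2) Filter externals on the originating ASBR only. Here the router that
!    holds the two Null0 host routes keeps them out of OSPF at the point
!    of redistribution; filtering them anywhere else is too late, the
!    type-5 LSAs are already flooded domain-wide.
ip prefix-list MGMT-HOST-ROUTES seq 5 permit 172.17.109.40/32
ip prefix-list MGMT-HOST-ROUTES seq 10 permit 172.17.110.40/32
route-map STATIC-INTO-OSPF deny 10
 match ip address prefix-list MGMT-HOST-ROUTES
route-map STATIC-INTO-OSPF permit 20
router ospf 700
 redistribute static subnets route-map STATIC-INTO-OSPF
!
! 3) Filter type-3 summaries on the originating ABR only. On the ABR
!    between area 200 and area 0, stop the management LANs from being
!    summarized out of area 200 ("out" = LSAs leaving this area). Area 0
!    and area 100 no longer learn the prefixes; area 200 is unaffected.
ip prefix-list AREA200-SUMMARIES seq 5 deny 172.17.109.0/24
ip prefix-list AREA200-SUMMARIES seq 10 deny 172.17.110.0/24
ip prefix-list AREA200-SUMMARIES seq 15 permit 0.0.0.0/0 le 32
router ospf 700
 area 200 filter-list prefix AREA200-SUMMARIES out
!
! 4) Database filtering. Stops ALL LSA flooding out of one interface,
!    not selected prefixes; the neighbour on that link keeps its
!    adjacency but learns nothing through it. A resource-saving knob
!    for special topologies, useless as a traffic filter.
interface GigabitEthernet0/2
 ip ospf database-filter all out
!
! 5) Inbound filtering. On an area-100 router, keep the management
!    LANs out of THIS router's routing table. The LSDB still carries the
!    LSAs and every other router still installs the routes, so a packet
!    that reaches a neighbour, or follows this router's default, still
!    gets delivered.
ip prefix-list NO-MGMT-LANS seq 5 deny 172.17.109.0/24
ip prefix-list NO-MGMT-LANS seq 10 deny 172.17.110.0/24
ip prefix-list NO-MGMT-LANS seq 15 permit 0.0.0.0/0 le 32
router ospf 700
 distribute-list prefix NO-MGMT-LANS in
```

To see the point the reply makes, apply 3) or 5), then run `show ip route 172.17.109.40` on an area-100 router: the lookup falls through to the default (or to another router's more specific route) rather than failing, and a ping still succeeds. Only an interface ACL actually discards the packet.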