Beginner

OSPF Filtering routes

Hello,


I am trying to figure out a way to filter inbound routes. I want to allow almost all other routes in, except the default route. That one needs to stay local to the router itself. This connection is also connected via IPSec.


The basic design of what this router is going to be is a backup connection router. I have 26 routers out in the field. The field router is running BGP talking to an ISP provider router. It also has a fallback static route in case the primary circuit goes down to connect to a wireless backup. We have found that wireless backup solution to be flaky, so we came up with our own. We are also trying to make this as simple to deploy as possible, so that in the event of a sudden outage someone who isn't familiar with networking can take it out and just plug it in and go. I am trying to make it so that the only things that need to be changed on this hot device are the interface IP address and the static routes to the device behind it, and that's it.


I tried to create a prefix list and filter inbound routes, but the best I can find is that it allows all routes in, messing with the default and breaking the VPN tunnel.


Even trying to filter some particular subnets out, it seems that the filtering does not work.  I had to do a hard coded static route to keep the internet and the VPN tunnel alive.  The routes in the prefix list are the only ones I want to allow in the Routing table.  All other networks are not important for this particular router.   In fact, I want to redistribute Static routes outbound as well as this router will be hooked up to another router.

 

Attachment 1 is the Config file and Attachment 2 is the sh Ip Route.

 

Any pointers in the right direction would be greatly appreciated. 

Cisco Employee

Re: OSPF Filtering routes

Hi David,

 

Glancing through the configuration, it looks like you are using "area x filter" command. This is applicable for ABR to filter Type-3 LSA between areas. Within the same area, we cannot filter the LSA. But you can use distribute-list to filter the prefixes to be installed in your RIB table (from OSPF database).

 

If your intention is to filter the default route from RIB installation, try using distribute-list.

 

-Nagendra

Beginner

Re: OSPF Filtering routes

Hi Nagendra,

 

I tried that too but it didn't work. It either allowed all the routes or none. I need to specifically filter out the default route and when I use 0.0.0.0/0 it filters out all routes because it covers the Class A, B, and C private range. Do I need to do the allow first for the private Class A, B, and C range and then deny 0.0.0.0/0?

Engager

Re: OSPF Filtering routes

Hi,

first you need to deny the default-route explicitly and then allow all other routes.

Something like this should do the trick:


ip prefix-list TEST seq 10 deny 0.0.0.0/0
ip prefix-list TEST seq 20 permit 0.0.0.0/0 ge 1
!
router ospf 1
 distribute-list prefix TEST in
!


HTH

Rolf

Beginner

Re: OSPF Filtering routes

That did the trick. 

 

I would like to learn more about ge and le though. Do you have any guides or information handy?

 

It seems that in order to filter out specific subnets or blocks, I am going to either have to use ge or le and some number to accomplish that. For instance, I want to filter out 12.0.0.0/8, but putting that in by itself doesn't seem to work. Same with 172.29.0.0/16.

Engager

Re: OSPF Filtering routes

I like the explanations here:

http://www.itcertnotes.com/2011/03/cisco-ios-prefix-list.html

Feel free to ask further if it doesn't answer your questions adequately.

 

P.S.:

Actually, the PL should even work without denying the default-route:

 

ip prefix-list TEST seq 10 permit 0.0.0.0/0 ge 1

 

=> ge 1 does not include the /0 default prefix and there is always an implicit deny all at the end of the list.
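
The ge/le matching rules discussed in this thread, as an added example that is not part of any post: a small Python model of how an IOS prefix list is evaluated (first match wins, implicit deny at the end). The lists EXACT and COVER and all sample routes are constructed for illustration; they show why a bare 12.0.0.0/8 entry matches only the exact /8 and lets its subnets through.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny P/L [ge X] [le Y]'."""
    tok = line.split()
    seq, action, net = int(tok[4]), tok[5], ipaddress.ip_network(tok[6])
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))
    ge, le = opts.get("ge"), opts.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen              # no ge/le: exact length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else net.max_prefixlen
    return seq, action, net, lo, hi

def evaluate(lines, route):
    """Return 'permit' or 'deny' for a route, as the prefix list would."""
    route = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in sorted(map(parse_entry, lines),
                                           key=lambda e: e[0]):
        # Match = route lies inside the entry's prefix AND its own
        # mask length falls in the [lo, hi] window.
        if route.network_address in net and lo <= route.prefixlen <= hi:
            return action
    return "deny"                            # implicit deny at end of list

# The list from the accepted answer, and the one-line variant from the P.S.
TEST = ["ip prefix-list TEST seq 10 deny 0.0.0.0/0",
        "ip prefix-list TEST seq 20 permit 0.0.0.0/0 ge 1"]
SHORT = ["ip prefix-list TEST seq 10 permit 0.0.0.0/0 ge 1"]

# Constructed lists (hypothetical names) for the 12.0.0.0/8 follow-up question.
EXACT = ["ip prefix-list EXACT seq 10 deny 12.0.0.0/8",
         "ip prefix-list EXACT seq 20 permit 0.0.0.0/0 le 32"]
COVER = ["ip prefix-list COVER seq 10 deny 12.0.0.0/8 le 32",
         "ip prefix-list COVER seq 20 permit 0.0.0.0/0 le 32"]

if __name__ == "__main__":
    # Constructed sample routes, not taken from the attached 'sh ip route'.
    for name, pl in [("TEST", TEST), ("SHORT", SHORT),
                     ("EXACT", EXACT), ("COVER", COVER)]:
        for r in ["0.0.0.0/0", "10.1.2.0/24", "12.0.0.0/8", "12.34.0.0/16"]:
            print(f"{name:5} {r:15} -> {evaluate(pl, r)}")
```
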

 
