OSPF Filtering routes

David Lee
Level 1

Hello,

I am trying to figure out a way to filter inbound routes. I want to allow almost all other routes in, except the Default Route. That one needs to stay local to the router itself. This connection is also connected via IPSec.

The basic design of what this router is going to be is a Backup Connection router. I have 26 routers out in the field. The field router is running BGP talking to an ISP provider router. It also has a fall back static route in case the primary circuit goes down to connect to a wireless backup. We have found that wireless backup solution to be flaky, so we came up with our own. We are also trying to make this simple to deploy in the event of a sudden outage, so that someone who isn't familiar with networking can take it out and just plug it in and go. I am trying to make it so that the only things that need to be changed on this hot device are the interface IP address and the static routes to the device behind it, and that's it.

I tried to create a prefix list and filter inbound routes but the best I can find is that it allows all routes in, messing with the default and breaking the VPN tunnel.

Even trying to filter some particular subnets out, it seems that the filtering does not work. I had to do a hard coded static route to keep the internet and the VPN tunnel alive. The routes in the prefix list are the only ones I want to allow in the Routing table. All other networks are not important for this particular router. In fact, I want to redistribute Static routes outbound as well as this router will be hooked up to another router.

Attachment 1 is the Config file and Attachment 2 is the sh Ip Route.

Any pointers in the right direction would be greatly appreciated.

Nagendra Kumar Nainar
Cisco Employee

Hi David,

Glancing through the configuration, it looks like you are using the area x filter command. This is applicable for an ABR to filter Type-3 LSAs between areas. Within the same area, we cannot filter the LSA. But you can use distribute-list to filter the prefixes to be installed in your RIB table (from the OSPF database).

If your intention is to filter the default route from RIB installation, try using distribute-list.

-Nagendra

Hi Nagendra,

I tried that too but it didn't work. It either allowed all the routes or none. I need to specifically filter out the default route, and when I use 0.0.0.0/0 it filters out all routes because it covers the Class A, B, and C Private range. Do I need to do the allow first for the Private Class A, B, and C range and then deny 0.0.0.0/0?

Hi,

First you need to deny the default-route explicitly and then allow all other routes.

Something like this should do the trick:

ip prefix-list TEST seq 10 deny 0.0.0.0/0
ip prefix-list TEST seq 20 permit 0.0.0.0/0 ge 1
!
router ospf 1
 distribute-list prefix TEST in
!

HTH

Rolf

That did the trick.

I would like to learn more about ge and le though. Do you have any guides or information handy?

It seems that in order to filter out specific subnets or blocks, I am going to either have to use ge or le and some number to accomplish that. For instance, I want to filter out 12.0.0.0/8, but putting that in by itself doesn't seem to work. Same with 172.29.0.0/16.

I like the explanations here:

http://www.itcertnotes.com/2011/03/cisco-ios-prefix-list.html

Feel free to ask further if it doesn't answer your questions adequately.

P.S.:

Actually, the PL should even work without denying the default-route:

ip prefix-list TEST seq 10 permit 0.0.0.0/0 ge 1

=> ge 1 does not include the /0 default prefix and there is always an implicit deny all at the end of the list.
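
Added example (not part of the original thread, and not Cisco code): a small Python model of IOS prefix-list matching that evaluates the two lists posted above and shows why a bare deny 12.0.0.0/8 misses the subnets inside that block. The list names EXACT and BLOCKS and the sample routes are constructed for illustration.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/LEN [ge X] [le Y]'."""
    tok = line.split()
    action, net = tok[5], ipaddress.ip_network(tok[6])
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))
    if opts:
        # ge only -> ge..32, le only -> LEN..le, both -> ge..le
        lo, hi = opts.get("ge", net.prefixlen), opts.get("le", 32)
    else:
        # no ge/le: only the exact prefix length matches
        lo = hi = net.prefixlen
    return action, net, lo, hi

def evaluate(prefix_list, route):
    """Return 'permit' or 'deny'; the first matching entry wins."""
    r = ipaddress.ip_network(route)
    for line in prefix_list:
        action, net, lo, hi = parse_entry(line)
        # the route must sit inside the entry's prefix AND its length must be in range
        if r.subnet_of(net) and lo <= r.prefixlen <= hi:
            return action
    return "deny"  # implicit deny at the end of every prefix-list

# Lists taken from the thread
TEST = ["ip prefix-list TEST seq 10 deny 0.0.0.0/0",
        "ip prefix-list TEST seq 20 permit 0.0.0.0/0 ge 1"]
PS_ONLY = ["ip prefix-list TEST seq 10 permit 0.0.0.0/0 ge 1"]
# Constructed lists (hypothetical names) for the 12.0.0.0/8 and 172.29.0.0/16 question
EXACT_ONLY = ["ip prefix-list EXACT seq 10 deny 12.0.0.0/8",
              "ip prefix-list EXACT seq 20 permit 0.0.0.0/0 ge 1"]
BLOCKS = ["ip prefix-list BLOCKS seq 10 deny 12.0.0.0/8 le 32",
          "ip prefix-list BLOCKS seq 20 deny 172.29.0.0/16 le 32",
          "ip prefix-list BLOCKS seq 30 permit 0.0.0.0/0 ge 1"]
# Constructed sample routes
ROUTES = ["0.0.0.0/0", "10.1.0.0/16", "12.0.0.0/8", "12.34.56.0/24", "172.29.8.0/24"]

def table(prefix_list):
    """Map every sample route to the action the list would take on it."""
    return {route: evaluate(prefix_list, route) for route in ROUTES}

if __name__ == "__main__":
    for name, pl in [("TEST", TEST), ("PS_ONLY", PS_ONLY),
                     ("EXACT_ONLY", EXACT_ONLY), ("BLOCKS", BLOCKS)]:
        print(name, table(pl))
```

With EXACT_ONLY the 12.34.56.0/24 route is still permitted, because an entry without ge or le matches only the exact /8; adding le 32, as in BLOCKS, covers every longer prefix inside the block.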

 
