How exactly does ospf "filter-list...in" work?

steven.crutchley · ‎09-09-2012

I have the following network:

All I wish to do is to apply a filter-list on R3 to stop 88.88.88.0/24 and 88.88.87.0/24 from getting into Area 62. These two networks are loopbacks that are being redistributed into OSPF using the redistribute connected command on R7. OSPF is running on all routers with (for the purposes of this question) all defaults. All neighborships are up and running.

I am putting the following commands into R3:

ip prefix-list BLOCK-88 seq 5 deny 88.88.0.0/16 ge 24 le 24

ip prefix-list BLOCK-88 seq 10 permit 0.0.0.0/0 le 32

router ospf 1

router-id 3.3.3.3

log-adjacency-changes

area 0 authentication message-digest

area 62 filter-list prefix BLOCK-88 in

network 10.62.0.0 0.0.255.255 area 62

network 172.16.0.0 0.0.255.255 area 0

But the OSPF database and routing table still has these Type LSAs and the routing table still has routes for these networks.

I have even tried setting my prefix-list to block EVERYTHING but still nothing seems to be getting filtered. I am guessing that I am getting something wrong with the syntax of the command but I cannot figure out what it is.

Can anyone help? Thanks in advance.

John Blakley · ‎09-09-2012

Steven,

I haven't labbed this, so I'm going off of what you've said. I believe the problem is that you're redistributing the routes as connected routes which means they're not type-3 lsas. Instead, you'll see that the 88.x.x.x networks are seen as external routes (type-5) in your ospf database. Try not redistributing, and instead only advertising the network into area 19 and I'm almost sure you'll see a different result. If not, I'll lab it up

HTH,

John

HTH, John *** Please rate all useful posts ***

Peter Paluch · ‎09-09-2012

John,

You beat me to it By the way, what do you think about tracking the routes I've suggested in the other thread?

Best regards,

Peter

John Blakley · ‎09-09-2012

I think it's awesome! I've never used that track command, so later on today I'm going to play with gns to see if I have any images that support it. I'll definitely let you know though

HTH, John *** Please rate all useful posts ***

Peter Paluch · ‎09-09-2012

Hello Steven,

If the networks in question are redistributed then the area filter-list command does not apply to them. This command applies only to intra-area and inter-area routes, or in other words, to networks for which LSAs are regenerated at ABRs. These networks are

intra-area routes from non-backbone routes as they are advertised into backbone area 0
intra-area and inter-area routes from backbone area 0 as they are advertised into non-backbone areas

This is caused by the fact that these networks are carried by LSA-3, and the LSA-3 are always reoriginated at ABRs. The LSA-5 are originated at ASBRs and other routers may not modify them. Therefore, an ABR cannot modify foreign LSA-5.

Best regards,

Peter

steven.crutchley · ‎09-09-2012

So you are saying the Type-5 (and I assuming Type-7 also) cannot be filtered using filter-lists precisely because they are external ASBR originating LSA....

Could I apply a filter-list on the router that does the redistribution? (R7 in this case)

Peter Paluch · ‎09-09-2012

Hi Steven,

So you are saying the Type-5 (and I assuming Type-7 also) cannot be  filtered using filter-lists precisely because they are external ASBR  originating LSA....

Correct. Remember a basic rule about OSPF: an LSA can be modified only by a router that has originated it. LSA-5 and LSA-7 are originated by ASBRs and are not reoriginated at any other router in the network. That means that no other router except the ASBR is allowed to perform their filtering.

Could I apply a filter-list on the router that does the redistribution? (R7 in this case)

No, it would not have any effect because this command applies only to networks carried in LSA-3. If you wanted to filter redistributed networks, you would either use a route-map during redistribution, or use the distribute-list out command.

Best regards,

Peter