For those who have forgotten how LSAs work between Areas, let us refresh your memory:
- Type 1 and 2 LSAs live within their own Areas to create the SPF Tree
- ABRs extract the Network / Subnet Mask information to create a Type 3 LSA, which they then flood into the other Area (Summary LSA in Database)
We cannot filter routes within an Area, because that breaks the SPF Tree rule that all OSPF routers in an Area must have matching LSDBs. However, there is a way to keep routes from propagating out of the Area by stopping the ABRs from creating Type 3 LSAs, and that is a Filter-List.
Now I’ve already written about Distribute-List vs Filter-List, but I’ll demonstrate both again as a quick refresher.
A distribute-list will allow the ABR to create the Type 3 LSA, but not create a route for it in its IP route table, while a filter-list will stop the Type 3 LSA from being created at all.
We will pick on 3.3.3.3, shown here in the output of “sh ip ospf data” (I have trimmed a LOT of output from other Areas and their Summary advertisements):
R1#sh ip ospf data
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
1.1.1.1 1.1.1.1 1795 0x80000001 0x0047EC
2.2.2.2 2.2.2.2 1460 0x80000001 0x00FA31
3.3.3.3 3.3.3.3 1514 0x80000001 0x00AE75
172.12.15.0 1.1.1.1 1532 0x80000003 0x0076F7
172.12.23.0 2.2.2.2 1406 0x80000003 0x00FF62
172.12.23.0 3.3.3.3 1461 0x80000003 0x00E17C
Also, “sh ip route ospf” to verify it’s a route:
R1#sh ip route ospf
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/65] via 172.12.123.2, 00:23:47, Serial0/0/0
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/65] via 172.12.123.3, 00:25:51, Serial0/0/0
172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA 172.12.23.0/24 [110/65] via 172.12.123.3, 00:25:51, Serial0/0/0
[110/65] via 172.12.123.2, 00:23:47, Serial0/0/0
R1#
So let’s get to work. First I will demonstrate it learning the Type 3 LSA but not creating a route, and then I will move on to it not creating the Type 3 (Summary) LSA at all.
Note that in the exam you may be asked to filter a route so the router DOES NOT KNOW ABOUT IT AT ALL. For this you will use a filter-list; otherwise the router will still know about the route via the Type 3 LSA.
That being said, let’s get cookin:
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip prefix-list KillTheWabbit seq 10 deny 3.3.3.3/32
R1(config)#ip prefix-list KillTheWabbit seq 20 permit 0.0.0.0/0
R1(config)#router ospf 1
R1(config-router)#distribute-list prefix KillTheWabbit in
R1(config-router)#do sh ip route ospf
Gateway of last resort is not set
R1(config-router)#
Well, that is not what I was expecting, let me try adjusting my prefix-list here a bit:
R1(config-router)#exit
R1(config)#no ip prefix-list KillTheWabbit seq 20 permit 0.0.0.0/0
R1(config)#ip prefix-list KillTheWabbit seq 20 permit 0.0.0.0/0 le 32
R1(config)#do sh ip route ospf
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/65] via 172.12.123.2, 00:00:14, Serial0/0/0
172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA 172.12.23.0/24 [110/65] via 172.12.123.3, 00:00:14, Serial0/0/0
[110/65] via 172.12.123.2, 00:00:14, Serial0/0/0
R1(config)#
Much better, just had to indicate that my default route is “less than or equal to any”, which still kind of confuses me with prefix-lists, but with all the information I’ve been absorbing over the last few months it’s hard to keep anything straight.
So what about our Summary LSAs for Area 0? I expect we still have that:
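The matching rule behind that fix, as an added example that is not part of the original post: a small Python model of how an IOS prefix-list entry is evaluated (no ge/le means the mask length must match exactly, first match wins, implicit deny at the end). The function names and tuple layout are assumptions made for illustration; the two lists mirror KillTheWabbit before and after the change.

```python
import ipaddress

def entry_matches(route, prefix, ge=None, le=None):
    """Test one route against one prefix-list entry, Cisco style."""
    r = ipaddress.ip_network(route)
    p = ipaddress.ip_network(prefix)
    # The route must sit inside the entry's prefix (leading bits agree).
    if not r.subnet_of(p):
        return False
    # With neither ge nor le, only the exact mask length matches.
    if ge is None and le is None:
        return r.prefixlen == p.prefixlen
    low = ge if ge is not None else p.prefixlen
    high = le if le is not None else 32
    return low <= r.prefixlen <= high

def evaluate(prefix_list, route):
    """First matching entry (lowest seq) decides; no match means deny."""
    for seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return action
    return "deny"  # implicit deny at the end of every prefix-list

# (seq, action, prefix, ge, le), mirroring the two versions on the page.
ORIGINAL = [(10, "deny", "3.3.3.3/32", None, None),
            (20, "permit", "0.0.0.0/0", None, None)]   # matches 0.0.0.0/0 only
FIXED = [(10, "deny", "3.3.3.3/32", None, None),
         (20, "permit", "0.0.0.0/0", None, 32)]        # matches every IPv4 prefix

# The three OSPF routes R1 held before any filtering (from "sh ip route ospf").
ROUTES = ["2.2.2.2/32", "3.3.3.3/32", "172.12.23.0/24"]

def surviving(prefix_list):
    """Routes the distribute-list would still let into the routing table."""
    return [r for r in ROUTES if evaluate(prefix_list, r) == "permit"]

if __name__ == "__main__":
    print("original:", surviving(ORIGINAL))
    print("fixed:   ", surviving(FIXED))
```

With the original list every route falls through to the implicit deny, which is why the routing table came back empty.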
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
1.1.1.1 1.1.1.1 566 0x80000002 0x0045ED
2.2.2.2 2.2.2.2 216 0x80000002 0x00F832
3.3.3.3 3.3.3.3 269 0x80000002 0x00AC76
172.12.15.0 1.1.1.1 308 0x80000004 0x0074F8
172.12.23.0 2.2.2.2 216 0x80000004 0x00FD63
172.12.23.0 3.3.3.3 269 0x80000004 0x00DF7D
We sure do, so let’s get that out of the Summary list on R1, but first I want to show you my mistake when configuring the Filter-List:
R1(config)#router ospf 1
R1(config-router)#no distribute-list prefix KillTheWabbit in
R1(config-router)#filter-list prefix KillTheWabbit in
^
% Invalid input detected at ‘^’ marker.
It needs “Area # …” prepended to the command, to make it more difficult to remember the syntax, because Cisco is out to get me. Anyways, I got the correct syntax here, so let’s take a look at whether I struck gold:
R1(config-router)#area 0 filter-list prefix KillTheWabbit in
R1(config-router)#do sh ip route ospf
Gateway of last resort is not set
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/65] via 172.12.123.2, 00:03:11, Serial0/0/0
3.0.0.0/32 is subnetted, 1 subnets
O IA 3.3.3.3 [110/65] via 172.12.123.3, 00:03:11, Serial0/0/0
172.12.0.0/16 is variably subnetted, 5 subnets, 2 masks
O IA 172.12.23.0/24 [110/65] via 172.12.123.3, 00:03:11, Serial0/0/0
[110/65] via 172.12.123.2, 00:03:11, Serial0/0/0
R1(config-router)#
Siiiiiiiiigh. This tells me immediately it has that Type 3 LSA, I don’t even need to look. So I know OSPF has some odd directional behaviors when typing in or out like “in”to an Area or “out” to an Area, so let me take this command one step at a time:
R1(config-router)#area 0 filter-list ?
prefix Filter prefixes between OSPF areas
R1(config-router)#area 0 filter-list prefix ?
WORD Name of an IP prefix-list
R1(config-router)#area 0 filter-list prefix KillTheWabbit ?
in Filter networks sent to this area
out Filter networks sent from this area
Ok, I see here, this router is acting as the filter into other Areas, but cannot filter it from being in Area 0. So that being said, let’s see how R5 feels about never knowing 3.3.3.3 existed!:
R5#sh ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O IA 1.1.1.1 [110/2] via 172.12.15.1, 00:51:34, FastEthernet0/1
2.0.0.0/32 is subnetted, 1 subnets
O IA 2.2.2.2 [110/66] via 172.12.15.1, 00:16:53, FastEthernet0/1
172.12.0.0/24 is subnetted, 3 subnets
O IA 172.12.23.0 [110/66] via 172.12.15.1, 00:16:53, FastEthernet0/1
O IA 172.12.123.0 [110/65] via 172.12.15.1, 00:51:34, FastEthernet0/1
R5#sh ip ospf data
OSPF Router with ID (5.5.5.5) (Process ID 1)
Router Link States (Area 15)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1191 0x80000006 0x001182 1
5.5.5.5 5.5.5.5 1109 0x80000004 0x001959 1
Net Link States (Area 15)
Link ID ADV Router Age Seq# Checksum
172.12.15.1 1.1.1.1 1191 0x80000002 0x0097BC
Summary Net Link States (Area 15)
Link ID ADV Router Age Seq# Checksum
1.1.1.1 1.1.1.1 1449 0x80000002 0x0045ED
2.2.2.2 1.1.1.1 1028 0x80000001 0x009B54
172.12.23.0 1.1.1.1 1028 0x80000001 0x00A483
172.12.123.0 1.1.1.1 1449 0x80000002 0x00487B
R5#
Now this is odd, not a trace of 3.3.3.3, but I filtered out on Area 0, let me look at R1 again:
R1(config-router)#do sh ip ospf data
OSPF Router with ID (1.1.1.1) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1298 0x80000003 0x00DAA3 1
2.2.2.2 2.2.2.2 1206 0x80000003 0x009CD8 1
3.3.3.3 3.3.3.3 1258 0x80000003 0x005E0E 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.12.123.1 1.1.1.1 1052 0x80000003 0x0025BD
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
1.1.1.1 1.1.1.1 1556 0x80000002 0x0045ED
2.2.2.2 2.2.2.2 1206 0x80000002 0x00F832
3.3.3.3 3.3.3.3 1258 0x80000002 0x00AC76
172.12.15.0 1.1.1.1 1298 0x80000004 0x0074F8
172.12.23.0 2.2.2.2 1206 0x80000004 0x00FD63
172.12.23.0 3.3.3.3 1258 0x80000004 0x00DF7D
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1556 0x80000002 0x00D152 1
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
2.2.2.2 1.1.1.1 1135 0x80000001 0x009B54
172.12.15.0 1.1.1.1 1298 0x80000004 0x0074F8
172.12.23.0 1.1.1.1 1135 0x80000001 0x00A483
172.12.123.0 1.1.1.1 1556 0x80000002 0x00487B
Router Link States (Area 15)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1298 0x80000006 0x001182 1
5.5.5.5 5.5.5.5 1218 0x80000004 0x001959 1
Net Link States (Area 15)
Link ID ADV Router Age Seq# Checksum
172.12.15.1 1.1.1.1 1298 0x80000002 0x0097BC
Summary Net Link States (Area 15)
Link ID ADV Router Age Seq# Checksum
1.1.1.1 1.1.1.1 1556 0x80000002 0x0045ED
2.2.2.2 1.1.1.1 1135 0x80000001 0x009B54
172.12.23.0 1.1.1.1 1135 0x80000001 0x00A483
172.12.123.0 1.1.1.1 1556 0x80000002 0x00487B
R1(config-router)#
Ooooook, now I get it, it doesn’t prevent it from creating the route, but it prevents it from creating Type 3 LSAs in any other Areas, as seen above under “Summary”.
So what happens then if I put “in” at the end, anything? I’ll spare the output, but it did nothing at all. I assume this would need to be configured on the source, R3, so let’s go do that quickly to prove it beyond reasonable doubt and so I can keep my sanity:
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip prefix-list KillTheRoute seq 10 deny 3.3.3.3/32
R3(config)#ip prefix-list KillTheRoute seq 20 permit 0.0.0.0/0 le 32
R3(config)#router ospf 1
R3(config-router)#area 0 filter-list prefix KillTheRoute out
R3(config-router)#
ASR#1
[Resuming connection 1 to r1 … ]
R1(config)#do sh ip ospf data
OSPF Router with ID (1.1.1.1) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1725 0x80000003 0x00DAA3 1
2.2.2.2 2.2.2.2 1633 0x80000003 0x009CD8 1
3.3.3.3 3.3.3.3 1686 0x80000003 0x005E0E 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.12.123.1 1.1.1.1 1479 0x80000003 0x0025BD
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
1.1.1.1 1.1.1.1 1983 0x80000002 0x0045ED
2.2.2.2 2.2.2.2 1633 0x80000002 0x00F832
3.3.3.3 3.3.3.3 1686 0x80000002 0x00AC76 <- WTF
172.12.15.0 1.1.1.1 1725 0x80000004 0x0074F8
172.12.23.0 2.2.2.2 1633 0x80000004 0x00FD63
172.12.23.0 3.3.3.3 1686 0x80000004 0x00DF7D
OOoooooh:
R1(config-router)#area 0 filter-list prefix KillTheWabbit ?
in Filter networks sent to this area
out Filter networks sent from this area
So let’s try one more time from R3:
R3(config-router)#no area 0 filter-list prefix KillTheRoute out
R3(config-router)#area 3 filter-list prefix KillTheRoute out
R3(config-router)#
ASR#1
[Resuming connection 1 to r1 … ]
R1(config)#do sh ip ospf data
OSPF Router with ID (1.1.1.1) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1945 0x80000003 0x00DAA3 1
2.2.2.2 2.2.2.2 1853 0x80000003 0x009CD8 1
3.3.3.3 3.3.3.3 1906 0x80000003 0x005E0E 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.12.123.1 1.1.1.1 1700 0x80000003 0x0025BD
Summary Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
1.1.1.1 1.1.1.1 215 0x80000003 0x0043EE
2.2.2.2 2.2.2.2 1853 0x80000002 0x00F832
172.12.15.0 1.1.1.1 1945 0x80000004 0x0074F8
172.12.23.0 2.2.2.2 1853 0x80000004 0x00FD63
172.12.23.0 3.3.3.3 1906 0x80000004 0x00DF7D
Router Link States (Area 1)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 215 0x80000003 0x00CF53 1
Summary Net Link States (Area 1)
Link ID ADV Router Age Seq# Checksum
2.2.2.2 1.1.1.1 1782 0x80000001 0x009B54
172.12.15.0 1.1.1.1 1945 0x80000004 0x0074F8
172.12.23.0 1.1.1.1 1782 0x80000001 0x00A483
172.12.123.0 1.1.1.1 215 0x80000003 0x00467C
Router Link States (Area 15)
Link ID ADV Router Age Seq# Checksum Link count
1.1.1.1 1.1.1.1 1945 0x80000006 0x001182 1
5.5.5.5 5.5.5.5 1865 0x80000004 0x001959 1
Net Link States (Area 15)
Link ID ADV Router Age Seq# Checksum
–More–
Tadaaaaa!
So for Filter-Lists and defining the Area, “in” means to filter any Type 3 LSAs being sent from the local router to other Areas attached if it’s an ABR, whereas for “out” you will want to define the Area in which the route resides, and of course that means on that local Router.
It will still populate the Type 1 LSAs within its Area, nothing stops that, not even the Terminator from Part 2 when he has the mini-gun, but it will stop it from propagating the Type 3 LSA throughout other networks.
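The four filter-list attempts above replayed in a small model, as an added example that is not part of the original post. It applies the CLI help text literally (“in” = networks sent to this area, “out” = networks sent from this area) to the prefixes each ABR reaches per area; the per-area prefix lists are reconstructed from the show output, and the function names and the /24 mask on 172.12.15.0 are assumptions.

```python
def type3_lsas(learned, filters=None):
    """Model which Type 3 LSAs an ABR originates into each attached area.

    learned: {area: [prefixes the ABR reaches through that area]}
    filters: {(area, "in" | "out"): permit_fn}, one per area filter-list.
    """
    filters = filters or {}
    allow_all = lambda prefix: True
    originated = {area: [] for area in learned}
    for src, prefixes in learned.items():
        out_ok = filters.get((src, "out"), allow_all)    # sent FROM src
        for dst in learned:
            if dst == src:
                continue          # nothing is summarised back into its own area
            in_ok = filters.get((dst, "in"), allow_all)  # sent TO dst
            originated[dst] += [p for p in prefixes if out_ok(p) and in_ok(p)]
    return originated

def kill_3333(prefix):
    """Stand-in for the page's prefix-lists: deny 3.3.3.3/32, permit the rest."""
    return prefix != "3.3.3.3/32"

# Constructed from the page's output. Non-backbone areas hold only their own
# intra-area prefixes, so the "inter-area routes come from the backbone" rule
# is respected without extra code.
R1 = {0: ["2.2.2.2/32", "3.3.3.3/32", "172.12.23.0/24", "172.12.123.0/24"],
      1: ["1.1.1.1/32"],
      15: ["172.12.15.0/24"]}
# The area holding 172.12.23.0 on R3 is not named on the page, so it is left out.
R3 = {0: ["1.1.1.1/32", "2.2.2.2/32", "172.12.15.0/24", "172.12.123.0/24"],
      3: ["3.3.3.3/32"]}

def advertised(learned, filters, area, prefix="3.3.3.3/32"):
    """True if the ABR still originates a Type 3 LSA for prefix into area."""
    return prefix in type3_lsas(learned, filters)[area]

if __name__ == "__main__":
    attempts = [("R1 area 0 in ", R1, (0, "in"), 15),
                ("R1 area 0 out", R1, (0, "out"), 15),
                ("R3 area 0 out", R3, (0, "out"), 0),
                ("R3 area 3 out", R3, (3, "out"), 0)]
    for name, abr, key, area in attempts:
        seen = advertised(abr, {key: kill_3333}, area)
        print(f"{name}: 3.3.3.3/32 in Area {area} summaries -> {seen}")
```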
That is all I have to say about that, as I have a lot of ground to cover to finish OSPF tonight and move onto… everything else!