- Different ways to filter OSPF routes (LSAs and RIB entries):
1. Filter list - An ABR can filter the network addresses advertised in type 3 LSAs either into or out of an area.
- Filters type 3 LSAs at the point where the ABR would normally create them.
command set:
- 1st line: matches 192.168.1.0/24 exactly and denies it
- 2nd line: permits everything else (any prefix with a length up to /32)
ip prefix-list LIST1 seq 10 deny 192.168.1.0/24
ip prefix-list LIST1 seq 20 permit 0.0.0.0/0 le 32
- Filters prefixes leaving (coming out of) area 0 that match the prefix-list
- This applies to all other areas the local router is connected to
- Filters prefixes sent into area 25, i.e. don't send 192.168.1.0/24 into area 25
- Does the same filtering as above, but only for area 25
router ospf 1
area 0 filter-list prefix LIST1 out
area 25 filter-list prefix LIST1 in
In-lists: filter LSAs before they are sent into an area.
Out-lists: filter LSAs leaving an area, which prevents those LSAs from entering any other area attached to that router.
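The prefix-list and filter-list behaviour described above, as an added worked example (this is not code from the original notes): a small evaluator for Cisco-style ip prefix-list entries, applied to an ABR attached to areas 0, 25 and a constructed third area 30. The area prefixes, area 30 and the helper names (parse_prefix_lists, evaluate, lookup, type3_advertised) are assumptions made for the example; the prefix-list semantics modelled (seq order, first match wins, implicit deny, exact length unless ge/le is given) are standard IOS behaviour.

```python
# Added example, not from the original notes: evaluator for "ip prefix-list"
# entries and for the "area <id> filter-list prefix <name> in|out" directions.
# Semantics modelled: entries are tried in seq order, first match wins, implicit
# deny at the end; an entry without ge/le matches only the exact prefix length;
# "le N" allows lengths from the entry's own length up to N.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

@dataclass
class PrefixEntry:
    seq: int
    action: str          # "permit" or "deny"
    prefix: IPv4Net
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net: IPv4Net) -> bool:
        # The candidate's network bits must fall inside the entry's prefix ...
        if not net.subnet_of(self.prefix):
            return False
        # ... and its length must lie in the window ge/le define.
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = self.prefix.prefixlen   # no ge/le: exact length only
        return lo <= net.prefixlen <= hi

def parse_prefix_lists(config: str) -> Dict[str, List[PrefixEntry]]:
    """Parse 'ip prefix-list NAME seq N permit|deny PFX [ge X] [le Y]' lines."""
    lists: Dict[str, List[PrefixEntry]] = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        name, seq, action = tok[2], int(tok[4]), tok[5]
        prefix = ipaddress.ip_network(tok[6], strict=False)
        opts = dict(zip(tok[7::2], tok[8::2]))        # e.g. {"le": "32"}
        lists.setdefault(name, []).append(PrefixEntry(
            seq, action, prefix,
            int(opts["ge"]) if "ge" in opts else None,
            int(opts["le"]) if "le" in opts else None))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists

def evaluate(entries: List[PrefixEntry], net: IPv4Net) -> str:
    """First matching entry decides; no match means the implicit deny."""
    for e in entries:
        if e.matches(net):
            return e.action
    return "deny"

# The prefix-list from the notes (seq 20 is the catch-all).
LIST1_CONFIG = """
ip prefix-list LIST1 seq 10 deny 192.168.1.0/24
ip prefix-list LIST1 seq 20 permit 0.0.0.0/0 le 32
"""
PREFIX_LISTS = parse_prefix_lists(LIST1_CONFIG)

def lookup(name: str, prefix: str) -> str:
    return evaluate(PREFIX_LISTS[name], ipaddress.ip_network(prefix))

# Constructed intra-area prefixes per area on an ABR attached to areas 0, 25, 30.
AREA_PREFIXES: Dict[int, List[IPv4Net]] = {
    0:  [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/24")],
    25: [ipaddress.ip_network("172.16.25.0/24")],
    30: [ipaddress.ip_network("192.168.1.128/25"), ipaddress.ip_network("10.30.0.0/16")],
}

# (direction, area, prefix-list name) for "area <id> filter-list prefix <name> in|out".
FilterList = Tuple[str, int, str]
NOTES_FILTERS: List[FilterList] = [("out", 0, "LIST1"), ("in", 25, "LIST1")]

def type3_advertised(src: int, dst: int, filters: List[FilterList]) -> List[str]:
    """Prefixes from area src that the ABR originates as type 3 LSAs into area dst.
    An 'out' list on src applies to every destination area; an 'in' list on dst
    applies whatever the source area is."""
    result = []
    for net in AREA_PREFIXES[src]:
        blocked = any(
            evaluate(PREFIX_LISTS[name], net) == "deny"
            for direction, area, name in filters
            if (direction == "out" and area == src) or (direction == "in" and area == dst))
        if not blocked:
            result.append(str(net))
    return result

if __name__ == "__main__":
    for s, d in [(0, 25), (0, 30), (30, 25), (30, 0)]:
        print(f"area {s} -> area {d}: {type3_advertised(s, d, NOTES_FILTERS)}")
```

Note that 192.168.1.128/25 from area 30 passes LIST1: seq 10 has no ge/le, so it matches the /24 only, and the /25 falls through to the permit at seq 20. The out-list on area 0 stops 192.168.1.0/24 towards both area 25 and area 30, whereas the in-list on area 25 alone leaves area 30 unfiltered.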
2. Distribute-list - Note that a distribute-list ONLY blocks routes from entering the LOCAL RIB; it DOES NOT stop LSA propagation, so the route is still in the OSPF database.
- filters what ends up in the IP routing table.
- Using a distribute-list out has NO effect within an OSPF area, since all routers in an area must have the same database.
- With a route-map, the following 'match route-type' criteria can be used with OSPF:
a. external - external route (BGP, EIGRP and OSPF type 1/2)
b. internal - internal route (including OSPF intra-area/inter-area)
c. local - locally generated route
d. nssa-external - NSSA external route (OSPF type 1/2)
Rules governing the distribute-list:
1. A distribute-list can be used only for inbound filtering, because filtering outbound OSPF information would mean filtering LSAs, not routes.
2. The inbound logic does not filter inbound LSAs; instead it filters the routes that SPF chooses.
3. If the distribute-list includes an interface, that interface is checked as if it were the outgoing interface of the route.
command sets:
- This filter applies ONLY to routes entered into the local RIB
- This stops 192.168.1.0/24 from entering the RIB, but it's still in the LSA-DB
- Syntax: distribute-list {acl | prefix name | route-map name} in [interface]
ip prefix-list LIST1 seq 10 deny 192.168.1.0/24
ip prefix-list LIST1 seq 20 permit 0.0.0.0/0 le 32
!
router ospf 1
distribute-list prefix LIST1 in
- The same filter restricted to routes whose outgoing interface is s0/0:
router ospf 1
distribute-list prefix LIST1 in s0/0
using a route-map:
i.e. R5------------R2--192.168.1.0/24
RID = 2.2.2.2 (R2)
- Clause 10 denies 192.168.1.0 only when it is learned from route source 2.2.2.2 (both match statements must match); clause 20 permits everything else
access-list 1 permit 192.168.1.0
access-list 2 permit 2.2.2.2
!
route-map denyroute deny 10
match ip address 1
match ip route-source 2
route-map denyroute permit 20
!
router ospf 1
distribute-list route-map denyroute in
3. Distance command.
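Both the route-map distribute-list configured above and the distance command covered in this section decide what SPF installs in the local RIB without touching the OSPF database. The following added example (not code from the original notes) models that: standard ACL wildcard matching, route-map clause evaluation (all match statements in a clause must match, clauses in sequence order, implicit deny), a distance 255 entry that keeps a route out of the RIB, and the resulting RIB next to an untouched LSDB. R2 with RID 2.2.2.2 and 192.168.1.0/24 come from the notes; R3 (RID 3.3.3.3), the other prefixes, ACL 99's contents and the helper names (acl_permits, route_map_permits, build_rib, permitted) are assumptions made for the example.

```python
# Added example, not from the original notes: what "distribute-list route-map ...
# in" and "distance <weight> <source> <wildcard> [acl]" do to the local RIB while
# the OSPF database keeps every route.
# Semantics modelled (standard IOS behaviour): a standard ACL entry matches one
# address exactly (wildcard 0.0.0.0); every match statement in a route-map clause
# must match (AND); clauses are tried in sequence order; a route matching no
# clause is implicitly denied; a route whose distance is 255 is never installed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    source: str             # advertising router ID the route was learned from
    distance: int = 110     # default OSPF administrative distance

def _wild_match(addr: str, ref: str, wildcard: str) -> bool:
    """Cisco wildcard compare: bits set to 1 in the wildcard are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(ref)) & care)

# Standard ACLs: name -> [(action, address, wildcard)], implicit deny at the end.
AclEntry = Tuple[str, str, str]
ACLS: Dict[str, List[AclEntry]] = {
    "1":  [("permit", "192.168.1.0", "0.0.0.0")],   # access-list 1 permit 192.168.1.0
    "2":  [("permit", "2.2.2.2", "0.0.0.0")],       # access-list 2 permit 2.2.2.2
    "99": [("permit", "172.16.3.0", "0.0.0.0")],    # constructed; used by the distance command
}

def acl_permits(acl: List[AclEntry], addr: str) -> bool:
    for action, ref, wildcard in acl:
        if _wild_match(addr, ref, wildcard):
            return action == "permit"
    return False

# route-map denyroute from the notes: (seq, action, {match type: acl name})
RouteMap = List[Tuple[int, str, Dict[str, str]]]
DENYROUTE: RouteMap = [
    (10, "deny",   {"ip address": "1", "ip route-source": "2"}),
    (20, "permit", {}),
]

def route_map_permits(rmap: RouteMap, route: Route) -> bool:
    for _seq, action, matches in sorted(rmap, key=lambda c: c[0]):
        clause_ok = all(
            acl_permits(ACLS[acl],
                        str(route.prefix.network_address) if kind == "ip address" else route.source)
            for kind, acl in matches.items())
        if clause_ok:                       # an empty match set matches everything
            return action == "permit"
    return False

# distance <weight> <source> <wildcard> [acl]; constructed to use R3 as the source.
DistanceCmd = Tuple[int, str, str, Optional[str]]
DISTANCE_CMDS: List[DistanceCmd] = [(255, "3.3.3.3", "0.0.0.0", "99")]

# Constructed OSPF database contents as seen on R5.
LSDB: List[Route] = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "2.2.2.2"),
    Route(ipaddress.ip_network("10.2.2.0/24"), "2.2.2.2"),
    Route(ipaddress.ip_network("172.16.3.0/24"), "3.3.3.3"),
]

def build_rib(lsdb: List[Route], rmap: RouteMap, distance_cmds: List[DistanceCmd]) -> List[Route]:
    """Routes SPF would install after the distribute-list and distance commands."""
    rib = []
    for r in lsdb:
        if not route_map_permits(rmap, r):
            continue                                    # dropped by distribute-list ... in
        dist = r.distance
        for weight, src, wildcard, acl in distance_cmds:
            if _wild_match(r.source, src, wildcard) and (
                    acl is None or acl_permits(ACLS[acl], str(r.prefix.network_address))):
                dist = weight
        if dist < 255:                                  # 255 means "do not install"
            rib.append(Route(r.prefix, r.source, dist))
    return rib

def rib_prefixes(rib: List[Route]) -> List[str]:
    return [str(r.prefix) for r in rib]

def permitted(prefix: str, source: str) -> bool:
    """Check one route against route-map denyroute."""
    return route_map_permits(DENYROUTE, Route(ipaddress.ip_network(prefix), source))

if __name__ == "__main__":
    print("LSDB:", [str(r.prefix) for r in LSDB])
    print("RIB :", rib_prefixes(build_rib(LSDB, DENYROUTE, DISTANCE_CMDS)))
```

The same 192.168.1.0/24 learned from a different route source (here the constructed 3.3.3.3) passes clause 10, because only one of its two match statements matches, and is permitted by clause 20; this is the AND behaviour the route-map relies on. The LSDB list is never shortened by either mechanism.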
command sets:
- Assigns admin distance 255 (so the route is not installed) to routes matching ACL 99 learned from source 192.168.1.5
- Changes the distance of OSPF routes by route type
distance 255 192.168.1.5 0.0.0.0 99
distance ospf {external | inter-area | intra-area} <distance>
4. Area range command - another way to prevent an ABR from creating specific type 3 LSAs.
- suppresses LSA types 1, 2 and 3 (the more-specifics are replaced by one summary)
- is used to filter type 3 LSAs between areas
command sets:
- Disables creation of the Null0 (discard) route when using the area range command
no discard-route
- Specifies the area to which the summary address belongs
area 15 range 10.0.0.0 255.0.0.0 [advertise | not-advertise] [cost <cost>]
- [advertise] (default): generate the type 3 LSA for the range that covers the more-specifics
- [not-advertise]: do NOT advertise the range or its more-specifics; hides the summary (does the filtering function as well)
- [cost]: user-specified metric for this range
5. Summarization - suppresses LSA types 5 and 7.
Use the "summary-address" command on an NSSA ABR for external prefix filtering.
- used for external routes learned via redistribution.
command sets:
- Summarizes type 5 and type 7 LSAs
- Any more-specifics within the range are suppressed
- The not-advertise keyword functions as a filter: the range is not advertised to other areas at all
router ospf 1
summary-address 160.1.60.0 255.255.255.0 not-advertise
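The area range behaviour from section 4 and the summary-address behaviour from section 5 share one rule: prefixes inside the range are suppressed, one summary takes their place, and not-advertise hides the whole range. The following added example (not code from the original notes) models that rule for both commands, including the discard route that an advertised summary installs unless it is disabled. The area 15 prefixes and costs are constructed sample data, the helper names (parse_range, summarize, advertised_prefixes) are assumptions, and the default summary cost (highest component cost, overridden by the cost keyword) is an assumption about IOS defaults.

```python
# Added example, not from the original notes: what "area <id> range" on an ABR and
# "summary-address" on an ASBR do with the prefixes inside a range.
# Behaviour modelled: more-specifics inside the range are suppressed and one
# summary is advertised in their place; with not-advertise nothing from the range
# leaves the router; an advertised summary also installs a discard (Null0) route
# unless that is disabled. ASSUMPTION: the summary cost defaults to the highest
# component cost and the "cost" keyword overrides it.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

@dataclass
class RangeCmd:
    summary: IPv4Net
    area: Optional[int]          # None for summary-address (not area specific)
    advertise: bool = True       # "not-advertise" sets this to False
    cost: Optional[int] = None   # "cost <n>" keyword

@dataclass
class Summary:
    prefix: IPv4Net
    cost: int
    discard_route: bool          # Null0 route installed locally for this LSA

def parse_range(line: str) -> RangeCmd:
    """Accepts 'area 15 range 10.0.0.0 255.0.0.0 [advertise|not-advertise] [cost N]'
    or 'summary-address 160.1.60.0 255.255.255.0 [not-advertise]'."""
    tok = line.split()
    i = tok.index("range") if "range" in tok else tok.index("summary-address")
    net = ipaddress.ip_network(f"{tok[i + 1]}/{tok[i + 2]}", strict=False)
    rest = tok[i + 3:]
    cmd = RangeCmd(net, int(tok[1]) if tok[0] == "area" else None)
    if "not-advertise" in rest:
        cmd.advertise = False
    if "cost" in rest:
        cmd.cost = int(rest[rest.index("cost") + 1])
    return cmd

def summarize(prefixes: List[Tuple[IPv4Net, int]], ranges: List[RangeCmd],
              discard_route: bool = True) -> Tuple[List[Summary], List[IPv4Net]]:
    """prefixes: (network, cost) pairs the router would otherwise advertise.
    Returns (what is advertised, which more-specifics were suppressed)."""
    advertised: List[Summary] = []
    suppressed: List[IPv4Net] = []
    for net, cost in prefixes:
        if any(net.subnet_of(r.summary) for r in ranges):
            suppressed.append(net)           # covered by a range: never advertised on its own
        else:
            advertised.append(Summary(net, cost, False))
    for r in ranges:
        components = [c for n, c in prefixes if n.subnet_of(r.summary)]
        if not components or not r.advertise:
            continue                         # no components: no summary; not-advertise: hidden
        cost = r.cost if r.cost is not None else max(components)
        advertised.append(Summary(r.summary, cost, discard_route))
    return advertised, suppressed

# Constructed intra-area prefixes in area 15 with their costs.
AREA15: List[Tuple[IPv4Net, int]] = [
    (ipaddress.ip_network("10.1.0.0/24"), 10),
    (ipaddress.ip_network("10.2.0.0/24"), 20),
    (ipaddress.ip_network("192.168.5.0/24"), 5),
]

def advertised_prefixes(line: str, discard_route: bool = True) -> List[Tuple[str, int, bool]]:
    """Apply one range/summary-address line to AREA15; returns (prefix, cost, discard)."""
    adv, _ = summarize(AREA15, [parse_range(line)], discard_route)
    return [(str(s.prefix), s.cost, s.discard_route) for s in adv]

if __name__ == "__main__":
    for line in ["area 15 range 10.0.0.0 255.0.0.0",
                 "area 15 range 10.0.0.0 255.0.0.0 not-advertise",
                 "area 15 range 10.0.0.0 255.0.0.0 cost 50"]:
        print(line, "->", advertised_prefixes(line))
```

With not-advertise the two 10.x.0.0/24 components disappear and no 10.0.0.0/8 summary is generated either, which is the filtering function the notes describe; 192.168.5.0/24 is outside the range and is unaffected. Passing discard_route=False corresponds to "no discard-route".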
6. NSSA no-redistribute - applies when the ABR is also an ASBR for an NSSA area.
- Redistribution there creates both a type 5 and a type 7 LSA for the same subnets.
- To stop the type 7 LSAs being generated into the NSSA:
router ospf 1
area 1 nssa no-redistribute
7. Database filter out - filters all LSAs going to a neighbour or out of an interface.
- In a sense it makes the router run in a passive mode: adjacencies still form, but no LSAs are flooded to that neighbour or out of that interface
router ospf 1
neighbor 155.1.0.2 database-filter all out
!
interface Vlan79
ip ospf database-filter all out