Thursday, February 24, 2011

Lab 19 - OSPF External Prefix Filtering

Prerequisites: CCNP level skills.

Topology and configuration are as per the initial configuration in Lab 18.

Topology

Pic. 1 - OSPF Multi-Area.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task 1
Configure all routers according to the topology diagram. Make area 13 an NSSA area.

Task 2
On R3 create two new loopback interfaces:
  • Loopback 1 = 192.168.3.3 255.255.255.0
  • Loopback 2 = 192.168.33.3 255.255.255.0

Task 3
Redistribute both networks (loopback 1 and loopback 2) into OSPF.

Task 4
Create a filter so that R2 does not have 192.168.33.0/24 in its routing table. Do not filter out 192.168.3.0/24.

Lab Solution

Task 1
Configure all routers according to the topology diagram. Make area 13 an NSSA area.

R1 OSPF Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 13 nssa
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 13
 network 172.16.101.1 0.0.0.0 area 0
!

R2 OSPF Configuration:
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 10.1.12.2 0.0.0.0 area 0
 network 172.16.102.2 0.0.0.0 area 0
!

R3 OSPF Configuration:
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 13 nssa
 network 10.1.13.3 0.0.0.0 area 13
 network 172.16.103.3 0.0.0.0 area 13
!

Task 2
On R3 create two new loopback interfaces:
  • Loopback 1 = 192.168.3.3/24
  • Loopback 2 = 192.168.33.3/24

R3 Configuration:
!
interface Loopback1
 ip address 192.168.3.3 255.255.255.0
!
interface Loopback2
 ip address 192.168.33.3 255.255.255.0
!

Task 3
Redistribute both networks (loopback 1 and loopback 2) into OSPF.

R3 Configuration:
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 13 nssa
 redistribute connected subnets
 network 10.1.13.3 0.0.0.0 area 13
 network 172.16.103.3 0.0.0.0 area 13
!

Verification:
Pic. 2 - R2's Routing Table.

Task 4
Create a filter so that R2 does not have 192.168.33.0/24 in its routing table. R2's routing table must still have the 192.168.3.0/24 entry.

R1 Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 13 nssa
 summary-address 192.168.33.0 255.255.255.0 not-advertise
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 13
 network 172.16.101.1 0.0.0.0 area 0
!

Verification:

Pic. 3 - R2 Routing Table After Filtering on R1.

Wednesday, February 23, 2011

Lab 18 - OSPF FA Suppression in Translated Type-5 LSAs

Prerequisites: CCNP level skills.
Topology

Pic. 1 - OSPF
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task 1
Configure IP addresses and OSPF according to the topology diagram (pic. 1). Advertise loopback interfaces in the appropriate areas as stub networks.

Task 2
Create a loopback1 interface on R3 with IP address 192.168.3.3/24.

Task 3
Configure area 13 as NSSA. Redistribute R3's loopback1 interface into OSPF.

Task 4
Verify if R1 receives the E2 prefix 192.168.3.0/24.

Task 5
On ABR filter out 172.16.103.3/32. R2 should not receive 192.168.3.0/24 anymore. The reason: the forwarding address (172.16.103.3) is no longer reachable.

Task 6
Change the forwarding address for 192.168.3.0/24 so R1 becomes the gateway (forwarding address = 0.0.0.0).

Lab Solution

Task 1
Configure IP addresses and OSPF according to the topology diagram (pic. 1). Advertise loopback interfaces in the appropriate areas as stub networks.

R1 OSPF Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 13
 network 172.16.101.1 0.0.0.0 area 0
!

R2 OSPF Configuration:
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 10.1.12.2 0.0.0.0 area 0
 network 172.16.102.2 0.0.0.0 area 0
!

R3 OSPF Configuration:
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 10.1.13.3 0.0.0.0 area 13
 network 172.16.103.3 0.0.0.0 area 13
!

Task 2
Create a loopback1 interface on R3 with IP address 192.168.3.3/24.

R3 Configuration:
!
interface Loopback1
 ip address 192.168.3.3 255.255.255.0
!

Task 3
Configure area 13 as NSSA. Redistribute R3's loopback1 interface into OSPF.

R1 Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 13 nssa
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 13
 network 172.16.101.1 0.0.0.0 area 0
!

R3 Configuration:
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 13 nssa
 redistribute connected subnets
 network 10.1.13.3 0.0.0.0 area 13
 network 172.16.103.3 0.0.0.0 area 13
!

Verification:

Pic. 2 - R3's OSPF Database (NSSA).
Pic. 3 - R1's OSPF Database (NSSA).

Pic. 4 - R1 OSPF Database (External).
Note!
On all routers R3's loopback becomes the forwarding address to 192.168.3.0/24.

Note!
I removed OSPF from R3 and re-created it, but this time R3 does NOT advertise 172.16.103.3/32.

R3 New OSPF Configuration:
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 13 nssa
 redistribute connected subnets
 network 10.1.13.3 0.0.0.0 area 13
!

Note!
Without loopback0 (172.16.103.3) being advertised on R3, all routers use 10.1.13.3 as the forwarding address. It must be reachable in order to get to 192.168.3.0/24.

(I have brought back the original configuration on R3, with loopback0 being advertised.)

Task 4
Verify if R1 receives the E2 prefix 192.168.3.0/24.

Pic. 5 - R2 Receives 192.168.3.0/24 (forwarding address 172.16.103.3)

Task 5
On ABR filter out 172.16.103.3/32. R2 should not receive 192.168.3.0/24 anymore. The reason: the forwarding address (172.16.103.3) is no longer reachable.

R1 Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 13 nssa
 area 13 range 172.16.103.0 255.255.255.0 not-advertise
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 13
 network 172.16.101.1 0.0.0.0 area 0
!

Verification:

Pic. 6 - R2 Routing Table Missing.

Note!
The forwarding address 172.16.103.3 has been filtered out and is inaccessible. As a result of that, 192.168.3.0/24 cannot be used in the routing table.

Pic. 7 - R2 OSPF Database External.
 
Task 6
Change the forwarding address for 192.168.3.0/24 so R1 becomes the gateway (forwarding address = 0.0.0.0).

R1 Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 13 nssa translate type7 suppress-fa
 area 13 range 172.16.103.0 255.255.255.0 not-advertise
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 13
 network 172.16.101.1 0.0.0.0 area 0
!

Verification: 
Pic. 8 - R2 Routing Table.
Pic. 9 - R2's OSPF Database (External).
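
Added example (not part of the original lab): a small Python model of how R2 resolves the translated Type-5 LSA in Tasks 4-6, showing why the route disappears once the forwarding address is filtered and returns with suppress-fa. The function names, the link masks and R2's area 0 routes are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ExternalLSA:
    prefix: str
    adv_router: str
    forwarding_address: str


def abr_summaries(area_prefixes, not_advertise=()):
    """Type-3 summaries the ABR floods into area 0. Prefixes covered by an
    'area 13 range ... not-advertise' statement are suppressed."""
    ranges = [ipaddress.ip_network(r) for r in not_advertise]
    return [p for p in area_prefixes
            if not any(ipaddress.ip_network(p).subnet_of(r) for r in ranges)]


def translate_type7(lsa7, translator_id, suppress_fa=False):
    """Type-7 to Type-5 translation on the NSSA ABR. With suppress-fa the
    forwarding address is rewritten to 0.0.0.0."""
    fa = "0.0.0.0" if suppress_fa else lsa7.forwarding_address
    return replace(lsa7, adv_router=translator_id, forwarding_address=fa)


def resolve(lsa5, internal_routes, reachable_routers):
    """How a router resolves an external LSA, or None if it cannot be used."""
    if lsa5.forwarding_address == "0.0.0.0":
        # FA 0.0.0.0: traffic is sent towards the advertising router itself.
        if lsa5.adv_router in reachable_routers:
            return ("asbr", lsa5.adv_router)
        return None
    # Non-zero FA: it must be covered by an intra-area or inter-area route.
    fa = ipaddress.ip_address(lsa5.forwarding_address)
    covering = [n for n in map(ipaddress.ip_network, internal_routes) if fa in n]
    if not covering:
        return None  # the LSA stays in the LSDB but no route is installed
    return ("fa", str(max(covering, key=lambda n: n.prefixlen)))


# Constructed data for the Lab 18 topology (link masks are assumed).
AREA13_PREFIXES = ["10.1.13.0/24", "172.16.103.3/32"]
R2_AREA0_ROUTES = ["10.1.12.0/24", "172.16.101.1/32"]
R2_REACHABLE_ROUTERS = {"1.1.1.1"}


def r2_view(fa="172.16.103.3", not_advertise=(), suppress_fa=False):
    """What R2 does with 192.168.3.0/24 for a given R1 configuration."""
    lsa7 = ExternalLSA("192.168.3.0/24", "3.3.3.3", fa)
    lsa5 = translate_type7(lsa7, "1.1.1.1", suppress_fa)
    internal = R2_AREA0_ROUTES + abr_summaries(AREA13_PREFIXES, not_advertise)
    return resolve(lsa5, internal, R2_REACHABLE_ROUTERS)


if __name__ == "__main__":
    rng = ["172.16.103.0/24"]
    print("Task 4, no filter:         ", r2_view())
    print("Task 5, range filter:      ", r2_view(not_advertise=rng))
    print("Task 6, suppress-fa:       ", r2_view(not_advertise=rng, suppress_fa=True))
    print("FA 10.1.13.3, range filter:", r2_view(fa="10.1.13.3", not_advertise=rng))
```

The last case corresponds to the note above where R3 does not advertise loopback0: the forwarding address 10.1.13.3 lies outside the filtered range, so the same filter does not remove the external route.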

Tuesday, February 22, 2011

Lab 17 - OSPF NSSA Totally Stub Area

Prerequisites: CCNP level skills.

Note!
Use the Lab 14 topology. OSPF should be enabled on all interfaces with the most specific wildcard mask.

Topology

Pic. 1 - OSPF Multi-Area Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task List

Task 1
On R1 create a new loopback interface with the IP address 192.168.1.1/24. Advertise this network in OSPF as external prefix. Make sure that no other interfaces created in the future will get advertised.

Task 2
On R5 create a new loopback interface with IP address 192.168.5.5/24. Advertise this network as external E2 into OSPF domain. 

Task 3
Configure routers in the area 1 so they do not accept any external and inter-area prefixes. Routers in area 1 must be able to reach the newly created networks. Routers in area 2 should be able to reach these networks as well.

Lab Solution

Task 1
On R1 create a new loopback interface with the IP address 192.168.1.1/24. Advertise this network in OSPF. Make sure that no other interfaces created in the future will get advertised.

R1 Configuration:
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
route-map CONNECTED permit 10
 match interface Loopback1
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 redistribute connected subnets route-map CONNECTED
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 1
 network 172.16.101.1 0.0.0.0 area 0
!

Verification:

Pic. 2 - R2 Receives External E2 Prefix.

Task 2
On R5 create a new loopback interface with IP address 192.168.5.5/24. Advertise this network as external E2 into OSPF domain.

R5 Configuration:
!
interface Loopback1
 ip address 192.168.5.5 255.255.255.0
!
router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 redistribute connected subnets
 network 10.1.35.5 0.0.0.0 area 1
 network 172.16.105.5 0.0.0.0 area 1
!

Verification:

Pic. 3 - R6 Receives External E2 Prefixes.

Task 3
Configure routers in area 1 so they do not accept any external and inter-area prefixes. Routers in area 1 must be able to reach the newly created networks. Routers in area 2 should be able to reach these networks as well.

Note!
Area 1 must filter LSA5 but also introduces external prefixes (192.168.5.0/24, 192.168.5.0/24), so it CANNOT be configured as a totally stubby area. An NSSA totally stubby area is the solution. The ABR injects a default route into an area that is an NSSA totally stubby area (default behavior).

R1 Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 1 nssa no-summary
 redistribute connected subnets route-map CONNECTED
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 1
 network 172.16.101.1 0.0.0.0 area 0
!

R3 Configuration:
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 1 nssa
 network 0.0.0.0 255.255.255.255 area 1
!

R5 Configuration:
!
router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 area 1 nssa
 redistribute connected subnets
 network 10.1.35.5 0.0.0.0 area 1
 network 172.16.105.5 0.0.0.0 area 1
!

Verification:

Pic. 4 - R5's Routing Table.

External and Inter-Area prefixes are gone (no E2 or O IA).

Pic. 5 - R3's Routing Table.

Pic. 6 - R1's Routing Table.

Final ping tests.
Pic. 7 - Ping Between R5 and R1 NSSA Prefixes.

Pic. 8 - R6's Routing Table.
Both prefixes show as LSA5 in the area 2.

Pic. 9 - R6 Pings Both Networks.

Lab 16 - OSPF NSSA Area LSA7-to-5 Translation

Prerequisites: CCNP level skills.

Note!
Use the Lab 6 topology. OSPF should be enabled on all interfaces with the most specific wildcard mask.

Topology

Pic. 1 - OSPF Multi-Area Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task List

Task 1
On R3 create a loopback interface with IP address 192.168.3.3/24. Redistribute it into OSPF as external E2 prefix.

Task 2
On R4 advertise a network 192.168.4.0/24 as external E2 prefixes. Do not create loopback interfaces to accomplish that. Area 1 must not accept LSA type 5. R4 must be able to ping 192.168.3.3. 

Task 3
Make sure that R1 is the translator of LSA7-to-5 and not R2. 

Task 4
On R4 test connectivity to 192.168.3.3.

Lab Solution

Task 1
On R3 create a loopback interface with IP address 192.168.3.3/24. Redistribute it into OSPF as external E2 prefix. 

R3 Configuration:
!
interface Loopback2
 ip address 192.168.3.3 255.255.255.0
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 redistribute connected subnets
 network 10.1.13.3 0.0.0.0 area 0
 network 10.1.23.3 0.0.0.0 area 0
 network 172.16.103.3 0.0.0.0 area 0
 network 172.16.133.3 0.0.0.0 area 0
!

Verification:

Pic. 2 - R1 Receives 192.168.3.0/24

Task 2
On R4 advertise a network 192.168.4.0/24 as external E2 prefixes. Do not create loopback interfaces to accomplish that. Area 1 must not accept LSA type 5. R4 must be able to ping 192.168.3.3.  

R4 Configuration:
!
ip route 192.168.4.0 255.255.255.0 Null0
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 1 nssa
 redistribute static subnets
 network 10.1.124.4 0.0.0.0 area 1
 network 172.16.104.4 0.0.0.0 area 1
 network 172.16.144.4 0.0.0.0 area 1
!

R1 Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 1 nssa default-information-originate
 network 10.1.13.1 0.0.0.0 area 0
 network 10.1.124.1 0.0.0.0 area 1
 network 172.16.101.1 0.0.0.0 area 0
!

R2 Configuration:
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 area 1 nssa default-information-originate
 network 10.1.23.2 0.0.0.0 area 0
 network 10.1.124.2 0.0.0.0 area 1
 network 172.16.102.2 0.0.0.0 area 0
!


Verification:
Pic. 3 - Area 0 Receives 192.168.4.0/24.

Pic. 4 - Area 1 Receives the Default Route to External Networks.

Note!
ABRs in NSSA area do NOT inject the default route. That's why both R1 and R2 have been configured with 'area 1 nssa default-information-originate' command. 

Task 3
Make sure that R1 is the translator of LSA7-to-5 and not R2. 

R1 Configuration:
!
router ospf 1
 router-id 10.10.10.10
!

Note!
Changing the Router ID after the router has already established a neighbor adjacency requires clearing the OSPF process (clear ip ospf process).

Verification:

Pic. 5 - R1 is the LSA7-to-5 Translator.

Pic. 6 - R2 Receives 192.168.4.0/24 from the LSA7-to-5 Translator (R1).

Pic. 7 - R1 OSPF Database.
Note!
If two ABRs are connected to NSSA area, the one with the HIGHEST Router ID becomes the translator of LSA7-to-5. That's why I needed to change the Router ID on R1 so it's higher than R2's. 

Task 4
On R4 test connectivity to 192.168.3.3.

Pic. 8 - R4 Reaches 192.168.3.3

Monday, February 21, 2011

Lab 15 - OSPF Totally Stubby Area

Prerequisites: CCNP level skills.

Note!
Use the Lab 14 final configuration in this one.

Topology

Pic. 1 - OSPF Multi-Area Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task List

Step 1
Check the routing table on R4. Area 2 should accept all LSAs (LSAs 1-5).

Step 2
Configure router(s) so area 2 does not receive the following LSAs:
  • LSA5
  • LSA4
  • LSA3

Step 3
Verify the results.

Lab Solution

Step 1
Check the routing table on R4. Area 2 should accept all LSAs (LSAs 1-5).
Pic. 2 - All LSAs on R4.

Step 2
Configure router(s) so area 2 does not receive the following LSAs:
  • LSA5
  • LSA4
  • LSA3

R2 Configuration:
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 area 2 stub no-summary
 network 10.1.12.2 0.0.0.0 area 0
 network 10.1.24.2 0.0.0.0 area 2
 network 172.16.102.2 0.0.0.0 area 0
!


R4 Configuration:
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 2 stub
 network 0.0.0.0 255.255.255.255 area 2
!


R6 Configuration:
!
router ospf 1
 router-id 6.6.6.6
 log-adjacency-changes
 area 2 stub
 network 0.0.0.0 255.255.255.255 area 2
!

Step 3

Verify the results.

Pic. 3 - R4's routing table.

Lab 14 - OSPF Stub Area

Prerequisites: CCNP level skills.

Topology

Pic. 1 - OSPF Multi-Area Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task List

Step 1
On R1 configure two additional loopback interfaces with IP addresses 192.168.1.1/28 and 192.168.1.17/28. Advertise these IP addresses as OSPF external prefixes. 192.168.1.0/28 should show as E1, 192.168.1.16/28 should show as E2.

Step 2
Check if R3 and R5 receive these prefixes.

Step 3
Configure area 1 so R3 and R5 do not receive any LSA type 5 but have reachability towards 192.168.1.1 and 192.168.1.17.

Step 4
Check the results.

Lab Solution

Step 1
On R1 configure two additional loopback interfaces with IP addresses 192.168.1.1/28 and 192.168.1.17/28. Advertise these IP addresses as OSPF external prefixes. 192.168.1.0/28 should show as E1, 192.168.1.16/28 should show as E2.

R1 Configuration:
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.240
!
interface Loopback2
 ip address 192.168.1.17 255.255.255.240
!
route-map CONNECTED permit 10
 match interface Loopback1
 set metric-type type-1
!
route-map CONNECTED permit 20
 match interface Loopback2
 set metric-type type-2
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 redistribute connected subnets route-map CONNECTED
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 1
 network 172.16.101.1 0.0.0.0 area 0
!

Step 2
Check if R3 and R5 receive these prefixes.

Pic. 2 - External Prefixes in R5.


Pic. 3 - External Prefixes in R3.

Step 3
Configure area 1 so R3 and R5 do not receive any LSA type 5 but have reachability towards 192.168.1.1 and 192.168.1.17.

Note!
All routers in the area 1 must be configured as 'stub' since this is the flag that must match between neighbors along with: hello/dead intervals, area ID, authentication.

R1 Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 1 stub
 redistribute connected subnets route-map CONNECTED
 network 10.1.12.1 0.0.0.0 area 0
 network 10.1.13.1 0.0.0.0 area 1
 network 172.16.101.1 0.0.0.0 area 0
!

R3 Configuration:
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 area 1 stub
 network 0.0.0.0 255.255.255.255 area 1
!

R5 Configuration:
!
router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 area 1 stub
 network 0.0.0.0 255.255.255.255 area 1
!

Step 4
Check the results.

Note!
The ABR (R1) filters out LSA5 (external routes) when sending updates into area 1. Instead, it advertises a default route into the area; R3 installs it and it is passed on to R5. This allows R3 and R5 to reach external destinations.

Pic. 4 - R3's Routing Table.
Pic. 5 - R5's Routing Table.

Pic. 6 - R5's Reachability to External Prefixes.

Sunday, February 20, 2011

Lab 13 - OSPF LSA Flood Filtering

Prerequisites: CCNP level skills.

Note!
Routers use OSPF configuration from the lab 6.
One thing to remember is that all routers within the same OSPF area share the EXACT same LSA database! This will affect how we can filter OSPF updates.

There are a few filtering methods:
  1. Ingress filtering using a 'distribute-list'. 
  2. Ingress filtering using a 'distribute-list' with a 'route-map'. 
  3. Ingress filtering by changing the Administrative Distance of the prefixes to UNKNOWN (255).
  4. Type 3 LSA filtering using 'area area-number range' command (applied on ABR).
  5. Type 3 LSA filtering using 'filter-list' command.
  6. LSA Flooding Filtering.
The first three methods (1-3) prevent prefixes from entering the routing table. The LSAs are still going to be present in the LSDB since all routers in OSPF area must be synchronized (the same LSDB). These methods are the intra-area filters.

The last three methods (4-6) are inter-area filters preventing LSAs from entering LSDB.

Topology

Pic. 1 - OSPF Multi-Area Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task List

Task 1
On R3, check the routing table. It should receive all prefixes from area 1.

Task 2
Configure router(s) so R3 does not receive any prefixes from R1 and R2.  Prefixes advertised by R3 should be learned in R1 and R2 and propagated to R4. Do not use access-list, distribute-list or any other command in the router ospf context.

Task 3
Verify the results.  

Lab Solution

Task 1
On R3, check the routing table. It should receive all prefixes from area 1.

The highlighted entries are the area 1 prefixes R3 learns from the two ABRs (R1 and R2).

Pic. 2 - R3's Routing Table.

Task 2
Configure router(s) so R3 does not receive any prefixes from R1 and R2. Prefixes advertised by R3 should be learned on R1 and R2 and propagated to R4. Do not use access-list, distribute-list or any other command in the router ospf context.

R1 Configuration:
!
interface Serial0/1
 ip address 10.1.13.1 255.255.255.0
 ip ospf database-filter all out
!

R2 Configuration:
!
interface Serial0/2
 ip address 10.1.23.2 255.255.255.0
 ip ospf database-filter all out
!

Note!
This command does not prevent OSPF from sending hello packets out the interface. It only filters out LSAs (all of them). R1 and R2 still learn prefixes advertised by R3.

Note!
Clearing the OSPF process is required for the changes to take effect (I could not see the change without clearing the process).

Note!
In point-to-multipoint mode I can use:

!
router ospf 1
 neighbor address database-filter all out
!

Task 3
Verify the results.

Pic. 3 - The Results on R3.
Pic. 4 - The Results on R4.
Note!
R4 learns prefixes advertised by R3.

Lab 12 - OSPF Filtering with Area Filter-List

Prerequisites: CCNP level skills.

Note!
Routers use OSPF configuration from the lab 6.
One thing to remember is that all routers within the same OSPF area share the EXACT same LSA database! This will affect how we can filter OSPF updates.

There are a few filtering methods:
  1. Ingress filtering using a 'distribute-list'. 
  2. Ingress filtering using a 'distribute-list' with a 'route-map'. 
  3. Ingress filtering by changing the Administrative Distance of the prefixes to UNKNOWN (255).
  4. Type 3 LSA filtering using 'area area-number range' command (applied on ABR).
  5. Type 3 LSA filtering using 'filter-list' command.
  6. LSA Flooding Filtering.
The first three methods (1-3) prevent prefixes from entering the routing table. The LSAs are still going to be present in the LSDB since all routers in OSPF area must be synchronized (the same LSDB). These methods are the intra-area filters.

The last three methods (4-6) are inter-area filters preventing LSAs from entering LSDB.

Topology

Pic. 1 - OSPF Multi-Area Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task List

Task 1
On R3, check the routing table. Make sure that it shows prefixes: 172.16.104.0/24 and 172.16.144.0/24.

Task 2
Configure router(s) so R3 does not receive 172.16.104.0/24 and 172.16.144.0/24 prefixes.

Task 3
Check the results.

Lab Solution

Task 1
On R3, check the routing table. Make sure that it shows prefixes: 172.16.104.0/24 and 172.16.144.0/24. 
Pic. 2 - R3's Routing Table.

Task 2
Configure router(s) so R3 does not receive 172.16.104.0/24 and 172.16.144.0/24 prefixes. 

Note!
'Filter-list' command can only take a prefix-list as its argument (as of the time of writing this post).

R1 Configuration:
!
ip prefix-list DENY_R4_LOOPBACKS seq 5 deny 172.16.104.0/24
ip prefix-list DENY_R4_LOOPBACKS seq 10 deny 172.16.144.0/24
ip prefix-list DENY_R4_LOOPBACKS seq 15 permit 0.0.0.0/0 le 32
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 1 filter-list prefix DENY_R4_LOOPBACKS out
 network 10.1.13.1 0.0.0.0 area 0
 network 10.1.124.1 0.0.0.0 area 1
 network 172.16.101.1 0.0.0.0 area 0
!

R2 Configuration:
!
ip prefix-list DENY_R4_LOOPBACKS seq 5 deny 172.16.104.0/24
ip prefix-list DENY_R4_LOOPBACKS seq 10 deny 172.16.144.0/24
ip prefix-list DENY_R4_LOOPBACKS seq 15 permit 0.0.0.0/0 le 32
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 area 1 filter-list prefix DENY_R4_LOOPBACKS out
 network 10.1.23.2 0.0.0.0 area 0
 network 10.1.124.2 0.0.0.0 area 1
 network 172.16.102.2 0.0.0.0 area 0
!

Task 3
Check the results.

Pic. 3 - R3's Routing Table with Filter-List.
The prefixes in question no longer show in R3's routing table.
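
Added example (not part of the original lab): a Python model of how the DENY_R4_LOOPBACKS prefix list from Task 2 is evaluated, showing first-match order, the implicit deny that makes the final permit entry necessary, and exact-length matching. The function names and the candidate prefixes (including the /32 host route) are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route):
        net = ipaddress.ip_network(self.prefix)
        # Mask-length window: exact length unless ge/le widen it.
        if self.ge is None and self.le is None:
            lo = hi = net.prefixlen
        else:
            lo = self.ge if self.ge is not None else net.prefixlen
            hi = self.le if self.le is not None else 32
        # The route must also fall inside the entry's prefix.
        return lo <= route.prefixlen <= hi and route.subnet_of(net)


def evaluate(entries, route):
    """First matching entry (lowest seq) decides; no match is an implicit deny."""
    net = ipaddress.ip_network(route)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            return (entry.action, entry.seq)
    return ("deny", None)


def advertised_out_of_area(entries, summaries):
    """Prefixes that survive 'area 1 filter-list prefix <list> out'."""
    return [s for s in summaries if evaluate(entries, s)[0] == "permit"]


# The prefix list exactly as configured on R1 and R2 in Task 2.
DENY_R4_LOOPBACKS = [
    Entry(5, "deny", "172.16.104.0/24"),
    Entry(10, "deny", "172.16.144.0/24"),
    Entry(15, "permit", "0.0.0.0/0", le=32),
]

# Constructed candidates for Type-3 LSAs leaving area 1. The /32 is an edge
# case: an entry without ge/le matches only its exact mask length, so a host
# route inside 172.16.104.0/24 is not caught by seq 5.
AREA1_SUMMARIES = [
    "172.16.104.0/24",
    "172.16.144.0/24",
    "10.1.124.0/24",
    "172.16.104.4/32",
]

if __name__ == "__main__":
    for prefix in AREA1_SUMMARIES:
        print(prefix, evaluate(DENY_R4_LOOPBACKS, prefix))
    # Without seq 15 every prefix hits the implicit deny.
    print(advertised_out_of_area(DENY_R4_LOOPBACKS[:2], AREA1_SUMMARIES))
```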

Lab 11 - OSPF Filtering with Area Range

Prerequisites: CCNP level skills.

Note!
Routers use OSPF configuration from the lab 6.
One thing to remember is that all routers within the same OSPF area share the EXACT same LSA database! This will affect how we can filter OSPF updates.

There are a few filtering methods:
  1. Ingress filtering using a 'distribute-list'. 
  2. Ingress filtering using a 'distribute-list' with a 'route-map'. 
  3. Ingress filtering by changing the Administrative Distance of the prefixes to UNKNOWN (255).
  4. Type 3 LSA filtering using 'area area-number range' command (applied on ABR).
  5. Type 3 LSA filtering using 'filter-list' command.
  6. LSA Flooding Filtering.
The first three methods (1-3) prevent prefixes from entering the routing table. The LSAs are still going to be present in the LSDB since all routers in OSPF area must be synchronized (the same LSDB). These methods are the intra-area filters.

The last three methods (4-6) are inter-area filters preventing LSAs from entering LSDB.

Topology

Pic. 1 - OSPF Multi-Area Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task List

Task 1
On R4, check the routing table. Make sure that it shows prefixes: 172.16.103.0/24 and 172.16.133.0/24.

Task 2
Configure router(s) so the 172.16.103.0/24 and 172.16.133.0/24 are not advertised to R4. Do not use 'filter-list' command.

Task 3
Check the results. R4's LSDB and the routing table should not contain the two prefixes in question.

Lab Solution

Task 1
On R4, check the routing table. Make sure that it shows prefixes: 172.16.103.0/24 and 172.16.133.0/24.

Pic. 2 - R4's LSDB before Filter (172.16.103.0/24).
Note!
172.16.133.0/24 is also advertised by the two ABRs (R1 and R2) but not shown here. 

Pic. 3 - R4's Routing Table.
Task 2
Configure router(s) so the 172.16.103.0/24 and 172.16.133.0/24 are not advertised to R4. Do not use 'filter-list' command.

R1 Configuration:
!
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 area 0 range 172.16.103.0 255.255.255.0 not-advertise
 area 0 range 172.16.133.0 255.255.255.0 not-advertise
 network 10.1.13.1 0.0.0.0 area 0
 network 10.1.124.1 0.0.0.0 area 1
 network 172.16.101.1 0.0.0.0 area 0
!

R2 Configuration:
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 area 0 range 172.16.103.0 255.255.255.0 not-advertise
 area 0 range 172.16.133.0 255.255.255.0 not-advertise
 network 10.1.23.2 0.0.0.0 area 0
 network 10.1.124.2 0.0.0.0 area 1
 network 172.16.102.2 0.0.0.0 area 0
!

Task 3
Check the results. R4's LSDB and the routing table should not contain the two prefixes in question.

Pic. 4 - R4's Routing Table with the Filter.
Here, just a quick check of the routing table (LSDB checked but not shown here). Filtering has worked as expected.

Saturday, February 19, 2011

Lab 10 - OSPF Filtering with Distance

Prerequisites: CCNP level skills.

Note!
Routers use OSPF configuration from the lab 6.
One thing to remember is that all routers within the same OSPF area share the EXACT same LSA database! This will affect how we can filter OSPF updates.

There are a few filtering methods:
  1. Ingress filtering using a 'distribute-list'. 
  2. Ingress filtering using a 'distribute-list' with a 'route-map'. 
  3. Ingress filtering by changing the Administrative Distance of the prefixes to UNKNOWN (255).
  4. Type 3 LSA filtering using 'area area-number range' command (applied on ABR).
  5. Type 3 LSA filtering using 'filter-list' command.
  6. LSA Flooding Filtering.
The first three methods (1-3) prevent prefixes from entering the routing table. The LSAs are still going to be present in the LSDB since all routers in OSPF area must be synchronized (the same LSDB). These methods are the intra-area filters.

The last three methods (4-6) are inter-area filters preventing LSAs from entering LSDB.

Topology

Pic. 1 - OSPF Multi-Area Topology.
Icons designed by: Andrzej Szoblik - http://www.newo.pl

Task List

Task 1
On R3, check the routing table. Make sure that it shows prefixes: 172.16.101.0/24 and 172.16.102.0/24.

Task 2
Configure R3 so prefixes 172.16.101.0/24 and 172.16.102.0/24 do not show in the routing table but show in the LSDB. Do not use distribute-list to accomplish this. Make sure that you match on the router-id of advertising routers.

Task 3
Check the results. Both prefixes in question should be removed from the routing table but should be still seen in the LSDB.

Lab Solution

Task 1
On R3, check the routing table. Make sure that it shows prefixes: 172.16.101.0/24 and 172.16.102.0/24.
Pic. 2 - R3's Routing Table.

Task 2
Configure R3 so prefixes 172.16.101.0/24 and 172.16.102.0/24 do not show in the routing table but show in the LSDB. Do not use distribute-list to accomplish this. Make sure that you match on the router-id of advertising routers.

R3 Configuration:
!
ip access-list standard FILTER
 permit 172.16.101.0 0.0.0.255
 permit 172.16.102.0 0.0.0.255
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
 distance 255 1.1.1.1 0.0.0.0 FILTER
 distance 255 2.2.2.2 0.0.0.0 FILTER
!


Task 3
Check the results. Both prefixes in question should be removed from the routing table but should be still seen in the LSDB.

R3#show ip ospf database router

Pic. 3 - R3's Routing Table with Filter.

The prefixes 172.16.101.0/24 and 172.16.102.0/24 are gone!

Pic. 4 - LSDB with the Filter (172.16.101.0/24).

Pic. 4 - LSDB with the Filter (172.16.102.0/24).