Tuesday, September 17, 2013

OSPF Filtering Using Distribute-List with Route-Map


Pic. 1 - Topology Diagram.


Task 1
Remove OSPF filtering applied in the previous lab.

Task 2
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Use distribute-list in OSPF process with route-map and ACL as your matching tool.

Task 3
Configure the same filtering as specified in Task 2. Use distribute-list and route-map with ip prefix-list as your matching tool.

Questions
Try to answer the following questions:
  1. What type of prefixes can a distribute-list with options filter out?
  2. What type of options does distribute-list take to filter prefixes?
  3. What would you do if you had to do the same filtering but the task stipulated that no distribute-list was allowed (crying is not an option, nor is 'cannot be done')?

Lab Solution

Solution configuration below: 

Task 1
Remove OSPF filtering applied in the previous lab.

R4 Config:
!
no ip access-list standard BLOCK_R4_L0
!
router ospf 1
 no distribute-list BLOCK_R4_L0 in
!

Verification:
Pic. 2 - Prefix 10.0.2.2/32 Back in the Routing Table.

Task 2
Configure OSPF filtering on R4, so that 10.0.2.2/32 does not show in its routing table. Use distribute-list in OSPF process with route-map and ACL as your matching tool.

R4 Config:
!
access-list 1 deny 10.0.2.2
access-list 1 permit any
!
route-map BLOCK permit 10
 match ip address 1
!
router ospf 1
 distribute-list route-map BLOCK in
!

Verification:
Pic. 3 - Prefix 10.0.2.2/32 Filtered Out.

Pic. 4 - Match against ACL.

Task 3
Configure the same filtering as specified in Task 2. Use distribute-list and route-map with ip prefix-list as your matching tool.

First, remove the configuration from Task 2. You know how to verify that 10.0.2.2/32 is back in the routing table, don't you?

R4 Config:
!
no access-list 1
!
no route-map BLOCK
!
router ospf 1
 no distribute-list route-map BLOCK in
!

R4 Config:
!
ip prefix-list DENY_R4_LO deny 10.0.2.2/32
ip prefix-list DENY_R4_LO permit 0.0.0.0/0 le 32
!
route-map BLOCK permit 10
 match ip address prefix-list DENY_R4_LO
!
router ospf 1
 distribute-list route-map BLOCK in
!

Verification:
Pic. 5 - Hits against IP Prefix-List Deny Entry.

Pic. 6 - Prefix 10.0.2.2/32 Removed from the Routing Table.
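
The Task 3 filter relies on two layers of first-match, implicit-deny evaluation: the prefix-list decides whether the route-map clause matches, and the route-map decides whether the route is installed. The Python model below is an added example, not part of the original lab and not Cisco code. Apart from 10.0.2.2/32, the route list is constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Model of the Task 3 filter: prefix-list -> route-map -> distribute-list in.
# Evaluation rules: first match wins, implicit deny at the end of each list.

def prefix_list_permits(entries, route):
    """Return True if the first matching prefix-list entry is a permit."""
    for action, net, ge, le in entries:
        net = ipaddress.ip_network(net)
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        covered = route.network_address in net  # leading bits agree
        if covered and lo <= route.prefixlen <= hi:
            return action == "permit"
    return False  # implicit deny

def route_map_permits(clauses, prefix_lists, route):
    """A clause applies only when its prefix-list permits the route."""
    for action, plist in clauses:
        if prefix_list_permits(prefix_lists[plist], route):
            return action == "permit"
    return False  # implicit deny at the end of every route-map

def build_rib(ospf_routes, clauses, prefix_lists):
    """distribute-list ... in: filter SPF results on their way into the RIB."""
    return [r for r in ospf_routes
            if route_map_permits(clauses, prefix_lists, ipaddress.ip_network(r))]

PREFIX_LISTS = {"DENY_R4_LO": [("deny", "10.0.2.2/32", None, None),
                               ("permit", "0.0.0.0/0", None, 32)]}
ROUTE_MAP_BLOCK = [("permit", "DENY_R4_LO")]
# Constructed SPF results; only 10.0.2.2/32 comes from the lab text.
OSPF_ROUTES = ["10.0.2.2/32", "10.0.1.1/32", "10.0.12.0/24"]

if __name__ == "__main__":
    print("SPF results (from LSDB):", OSPF_ROUTES)
    print("Installed in RIB:       ",
          build_rib(OSPF_ROUTES, ROUTE_MAP_BLOCK, PREFIX_LISTS))
```

Dropping the `permit 0.0.0.0/0 le 32` entry, or writing it without `le 32`, makes the model filter every OSPF route except (in the second case) a default route, which is the usual way this kind of filter goes wrong.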

Study Drill

The most significant observation is that a distribute-list applied in the OSPF process is only able to filter what is being introduced into the routing table. The prefixes are still learned as intra-area LSAs (LSA1 or LSA2) and placed in the LSDB. This is because OSPF assumes that, in order to build the same topology map, all routers within the area must share the EXACT same information.

So far, we have inspected a few options allowing us to do the filtering. However, these are not the only ones available (as of the writing of this post). Try to do some digging on the Net to find other options. Alternatively, look at my next lab to see what else is available.
;)