OSPF Filtering



Intra-routing-protocol filtering presents some special challenges with link-state routing protocols like OSPF. Link-state protocols do not advertise routes—they advertise topology information. Also, SPF loop prevention relies on each router in the same area having an identical copy of the LSDB for that area. Filtering could conceivably make the LSDBs differ on different routers, causing routing irregularities.

IOS supports three variations of what could loosely be categorized as OSPF route filtering. These three major types of OSPF filtering are as follows:

■ Filtering routes, not LSAs—Using the distribute-list in command, a router can filter the routes its SPF process is attempting to add to its routing table, without affecting the LSDB.

■ ABR type 3 LSA filtering—A process of preventing an ABR from creating particular type 3 summary LSAs.

■ Using the area range not-advertise option—Another process to prevent an ABR from creating specific type 3 summary LSAs.

Each of these three topics is discussed in sequence in the next few sections.

Filtering Routes Using the distribute-list Command

For RIP and EIGRP, the distribute-list command can be used to filter incoming and outgoing routing updates. The process is straightforward, with the distribute-list command referring to ACLs or prefix lists. With OSPF, the distribute-list command filters what ends up in the IP routing table, and only on the router on which the distribute-list command is configured.

The following rules govern the use of distribute lists for OSPF, when not used for route redistribution with other routing protocols:

■ Distribute lists can be used only for inbound filtering, because filtering any outbound OSPF information would mean filtering LSAs, not routes.

■ The inbound logic does not filter inbound LSAs; it instead filters the routes that SPF chooses to add to that one router’s routing table.

■ If the distribute list includes the incoming interface parameter, the incoming interface is checked as if it were the outgoing interface of the route.

That last bullet could use a little clarification. For example, if R2 learns routes via RIP or EIGRP updates that enter R2’s s0/0 interface, those routes typically use R2’s s0/0 interface as the outgoing interface of the routes. The OSPF LSAs may have been flooded into a router on several interfaces, so an OSPF router checks the outgoing interface of the route as if it had learned about the routes via updates coming in that interface.

NOTE The distribute-list command, when used for route redistribution between OSPF and other routing protocols, does control what enters and leaves the LSDB. Chapter 10 covers more on route redistribution.

Example 9-10 shows an example of two distribute lists on R5 from Figure 9-6. The example shows two options to achieve the same goal. In this case, R5 will filter the route to 10.4.8.0/24 via R5’s S0.2 subinterface (to R2), instead using the route learned from R1. Later, it uses a route map to achieve the same result.

Example 9-10 Filtering Routes with OSPF distribute-list Commands on R5

! R5 has a route to 10.4.8.0/24 through R2 (10.5.25.2, s0.2)
R5# sh ip route ospf | incl 10.4.8.0
O IA 10.4.8.0/24 [110/1623] via 10.5.25.2, 00:00:28, Serial0.2
! Next, the distribute-list command refers to a prefix list that denies
! 10.4.8.0/24 and permits all other prefixes.
ip prefix-list prefix-9-4-8-0 seq 5 deny 10.4.8.0/24
ip prefix-list prefix-9-4-8-0 seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
 distribute-list prefix prefix-9-4-8-0 in Serial0.2
! Below, note that R5’s route through R2 is gone, and instead R5 uses its route
! through R1 (s0.1). But the LSDB is unchanged!
R5# sh ip route ospf | incl 10.4.8.0
O IA 10.4.8.0/24 [110/1636] via 10.5.15.1, 00:00:03, Serial0.1
! Not shown: the earlier distribute-list command is removed.
! Below, note that the distribute-list command with the route-map option does not
! have an option to refer to an interface, so the route map itself has been
! configured to refer to the advertising router’s RID (2.2.2.2).
router ospf 1
 distribute-list route-map lose-9-4-8-0 in
! Next, ACL 48 matches the 10.4.8.0/24 prefix, with ACL 51 matching R2’s RID.
access-list 48 permit 10.4.8.0
access-list 51 permit 2.2.2.2
! Below, the route map matches the prefix (based on ACL 48) and the advertising
! RID (ACL 51, matching R2’s 2.2.2.2 RID). Clause 20 permits all other prefixes.
route-map lose-9-4-8-0 deny 10
 match ip address 48
 match ip route-source 51
route-map lose-9-4-8-0 permit 20
! Below, note the same results as the previous distribute list.
R5# sh ip route ospf | incl 10.4.8.0
O IA 10.4.8.0/24 [110/1636] via 10.5.15.1, 00:01:18, Serial0.1

Example 9-10 shows only two ways to filter the routes. The distribute-list route-map option, added in Cisco IOS Software Release 12.2(15)T, allows a much greater variety of matching parameters, and much more detailed logic with route maps. For instance, this example showed matching a prefix as well as the RID that advertised the LSA to R5, namely 2.2.2.2 (R2). Refer to Chapter 11 for a more complete review of route maps and the match command.

OSPF ABR LSA Type 3 Filtering

ABRs do not forward type 1 and 2 LSAs from one area into another, but instead create type 3 LSAs for each subnet defined in the type 1 and 2 LSAs. Type 3 LSAs do not contain detailed information about the topology of the originating area; instead, each type 3 LSA represents a subnet, and a cost from the ABR to that subnet. The earlier section “LSA Type 3 and Inter-Area Costs” covers the details and provides an example.

The OSPF ABR type 3 LSA filtering feature allows an ABR to filter type 3 LSAs at the point where the LSAs would normally be created. By filtering at the ABR, before the type 3 LSA is injected into another area, the requirement for identical LSDBs inside the area can be met, while still filtering LSAs.

To configure type 3 LSA filtering, you use the area number filter-list prefix name in | out command under router ospf. The referenced prefix list is used to match the subnets and masks to be filtered. The area number and the in | out option of the area filter-list command work together, as follows:

■ When in is configured, IOS filters prefixes going into the configured area.

■ When out is configured, IOS filters prefixes coming out of the configured area.
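
The two filtering points described so far, the distribute-list in rules and the area filter-list in | out rules, can be modelled in a short Python sketch. This is an added example, not code from the original text: the function names and data layout are assumptions, the sample values are constructed from Examples 9-10 and 9-11, and the fallback to the next-best route mirrors what Example 9-10 shows rather than a general statement about IOS.

```python
import ipaddress

def prefix_list_permits(entries, prefix):
    """First-match IOS prefix-list evaluation with an implicit deny at the end.
    entries: (action, network, ge, le) tuples; ge/le are None when not configured."""
    net = ipaddress.ip_network(prefix)
    for action, base, ge, le in entries:
        base = ipaddress.ip_network(base)
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if lo <= net.prefixlen <= hi and net.subnet_of(base):
            return action == "permit"
    return False

def best_route(candidates, entries=None, interface=None):
    """Model of 'distribute-list prefix <list> in [interface]': a candidate is dropped
    when the list denies its prefix and (if given) its outgoing interface matches.
    The candidates list stands in for the LSDB and is never modified."""
    def dropped(c):
        applies = interface is None or c["out_if"] == interface
        return entries is not None and applies and not prefix_list_permits(entries, c["prefix"])
    return min((c for c in candidates if not dropped(c)), key=lambda c: c["cost"], default=None)

def type3_target_areas(abr_areas, source_area, prefix, filter_lists=()):
    """Areas into which an ABR originates a type 3 LSA for a prefix that lives in
    source_area; filter_lists holds (area, direction, entries) tuples."""
    targets = set(abr_areas) - {source_area}
    for area, direction, entries in filter_lists:
        if prefix_list_permits(entries, prefix):
            continue
        if direction == "out" and area == source_area:
            return set()              # filtered leaving the source area: reaches no area
        if direction == "in":
            targets.discard(area)     # filtered entering this one area only
    return targets

# Constructed sample data mirroring Examples 9-10 (R5) and 9-11 (ABR R1).
DENY_10_4_8 = [("deny", "10.4.8.0/24", None, None), ("permit", "0.0.0.0/0", None, 32)]
DENY_10_3_2 = [("deny", "10.3.2.0/23", None, None), ("permit", "0.0.0.0/0", None, 32)]
R5_CANDIDATES = [
    {"prefix": "10.4.8.0/24", "cost": 1623, "via": "10.5.25.2", "out_if": "Serial0.2"},
    {"prefix": "10.4.8.0/24", "cost": 1636, "via": "10.5.15.1", "out_if": "Serial0.1"},
]
R1_AREAS = {0, 3, 4, 5}
```

Calling best_route(R5_CANDIDATES, DENY_10_4_8, "Serial0.2") selects the path via 10.5.15.1, and type3_target_areas(R1_AREAS, 3, "10.3.2.0/23", [(0, "in", DENY_10_3_2)]) leaves only areas 4 and 5.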

Example 9-11 should clarify the basic operation. ABR R1 will use two alternative area filter-list commands, both to filter subnet 10.3.2.0/23, the subnet that exists between R3 and R33 in Figure 9-6. Remember that R1 is connected to areas 0, 3, 4, and 5. The first area filter-list command shows filtering the LSA as it goes out of area 3; as a result, R2 will not inject the LSA into any of the other areas. The second case shows the same subnet being filtered going into area 0, meaning that the type 3 LSA for that subnet still gets into the area 4 and 5 LSDBs.

Example 9-11 Type 3 LSA Filtering on R1 with the area filter-list Command

! The command lists three lines of extracted output. One line is for the
! type 3 LSA in area 0, one is for area 4, and one is for area 5.
R1# show ip ospf data summary | include 10.3.2.0
  Link State ID: 10.3.2.0 (summary Network Number)
  Link State ID: 10.3.2.0 (summary Network Number)
  Link State ID: 10.3.2.0 (summary Network Number)
! Below, the two-line prefix list denies subnet 10.3.2.0/23, and then permits
! all others.
ip prefix-list filter-type3-9-3-2-0 seq 5 deny 10.3.2.0/23
ip prefix-list filter-type3-9-3-2-0 seq 10 permit 0.0.0.0/0 le 32
! Next, the area filter-list command filters type 3 LSAs going out of area 3.
R1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)# router ospf 1
R1(config-router)# area 3 filter-list prefix filter-type3-9-3-2-0 out
R1(config-router)# ^Z
! Below, R1 no longer has any type 3 LSAs, in areas 0, 4, and 5. For
! comparison, this command was issued a few commands ago, listing 1 line
! of output for each of the other 3 areas besides area 3.
R1# show ip ospf data | include 10.3.2.0
! Below, the previous area filter-list command is replaced by the next command
! below, which filters type 3 LSAs going into area 0, with the same prefix list.
area 0 filter-list prefix filter-type3-9-3-2-0 in
! Next, only 2 type 3 LSAs for 10.3.2.0 are shown—the ones in areas 4 and 5.
R1# show ip ospf data | include 10.3.2.0
  Link State ID: 10.3.2.0 (summary Network Number)
  Link State ID: 10.3.2.0 (summary Network Number)
! Below, the configuration for filtering type 3 LSAs with the area range command,
! which is explained following this example. The existing area filter-list
! commands from earlier in this chapter have been removed at this point.
R1(config-router)# area 3 range 10.3.2.0 255.255.254.0 not-advertise
R1# show ip ospf data summary | include 10.3.2.0
R1#

Filtering Type 3 LSAs with the area range Command

The third method to filter OSPF routes is to filter type 3 LSAs at an ABR using the area range command. The area range command performs route summarization at ABRs, telling a router to cease advertising smaller subnets in a particular address range, instead creating a single type 3 LSA whose address and prefix encompass the smaller subnets.

When the area range command includes the not-advertise keyword, not only are the smaller component subnets not advertised as type 3 LSAs, the summary route is not advertised as a type 3 LSA either. As a result, this command has the same effect as the area filter-list command with the out keyword, filtering the LSA from going out to any other areas. An example area range command is shown at the end of Example 9-11.

Virtual Link Configuration

OSPF requires that each non-backbone area be connected to the backbone area (area 0). OSPF also requires that the routers in each area have a contiguous intra-area path to the other routers in the same area, because without that path, LSA flooding inside the area would fail. However, in some designs, meeting these requirements might be a challenge. You can use OSPF virtual links to overcome these problems.

For instance, in the top part of Figure 9-12, area 33 connects only to area 3, and not to area 0.

Figure 9-12 The Need for Virtual Links

[Figure not reproduced. Labels in the figure: Area 0, Area 3, Area 4, Area 33; R1, R3, R4, R5, R6, R7, R8, R33, S1; “Virtual Link – Transit Area 3”; “Virtual Link”; and a legend marking area 4’s failed links.]

One straightforward solution to area 33’s lack of connection to the backbone area would be to combine areas 3 and 33 into a single area, but OSPF virtual links could solve the problem as well. An OSPF virtual link allows a pair of routers to tunnel OSPF packets inside IP packets, across the IP network, to some other router that is not on the same data link. A virtual link between R3 and R1 gives area 33 a connection to area 0. Also note that R3 becomes an ABR, with a full copy of area 0’s LSDB entries.

While the top part of Figure 9-10 simply shows a possibly poor OSPF area design, the lower part shows what could happen just because of a particular set of link failures. The figure shows several failed links that result in a partitioned area 4. As a result of the failures, R7 and R8 have no area 4 links connecting to the other three routers in area 4. A virtual link can be used to connect R4 and R8—the requirement being that both R4 and R8 connect to a common and working area—recombining the partitions through the virtual link. (A better solution than the virtual link in this particular topology might be to trunk on R4 and R8, create a small subnet through the LAN switch, and put it in area 4.)

Example 9-12 demonstrates a virtual link configuration between R33 and R1, as shown in Figure 9-12. Note that the virtual link cannot pass through a transit area that is a stubby area, so area 3 has been changed to no longer be a stubby area.

Example 9-12 Virtual Link Between R3 and R1

! R1 has not learned subnet 10.3.2.0 yet, because area 33 has no link to area 0.
R1# show ip route ospf | incl 10.3.2.0
R1#
! The area virtual-link commands point to the other router’s RID, and the
! transit area over which the virtual link exists—area 3 in this case. Note that
! timers can be set on the area virtual-link command, as well as authentication.
! It is important when authenticating virtual links to remember that
! the virtual links themselves are in area 0.
! R1 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
router ospf 1
 area 3 virtual-link 3.3.3.3
! R3 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
router ospf 1
 area 3 virtual-link 1.1.1.1
! Below, the status of the virtual link is listed.
R1# show ip ospf virtual-links
Virtual Link OSPF_VL0 to router 3.3.3.3 is up
  Run as demand circuit
  DoNotAge LSA allowed.
  Transit area 3, via interface Serial0/0.3, Cost of using 64
  Transmit Delay is 1 sec, State POINT_TO_POINT,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
    Adjacency State FULL (Hello suppressed)
    Index 3/6, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
! Because R1 and R3 are also sharing the same link, there is a neighbor
! relationship in area 3 that has been seen in the other examples, listed off
! interface s0/0.3. The new virtual link neighbor relationship is shown as well,
! with interface VL0 listed.
R1# show ip ospf nei
! Lines omitted for brevity
Neighbor ID     Pri   State     Dead Time   Address     Interface
3.3.3.3           0   FULL/ -   -           10.3.13.3   OSPF_VL0
3.3.3.3           0   FULL/ -   00:00:10    10.3.13.3   Serial0/0.3
! Below, subnet 10.3.2.0/23, now in area 33, is learned by R1 over the Vlink.
R1# show ip route ospf | incl 10.3.2.0
O IA 10.3.2.0/23 [110/75] via 10.3.13.3, 00:00:10, Serial0/0.3

Configuring OSPF Authentication

One of the keys to keeping OSPF authentication configuration straight is to remember that it differs significantly from RIPv2 and EIGRP, although some of the concepts are very similar. The basic rules for configuring OSPF authentication are as follows:

■ Three types are available: type 0 (none), type 1 (clear text), and type 2 (MD5).

■ Authentication is enabled per interface using the ip ospf authentication interface subcommand.

■ The default authentication is type 0 (no authentication).

■ The default can be redefined using the area authentication subcommand under router ospf.

■ The keys are configured as interface subcommands.

■ Multiple keys are allowed per interface; if configured, OSPF sends multiple copies of each message, one for each key.

Table 9-7 lists the three OSPF authentication types, along with the commands to enable each type, and the commands to define the authentication keys. Note that the three authentication types can be seen in the messages generated by the debug ip ospf adjacency command.

Example 9-13 (again based on Figure 9-6) shows examples of type 1 and type 2 authentication configuration on routers R1 and R2. (Note that S1 and S2 have been shut down for this example, but they would need the same configuration as shown on R1 and R2.) In this example, both R1 and R2 use their fa0/0 interfaces, so their authentication configuration will be identical. As such, the example shows only the configuration on R1.

Table 9-7 OSPF Authentication Types

Type  Meaning     Enabling Interface Subcommand          Authentication Key Configuration Interface Subcommand
0     None        ip ospf authentication null            —
1     Clear text  ip ospf authentication                 ip ospf authentication-key key-value
2     MD5         ip ospf authentication message-digest  ip ospf message-digest-key key-number md5 key-value

Example 9-13 OSPF Authentication Using Only Interface Subcommands

! The two ip ospf commands are the same on R1 and R2. The first enables
! type 1 authentication, and the other defines the simple text key.
interface FastEthernet0/0
 ip ospf authentication
 ip ospf authentication-key key-t1
! Below, the neighbor relationship formed, proving that authentication works.
R1# show ip ospf neighbor fa 0/0
Neighbor ID     Pri   State      Dead Time   Address    Interface
2.2.2.2           1   FULL/BDR   00:00:37    10.1.1.2   FastEthernet0/0
! Next, each interface’s OSPF authentication type can be seen in the last line
! or two in the output of the show ip ospf interface command.
R1# show ip ospf int fa 0/0
! Lines omitted for brevity
  Simple password authentication enabled
! Below, both R1 and R2 change to use type 2 authentication. Note that the key
! must be defined with the ip ospf message-digest-key interface subcommand. Key
! chains cannot be used.
interface FastEthernet0/0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 key-t2
! Below, the command confirms type 2 (MD5) authentication, key number 1.
R1# show ip ospf int fa 0/0 | begin auth
! Lines omitted for brevity
  Message digest authentication enabled
    Youngest key id is 1

Example 9-13 shows two working examples of OSPF authentication, neither of which uses the area number authentication command under router ospf. Some texts imply that the area authentication command is required—in fact, it was required prior to Cisco IOS Software Release 12.0. In later IOS releases, the area authentication command simply tells the router to change that router’s default OSPF authentication type for all interfaces in that area. Table 9-8 summarizes the effects and syntax of the area authentication router subcommand.

The keys themselves are kept in clear text in the configuration, unless you add the service password-encryption global command to the configuration.

The last piece of authentication configuration relates to OSPF virtual links. Because virtual links have no underlying interface on which to configure authentication, authentication is configured on the area virtual-link command itself. Table 9-9 shows the variations of the command options for configuring authentication on virtual links. Note that beyond the base area number virtual-link rid command, the parameters use similar keywords as compared with the equivalent interface subcommands.

Table 9-8 Effect of the area authentication Command on OSPF Interface Authentication Settings

area authentication Command             Interfaces in That Area Default to Use…
(none configured)                       Type 0
area num authentication                 Type 1
area num authentication message-digest  Type 2

Table 9-9 Configuring OSPF Authentication on Virtual Links

Type  Command Syntax for Virtual Links
0     area num virtual-link router-id authentication null
1     area num virtual-link router-id authentication authentication-key key-value
2     area num virtual-link router-id authentication message-digest message-digest-key key-num md5 key-value


NOTE OSPF authentication is a good place for tricky CCIE lab questions—ones that can be solved in a few minutes if you know all the intricacies.
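
The interface rules in this section (per-interface type from Table 9-7, area default from Table 9-8, keys as interface subcommands, clear-text key storage without service password-encryption) can be checked mechanically against a saved configuration. The Python audit below is an added example, not part of the original text; the function name, the finding strings, and the sample configuration (including R1's interface addresses and network statements) are constructed for illustration, and virtual links are not covered.

```python
import ipaddress
import re

def audit_ospf_auth(config):
    """Return ({interface: effective auth type}, [findings]) for an IOS-style config."""
    area_default, networks, ifaces = {}, [], {}
    cur, in_ospf = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():                     # top-level command ends any sub-mode
            m = re.match(r"interface (\S+)$", line)
            cur = ifaces.setdefault(m.group(1), {"type": None, "keys": set(), "ip": None}) if m else None
            in_ospf = line.startswith("router ospf ")
        elif in_ospf:
            if m := re.match(r"area (\S+) authentication( message-digest)?$", line):
                area_default[m.group(1)] = 2 if m.group(2) else 1       # Table 9-8
            elif m := re.match(r"network (\S+) (\S+) area (\S+)$", line):
                net, wild = (int(ipaddress.ip_address(x)) for x in m.group(1, 2))
                networks.append((net, wild, m.group(3)))
        elif cur is not None:
            if m := re.match(r"ip address (\S+) \S+$", line):
                cur["ip"] = int(ipaddress.ip_address(m.group(1)))
            elif m := re.match(r"ip ospf authentication( null| message-digest)?$", line):
                cur["type"] = {None: 1, " null": 0, " message-digest": 2}[m.group(1)]  # Table 9-7
            elif re.match(r"ip ospf authentication-key \S", line):
                cur["keys"].add(1)
            elif re.match(r"ip ospf message-digest-key \d+ md5 \S", line):
                cur["keys"].add(2)
    effective, findings = {}, []
    if not re.search(r"^service password-encryption$", config, re.M):
        findings.append("keys are stored in clear text (no service password-encryption)")
    for name, i in ifaces.items():
        area = next((a for n, w, a in networks if i["ip"] is not None and i["ip"] | w == n | w), None)
        if area is None:
            continue                                  # not matched by any network statement
        eff = effective[name] = i["type"] if i["type"] is not None else area_default.get(area, 0)
        if eff < 2:
            findings.append(f"{name}: type {eff} ({('no authentication', 'clear-text key')[eff]})")
        if eff and eff not in i["keys"]:
            findings.append(f"{name}: type {eff} enabled but no matching key configured")
    return effective, findings

# Constructed sample: an R1-like configuration (addresses and network statements are made up).
SAMPLE = """\
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 network 10.3.13.0 0.0.0.255 area 3
 network 10.5.15.0 0.0.0.255 area 5
 area 3 authentication message-digest
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip ospf authentication
 ip ospf authentication-key key-t1
interface Serial0/0.3
 ip address 10.3.13.1 255.255.255.0
interface Serial0/0.5
 ip address 10.5.15.1 255.255.255.0
"""
```

On SAMPLE, audit_ospf_auth reports FastEthernet0/0 as type 1, Serial0/0.3 as type 2 inherited from the area default but with no key, and Serial0/0.5 as type 0.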