Cisco – Prevent OSPF routes advertised by other routers from entering the routing table

Tags: cisco, ospf, route-filter, router, routing

I have a fairly complicated scenario that I've managed to duplicate with GNS3. Please see the attached image. In this scenario I have four "Branch Offices" each with their own router connected to each other with a /30 network between them. Each branch office has a simple layer 2 dumb switch with two hosts.

NetworkA and NetworkB are in OSPF area 0. While NetworkC and NetworkD are in area 1 with NetworkD connecting both areas.

OSPF adjacencies are formed between:

  • NetworkA and NetworkB
  • NetworkB and NetworkD
  • NetworkD and NetworkC
  • An OSPF adjacency is NOT formed between NetworkA and NetworkC.

For the sake of this question we're going to pretend that we're not allowed to form an OSPF adjacency between NetworkA and NetworkC. We're also going to pretend that we actually don't know what IPs are found behind NetworkA; even though the picture shows that the 192.168.1.16/29 subnet is there. For this reason we've set the gateway of last resort on NetworkC to point toward NetworkA.

So right now, NetworkA is advertising its networks to NetworkB, which in turn is advertising its networks to NetworkD, and then finally they're being advertised to NetworkC. If a host on NetworkC (PC-3) attempts to ping a host on NetworkA (PC-2), then the packet goes all the way around to NetworkD, then to NetworkB, and then finally through NetworkA, rather than taking the path directly between NetworkC and NetworkA. This is because there are OSPF routes in NetworkC's routing table telling it to forward them through NetworkD.

I'd like to find a way for traffic destined to NetworkA from NetworkC to go through the gateway of last resort. I believe what I need to do is set up a way for NetworkC to suppress any OSPF routes that it receives for NetworkA and rely entirely on its gateway of last resort to access anything behind NetworkA.

I can make this work by simply adding static routes on both NetworkA and NetworkC but for this question we're pretending that we don't know what IPs are behind NetworkA (despite them being displayed in the diagram). For that reason I can't use a static route on NetworkCRouter to the 192.168.1.16/29 network and vice versa on NetworkARouter to 192.168.1.24/29 network.

I've been looking at OSPF Inbound Filtering by using a route-map with a distribution list to match on specific routes and deny them from being added to the routing table. But I can't figure out how to implement it correctly. Is this something you would do? Or I believe an alternative is to divide them up by using separate OSPF process ids. But I'm not sure how to get that to work either.


Best Answer

You cannot have a default route (0.0.0.0/0) be a preferred route. The route with the longest match in a routing table is always the one chosen to which a router will forward traffic. Any route with a mask length longer than 0 (any route other than a default route) that matches the destination will be chosen before the default route.

It would be possible using PBR (Policy-Based Routing) to construct a policy to send traffic to Router A, but you would again need to know the network(s) behind Router A to create the policy.

If you block Router C from learning the route from Router D, then you would lose any path to the network(s) behind Router A if the link from Router C to Router A fails (see below*), but you would need to know which route(s) to block, or you could block advertising the route(s) to Router C on Router D.


*Also, don't forget about AD (Administrative Distance). For Cisco devices, the AD of OSPF is 110, but the AD for a statically defined route is only 1. That means that the statically defined route is preferred (AD is like golf, the lower score wins).

Simply placing a static route for the 192.168.1.16/29 network pointing to 192.168.1.10 in Router C will cause Router C to send any traffic destined for that network to Router A. If the interface toward router A fails, the route will be withdrawn, and the route learned via OSPF will be placed in the routing table.


Edit:

This is one way (there are several) that you could do it with an area filter:

Router D:

interface Loopback0
 ip address 192.168.1.253 255.255.255.255
!
interface GigabitEthernet0/0
 description Interface to Router C GigabitEthernet0/0
 ip address 192.168.1.5 255.255.255.252
!
interface GigabitEthernet0/1
 description Interface to Router B GigabitEthernet0/1
 ip address 192.168.1.13 255.255.255.252
!
interface GigabitEthernet0/2
 description Interface to Switch D Ethernet0
 ip address 192.168.1.41 255.255.255.248
!
router ospf 1
 ! Network to Router C (area 1); everything else is area 0
 network 192.168.1.4 0.0.0.3 area 1
 network 192.168.1.12 0.0.0.3 area 0
 network 192.168.1.40 0.0.0.7 area 0
 network 192.168.1.253 0.0.0.0 area 0
 ! Filter Type 3 summary LSAs leaving area 0 (toward area 1)
 area 0 filter-list prefix NetworkA out
!
! Entries need distinct sequence numbers; a second "seq 10" would replace the first.
! "le 32" permits every other prefix of any length (implicit deny otherwise).
ip prefix-list NetworkA seq 10 deny 192.168.1.16/29
ip prefix-list NetworkA seq 20 permit 0.0.0.0/0 le 32
!

Router C:

interface Loopback0
 ip address 192.168.1.251 255.255.255.255
!
interface GigabitEthernet0/0
 description Interface to Router D GigabitEthernet0/0
 ip address 192.168.1.6 255.255.255.252
!
interface GigabitEthernet0/1
 description Interface to Switch C Ethernet0/0
 ! The LAN is 192.168.1.24/29 (mask .248); .25 is assumed as the router's host address
 ip address 192.168.1.25 255.255.255.248
!
interface GigabitEthernet0/3
 description Interface to Router A GigabitEthernet0/0
 ! /30 link to Router A (192.168.1.8/30); Router A is 192.168.1.10
 ip address 192.168.1.9 255.255.255.252
!
router ospf 1
 ! No OSPF hellos toward Router A
 passive-interface GigabitEthernet0/3
 ! Include all interfaces in OSPF area 1
 network 0.0.0.0 255.255.255.255 area 1
!
! Default route (gateway of last resort) to Router A
ip route 0.0.0.0 0.0.0.0 192.168.1.10
!

Using an area filter, you can permit or deny any networks between areas. It has the in and out keywords, and you can place the filter on any area connected to the ABR, e.g. out from Area 0 or in to Area 1. Remember that an ABR must be connected to Area 0 because all inter-area traffic goes through Area 0.


Cisco has several documents about OSPF filtering, e.g. ABR Type 3 LSA filtering, just search for them.
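As an added illustration of the route-selection rules the answer relies on (longest-prefix match first, administrative distance second) and of how the ABR prefix-list filter changes what Router C ends up with, here is a small Python model. It is not the answer's configuration or Cisco code; the RIB, the prefix-list evaluator and the host address 192.168.1.18 for PC-2 are constructed for the example, while the prefixes, next hops and AD values are the ones the question and answer give.

```python
"""Model of route selection and ABR prefix-list filtering from the answer.

Constructed example, not the answer's configuration: a tiny RIB that picks
routes by longest prefix and then by administrative distance, plus a
first-match prefix-list evaluator of the kind an OSPF area filter-list uses.
"""
import ipaddress
from dataclasses import dataclass

# Cisco administrative distances cited in the answer
AD_STATIC = 1
AD_OSPF = 110


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    ad: int
    source: str


def install(rib, candidates):
    """Return a new RIB keeping, per prefix, only the lowest-AD candidate
    (what a router does when several sources offer the same prefix)."""
    best = {r.prefix: r for r in rib}
    for r in candidates:
        cur = best.get(r.prefix)
        if cur is None or r.ad < cur.ad:
            best[r.prefix] = r
    return list(best.values())


def lookup(rib, dst):
    """Longest-prefix match: the most specific matching route wins, so the
    default route is used only when nothing more specific matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in rib if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def prefix_list_permits(entries, prefix):
    """IOS-style prefix list: entries checked in seq order, first match
    decides, implicit deny at the end. Entry = (seq, action, net, ge, le)."""
    net = ipaddress.IPv4Network(prefix)
    for _seq, action, entry_net, ge, le in sorted(entries):
        entry_net = ipaddress.IPv4Network(entry_net)
        lo = ge if ge is not None else entry_net.prefixlen
        hi = le if le is not None else (entry_net.prefixlen if ge is None else 32)
        if net.subnet_of(entry_net) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


# Router C's view: static default toward Router A (192.168.1.10) and the
# /29 behind Router A learned via OSPF from Router D (192.168.1.5).
DEFAULT_VIA_A = Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.168.1.10", AD_STATIC, "static")
NETWORK_A_VIA_D = Route(ipaddress.IPv4Network("192.168.1.16/29"), "192.168.1.5", AD_OSPF, "ospf")
PC2 = "192.168.1.18"  # constructed host address inside 192.168.1.16/29

# Router D's area-0 filter-list from the answer, with distinct sequence numbers
NETWORK_A_FILTER = [
    (10, "deny", "192.168.1.16/29", None, None),
    (20, "permit", "0.0.0.0/0", None, 32),
]


def next_hop_unfiltered():
    """Case 1: the OSPF /29 beats the /0 default on prefix length."""
    rib = install([], [DEFAULT_VIA_A, NETWORK_A_VIA_D])
    return lookup(rib, PC2).next_hop


def next_hop_with_static():
    """Case 2: a static /29 toward Router A wins on AD (1 < 110)."""
    static_a = Route(ipaddress.IPv4Network("192.168.1.16/29"), "192.168.1.10", AD_STATIC, "static")
    rib = install([], [DEFAULT_VIA_A, NETWORK_A_VIA_D, static_a])
    return lookup(rib, PC2).next_hop


def next_hop_with_abr_filter():
    """Case 3: Router D filters the /29 summary, so Router C falls back to
    its default route while still learning other area-0 prefixes."""
    advertised = [NETWORK_A_VIA_D,
                  Route(ipaddress.IPv4Network("192.168.1.40/29"), "192.168.1.5", AD_OSPF, "ospf")]
    learned = [r for r in advertised if prefix_list_permits(NETWORK_A_FILTER, str(r.prefix))]
    rib = install([], [DEFAULT_VIA_A] + learned)
    return lookup(rib, PC2).next_hop, [str(r.prefix) for r in learned]


if __name__ == "__main__":
    print("unfiltered:", next_hop_unfiltered())
    print("static /29:", next_hop_with_static())
    print("ABR filter:", next_hop_with_abr_filter())
```

The three cases line up with the answer: with the OSPF /29 present, the default is never consulted for PC-2; a static /29 takes over purely on AD; and dropping the summary at the ABR is the only variant where the default route carries the traffic, at the cost of losing the backup path through Router D.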