Get creative: OSPF route filters

A few readers pointed out that I forgot about OSPF route filters in the post I wrote about running OSPF across a firewall. Actually I didn't: the feature is available only in IOS, not in ASA/PIX. More importantly, this is not the familiar route-update filtering you know from EIGRP, BGP or RIP. The routing updates (LSAs) are not filtered (and must not be in a link-state protocol); the filter only controls which IP prefixes computed by SPF are transferred from the SPF tree into the IP routing table.

To keep the record straight, I have to point out that this is not a new feature. You could have achieved a similar result (almost) forever with the distance 255 command (remember: administrative distance 255 = totally unbelievable = never installed). Later the distribute-list in router configuration command was added, and in 12.2T it was extended to accept a route-map.
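The three IOS mechanisms mentioned above, written out as an added configuration example (this is not configuration from the original post): the prefix 192.0.2.0/24 stands in for an unwanted external route, and the process ID, AS number, access-list, prefix-list and route-map names are assumptions chosen for illustration. The three router-side methods are alternatives, so pick one; the last stanza shows the ASBR-side filter on the redistribution point, which is the only variant that actually stops the type-5 LSA from being originated.

```cisco
! Added example, not from the original post. 192.0.2.0/24, OSPF process 1,
! BGP AS 65000 and all list/route-map names are assumptions.
!
! Methods 1-3 are configured on a plain OSPF router. None of them removes the
! LSA: "show ip ospf database external 192.0.2.0" still shows it on every
! router in the area, only "show ip route 192.0.2.0" comes back empty on the
! router where the filter is configured. That router keeps flooding the LSA,
! so its neighbors still compute a path through it and it becomes a blackhole.

! Method 1: administrative distance 255 ("totally unbelievable").
! The distance command matches on the source (advertising router); the
! 0.0.0.0 255.255.255.255 pair means "any source" and the standard ACL
! selects the prefixes that must never be installed.
ip access-list standard NO-INSTALL
 permit 192.0.2.0 0.0.0.255
!
router ospf 1
 distance 255 0.0.0.0 255.255.255.255 NO-INSTALL

! Method 2: distribute-list in with a prefix list. Whitelist the address
! space you know belongs to your domain; the implicit deny at the end of the
! prefix list drops 192.0.2.0/24 (and anything else) before it reaches the
! routing table.
ip prefix-list OUR-NETS seq 10 permit 10.0.0.0/8 le 24
ip prefix-list OUR-NETS seq 20 permit 172.16.0.0/12 le 24
!
router ospf 1
 distribute-list prefix OUR-NETS in

! Method 3 (12.2T and later): distribute-list in with a route-map, which can
! combine a prefix match with other criteria such as route type or tag.
ip prefix-list BOGUS seq 10 permit 192.0.2.0/24
!
route-map OSPF-IN deny 10
 match ip address prefix-list BOGUS
route-map OSPF-IN permit 20
!
router ospf 1
 distribute-list route-map OSPF-IN in

! Preferred alternative, configured on the ASBR that does the redistribution:
! filter at the source. Prefixes denied by the route-map are never
! redistributed, so no type-5 LSA is ever originated, and no router in the
! domain spends memory, CPU or bandwidth on them.
router ospf 1
 redistribute bgp 65000 subnets route-map BGP-TO-OSPF
!
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list OUR-NETS
! implicit deny: everything not in OUR-NETS stays out of OSPF entirely
```

To see the difference between the two approaches on a lab router, compare the LSA count in "show ip ospf database database-summary" before and after applying each filter: the inbound filters leave it unchanged, the ASBR-side route-map reduces it.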

However, as this functionality is totally different from the distance-vector route filters and doesn't fit OSPF concepts well, you have to use it very carefully. Every OSPF router still propagates all the LSAs and includes them in its SPF run, so its neighbors still compute paths through it toward the filtered prefixes. If that router then fails to install the resulting IP prefixes in its IP routing table, it becomes a potential blackhole: traffic is forwarded to it and dropped there (see the following figure).


With all this being said, I cannot see “OSPF inbound filtering” (as it's somewhat inappropriately named) being widely used. Do you have any great scenarios where this feature would be really helpful?

7 comments:

  1. Deployed in every OSPF router in the domain, this would prevent insertion of extraneous routing table entries into the FIB.

    Imagine someone running OSPF and BGP, and a network engineer doing a "redistribute bgp" into OSPF - and imagine how those poor OSPF speakers would feel :)

    Add a distribute-list in only allowing networks you know to be in your domain - filter everything else.

  2. If you're deploying the same filter on every OSPF router in the domain, it's much easier (and more resource-effective) to filter the incoming prefixes in the redistribution points. Obviously I have to reiterate: the distribute-list in used in OSPF does NOT reduce the number of LSAs, memory consumption or CPU usage, just the prefixes that are transferred into the IP routing table.

    Furthermore … I've been teaching, writing and saying this for 15 years, but obviously the myth persists: you should NOT (repeat NOT) redistribute BGP into IGP. You might have to in the CCIE scenarios to get points, but should never do it in real life. And the distribute-list in will not help you; the routers will still drown under the type-5 LSAs, the CPU utilization will still go through the roof, only you won't see the routes in the show ip route printout.

  3. I was trying to say "this would be a measure to prevent ERRORS"

    Kind of "last time someone SNAFU'ed and did a redistribute of BGP into OSPF by mistake, we crashed 80% of the routers"

    So, this is the cure :)

  4. Whether your OSPF routers survive messed-up redistribution of BGP routes depends on a number of factors. The LSAs are still there (on all routers) and the partial SPF is still run, so memory, bandwidth and CPU consumption are still high.

    You do, however, reduce the IP routing table and CEF table sizes (assuming the OSPF routers are not running BGP as well), which might be enough to save you.

  5. You should clarify that you should never redistribute *Internet* BGP prefixes into an IGP.

    If you are running enterprise MPLS VPNs with a service provider that requires BGP, BGP<->IGP redistribution is going to be the rule rather than the exception.

    On the topic at hand, I would say that the maximum-prefix feature, along with careful use of TACACS authorization, are better ways to prevent redistribution mistakes than maintaining a lot of route filters.

  6. @js: You're absolutely right, it applies primarily to the Internet scenarios ... although even MPLS VPNs are simpler if you can use default route into VPN IGP ;)

    I have to test the maximum-prefix feature to figure out what it drops and under what circumstances.

  7. I had to filter OSPF routes from a PIX that was sending host routes for all of its NATed addresses out of two interfaces with the same cost.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.