
Filtering inside OSPF Process/Area

Created: Sep 20, 2018 09:48:39
Latest reply: Sep 27, 2018 03:25:42
Rewarded HiCoins: 0 (problem resolved)

This post was last edited by Robyn at 2018-09-20 09:59.

Hey! I'm looking for a construct to filter outgoing routes inside an OSPF-Process with one area. The default-route should be redistributed to the ospf-peers but no more, like 1:n. Border Router sends default-route and receives routes from cpe's. CPE's send own routes and receive only the default-route (every cpe has a single network with the board router).
What's wrong?


For example, different tested and no success:
#
ospf 2 router-id 123.123.123.123
 default-route-advertise
 filter-policy route-policy cpe-filter import
 filter-policy acl-name ospf2cpe export ospf 2 filter-policy ip-prefix defaultroute export
 area 0.0.0.1
  filter 2111 export
#
ip ip-prefix defaultroute index 10 permit 0.0.0.0 0
#
acl number 2111
 rule 5 permit source 0.0.0.0 0
#
acl name ospf2cpe basic
 rule 5 permit source 0.0.0.0 0
 rule 10 deny
#


All Answers
Fathy Created Sep 20, 2018 11:01:48

This post was last edited by Fathy at 2018-09-20 11:03.

Hello Robyn,

Could you please clarify the information below so we can get more detail about your desired solution:

1- Do you have two routing domains, like OSPF and RIP? Or between two OSPF areas? If yes, what are those two areas?
2- (According to ospf process 2 Area 0.0.0.1) are you aiming to filter routes incoming to Area 1, or outgoing from Area 1?
3- More details will be better to understand your scenario; also better if you can share a simple topology of your solution.

Robyn Created Sep 20, 2018 11:20:28

Posted by Fathy at 2018-09-20 11:01: Hello Robyn, Could you please clarify below information so we can get More detailed about your desire ...

Hello Fathy,
1. Yes, I have two domains.
- Process 1 with area 0 for Backbone Connections Domain (import ospf 2 area1, direct, static)
- Process 2 with area 1 as customer/cpe Domain (import/advertise only defaultroute)

2. Inside the area 1, the customer routers should only see the defaultroute, no routes from other cpe's. The area 0 should only see the customer routes (already works with: filter-policy route-policy cpe-filter import)

3. A simple/secure/overhead-reduction area 1 is the goal with working filtering - just see what's important to you

(like "distribute-list route-map list-ospf2ospf out" on other manufacturer with a corresponding route map)




Fathy Created Sep 20, 2018 11:43:29

Hello Robyn,

This scenario needs a new SR to be recorded to collect more logs and the topology, so please contact our TAC public mail from the following list:

Middle East and Africa Region / Pakistan: measupport@huawei.com
Europe TAC: Eusupport@huawei.com
Asia TAC: apsupport@huawei.com

Sergio93 Created Sep 20, 2018 11:52:28

This post was last edited by Sergio93 at 2018-09-20 06:54.

Hello,

Please check if the following example is useful; you can block all the other routers through an ACL and allow only the default route to be advertised/received:

Figure: Networking diagram for filtering received and advertised routes

Networking Requirements

RouterA receives routes from the Internet and provides these routes for the OSPF network. A user wants devices on the OSPF network to access only the network segments 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24, and RouterC to access only the network segment 172.1.18.0/24.

Configuration Roadmap

The following configurations are performed on the Router. The configuration roadmap is as follows:

  1. Configure an ACL on RouterA so that RouterA advertises only the 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24 routes to RouterB. In this situation, the OSPF network can access only 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24.

  2. Configure an ACL on RouterC so that RouterC receives only the 172.1.18.0/24 routes. In this situation, the network connected to RouterC can access only the network segments 172.1.18.0/24.

Procedure

  1. Assign an IP address to each interface.

    # Configure IP addresses for all interfaces of RouterA.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] undo portswitch
    [RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit

    The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.

  2. Configure basic OSPF functions.

    # Configure RouterA.

    [RouterA] ospf
    [RouterA-ospf-1] area 0
    [RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [RouterA-ospf-1-area-0.0.0.0] quit
    [RouterA-ospf-1] quit

    # Configure RouterB.

    [RouterB] ospf
    [RouterB-ospf-1] area 0
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
    [RouterB-ospf-1-area-0.0.0.0] quit

    # Configure RouterC.

    [RouterC] ospf
    [RouterC-ospf-1] area 0
    [RouterC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
    [RouterC-ospf-1-area-0.0.0.0] quit
    [RouterC-ospf-1] quit

    # Configure RouterD.

    [RouterD] ospf
    [RouterD-ospf-1] area 0
    [RouterD-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
    [RouterD-ospf-1-area-0.0.0.0] quit

  3. Configure five static routes on RouterA and import these routes into OSPF.

    [RouterA] ip route-static 172.1.16.0 24 NULL 0
    [RouterA] ip route-static 172.1.17.0 24 NULL 0
    [RouterA] ip route-static 172.1.18.0 24 NULL 0
    [RouterA] ip route-static 172.1.19.0 24 NULL 0
    [RouterA] ip route-static 172.1.20.0 24 NULL 0
    [RouterA] ospf
    [RouterA-ospf-1] import-route static
    [RouterA-ospf-1] quit

    # Check the IP routing table on RouterB. You can see that the five static routes are imported into OSPF.

    [RouterB] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 18       Routes : 18       
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
         172.1.16.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
         172.1.17.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
         172.1.18.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
         172.1.19.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
         172.1.20.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        192.168.1.0/24  Direct  0    0           D   192.168.1.2     GigabitEthernet1/0/0
        192.168.1.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      192.168.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
        192.168.2.0/24  Direct  0    0           D   192.168.2.1     GigabitEthernet3/0/0
        192.168.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet3/0/0
      192.168.2.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet3/0/0
        192.168.3.0/24  Direct  0    0           D   192.168.3.1     GigabitEthernet2/0/0
        192.168.3.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
      192.168.3.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
    255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

  4. Configure a route advertisement policy.

    # Configure ACL 2002 on RouterA to allow only 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24 to pass.

    [RouterA] acl number 2002
    [RouterA-acl-basic-2002] rule permit source 172.1.17.0 0.0.0.255
    [RouterA-acl-basic-2002] rule permit source 172.1.18.0 0.0.0.255
    [RouterA-acl-basic-2002] rule permit source 172.1.19.0 0.0.0.255
    [RouterA-acl-basic-2002] quit
    

    # Configure a route advertisement policy on RouterA and associate ACL 2002 with the policy to filter routes.

    [RouterA] ospf
    [RouterA-ospf-1] filter-policy 2002 export static
    [RouterA-ospf-1] quit

    # View the IP routing table on RouterB. RouterB has received only the three routes defined in ACL 2002.

    [RouterB] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 16       Routes : 16       
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
         172.1.17.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
         172.1.18.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
         172.1.19.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
        192.168.1.0/24  Direct  0    0           D   192.168.1.2     GigabitEthernet1/0/0
        192.168.1.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      192.168.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
        192.168.2.0/24  Direct  0    0           D   192.168.2.1     GigabitEthernet3/0/0
        192.168.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet3/0/0
      192.168.2.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet3/0/0
        192.168.3.0/24  Direct  0    0           D   192.168.3.1     GigabitEthernet2/0/0
        192.168.3.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
      192.168.3.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
    255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    

  5. Configure a route receiving policy.

    # Configure ACL 2003 on RouterC to allow only 172.1.18.0/24 to pass.

    [RouterC] acl number 2003
    [RouterC-acl-basic-2003] rule permit source 172.1.18.0 0.0.0.255
    [RouterC-acl-basic-2003] quit

    # Configure a route receiving policy on RouterC and associate ACL 2003 with the policy to filter routes.

    [RouterC] ospf
    [RouterC-ospf-1] filter-policy 2003 import
    [RouterC-ospf-1] quit

    # View the IP routing table on RouterC. RouterC has received only the route defined in ACL 2003.

    [RouterC] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 8        Routes : 8        
    
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
          127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
          127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
         172.1.18.0/24  O_ASE   150  1           D   192.168.2.1     GigabitEthernet1/0/0
        192.168.2.0/24  Direct  0    0           D   192.168.2.2     GigabitEthernet1/0/0
        192.168.2.2/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      192.168.2.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
    255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

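An added example, not part of Sergio93's post or of Huawei's documentation: a Python check that parses basic-ACL rule lines in the form used on this page and flags OSPF-learned rows of `display ip routing-table` output that the ACL would not permit, run here on ACL 2002 and RouterB's table from before the filter was applied. It assumes first-match semantics with an implicit deny for unmatched routes, which is what the filtered tables above show; the function names are illustrative.

```python
import ipaddress
import re

# Basic-ACL rule lines as written on this page ("rule [id] permit|deny [source addr wildcard]").
RULE_RE = re.compile(r"rule(?:[ \t]+\d+)?[ \t]+(permit|deny)(?:[ \t]+source[ \t]+(\S+)[ \t]+(\S+))?")
# OSPF-learned rows of "display ip routing-table" (Proto column OSPF, O_ASE or O_NSSA).
ROUTE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)/(\d+)\s+(?:OSPF|O_ASE|O_NSSA)\s", re.M)

def parse_acl(text):
    """Return [(action, address, wildcard)] with integer addresses, in configuration order."""
    rules = []
    for action, src, wild in RULE_RE.findall(text):
        if not src:               # a rule without "source" matches every address
            src, wild = "0.0.0.0", "255.255.255.255"
        wild = "0.0.0.0" if wild == "0" else wild   # "0" is shorthand for an exact match
        rules.append((action, int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(wild))))
    return rules

def acl_permits(rules, network):
    """First matching rule decides; no match means deny. Mask length is not compared."""
    addr = int(ipaddress.IPv4Address(network))
    for action, src, wild in rules:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if addr & care == src & care:
            return action == "permit"
    return False

def unexpected_ospf_routes(acl_text, table_text):
    """OSPF-learned prefixes present in the table that the ACL does not permit."""
    rules = parse_acl(acl_text)
    return [f"{net}/{plen}" for net, plen in ROUTE_RE.findall(table_text)
            if not acl_permits(rules, net)]

# ACL 2002 and RouterB's rows before the filter, excerpted from the post above.
ACL_2002 = """
[RouterA-acl-basic-2002] rule permit source 172.1.17.0 0.0.0.255
[RouterA-acl-basic-2002] rule permit source 172.1.18.0 0.0.0.255
[RouterA-acl-basic-2002] rule permit source 172.1.19.0 0.0.0.255
"""
ROUTERB_BEFORE = """
     172.1.16.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
     172.1.17.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
     172.1.18.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
     172.1.19.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
     172.1.20.0/24  O_ASE   150  1           D   192.168.1.1     GigabitEthernet1/0/0
    192.168.1.0/24  Direct  0    0           D   192.168.1.2     GigabitEthernet1/0/0
"""

if __name__ == "__main__":
    print(unexpected_ospf_routes(ACL_2002, ROUTERB_BEFORE))
```

The same `acl_permits` call can be pointed at the question's `rule 5 permit source 0.0.0.0 0` / `rule 10 deny` pair to confirm it admits only the 0.0.0.0 network address.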

chenhui Admin Created Sep 21, 2018 02:04:53

This post was last edited by user_3154845 at 2018-09-21 02:06.

Posted by Robyn at 2018-09-21 02:06: Hello Fathy, 1. yes i have two domains. - Process 1 with area 0 for Backbone Connections Domain (imp ...

Hello Robyn, I suppose that you upload a simple topology, this can help us understand your meaning better.

Actually, I don't get what you mean in the second point. What I learn from your description is that there are two OSPF areas: process 1 with area 0 should have all the network routes from area 1, and process 2 with area 1 keeps only the default route from area 0, is that right? If I describe it correctly, why not try OSPF totally stub or OSPF totally NSSA?

What's more, the command filter-policy acl-name ospf2cpe export ospf 2 filter-policy ip-prefix defaultroute export wouldn't work in the outbound direction, since OSPF is a link-state protocol: it advertises LSAs, not routes.

Moreover, if this command works, it will bring a new problem: the CPE router imports the default route and the CPE's peer receives the default route advertised by the CPE; this will make the CPE and the CPE's peer have default routes towards each other, which is a route loop.

faysalji Author Created Sep 24, 2018 07:17:31

Hope the problem is solved

Mysterious.color Created Sep 27, 2018 03:25:42

try to use ACL