Filtering out External Links in OSPF

Status
Not open for further replies.

Multivitamin86

Technical User
Feb 19, 2009
Hi, I'm a bit of a nomad in IT.

I've been trying in GNS to come up with a configuration to filter out my external links in OSPF to some routers but not others. It's part of the way there, but the more I think about how this is going to be completed, the more I'm beginning to see it will be more complicated. So here's what I'm trying to do; any help is appreciated.

R1 has two OSPF WAN networks and one internet breakout. The internet breakout is via the trusted interface, 192.168.100.2.

R1

interface GigabitEthernet1/0/1
 description [OSPF-to-R2-R3]
 no switchport
 ip address 172.16.120.1 255.255.255.224
 ip ospf priority 200
 no shutdown

interface GigabitEthernet1/0/2
 description [OSPF-to-R4-R5]
 no switchport
 ip address 172.16.120.33 255.255.255.224
 ip ospf priority 200
 no shutdown

interface Vlan2
 description [LAN-PCs]
 ip address 192.168.100.1 255.255.255.0
 no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.100.2

router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no passive-interface GigabitEthernet1/0/2
 network 172.16.120.0 0.0.0.31 area 0
 network 172.16.120.32 0.0.0.31 area 0
 network 192.168.100.0 0.0.0.255 area 0
 default-information originate

R2 has two OSPF WAN networks and one internet breakout. The internet breakout is via the trusted interface, 192.168.101.2. It needs to use its own internet breakout; hence the internet breakout.

interface GigabitEthernet1/0/1
 description [OSPF-to-R1-R3]
 no switchport
 ip address 172.16.120.2 255.255.255.224
 ip ospf priority 200
 no shutdown

interface GigabitEthernet1/0/2
 description [OSPF-to-R4-R5]
 no switchport
 ip address 172.16.120.34 255.255.255.224
 ip ospf priority 200
 no shutdown

interface Vlan3
 description [Aber-LAN-PCs]
 ip address 192.168.101.1 255.255.255.0
 no shutdown

! Standard ACL: drop the 0.0.0.0 (default) prefix, let everything else through
access-list 1 deny 0.0.0.0
access-list 1 permit any

ip route 0.0.0.0 0.0.0.0 192.168.101.2

router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no passive-interface GigabitEthernet1/0/2
 network 172.16.120.0 0.0.0.31 area 0
 network 172.16.120.32 0.0.0.31 area 0
 network 192.168.101.0 0.0.0.255 area 0
 default-information originate
 distribute-list 1 in

R3 has a single OSPF WAN link to R1 & R2. R3 needs to use R1's internet breakout. I've configured the firewall trusted interface on the LAN network at R1 to accept traffic from R3 and that's fine, but since adding R2 I need to filter the default route from R2 out to R3 and R1.

interface GigabitEthernet1/0/1
 description [OSPF-to-R1-R2]
 no switchport
 ip address 172.16.120.3 255.255.255.224
 ip ospf priority 200
 no shutdown

interface Vlan4
 description [Inver-LAN-PCs]
 ip address 192.168.102.1 255.255.255.0
 no shutdown

router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 network 172.16.120.0 0.0.0.31 area 0
 network 192.168.102.0 0.0.0.255 area 0
 default-information originate

R4

interface GigabitEthernet1/0/1
 description [OSPF-to-R1-R2-R5]
 no switchport
 ip address 172.16.120.35 255.255.255.224
 ip ospf priority 200
 no shutdown

interface Vlan40
 description [LAB-LAN-PCs]
 ip address 192.168.200.1 255.255.255.0
 no shutdown

router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 network 172.16.120.32 0.0.0.31 area 0
 network 192.168.200.0 0.0.0.255 area 0
 default-information originate

R5

interface GigabitEthernet1/0/1
 description [OSPF-to-R1-R2-R4]
 no switchport
 ip address 172.16.120.36 255.255.255.224
 ip ospf priority 200
 no shutdown

interface Vlan40
 description [LAB2-LAN-PCs]
 ip address 192.168.201.1 255.255.255.0
 no shutdown

router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 network 172.16.120.32 0.0.0.31 area 0
 ! Vlan40 on R5 is 192.168.201.0/24, so the network statement must match it
 network 192.168.201.0 0.0.0.255 area 0
 default-information originate

I suppose at this point I've stopped wanting to filter incoming OSPF external routes and want to stop them being sent out over specific interfaces instead.

I want R2, R4 and R5 to use R2's internet breakout and R1 and R3 to use R1's internet BO. So on R2 I've stopped the default route coming in with the distribute-list in command, using a fairly basic access-list, when connected over gi 1/0/1. In my GNS labs I can see the default route changing in the show ip route output on R3. I need this to only be received from R1. I was thinking I would need to use a route-map on R2 for the networks at R3, only allow the two networks, and block the advertising of my default route from R2. Something like the below.

////To stop the advertising out////

....
access-list 2 permit 172.16.120.0 0.0.0.31
access-list 2 permit 192.168.101.0 0.0.0.255
access-list 2 deny 0.0.0.0

router ospf 10
 .....
 distribute-list 2 out GigabitEthernet1/0/1

////To allow it out////

access-list 3 permit 172.16.120.0 0.0.0.31
access-list 3 permit 192.168.101.0 0.0.0.255
access-list 3 permit 0.0.0.0
.....
router ospf 10
 distribute-list 3 out GigabitEthernet1/0/2

Is this possible or am I coming at it from the wrong angle?

Thanks MV
 
So all you are wanting to do is have the router use the closest default route, correct?
 
In a way, yes. It's more a network-required internet breakout. R1 and R3 need to use ISP 1, and R2, R4 & R5 need to use ISP 2.

Are you thinking I should be applying a distance metric to the router id based on the router source?

I had another thought earlier but I may have read too many conflicting articles elsewhere.

Could I do a route-map on the default-information originate (ROUTE-EXT, as per the below) and remove the ip route 0.0.0.0 0.0.0.0 192.168.100.2?

R1
.....
access-list 1 permit 192.168.100.0 0.0.0.255
route-map ROUTE-EXT permit 10
 match ip address 1
 set ip default next-hop 192.168.100.2
.....
router ospf 10
 default-information originate route-map ROUTE-EXT

R3
access-list 1 permit 192.168.102.0 0.0.0.255
route-map ROUTE-EXT permit 10
 match ip address 1
 set ip default next-hop 192.168.100.2
router ospf 10
 default-information originate route-map ROUTE-EXT

Or is PBR too far in this case?

The solution is incredibly easy if you stop and think about the different types of areas and how LSAs are propagated from one to another. A very easy win in this case is to split this up into two areas:
- gi1/0/1 on R1, gi1/0/1 on R2, and gi1/0/1 on R3 in Area 0
- gi1/0/2 on R1, gi1/0/2 on R2, gi1/0/1 on R4, and gi1/0/1 on R5 in Area 1. Make Area 1 an NSSA. On R2 add area 1 nssa default-information-originate
- Remove default-information originate from all of your routers except for R1

What does this do? An NSSA permits you to have an ASBR in a stub area, but it also filters certain LSA types. An NSSA will filter Type 5 LSAs (external), which is what R1 generates when you add default-information originate, so R4 and R5 will not receive a default from R1. Also, since you are generating a default route into the NSSA and not the backbone from R2, R3 will not receive a default from R2. R2 will have a Type 5 LSA for the default being generated by R1, but it will not use it as its best path.

If you can't use multiple areas then you are stuck with some funky engineering using distribute-lists inbound on each router, matching the default either from R1 or from R2. Note that this will only filter the route from the routing table, not from the LSA database. Route filtering is very tricky in OSPF, especially if you are only using a single area.

A few other things:
- Only use default-information originate on routers that you actually want to generate a default route.
- The OSPF priority values you have set on your interfaces are really doing nothing useful in terms of DR/BDR placement. Since they are all set to 200 it would be no different if you just left them at the default of 1.
- Your network statements should be more specific. Remember that the network statements in IGPs simply tell the routing process which interfaces should be activated and begin sending/receiving hellos. It isn't like BGP, where the network statement is the actual prefix being advertised.
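A complete two-area version of the design described in the reply above, written out as an added example; it is not configuration from the original thread. Addressing and interface names are taken from the posts; the router IDs (1.1.1.1 to 5.5.5.5) and the hostname lines are assumptions. The single-area fallback at the end uses an inbound distribute-list route-map with `match ip route-source`, which exists on IOS releases that support route-map based OSPF inbound filtering.

```cisco
! ---- Option A: two areas, Area 1 as an NSSA ----
! R1: ABR between Area 0 and Area 1 and the only Type 5 default originator.
! Type 5 LSAs are not flooded into an NSSA, so R4/R5 never see R1's default.
! R1 has no "default-information-originate" on its "area 1 nssa" line, so it
! injects no Type 7 default into Area 1 either.
hostname R1
ip route 0.0.0.0 0.0.0.0 192.168.100.2
router ospf 10
 router-id 1.1.1.1
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no passive-interface GigabitEthernet1/0/2
 network 172.16.120.1 0.0.0.0 area 0
 network 192.168.100.1 0.0.0.0 area 0
 network 172.16.120.33 0.0.0.0 area 1
 area 1 nssa
 default-information originate
!
! R2: also an ABR. Its default exists only as a Type 7 inside Area 1; an
! ABR-originated Type 7 default is not translated to a Type 5, so R3 in
! Area 0 never receives it. R2 keeps its own static default (AD 1), which
! wins over R1's OSPF external default (AD 110).
hostname R2
ip route 0.0.0.0 0.0.0.0 192.168.101.2
router ospf 10
 router-id 2.2.2.2
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 no passive-interface GigabitEthernet1/0/2
 network 172.16.120.2 0.0.0.0 area 0
 network 192.168.101.1 0.0.0.0 area 0
 network 172.16.120.34 0.0.0.0 area 1
 area 1 nssa default-information-originate
!
! R3: Area 0 only, learns the default from R1 alone.
hostname R3
router ospf 10
 router-id 3.3.3.3
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 network 172.16.120.3 0.0.0.0 area 0
 network 192.168.102.1 0.0.0.0 area 0
!
! R4 and R5: Area 1 only. Every router in Area 1 must be configured as NSSA
! or adjacencies will not form. They learn the default from R2 alone.
hostname R4
router ospf 10
 router-id 4.4.4.4
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 network 172.16.120.35 0.0.0.0 area 1
 network 192.168.200.1 0.0.0.0 area 1
 area 1 nssa
!
hostname R5
router ospf 10
 router-id 5.5.5.5
 log-adjacency-changes
 passive-interface default
 no passive-interface GigabitEthernet1/0/1
 network 172.16.120.36 0.0.0.0 area 1
 network 192.168.201.1 0.0.0.0 area 1
 area 1 nssa
!
! Verify: R3 should list only 1.1.1.1 as advertising router, R4/R5 only 2.2.2.2
!   show ip ospf database external 0.0.0.0        (Type 5, Area 0)
!   show ip ospf database nssa-external 0.0.0.0   (Type 7, Area 1)
!   show ip route 0.0.0.0
!
! ---- Option B: single-area fallback, shown on R3 ----
! R1 and R2 both keep "default-information originate"; R3 drops the default
! whose advertising router is R2 (2.2.2.2, assumed router ID). This removes
! it from R3's routing table only; the LSA stays in the database and is
! still flooded on to R3's neighbours.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
ip access-list standard ORIGINATED-BY-R2
 permit 2.2.2.2
route-map DROP-R2-DEFAULT deny 10
 match ip address prefix-list DEFAULT-ONLY
 match ip route-source ORIGINATED-BY-R2
route-map DROP-R2-DEFAULT permit 20
router ospf 10
 distribute-list route-map DROP-R2-DEFAULT in
```

In Option B, R4 and R5 need the mirror image (match 1.1.1.1 and drop R1's default), and every router that should prefer one ISP needs its own filter, because the inbound distribute-list is local to each router's routing table. Option A needs no per-router filters: the area boundary does the filtering in the flooding itself, which is why the reply above recommends it.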

 