Routing filtering through sham-link

Hi Experts

Can we configure route filtering on the basis of a prefix list or access list through a sham-link?

Comments

  • Hello,

     

    A sham-link is a logical link that belongs to the area (intra-area), so the general rules of OSPF filtering apply here as well. As you can't do intra-area filtering (because the LSA database is synchronised between routers within the area), you can't do it with a sham-link either.

  • That intra-area filtering only allows LSA 3; what if we require LSA 5 or a specific prefix? Without a sham-link it works fine: I can perform the filtering during the redistribution of OSPF into MBGP. But when the requirement is to establish a sham-link and a prefix filter as well, for prefixes that belong to an external network and should not pass to the remote CE through the MPLS backbone, it does not work.



    Regards,

    Ahmad Zia ul Hassan

    Cisco Network Certified
    Pakistan, Lahore.

  • Sorry, I don't understand exactly what you want to do. Can you draw me a picture?

  • OK, here I will try to draw the issue.

                       SUPER_BACKBONE / SHAM-LINK
        PE1 ---------------------- MBGP ---------------------- PE2
         |                                                      |
         |                                                      |
         |                                                      |
        C1 -------------------------------------------------- C2


    Everything is standard. I have a routing table on C2 something like this:


    O      XX.XX.XX.1
    O      XX.XX.XX.2
    O      XX.XX.XX.3
    O      XX.XX.XX.4
    O IA   XX.XX.XX.5
    O E2   YY.YY.YY.1
    O E1   YY.YY.YY.2


    Now, I don't want to inject all prefixes into the MPLS backbone and pass them to C1 through the backbone link; the requirement is to filter a few prefixes. Let's say I want to filter all external routes.
    When I am not using a sham-link, it is very easy to apply a route-map during the redistribution, and it works. Once I configured the sham-link to give it preference over the backdoor link, it leaks the filtered routes and passes them to C1 over the backbone. A distribute-list in OSPF is also not helpful, because it only affects the P2 RIB, but the routes will still be passed to C1.

    In fact it becomes a kind of black hole, as C1 can see the routes but cannot ping them due to the filtering in BGP. How can we resolve that issue?



    Regards,

    Ahmad.












  • I don't know which one is your ASBR in this diagram. If you want to filter all external routes, you can do it on the ASBR using summary-address with not-advertise at the end. Oh, it's C2, I rechecked. My mistake.
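    An added illustration of the ASBR-side option described above; this is not a configuration posted in the thread. It assumes C2 is the ASBR that redistributes the external (O E1/E2) prefixes into OSPF, and it uses constructed values: OSPF process 1, a router-id of 10.255.0.2 for C2, and 203.0.113.0/24 standing in for the YY.YY.YY.x range.

```cisco
! Constructed example on C2 (the ASBR); all values are placeholders.
router ospf 1
 router-id 10.255.0.2
 ! Assumed source of the O E1 / O E2 routes seen by C2's neighbours.
 redistribute static subnets
 ! Suppress the Type 5 LSA for this external range at its origin.
 ! No LSA is originated, so neither the backdoor link nor the
 ! sham-link carries it, and C1 never learns the prefix on either path.
 summary-address 203.0.113.0 255.255.255.0 not-advertise
```

    Note that summary-address works on one address range per statement rather than on a prefix list or ACL, and that it withdraws the prefix from C1 over the backdoor link as well as over the VPN. On C1, "show ip ospf database external" should no longer list the suppressed range once C2 has reoriginated its LSAs.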

  • I tried out the configuration and, like a normal OSPF adjacency, the sham-link sends all of the LSAs across.  Even with no redistribution between OSPF and BGP on the PE routers, the routes are still valid and in the OSPF database on the other CE router, but unreachable via the VPN.  Also, without 'match external' applied to the BGP redistribution, the routes are still in the CE routing tables but not accessible via the VPN.

    Potential Options:


    - As fragilemohi says filtering at the ASBR is one option, but if this is on CE2 then you'll break connectivity for that route, also an OSPF outbound distribute list won't work on a per interface basis (so you can't be selective towards the PE).
    - If the PE1 --> CE1 OSPF link can be configured as a stub or NSSA then that would allow you to filter external routes at the PE1 ABR.
    - Could you not increase the admin distance for the E2 routes advertised from PE1 on CE1?
    - Depending on whether PE1 / PE2 are in the same area, you could use a Type 3 filter on an ABR to filter the Type 5 forwarding addresses for the E2 routes, although this may break something else.

    You cannot filter Type 5 LSAs other than on the ASBR, so from what you said it seems impossible - are you sure you've interpreted the question correctly...?












  • I am sure about my question. I don't think that stub is possible on virtual links, and increasing the administrative distance is also not a solution, because the sham-link is there to give preference over the VPN link; otherwise we have backdoor links.

    The area filter command will not filter LSA 5, but actually I am not talking about filtering based on LSA; I am talking about filtering based on prefixes, through a prefix list or ACL.

    That works perfectly without the sham-link, but once the sham-link is up, it causes route leaking.

    How can we stop that?

    Or we can declare it a sham-link bug.


  • You can use an area filter to filter a Type 5 LSA, although not directly.  By filtering the forwarding address, the route will not be installed in the routing table, but it will still be installed in the database.  Not something you'd normally do, but then we are talking about the CCIE....!

    Also, regarding the distance command, you can be selective with an ACL, so wouldn't this meet your requirement?

  • Hello Ahmad, it is not a bug :), but the aim of the sham-link.

    Otherwise, the solution provided by Rich seems to do the job: the distance command with a value of 255, the router-id of PE1 as source, and the prefixes you want to filter.
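    An added illustration of the distance-based approach discussed in the last two replies, applied on C1; this is not a configuration from the thread. Constructed values: OSPF process 1, standard access list 10 holding the external prefixes to withhold (203.0.113.0/24 in place of YY.YY.YY.x), and 10.255.0.1 as a placeholder router-id for PE1.

```cisco
! Constructed example on C1; all values are placeholders.
! Standard ACL listing the destination prefixes that must not be installed.
access-list 10 permit 203.0.113.0 0.0.0.255
!
router ospf 1
 ! Any OSPF route whose destination matches ACL 10, learned from any
 ! source, gets administrative distance 255 and is therefore not
 ! installed in C1's RIB. The Type 5 LSA remains in the OSPF database.
 distance 255 0.0.0.0 255.255.255.255 10
 ! Variant proposed in the thread: pin the match to PE1's router-id
 ! (placeholder value) instead of matching any source.
 ! distance 255 10.255.0.1 0.0.0.0 10
```

    Verify with "show ip route 203.0.113.0 255.255.255.0" (no route should be present) and "show ip ospf database external" (the LSA is still listed, as Rich notes). With the any-source form the prefix is withheld whichever path SPF selected, so C1 loses the prefix over the backdoor link too; that only fits if the requirement really is that C1 must not carry these external prefixes at all, rather than merely avoiding the VPN black hole.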
