OSPF Suppress Forward Address


Scenario:

You are the senior network engineer for a company that runs the show “Two and a half Router”. To increase OSPF performance, your colleague has implemented an NSSA area and some prefix filters. Strangely enough, you now have problems with reachability. Let’s see what you can do about it.

Goal:

  • All IP addresses have been preconfigured for you.
  • Configure OSPF and use the correct areas. Ensure Area 1 is an NSSA.
  • Configure RIP between router Charlie and Evelyn.
  • Create a loopback0 interface on router Evelyn with IP address 1.1.1.1 /24 and advertise it in RIP.
  • Redistribute between RIP and OSPF.
  • Configure a prefix-list on router Jake which filters network 192.168.13.0 /24.
  • Ensure you can still reach network 1.1.1.0 /24 from all routers without removing the prefix-list. You are only allowed to use OSPF commands.

IOS:

c3640-jk9s-mz.124-16.bin

Topology:

OSPF Suppress Forward Address Topology



Written by René Molenaar - CCIE #41726

About the Author: Rene Molenaar

René - CCIE #41726 is the creator of GNS3Vault.com where he shares CCNA, CCNP and CCIE R&S labs. He also blogs about networking on http://networklessons.com

34 Comments

  1. This one is a bit tricky, I don’t have time now to post the video/solution but I’ll help you a little here.

    Once you have configured everything you’ll notice you have reachability issues. You can confirm why this is happening by using the show ip ospf database external command. Look for the advertising router and the forward address. This should tell you what is going wrong.

    You can solve it by suppressing the forward address. It’s a little tricky where to find the command but look in the direction of the area nssa translate type7 command.

    Good luck!

  2. I think I have this, but I don’t have the routes.

    1. For filtering I’ve configured a prefix list to deny 192.168.13.0/24, and then associated this with a distribute list in on my ospf process.

    2. I’ve then checked both the route table and my OSPF DB, and I can still see I’m referencing the 13.3 router – so all good to this point, it won’t work I’m happy.

    3. I then apply the suppress forwarding, on Jake – I can see that my advertising router is 13.1 which is Alan, and my forwarding address is 0.0.0.0 but I still have no route.

    What am I missing? Give me a clue and not the answer – I want to figure this out.

  3. I think you need to apply the route-map to filter incoming updates not ‘out’ in the ospf process on Jake.

  4. I still don’t understand.

    This is my config from Jake. Once I apply the filter in the area, router Berta no longer sees the RIP network. Therefore Berta cannot ping 1.1.1.1.

    hostname Jake
    !
    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    ip ospf 1 area 0
    !
    interface FastEthernet1/0
    ip address 192.168.24.2 255.255.255.0
    ip ospf 1 area 2
    !
    router ospf 1
    area 0 filter-list prefix filter out
    !
    ip prefix-list filter seq 10 deny 192.168.13.0/24
    ip prefix-list filter seq 20 permit 0.0.0.0/0 le 32

  5. There’s a certain trick to this lab to finish it. I’m a little busy but I’ll try to record the solution asap.

  6. Hi,

    I have solved this lab by using the clue given by Rene. Configured the area 1 nssa translate type7 suppress-fa command on Alan after configuring the prefix list on Jake. It made the forwarding address 0.0.0.0 and then router Berta is able to ping 1.1.1.1

    Configured mutual redistribution between ospf and rip on Charlie and it worked out.

    1. Hi I was wondering if you could do only the solution you have added or you have added both yours and Anjelo’s solution which is above yours. I tried only Ajelo’s solution by itself and it did work. I tried your solution by itself and yours failed, pls advise. Cheers !!!

  7. Thanks guys for your help.. I eventually had time to come back and do the lab again. This was a good lab… I don’t think it will be on the CCNP lab.

  8. Hi Guys,

    Good to hear you figured it out. I’ve been so busy that I didn’t have time to record the video yet. This one is way above CCNP level, it’s CCIE ;D

    Rene

  9. Hi,

    I tried this topology and was successful but I have some doubts.

    1. When I make a filter list on Jake I can still see the route of 192.168.13.0 in the routing table of Jake and I can reach 1.1.1.1. My filter is mentioned below:
    area 0 filter-list prefix filter in
    ip prefix-list filter seq 10 deny 192.168.13.0/24
    ip prefix-list filter seq 20 permit 0.0.0.0/0 le 32
    I think the route should not be there……

    2. When I enable suppress forward address on Alan I see in the ospf external database that the forward address is changed to 0.0.0.0, but my question is why I suppress the forward address even though I can reach 1.1.1.1

  10. I can ping 1.1.1.1 while filtering 192.168.13.0/24 via this config:

    On ALAN:
    router ospf 1
    log-adjacency-changes
    area 1 nssa translate type7 suppress-fa
    network 192.168.12.0 0.0.0.255 area 0
    network 192.168.13.0 0.0.0.255 area 1

    On Jake:
    router ospf 1
    log-adjacency-changes
    network 192.168.12.0 0.0.0.255 area 0
    network 192.168.24.0 0.0.0.255 area 2
    distribute-list prefix 10 in
    !
    !
    ip prefix-list 10 seq 15 deny 192.168.13.0/24
    ip prefix-list 10 seq 20 permit 0.0.0.0/0 le 32

  11. Hello all!
    Good lab! From my understanding the filter-list on Jake should be applied "out" of area 0 – anything leaving area 0 and going into any other area, in this case there is only area 2 connected to Jake. The same should be achieved by a filter-list "in" on area 2.

    As I understand, forward suppression on Alan, causes the "Forward Address" on the ospf database external to point to 0.0.0.0, which in turn means: when looking for the prefix 1.1.1.0/24 (external network) go to the advertising OSPF router, which is the ABR router translating Type7 LSAs into Type5 (namely Jake).

  12. Agree with Dardoufa @The same should be achieved by a filter-list "in" on area 2.
    This will have the effect of removing the 1.0.0.0/24 route on Berta.
    The area nssa translate type7 command should make it reappear on Berta, which is the objective.

  13. Thanks Renee, great lab. It clarified some of the OSPF concepts that I "know", but did not really understand. For example, the rule that requires that the database has to be the same for all routers in an area. So in this example, you can’t filter this route inbound on area 0 on Jake. If you could, then Jake would have a different database than Alan. Instead, you have to filter outbound from area 0, or you could filter inbound to area 2.

    Also, I noticed the following at the top of the "sh ip ospf database external 1.1.1.0" command before the routes were filtered, and 1.1.1.0 was in the routing table:
    Routing Bit Set on this LSA

    After filtering, but before suppressing FA, this was missing from the same command output, and the route was not in the table. Once FA was suppressed, the route was back in the table, and the "Routing Bit Set on this LSA" returned. So it looks like this output is telling us whether or not the LSA is actually being placed in the routing table.

  14. Hey Rene,, great work.. nice lab..
    Please advise if I can these commands on Jake.

    Jake#sh run
    router ospf 1
    log-adjacency-changes
    area 0 filter-list prefix Block13 out
    network 192.168.12.0 0.0.0.255 area 0
    network 192.168.24.0 0.0.0.255 area 3
    default-information originate always seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 68/84/116 ms

    1. It is also an OSPF command so I guess you can use it. I tried it in my lab and it worked just fine without the area 1 nssa translate type7 suppress-fa

  15. Hi Rene,

    After configuring I am able to ping 1.1.1.1 from each router. I have just configured the Alan and Charlie routers in the NSSA, and also redistributed RIP and OSPF into each other on router Charlie.
    I can see in Alan’s routing table the networks 1.1.1.0 and 192.168.35.0 as LSA 7 (N2), and the same routes as E2 in the routing tables of Jake and Berta. I can’t find any issue regarding reachability. Help me if I am wrong in the configuration.

    C 192.168.12.0/24 is directly connected, FastEthernet1/0
    O N2 1.0.0.0/8 [110/20] via 192.168.13.3, 00:24:30, FastEthernet0/0
    C 192.168.13.0/24 is directly connected, FastEthernet0/0
    O IA 192.168.24.0/24 [110/2] via 192.168.12.2, 00:24:30, FastEthernet1/0
    O N2 192.168.35.0/24 [110/20] via 192.168.13.3, 00:24:30, FastEthernet0/0
    Alan#
    ………………………………

    C 192.168.12.0/24 is directly connected, FastEthernet0/0
    O E2 1.0.0.0/8 [110/20] via 192.168.12.1, 00:25:28, FastEthernet0/0
    O IA 192.168.13.0/24 [110/2] via 192.168.12.1, 00:25:33, FastEthernet0/0
    C 192.168.24.0/24 is directly connected, FastEthernet1/0
    O E2 192.168.35.0/24 [110/20] via 192.168.12.1, 00:25:28, FastEthernet0/0
    Jake#
    ……………………………………….
    O IA 192.168.12.0/24 [110/2] via 192.168.24.2, 01:17:21, FastEthernet0/0
    O E2 1.0.0.0/8 [110/20] via 192.168.24.2, 00:26:07, FastEthernet0/0
    O IA 192.168.13.0/24 [110/3] via 192.168.24.2, 00:26:12, FastEthernet0/0
    C 192.168.24.0/24 is directly connected, FastEthernet0/0
    O E2 192.168.35.0/24 [110/20] via 192.168.24.2, 00:26:07, FastEthernet0/0
    Berta#
    ………………………………………………………..
    R 192.168.12.0/24 [120/5] via 192.168.35.3, 00:00:18, Serial0/0
    1.0.0.0/24 is subnetted, 1 subnets
    C 1.1.1.0 is directly connected, Loopback0
    R 192.168.13.0/24 [120/5] via 192.168.35.3, 00:00:18, Serial0/0
    R 192.168.24.0/24 [120/5] via 192.168.35.3, 00:00:18, Serial0/0
    C 192.168.35.0/24 is directly connected, Serial0/0
    Evelyn#
    ………………………………………………..
    Gateway of last resort is not set

    O IA 192.168.12.0/24 [110/2] via 192.168.13.1, 00:27:30, FastEthernet0/0
    R 1.0.0.0/8 [120/1] via 192.168.35.5, 00:00:12, Serial1/0
    C 192.168.13.0/24 is directly connected, FastEthernet0/0
    O IA 192.168.24.0/24 [110/3] via 192.168.13.1, 00:27:30, FastEthernet0/0
    C 192.168.35.0/24 is directly connected, Serial1/0
    Charlie#
    ……………………………………………..

  16. For this Lab keep in mind that:
    "The distribute-list and distance commands do not affect link state packet propagation"

  17. Here is what I have as the solution:

    Router Alan#

    interface FastEthernet0/0
    ip address 192.168.13.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 192.168.12.1 255.255.255.0
    duplex auto
    speed auto
    !
    router ospf 1
    log-adjacency-changes
    area 1 nssa translate type7 suppress-fa
    network 192.168.12.0 0.0.0.255 area 0
    network 192.168.13.0 0.0.0.255 area 1
    !
    =======================================================================

    Router Jake#

    interface FastEthernet0/0
    ip address 192.168.12.2 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 192.168.24.2 255.255.255.0
    duplex auto
    speed auto
    !
    router ospf 1
    log-adjacency-changes
    network 192.168.12.0 0.0.0.255 area 0
    network 192.168.24.0 0.0.0.255 area 2
    distribute-list prefix DENY_192.168.13.0 in FastEthernet0/0
    !
    no ip http server
    no ip http secure-server
    !
    ip forward-protocol nd
    !
    !
    !
    ip prefix-list DENY_192.168.13.0 seq 5 deny 192.168.13.0/24
    ip prefix-list DENY_192.168.13.0 seq 10 permit 0.0.0.0/0 le 32

    =========================================================================

    Router Charlie#

    interface FastEthernet0/0
    ip address 192.168.13.3 255.255.255.0
    duplex auto
    speed auto
    !
    interface Serial1/0
    ip address 192.168.35.3 255.255.255.0
    serial restart-delay 0
    !
    interface Serial1/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/2
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial1/3
    no ip address
    shutdown
    serial restart-delay 0
    !
    router ospf 1
    log-adjacency-changes
    area 1 nssa
    redistribute rip subnets
    network 192.168.13.0 0.0.0.255 area 1
    !
    router rip
    version 2
    redistribute ospf 1 metric 2
    network 192.168.35.0
    no auto-summary
    !

    ===================================================================

    Router Evelyn#

    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    !
    interface Serial0/0
    ip address 192.168.35.5 255.255.255.0
    serial restart-delay 0
    !
    interface Serial0/1
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial0/2
    no ip address
    shutdown
    serial restart-delay 0
    !
    interface Serial0/3
    no ip address
    shutdown
    serial restart-delay 0
    !
    router rip
    version 2
    network 1.0.0.0
    network 192.168.35.0
    no auto-summary
    !

    ===================================================================

    Router Berta#

    interface FastEthernet0/0
    ip address 192.168.24.4 255.255.255.0
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    no ip address
    duplex auto
    speed auto
    !
    router ospf 1
    log-adjacency-changes
    network 192.168.24.0 0.0.0.255 area 2
    !

    =================================================================

    Here is the ip route table after the config:

    Berta#sh ip route
    Codes: C – connected, S – static, R – RIP, M – mobile, B – BGP
    D – EIGRP, EX – EIGRP external, O – OSPF, IA – OSPF inter area
    N1 – OSPF NSSA external type 1, N2 – OSPF NSSA external type 2
    E1 – OSPF external type 1, E2 – OSPF external type 2
    i – IS-IS, su – IS-IS summary, L1 – IS-IS level-1, L2 – IS-IS level-2
    ia – IS-IS inter area, * – candidate default, U – per-user static route
    o – ODR, P – periodic downloaded static route

    Gateway of last resort is not set

    O IA 192.168.12.0/24 [110/2] via 192.168.24.2, 00:35:09, FastEthernet0/0
    1.0.0.0/24 is subnetted, 1 subnets
    O E2 1.1.1.0 [110/20] via 192.168.24.2, 00:10:18, FastEthernet0/0
    C 192.168.24.0/24 is directly connected, FastEthernet0/0
    O E2 192.168.35.0/24 [110/20] via 192.168.24.2, 00:11:28, FastEthernet0/0
    Berta#
    Berta#
    Berta#ping 1.1.1.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 76/84/92 ms
    Berta#

  18. I knew how to solve this just from experience… but I could not tell you the “why”.

    After doing this lab, I now understand the “why”… good stuff 🙂

    Jake#sh run | se router ospf
    router ospf 1
    router-id 2.2.2.2
    passive-interface default
    no passive-interface FastEthernet0/0
    no passive-interface FastEthernet0/1
    network 192.168.12.2 0.0.0.0 area 0
    network 192.168.24.2 0.0.0.0 area 2

    Jake#sh ip ospf database external | i Adv|Link|Forward
    Type-5 AS External Link States
    LS Type: AS External Link
    Link State ID: 1.1.1.0 (External Network Number )
    Advertising Router: 11.11.11.11
    Forward Address: 192.168.13.3
    LS Type: AS External Link
    Link State ID: 192.168.35.0 (External Network Number )
    Advertising Router: 11.11.11.11
    Forward Address: 192.168.13.3

    Jake#sh ip cef 1.1.1.1
    1.1.1.0/24
    nexthop 192.168.12.1 FastEthernet0/0

    Jake#sh ip cef 192.168.13.0/24
    192.168.13.0/24
    nexthop 192.168.12.1 FastEthernet0/0

    Jake#debug ip routing

    Jake(config)#router ospf 1
    Jake(config-router)#distribute-list prefix FILTER in
    Jake(config-router)#end
    Jake(config-router)#distribute-list prefix FILTER in
    Jake#

    RT: delete route to 1.1.1.0/24
    RT: delete route to 111.111.111.111/32
    RT: delete route to 192.168.13.0/24
    RT: delete route to 192.168.35.0/24
    RT: updating ospf 111.111.111.111/32 (0x0):
    via 192.168.12.1 Fa0/0 1048578

    RT: add 111.111.111.111/32 via 192.168.12.1, ospf metric [110/2]
    RT: rib validate nexthop return code: 3

    Jake#sh ip ospf database external | i Adv|Link|Forward
    Type-5 AS External Link States
    LS Type: AS External Link
    Link State ID: 1.1.1.0 (External Network Number )
    Advertising Router: 11.11.11.11
    Forward Address: 192.168.13.3
    LS Type: AS External Link
    Link State ID: 192.168.35.0 (External Network Number )
    Advertising Router: 11.11.11.11
    Forward Address: 192.168.13.3

    Jake#sh ip cef 1.1.1.1
    0.0.0.0/0
    no route

    Jake#sh ip cef 192.168.13.0/24
    %Prefix not found

    Alan#
    Alan#conf t
    Alan(config)#router ospf 1
    Alan(config-router)#area 1 nssa translate type7 suppress-fa
    Alan(config-router)#end
    Alan#
    Alan#

    Jake#
    Jake#
    Jake#
    RT: updating ospf 1.1.1.0/24 (0x0):
    via 192.168.12.1 Fa0/0 1048578

    RT: add 1.1.1.0/24 via 192.168.12.1, ospf metric [110/20]
    RT: updating ospf 192.168.35.0/24 (0x0):
    via 192.168.12.1 Fa0/0 1048578

    RT: add 192.168.35.0/24 via 192.168.12.1, ospf metric [110/20]
    Jake#
    Jake#
    Jake#

    Jake#sh ip ospf database external | i Adv|Link|Forward
    Type-5 AS External Link States
    LS Type: AS External Link
    Link State ID: 1.1.1.0 (External Network Number )
    Advertising Router: 11.11.11.11
    Forward Address: 0.0.0.0
    LS Type: AS External Link
    Link State ID: 192.168.35.0 (External Network Number )
    Advertising Router: 11.11.11.11
    Forward Address: 0.0.0.0

    Jake#sh ip cef 1.1.1.1
    1.1.1.0/24
    nexthop 192.168.12.1 FastEthernet0/0

    Jake#sh ip cef 192.168.13.0/24
    %Prefix not found
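
Comments 1, 13 and 18 all come down to one test: a Type-5 LSA with a non-zero forward address is only usable while that address resolves through an OSPF intra-area or inter-area route, and a forward address of 0.0.0.0 sends traffic toward the advertising router instead. The Python sketch below is an added example, not part of the original page or its comments; it runs that test over output in the shape posted in comment 18, and the route lists and function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Filtered "show ip ospf database external" output as posted in comment 18.
BEFORE_SUPPRESS_FA = """\
LS Type: AS External Link
Link State ID: 1.1.1.0 (External Network Number )
Advertising Router: 11.11.11.11
Forward Address: 192.168.13.3
LS Type: AS External Link
Link State ID: 192.168.35.0 (External Network Number )
Advertising Router: 11.11.11.11
Forward Address: 192.168.13.3
"""
# Same LSAs once "area 1 nssa translate type7 suppress-fa" is on the translator.
AFTER_SUPPRESS_FA = BEFORE_SUPPRESS_FA.replace("192.168.13.3", "0.0.0.0")

# Assumed (constructed) prefixes Jake resolves over intra-/inter-area paths.
UNFILTERED = ["192.168.12.0/24", "192.168.24.0/24", "192.168.13.0/24"]
FILTERED = ["192.168.12.0/24", "192.168.24.0/24"]  # prefix-list applied

FIELD = re.compile(r"^\s*(Link State ID|Advertising Router|Forward Address):\s*(\S+)")

def parse_external_lsas(text):
    """Return one dict per LSA with its ID, advertising router and forward address."""
    lsas = []
    for line in text.splitlines():
        if line.strip().startswith("LS Type:"):
            lsas.append({})
        match = FIELD.match(line)
        if match and lsas:
            lsas[-1][match.group(1)] = match.group(2)
    return [lsa for lsa in lsas if len(lsa) == 3]  # drop incomplete records

def check_forward_addresses(text, ospf_prefixes):
    """Map each Link State ID to (usable, reason) for the given route set."""
    nets = [ipaddress.ip_network(p) for p in ospf_prefixes]
    verdicts = {}
    for lsa in parse_external_lsas(text):
        fa = ipaddress.ip_address(lsa["Forward Address"])
        if fa.is_unspecified:
            # 0.0.0.0: use the advertising router (its reachability is assumed).
            verdict = (True, "via advertising router " + lsa["Advertising Router"])
        elif any(fa in net for net in nets):
            verdict = (True, "forward address %s resolves" % fa)
        else:
            verdict = (False, "forward address %s has no OSPF route" % fa)
        verdicts[lsa["Link State ID"]] = verdict
    return verdicts

if __name__ == "__main__":
    print(check_forward_addresses(BEFORE_SUPPRESS_FA, FILTERED))
    print(check_forward_addresses(AFTER_SUPPRESS_FA, FILTERED))
```

With the filtered route set, both externals are flagged unusable while the forward address is 192.168.13.3 and usable again once it is 0.0.0.0, which matches the route deletions and re-additions in the debug output above.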

  19. I configured all the routers with the right configuration. I can ping 1.1.1.1 from Berta. However, I cannot ping from Berta to Charlie and vice versa. Can anyone please tell why. Thx

  20. My successful solution is as follows

    router ospf 1
    router-id 2.2.2.2
    log-adjacency-changes
    network 1.1.1.0 0.0.0.255 area 0
    network 192.168.12.0 0.0.0.255 area 0
    network 192.168.24.0 0.0.0.255 area 2
    distribute-list prefix FILTER in
    !
    !
    ip prefix-list FILTER seq 5 deny 192.168.13.0/24
    ip prefix-list FILTER seq 10 permit 0.0.0.0/0 le 32

Comments are closed.