Thursday, July 21, 2011

My Note (Switching)

Private VLAN (PVLAN)
What a private VLAN does is split a broadcast domain into multiple isolated broadcast subdomains; the simple concept is a VLAN inside a VLAN. A private VLAN is defined as the pairing of a Primary VLAN (a normal VLAN) with a Secondary VLAN (an isolated or community VLAN).
Isolated VLAN – End points on ports assigned to an isolated private VLAN cannot communicate with one another, nor with host ports in any other private VLAN.
Community VLAN – End points attached to community ports can communicate with one another, but not with ports in other private VLANs.
An access port assigned to a private VLAN operates in one of two modes:
Host – The port inherits its behavior from the type of private VLAN it is assigned to.
Promiscuous – The port can communicate with any other private VLAN port in the same primary VLAN (this is usually the port that connects to a router).
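The rules above as a small reachability model, an added example rather than anything from the original notes; port names and VLAN numbers are constructed, and the matrix is the kind of check worth running before and after a PVLAN change to confirm the segmentation holds:

```python
"""Private VLAN reachability model.

Added example (not from the original notes): encodes the PVLAN rules above so
that a port-to-port reachability matrix can be checked before a change. Port
names and VLAN numbers are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    primary: int                      # primary VLAN the port belongs to
    mode: str                         # "host" or "promiscuous"
    secondary: Optional[int] = None   # secondary VLAN (host ports only)
    kind: Optional[str] = None        # "isolated" or "community" (host ports only)

    def __post_init__(self) -> None:
        if self.mode not in ("host", "promiscuous"):
            raise ValueError(f"{self.name}: mode must be host or promiscuous")
        if self.mode == "host" and self.kind not in ("isolated", "community"):
            raise ValueError(f"{self.name}: host port needs an isolated or community VLAN")


def can_talk(a: Port, b: Port) -> bool:
    """True if a frame from port a may be delivered to port b."""
    if a.primary != b.primary:
        return False                   # different primary VLANs never mix
    if a.mode == "promiscuous" or b.mode == "promiscuous":
        return True                    # promiscuous ports reach every port in the primary VLAN
    # both are host ports: behaviour is inherited from the secondary VLAN type
    if a.kind == "isolated" or b.kind == "isolated":
        return False                   # isolated hosts only ever reach promiscuous ports
    return a.secondary == b.secondary  # community hosts reach their own community only


def reachability(ports: Iterable[Port]) -> Dict[Tuple[str, str], bool]:
    """Full pairwise matrix; handy for asserting segmentation after a change."""
    ports = list(ports)
    return {(x.name, y.name): can_talk(x, y) for x in ports for y in ports if x is not y}


# Constructed sample: a router on a promiscuous port, two web servers in a
# community VLAN, and two customer hosts in an isolated VLAN, all in primary 100.
SAMPLE_PORTS = [
    Port("router", primary=100, mode="promiscuous"),
    Port("web1", primary=100, mode="host", secondary=101, kind="community"),
    Port("web2", primary=100, mode="host", secondary=101, kind="community"),
    Port("cust1", primary=100, mode="host", secondary=102, kind="isolated"),
    Port("cust2", primary=100, mode="host", secondary=102, kind="isolated"),
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability(SAMPLE_PORTS).items()):
        print(f"{src:>7} -> {dst:<7} {'allowed' if ok else 'blocked'}")
```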
--------------------------------------------------------------------------
STP

The hello time is 2 seconds. The Max Age timer is 10x the hello timer. This is important because it is not always 20 seconds: it is 20 seconds because the hello timer is 2 seconds.

STP has 4 states: blocking, listening, learning and then forwarding.

Once a port is in the blocking state, it stays there for 20 seconds (max age). Then it moves to listening for 15 seconds, then learning for 15 seconds. That is where the 50 seconds comes from.

RSTP
The max age is 3x the hello, so a maximum of 6 seconds. There is no blocking state in RSTP; it is the discarding state. Discarding replaces blocking and listening, so RSTP only has discarding, learning and forwarding.

The main difference in RSTP is that all bridges can send BPDUs, not just the root.

BPDUs come from all switches with RSTP, whereas with STP they come from the root down to the switches.

So when a switch goes down, any switch that has a link connected to it will notice (as its link has gone down); that switch will then bring up its alternate port and send out a BPDU to the neighbor switch still alive to say it has done so (no timer needs to time out, this happens almost instantly). This BPDU then travels through the network, updating all other switches, resulting in sub-second failover and convergence of the network.
--------------------------------------------------------------------------
Loop Guard

DO NOT enable loop guard on PortFast-enabled or dynamic VLAN ports.
DO NOT enable PortFast on loop guard-enabled ports.
DO NOT enable loop guard if root guard is enabled.
DO NOT enable loop guard on ports that are connected to a shared link.
Note: It is recommended to enable loop guard on root ports and alternate root ports on access switches.

Root Guard
It guards the integrity of the root bridge. In other words, root guard makes sure that the switch you want to be the root bridge in your spanning-tree topology remains the root bridge. (Root guard forces a port to always remain a designated port.)
Root guard is generally configured on designated ports and prevents the port from becoming a root port.

A good explanation of root guard is at http://astorinonetworks.com/2011/10/28/understanding-stp-rootguard/





Friday, July 15, 2011

Reset password on Riverbed Steelhead

To reset your password on a Steelhead appliance, you must have access to the serial console or monitor and be able to see the entire boot process to perform these steps:

1. Start, or reboot, the appliance.

2. Once you see the "Press any key to continue" message, press a key.

3. Immediately press E. A GNU GRUB menu appears.
   For a Steelhead upgraded to 4.0 from 2.0 or 3.0, the menu prompts you to select the Riverbed Steelhead, diagnostics, or a restore/recovery image. Select Riverbed Steelhead and skip to Step 5.
   For a Steelhead manufactured with 4.0 (that has not had previous versions), the menu prompts you to select the disk image to use. Continue with Step 4.
   For software versions prior to 4.0, the menu displays root and kernel parameters. Skip to Step 6.

4. Press V or ^ to select the disk image to boot.

5. Press E. Another GRUB menu appears, with options similar to these:

------------------
0: root (hd0,1)
1: kernel /vmlinuz ro root=/dev/sda5 console=tty0 console=ttyS0,9600n8
-----------------

6. Press V or ^ to select the kernel boot parameters entry.

7. Press E to edit the kernel boot parameters. You should be given a partially filled in line of text.

8. Append " single fastboot" at the end of this line. Note the space before 'single'; it is very important. (And do not enter the quotes.)

9. The line of text will contain TWO "console=" entries. Delete the one containing "tty0" (unless you are using a keyboard/monitor on the Steelhead, in which case delete the one containing "ttyS0").
   TIP: Use the arrow keys to access the entire command line.

10. Press Enter.

11. Press the B key to continue booting. The system starts.

12. Once at the command prompt, type "/sbin/resetpw.sh" and press Enter. The password will be blank.

13. Type "reboot" and press Enter to reboot the appliance.

Sunday, July 10, 2011

My Note (BGP)

The BGP synchronisation rule is:
R1(AS-100)-------R2(AS-200)----------R3(AS-200)-------R4(AS-300)
R3 is also connected to R10 (AS-200).

R1 lo0 is 1.1.1.1/24 and this is advertised with the BGP network command.
Since R1 and R2 are eBGP neighbors, R1 will send this route to R2.
R2 receives this route and puts it in its BGP table (sh ip bgp) as well as its routing table (sh ip route).
R2 & R3 are iBGP peers.
R3 has synchronisation ON.
Now R2 sends the route (1.1.1.0/24) to R3.
R3 will not use the route, i.e. R3 will keep 1.1.1.0/24 in its BGP table BUT will not mark it '>' (best path), which means that 1.1.1.0/24 will not be put in the routing table of R3.

So now to the definition of SYNCHRONISATION.
A route learnt via an iBGP peer will not be forwarded to an eBGP peer and will NOT be put into the routing table (i.e. the route will not be used) until and unless the same route has been learnt via an IGP (e.g. OSPF, RIP, etc.).
This is when synchronisation is ON.

If synchronisation is OFF, i.e.
R3# router bgp 200
no sync

then R3 will put 1.1.1.0/24 in its BGP table, marking it '>' (best path), which means this route will also go into the routing table.
SPLIT-HORIZON rule in IGP and BGP

In BGP the split horizon rule is different.
It means routes learnt via an iBGP peer will not be sent to another iBGP peer.
e.g.
R1(AS-100)------------R2(AS-100)-------------R3(AS-100)
R1 - R2 --------> iBGP
R2 - R3 --------> iBGP

Routes which R2 learns from R1 will not be sent to R3. It is R1's job to send routes to R3.
This is how split horizon in BGP works.

In IGPs (RIP, EIGRP); OSPF doesn't support split horizon.

The definition is: 'What routes I receive on interface1, I will not send back out interface1, but I can send them out any other interface.'
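Both rules above (synchronisation and iBGP split horizon) simulated on the R1-R2-R3-R4/R10 topology from the synchronisation note, as an added example that is not part of the original notes; the per-router "igp" set (what the IGP has learned) and "sync" flag are assumed inputs to the model:

```python
"""iBGP split horizon and the synchronization rule, simulated.

Added example (not from the original notes): floods one prefix from its origin
across the BGP sessions of the topology described above and reports, per
router, whether the prefix lands in the BGP table and in the routing table.
Router names, AS numbers and the prefix are the notes' constructed values;
the "igp" set models what the router has learned via its IGP.
"""
from collections import deque
from typing import Dict, List, Tuple


def session_kind(routers: Dict[str, dict], a: str, b: str) -> str:
    return "ibgp" if routers[a]["as"] == routers[b]["as"] else "ebgp"


def propagate(routers: Dict[str, dict], sessions: List[Tuple[str, str]],
              origin: str, prefix: str) -> Dict[str, Tuple[bool, bool]]:
    """Return {router: (in_bgp_table, in_routing_table)} for one prefix."""
    neighbors: Dict[str, List[str]] = {r: [] for r in routers}
    for a, b in sessions:
        neighbors[a].append(b)
        neighbors[b].append(a)
    state = {r: {"bgp": False, "rib": False, "via": None} for r in routers}
    state[origin] = {"bgp": True, "rib": True, "via": "local"}
    queue = deque([origin])
    while queue:
        r = queue.popleft()
        via = state[r]["via"]
        for n in neighbors[r]:
            out = session_kind(routers, r, n)
            # iBGP split horizon: a route learned from an iBGP peer is never
            # re-advertised to another iBGP peer (full mesh or route reflector needed)
            if via == "ibgp" and out == "ibgp":
                continue
            # synchronization ON: an iBGP-learned route is not advertised to an
            # eBGP peer until the IGP also knows the prefix
            if via == "ibgp" and routers[r]["sync"] and prefix not in routers[r]["igp"]:
                continue
            if state[n]["bgp"]:
                continue               # already has a path; keep the first one for simplicity
            # synchronization ON at the receiver: an iBGP-learned path stays in the
            # BGP table but is not marked best ('>') nor installed unless the IGP has it
            held = out == "ibgp" and routers[n]["sync"] and prefix not in routers[n]["igp"]
            state[n] = {"bgp": True, "rib": not held, "via": out}
            queue.append(n)
    return {r: (s["bgp"], s["rib"]) for r, s in state.items()}


def build_topology(r3_sync: bool, r3_igp_has_prefix: bool = False) -> Tuple[dict, list]:
    """R1(AS100)--R2(AS200)--R3(AS200)--R4(AS300); R3 also peers with R10(AS200)."""
    igp = {"1.1.1.0/24"} if r3_igp_has_prefix else set()
    routers = {
        "R1": {"as": 100, "sync": True, "igp": set()},
        "R2": {"as": 200, "sync": True, "igp": set()},
        "R3": {"as": 200, "sync": r3_sync, "igp": igp},
        "R4": {"as": 300, "sync": True, "igp": set()},
        "R10": {"as": 200, "sync": True, "igp": set()},
    }
    sessions = [("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R3", "R10")]
    return routers, sessions


if __name__ == "__main__":
    for sync in (True, False):
        routers, sessions = build_topology(r3_sync=sync)
        print(f"R3 synchronization {'on' if sync else 'off'}:",
              propagate(routers, sessions, "R1", "1.1.1.0/24"))
```

R10 never receives the prefix in any case: R3 learned it over iBGP, so split horizon stops R3 from passing it to another iBGP peer regardless of the synchronisation setting.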
-----------------------------------------------------------------------
ebgp-multihop: In eBGP, neighbor relationships are only formed between directly connected networks by default. We need to use the ebgp-multihop keyword with the neighbor statement so that neighbors which are not directly connected can form a relationship with each other. We need to specify a number with the ebgp-multihop keyword, between 1 and 255; this number represents how many hops away the neighbor router is.

The disable-connected-check command is used when you want to establish peering between directly connected routers using the loopback interface (using the loopback as the BGP source is configured with neighbor update-source).

update-source: We need to specify the interface whose address will be used as the source of the BGP session when the routers peer on addresses that are not directly connected. Without update-source we will not be able to form the BGP neighbor relationship; the update-source keyword sets the interface that will be used to form the neighbor relationship.



next-hop-self: When a route crosses an eBGP relationship, the next hop always changes. iBGP routers that are only connected to other iBGP routers in the same AS will not be able to reach routers outside the AS if they are not directly connected to them. We need the next-hop-self keyword on the iBGP router that is directly connected to the eBGP neighbor, so that the other routers in the same AS (iBGP) can reach the eBGP routers.


-----------------------------------------------------------------------

Influencing Route Selection

BGP uses different attributes to implement policies in the route selection process between different autonomous systems. The main attributes that BGP uses in the route selection process are:

  • Weight
  • Local preference
  • Multi-exit Discriminator or MED
  • Origin
  • AS_Path
  • Next Hop
  • Community

Weight
Higher weights are preferred. Weight is basically a Cisco proprietary attribute; the default value is 32768 for locally originated networks and 0 for all other networks.
Local Preference
The highest value is preferred over a lower local preference number.
The default local preference is 100.
MED
A lower value is preferred over a higher metric value. The default value is 0.
-----------------------------------------------------------------------
BGP Link Bandwidth (dmzlink-bw command)
The BGP link bandwidth feature is used to advertise the bandwidth of an AS exit link as an extended community.
This feature is configured for links between directly connected eBGP neighbors.
The link bandwidth extended community attribute is propagated to iBGP peers when extended community exchange is enabled.
This feature is used together with the multipath features to configure load balancing over links with unequal bandwidth.
-----------------------------------------------------------------------
The bgp deterministic-med command ensures the comparison of the MED when choosing routes advertised by different peers in the same autonomous system.
The bgp always-compare-med command ensures the comparison of the MED for paths from neighbors in different autonomous systems.
The bgp always-compare-med command is useful when multiple service providers or enterprises agree on a uniform policy for setting MED. Thus, for network X, if Internet Service Provider A (ISP A) sets the MED to 10, and ISP B sets the MED to 20, both ISPs agree that ISP A has the better performing path to X.
-----------------------------------------------------------------------
BGP Backdoor

BGP Backdoor option is assigned to the network that is ADVERTISED to you, therefore, you should reference the network that is advertised to you and NOT the network that your local router is advertising.
# network 150.1.1.0 mask 255.255.255.0             <-- local router is advertising
# network 150.1.2.0 mask 255.255.255.0 backdoor    <-- neighbor router advertised to you
-----------------------------------------------------------------------
BGP Conditional Advertisement 

To implement conditional advertisement of selected prefixes, the following must be used:
- Advertise-map
- Non-exist-map
- Exist-map
# neighbor 10.1.13.3 advertise-map ADV non-exist-map NOT_THERE
-----------------------------------------------------------------------
BGP well known Communities 
-Internet - If assigned to a network (or networks), that network should be advertised.

-Local-as - If assigned to a network, that network should ONLY be advertised within that AS. Even though it may look like it is doing the same thing as the "No-export" community, they are different: "local-as" works within a confederation, whereas "No-export" does NOT, and the policy will leak into the other sub-ASes within the confederation.

-No-advertise - If assigned to a network, that network should NOT be advertised to ANY BGP neighbor.

-No-export - If assigned to a network, that network should NOT be advertised to an eBGP neighbor.
----------------------------------------------------------------------- 
BGP bestpath med missing-as-worst 
Paths received with no MED are assigned a MED of 0, unless you have enabled bgp bestpath med missing-as-worst .
If you have enabled bgp bestpath med missing-as-worst, the paths are assigned a MED of 4,294,967,294.

----------------------------------------------------------------------- 
BGP always-compare-med 
By default MED is only compared between paths received from the same neighboring AS; bgp always-compare-med changes this behavior by enforcing MED comparison between all paths, regardless of the AS from which the paths are received.
bgp bestpath as-path ignore is also needed as part of the solution.

Note: the bgp bestpath as-path ignore command is a hidden one.
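An added example (not Cisco's implementation) tying together the attribute order from the "Influencing Route Selection" section with the MED knobs of the last few sections: MED compared only between paths from the same neighboring AS (the comparison deterministic-med makes order-independent), always-compare-med, missing-as-worst and the hidden bestpath as-path ignore. Paths, MEDs and router IDs are constructed; the IGP-metric and oldest-path steps are not modelled.

```python
"""BGP best-path decision for the attributes covered in these notes.

Added example (not Cisco code): implements the ordered comparison the notes
describe (weight, local preference, locally originated, AS_PATH length,
origin, MED) with the always-compare-med, missing-as-worst and bestpath
as-path ignore knobs, then eBGP-over-iBGP and lowest router ID as
tie-breakers. It does not model the IGP-metric or oldest-path steps. All
sample paths are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MISSING_AS_WORST_MED = 4_294_967_294                 # MED assumed when missing-as-worst is on
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}  # lower is better


@dataclass
class Path:
    router_id: str
    as_path: List[int] = field(default_factory=list)
    neighbor_as: int = 0          # AS the path was received from; 0 = locally originated
    origin: str = "igp"
    med: Optional[int] = None     # None = MED attribute absent
    local_pref: int = 100         # default local preference
    weight: int = 0               # Cisco default; 32768 for locally originated paths
    ebgp: bool = True


def effective_med(p: Path, missing_as_worst: bool) -> int:
    if p.med is not None:
        return p.med
    return MISSING_AS_WORST_MED if missing_as_worst else 0


def best_path(paths: List[Path], always_compare_med: bool = False,
              missing_as_worst: bool = False, as_path_ignore: bool = False) -> Path:
    def rank(p: Path):
        return (-p.weight,                               # 1. highest weight
                -p.local_pref,                           # 2. highest local preference
                0 if p.neighbor_as == 0 else 1,          # 3. locally originated first
                0 if as_path_ignore else len(p.as_path), # 4. shortest AS_PATH
                ORIGIN_RANK[p.origin])                   # 5. lowest origin (igp < egp < incomplete)

    top = min(rank(p) for p in paths)
    cands = [p for p in paths if rank(p) == top]

    # 6. MED: by default only comparable between paths from the same neighboring
    #    AS; always-compare-med makes every pair comparable. A candidate is
    #    dropped if any comparable candidate carries a lower MED.
    def comparable(a: Path, b: Path) -> bool:
        return always_compare_med or a.neighbor_as == b.neighbor_as

    cands = [a for a in cands
             if not any(comparable(a, b) and
                        effective_med(b, missing_as_worst) < effective_med(a, missing_as_worst)
                        for b in cands if b is not a)]

    # 7. prefer eBGP over iBGP; final tie-break: lowest BGP router ID
    return min(cands, key=lambda p: (0 if p.ebgp else 1,
                                     tuple(int(o) for o in p.router_id.split("."))))


# Constructed sample: three paths to one prefix, two from neighbor AS 10 and one from AS 20.
SAMPLE = [
    Path("1.1.1.1", as_path=[10, 30], neighbor_as=10, med=20),
    Path("2.2.2.2", as_path=[10, 30], neighbor_as=10, med=10),
    Path("3.3.3.3", as_path=[20, 30], neighbor_as=20, med=5),
]

if __name__ == "__main__":
    print("default:           ", best_path(SAMPLE).router_id)
    print("always-compare-med:", best_path(SAMPLE, always_compare_med=True).router_id)
```

With the defaults the AS 20 path's MED of 5 is never compared against the AS 10 paths, so the tie falls through to router ID; with always-compare-med the lowest MED wins outright.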

----------------------------------------------------------------------- 
BGP as-path access-list 
To filter prefixes using an as-path access-list, use it with the filter-list router command.

----------------------------------------------------------------------- 
BGP Regular Expressions 

+------------------------------------------------------+
| CHAR | USAGE                                         |
+------+-----------------------------------------------+
|  ^   | Start of string                               |
|------|-----------------------------------------------|
|  $   | End of string                                 |
|------|-----------------------------------------------|
|  []  | Range of characters                           |
|------|-----------------------------------------------|
|  -   | Used to specify range ( i.e. [0-9] )          |
|------|-----------------------------------------------|
|  ( ) | Logical grouping                              |
|------|-----------------------------------------------|
|  .   | Any single character                          |
|------|-----------------------------------------------|
|  *   | Zero or more instances                        |
|------|-----------------------------------------------|
|  +   | One or more instance                          |
|------|-----------------------------------------------|
|  ?   | Zero or one instance                          |
|------|-----------------------------------------------|
|  _   | Comma, open or close brace, open or close     |
|      | parentheses, start or end of string, or space |
+------------------------------------------------------+

+-------------+---------------------------+
| Expression  | Meaning                   |
|-------------+---------------------------|
| .*          | Anything                  |
|-------------+---------------------------|
| ^$          | Locally originated routes |
|-------------+---------------------------|
| ^100_       | Learned from AS 100       |
|-------------+---------------------------|
| _100$       | Originated in AS 100      |
|-------------+---------------------------|
| _100_       | Any instance of AS 100    |
|-------------+---------------------------|
| ^[0-9]+$    | Directly connected ASes   |
+-------------+---------------------------+
Ref link : http://blog.ine.com/2008/01/06/understanding-bgp-regular-expressions/ 

E.g. Configure R2 such that it allows AS-Path prepending from AS 100 ONLY if they have
prepended their own AS number and NOT another AS number.
Configure R1 in AS 100 to ONLY allow prefixes from its existing and future directly
connected ASes; these ASes should be allowed to prepend.
 
# ip as-path access-list 1 permit ^([0-9]+)(_\1)*$ 
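To check expressions like the one above offline, an added example (not from the original notes or the INE post) that translates the IOS as-path regex syntax, in particular the "_" metacharacter from the table, into Python's; the sample AS paths are constructed:

```python
r"""Cisco AS-path regular expressions evaluated in Python.

Added example (not Cisco code): translates the IOS '_' metacharacter (comma,
brace, parenthesis, space, or start/end of string) into a Python regex so
the expressions in the table above, including ^([0-9]+)(_\1)*$ from the
task, can be checked against sample AS-path strings as printed by
'show ip bgp'. The AS paths below are constructed.
"""
import re
from typing import List

# IOS '_' semantics: a delimiter between AS numbers, or the start/end of the string.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def to_python_regex(ios_expr: str) -> str:
    """Rewrite an IOS as-path regex into Python syntax (assumes '_' is never
    used inside a character class, which matches how IOS examples use it)."""
    return ios_expr.replace("_", UNDERSCORE)


def aspath_matches(ios_expr: str, as_path: str) -> bool:
    """IOS as-path access-lists search anywhere in the path unless ^/$ anchor it."""
    return re.search(to_python_regex(ios_expr), as_path) is not None


def permitted(ios_expr: str, as_paths: List[str]) -> List[str]:
    """Paths an 'ip as-path access-list N permit <expr>' would let through."""
    return [p for p in as_paths if aspath_matches(ios_expr, p)]


# Constructed sample AS paths as 'show ip bgp' prints them (empty = locally originated).
SAMPLE_PATHS = ["", "100", "100 100 100", "100 200", "1000 200", "200 100", "200 1100", "300 400"]

if __name__ == "__main__":
    for expr in ["^$", "^100_", "_100$", "_100_", "^[0-9]+$", r"^([0-9]+)(_\1)*$"]:
        print(f"{expr:<18} -> {permitted(expr, SAMPLE_PATHS)}")
```

Note how "^100_" rejects "1000 200" and "_100$" rejects "200 1100": without the delimiter semantics of "_" a plain "100" would match inside 1000 and 1100.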
----------------------------------------------------------------------- 
BGP REGEX DETERMINISTIC  

"bgp regexp deterministic" disables the recursive algorithm when processing regular expressions.
----------------------------------------------------------------------- 
BGP CONFEDERATION

The "bgp confederation identifier" command is used to configure a single AS number to identify a group of smaller ASes (sub-ASes) as a single confederation. This command MUST be configured on all the routers within the confederation.

The "bgp confederation peers" command is used to identify the DIRECTLY CONNECTED eBGP sub-confederation peers.



Saturday, July 09, 2011

My Note (OSPF)

OSPF
Stub area:
* filters Type 5 LSAs
* default route is inserted into routing table on all routers in Stubby area
* E1/E2 routes are removed from routing table on all routers in Stubby area
* there can only be one exit point out of this area
* no external routes can be learned via a Stubby area and then inserted into all OSPF areas (because LSA Type 5 is filtered in the Stubby area)
Totally Stubby area:
* filters Type 3, 4, 5 LSAs
* default route is inserted into routing table on all routers in Totally Stubby area
* E1/E2 routes are removed from routing table on all routers in Totally Stubby area
* IA routes are removed from routing table on all routers in Totally Stubby area
* there can only be one exit point out of this area
* no external routes can be learned via a Totally Stubby area and then inserted into all OSPF areas (because LSA Type 5 is filtered in the Totally Stubby area)
Not So Stubby area:
* filters Type 5 LSAs but permits Type 7 LSAs to pass through NSSA and once they reach backbone area they are converted back into Type 5 LSAs
* E1/E2 routes are removed from routing table on all routers in NSSA
* external routes can be learned via NSSA and then inserted into all OSPF areas
* a default route is not inserted into the routing table unless the “area number nssa default-information-originate” command is configured in router mode
Not So Stubby Totally Stubby area:
* filters Type 3,4, 5 LSAs but permits Type 7 LSAs to pass through Not So Stubby Totally Stubby area and once they reach backbone area they are converted back into Type 5 LSAs
* default route is inserted into routing table on all routers in Not So Stubby Totally Stubby area
* E1/E2 routes are removed from routing table on all routers in Not So Stubby Totally Stubby area
* IA routes are removed from routing table on all routers in Not So Stubby Totally Stubby area
* external routes can be learned via Not So Stubby Totally Stubby area and then inserted into all OSPF areas
The difference between a Stubby area and an NSSA is that an NSSA can redistribute some external networks into OSPF while a Stubby area cannot (they both filter Type 5 LSAs). The difference between a Totally Stubby area and a Not So Stubby Totally Stubby area is that the latter can redistribute some external networks into OSPF while a Totally Stubby area cannot (they both filter Type 3, 4, 5 LSAs).


+-----------------------+-------------+----------------------+-------------------------+
| Area type             | Filters     | Inserted             | E.g. command            |
+-----------------------+-------------+----------------------+-------------------------+
| Stub Area             | LSA 5       | Default route        | area 1 stub             |
|-----------------------+-------------+----------------------+-------------------------|
| Totally Stub          | LSA 3,4,5   | Default route        | area 1 stub no-summary  |
|-----------------------+-------------+----------------------+-------------------------|
| Not So Stubby (NSSA)  | LSA 5       | LSA 7                | area 1 nssa             |
|-----------------------+-------------+----------------------+-------------------------|
| Totally Not So Stubby | LSA 3,4,5   | LSA 7, Default route | area 1 nssa no-summary  |
+-----------------------+-------------+----------------------+-------------------------+


-----------------------------------------------------------------------
OSPF E1 and E2 external route
R2(external)------R1(ABR/ASBR)------R4
E2 is the default route type for routes learned via redistribution. The key with E2 routes is that the cost of these routes reflects only the cost of the path from the ASBR to the final destination; it will not reflect the correct "cost" of the whole path.
R4#sh ip route ospf
O E2 5.1.1.1 [110/20] via 172.34.34.3, 00:33:21, Ethernet0
     6.0.0.0/32 is subnetted, 1 subnets
Now if we want the cost of the routes to reflect the entire path, not just the path between the ASBR and the destination network, the routes must be redistributed into OSPF as E1 routes on the ASBR, as shown here.
R1(config)#router ospf 1
R1(config-router)#redistribute rip subnets metric-type 1
Now on R4 the routes appear as E1 routes and have a larger metric, since the entire path cost is now reflected in the routing table.
O E1 5.1.1.1 [110/94] via 172.34.34.3, 00:33:21, Ethernet0
     6.0.0.0/32 is subnetted, 1 subnets
Personal Note: If one route is E1 and the other E2 then it does not matter what the metrics are. It does not matter whether the metric for the E1 route is better or worse than the E2 metric; OSPF compares the route type, E1 or E2, and makes its choice. OSPF only compares the metric when both advertisements are of the same route type.
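The E1/E2 rule above as an added example (not Cisco code): the cost to the ASBR of 74 is a constructed value chosen to reproduce the [110/20] and [110/94] figures, and the equal-cost E2 tie-breaker (lower cost to the ASBR, from RFC 2328 section 16.4) goes beyond what the note states.

```python
"""OSPF E1 vs E2 external-route selection.

Added example (not Cisco code): models the cost rules the note above gives
(E2 = redistributed metric only; E1 = redistributed metric + cost to the
ASBR) and the preference order OSPF applies: type 1 beats type 2 regardless
of metric, then lower cost, and for equal-cost E2 routes the lower cost to
the ASBR (the RFC 2328 tie-breaker the note does not mention). The cost to
the ASBR (74) is a constructed value chosen to reproduce the 20 vs 94 figures.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ExternalRoute:
    prefix: str
    metric_type: int            # 1 = E1, 2 = E2 (the redistribution default)
    redistributed_metric: int   # metric stamped by the ASBR (20 by default on redistribution)
    cost_to_asbr: int           # OSPF cost from this router to the advertising ASBR
    via: str                    # next hop

    def installed_cost(self) -> int:
        """Metric shown in the routing table ([110/<cost>])."""
        if self.metric_type == 1:
            return self.redistributed_metric + self.cost_to_asbr
        return self.redistributed_metric


def preference_key(r: ExternalRoute):
    # 1) E1 before E2, 2) lower installed cost, 3) E2 ties: lower cost to the ASBR
    return (r.metric_type, r.installed_cost(), r.cost_to_asbr if r.metric_type == 2 else 0)


def best_external(routes: List[ExternalRoute]) -> ExternalRoute:
    return min(routes, key=preference_key)


def show_ip_route_line(r: ExternalRoute) -> str:
    return f"O E{r.metric_type} {r.prefix} [110/{r.installed_cost()}] via {r.via}"


# Constructed: the same prefix learned as E2 and as E1 from an ASBR 74 cost units away.
E2_ROUTE = ExternalRoute("5.1.1.1", 2, 20, 74, "172.34.34.3")
E1_ROUTE = ExternalRoute("5.1.1.1", 1, 20, 74, "172.34.34.3")

if __name__ == "__main__":
    print(show_ip_route_line(E2_ROUTE))
    print(show_ip_route_line(E1_ROUTE))
    print("preferred:", show_ip_route_line(best_external([E2_ROUTE, E1_ROUTE])))
```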
-----------------------------------------------------------------------
 
Which OSPF LSA type does an ASBR use to originate a default route into an area? (Exhibit)

Explanation:
Type 5 external link LSAs are used to advertise external routes originated from an ASBR. They are flooded through the whole OSPF domain.

(Note: The dashed arrows show the directions of LSAs in this example)
Below is a summary of OSPF Link-state advertisements (LSAs)
Router link LSA (Type 1): Each router generates a Type 1 LSA that lists its neighbors and the cost to each. LSA Type 1 is only flooded inside the router's area; it does not cross the ABR.
Network link LSA (Type 2): Sent out by the designated router (DR) and lists all the routers on the segment it is adjacent to. Type 2 LSAs are flooded within their area only; they do not cross the ABR.
Type 1 & Type 2 are the basis of SPF path selection.
Summary link LSA (Type 3): ABRs generate this LSA to send between areas (so Type 3 is called an inter-area link). It lists the networks inside other areas but still belonging to the autonomous system, and aggregates routes.
Summary links are injected by the ABR from the backbone into other areas and from other areas into the backbone.
Summary LSA (Type 4): Generated by the ABR to describe routes to ASBRs. In the above example, the only ASBR belongs to area 0, so the two ABRs send LSA Type 4 into area 1 & area 2 (not vice versa).
This is an indication of the existence of the ASBR in area 0. Note: Type 4 LSAs contain the router ID of the ASBR.
External link LSA (Type 5): Generated by the ASBR to describe routes redistributed into the area (which means networks from other autonomous systems). These routes appear as E1 or E2 in the routing table.
E2 (default) uses a static cost throughout the OSPF domain as it only takes into account the cost that is reported at redistribution. E1 uses a cumulative cost: the cost reported into the OSPF domain at redistribution plus the local cost to the ASBR. Type 5 LSAs flood throughout the entire autonomous system, but notice that Stubby Areas and Totally Stubby Areas do not accept Type 5.
Multicast LSA (Type 6): Specialized LSAs that are used in multicast OSPF applications.
NSSA external LSA (Type 7): Generated by an ASBR inside an NSSA to describe routes redistributed into the NSSA. LSA 7 is translated into LSA 5 as it leaves the NSSA.
These routes appear as N1 or N2 in the IP routing table inside the NSSA. Much like LSA 5, N2 is a static cost while N1 is a cumulative cost that includes the cost up to the ASBR.
Reference: http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080094e9e.shtml#appa1
-----------------------------------------------------------------------
OSPF Flooding Reduction VS Demand Circuit
* "OSPF Flooding Reduction" and the "demand circuit" both work by reducing unnecessary refreshing and flooding of already known and unchanged information, with one difference:
* In an OSPF demand circuit, hellos and the flooding of LSAs are suppressed, whereas in flood reduction only the flooding of LSAs is suppressed and NOT the hellos.
-----------------------------------------------------------------------
OSPF LSA Throttling

LSAs could not be propagated in milliseconds, so the OSPF network could not achieve millisecond convergence. The OSPF LSA Throttling feature is enabled by default and allows faster OSPF convergence (in milliseconds). This feature can be customized.
Example:
Router(config-router)# timers throttle lsa all 100 10000 45000   (start-interval, hold-interval, max-interval)

OSPF pacing flood

In rare situations, you might need to change Open Shortest Path First (OSPF) packet-pacing default timers to mitigate CPU or buffer utilization issues associated with flooding very large numbers of link-state advertisements (LSAs). The OSPF Update Packet-Pacing Configurable Timers feature allows you to configure the rate at which OSPF LSA flood pacing, retransmission pacing, and group pacing updates occur.
Example:
router ospf 1
timers pacing flood 70
timers pacing retransmission 80
Note: The default settings for OSPF packet pacing timers are suitable for the majority of OSPF deployments. You should change the default timers only as a last resort.
-----------------------------------------------------------------------
Configure R2 so it provides the following output (name 'R1' instead of 1.1.1.1):
R2 Configuration:
!
ip host R1 1.1.1.1
ip ospf name-lookup
-----------------------------------------------------------------------
Remove discard route

When OSPF summarizes prefixes (area range or summary-address) it installs a discard route in the routing table (pointing to NULL0). This is a loop prevention mechanism that prevents a router from sending the traffic to a network/subnet with a shorter match if no more specific route exists in the routing table.

Command is "no discard-route internal/external"

-----------------------------------------------------------------------
Virtual Link using GRE Tunnel

Create a GRE tunnel and advertise the tunnel interface IP address in area 0.
# int tunnel 12
# ip add 200.1.1.1 255.255.255.0
# tunnel source 1.1.1.1         <-- physical interface IP address
# tunnel destination 1.1.1.2    <-- directly connected link to neighbor
# router ospf 1
# network 200.1.1.1 0.0.0.0 area 0

-----------------------------------------------------------------------
Filtering OSPF

To filter OSPF routes, these methods can be used under the router command:
- distribute-list .. in/out
- area x filter-list ..
- distance 255 (source ip <-- advertising router ip) ..
- area x range .. not-advertise
- summary-address .. not-advertise
* "distribute-list out" can be used on the ASBR when it needs to filter external routes to all areas.

- to filter OSPF LSA flooding, configure under the interface "ip ospf database-filter all out"
- to filter OSPF LSA flooding to a specific neighbor, configure under the router "neighbor xx database-filter all out"


-----------------------------------------------------------------------
OSPF Broadcast/Non-Broadcast
With the OSPF NON_BROADCAST/BROADCAST network types, the next hop IP address is the IP address of the router that originated the route and NOT the router that advertised it.
This problem can be resolved by configuring "frame-relay map" commands (OR)
by changing the OSPF network type to "point-to-multipoint".
-----------------------------------------------------------------------
OSPF Point-to-Point
With the OSPF Point-to-Point network type, the next hop IP address is no longer the router that originated the route; it is the router that advertised the route.
-----------------------------------------------------------------------
OSPF Sham Link
A sham link is an OSPF intra-area link configured between the two PE routers. The sham link is included in the SPF calculation, just like any link in OSPF.
1. Create a loopback interface and assign an IP address with a prefix length of 32.
2. Enable VRF forwarding on the loopback interface.
3. Advertise the /32 IP address of the loopback interface in BGP, under address-family ipv4 vrf …
4. Configure the sham link under OSPF, under router vrf:
# router ospf 2 vrf CA
# area 0 sham-link 34.1.1.3(local) 34.1.1.4(remote) cost 1
5. If required, manipulate the OSPF cost on the CEs so that the routers will take the provider as their primary link and the backup link will be used ONLY if the primary link is down.
*personal note: Manipulating the OSPF cost will NOT change the routing table, because INTRA-area routes are always preferred over INTER-area routes.

-----------------------------------------------------------------------
OSPF Domain-ID
When a link between two LSRs goes down, the LDP session between the two LSRs that share the link is torn down. When the "MPLS LDP Session Protection" global config command is configured, a targeted LDP session is built between the routers. The targeted LDP session remains up as long as a redundant link exists between the two LSRs.

Under normal OSPF design rules, the process-id of an OSPF router does not need to match any other peer's process-id. However, with MPLS, the router uses the OSPF process-id as a portion of the domain-id. Routes from routers that do not share the same domain-id are considered type 5 (external) to OSPF; if the domain-ids match, the routes are advertised as type 3 LSAs. Either:
- change the process-id to match on both sides
OR
- configure a domain-id that matches on both routers
R3
# router ospf 3 vrf CA
# domain-id 0.0.0.1
R4
# router ospf 4 vrf CA
# domain-id 0.0.0.1
-----------------------------------------------------------------------
OSPF Summarization 
OSPF summarization can be configured on two types of routers: ABR / ASBR.
Internal OSPF routes can only be summarized on an ABR.
The "area xx range ..." command must be used for internal OSPF summarization.

External (redistributed) routes can be summarized on the router that originates the external routes (the ASBR).
The "summary-address ..." command is used for external route summarization.
-----------------------------------------------------------------------
OSPF  Route Filtering (Ref link: http://cisqueros.blogspot.sg/2013/05/ospf-route-filtering.html)

First be sure which type of LSA you need to filter by checking in which part of the database the route is:

#show ip ospf database [router | network | summary | internal | external]

There are 5 ways to perform OSPF Route Filtering:

1. DISTRIBUTE LIST - Filters LSAs of any type from the Routing Table, but they stay in the OSPF Database
!!!distribute-list OUT works on both, routing table and OSPF database, but ONLY on the ASBR for LSA5 and LSA7!!!
2. FILTER LIST - Filters only LSA3, so only on the ABR, but filters from the OSPF Database.
filter-list can be applied: IN - into the area, OUT - out of the area
3. NOT-ADVERTISE - ONLY filters LSA Types 1 and 2, applied on the ABR (filters both, routing table and OSPF Database)
Can be used with both the "area X range" (ABR) and "summary-address" (ASBR) commands
4. DISTANCE - Set the AD of the advertised routes to 255, so that they are UNREACHABLE
(config-router)#distance 255 3.3.3.3 0.0.0.0 10   <- 10 is an ACL
5. DATABASE-FILTER - If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or on an interface):
(config-subif)#ip ospf database-filter all out   <- per interface
(config-router)#neighbor x.x.x.x database-filter all out   <- per neighbor
!!!DISTRIBUTE-LIST only affects the local router!!! Meaning the update will still be distributed to the other routers; the subnets are only filtered out of the local IP ROUTING TABLE.

Filter using Distribute List

The easiest way to filter the OSPF routes from being added to the Routing Table is the distribute-list. The advantage is that it's rather easy to implement, and it can filter any type of LSA:

Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST in   <--- "out" would only work on the ASBR to filter LSA5 & LSA7

The big CON is that even though the route is not added to the Routing Table, it will stay in the database, and it will be further propagated to the other OSPF neighbors.
The route will therefore appear in their Routing Table, but it will not be reachable, as one of the routers along the path does not have it in its Routing Table.

*If you need to reach the route without passing through the router that cannot reach it, define a route-map with the next hop pointing towards an alternative path, and apply it in Global Configuration mode:

Cisqueros_R2(config)#ip local policy route-map ROUTE_MAP

OSPF filter-list - LSA-3 FILTERING

This ONLY works for LSA-3 (Summary), and therefore needs to be configured on the ABR only. Let's say that we want to filter the network 172.25.185.0/24 from Area 2. Then on the ABR we define a prefix list that DENIES that network and ALLOWS everything else:

(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32

Then apply the prefix-list as a filter-list within the OSPF configuration process for Area 2:

(config-router)#area 2 filter-list prefix JEDANES in

This will prevent the network from being advertised into Area 2. Note that IN/OUT means that the network is being advertised into or out of AREA 2.

OSPF "not-advertise" LSA1 & LSA2 FILTERING

If you need to filter LSAs 1 and 2, you can use the "not-advertise" command, but also ONLY ON ABR!

(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise

Tune the ADVERTISED DISTANCE to Filter the Prefix

Another way to filter the OSPF networks is manually setting the distance to 255, which is UNREACHABLE. It's not the most elegant way, but you should know that it's also an option.

Cisqueros_R4(config-router)#distance 255 3.3.3.3 255.255.255.0 10   <--- 10 is an access-list with the prefixes we want to filter

Filter EXTERNAL OSPF Routes: LSA5 & LSA7

The first way to filter these routes was already mentioned above:

Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST OUT

The second way is reserved ONLY for the external routes, and it's the "not-advertise" keyword applied to the "summary-address" command:

(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise   <--- must be applied on the ASBR

Filter OSPF per Interface

If you wish to prevent LSAs to be sent via particular Interface:

(config-if)#ip ospf database-filter all out

*ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface

Filter OSPF per NEIGHBOR

Even though OSPF doesn't require that we manually configure the Neighbors, we do need to use the "neighbor" command in order to configure the OSPF database filtering:

(config-router)#neighbor 5.5.5.5 database-filter all out

*Network MUST be configured as POINT-TO-POINT (on the Interface Configuration)

-----------------------------------------------------------------------