
Type-5 LSA filtering

Unanswered Question
Jul 16th, 2010

Hi,


Attached is the topology.


I am getting Type-5 AS External Link States into my network (area 1) and I tried distribute-list out <interface>, but it's not allowing me with <interface> and without interface command it's not resolved. I can see those routes in ASA. I tried distribute-in and out both on internal router (R3) but no help.


I want a few routes of Type-5 LSAs to stop coming on R3 as well as FW. After applying distribute-list in, those routes are not visible in sh ip route.

But in sh ip ospf database, I can see those routes.


Pls. suggest how this can be achieved.


Thanks,

Mohamed Sobair Fri, 07/16/2010 - 04:33
User Badges:
  • Gold, 750 points or more

Hi,


On R3 apply the following:



router ospf x

area 1 filter-list prefix type5 in



ip prefix-list type5 deny x.x.x.x/x

ip prefix-list type5 permit 0.0.0.0/0 le 32



With the above command LSAs are also filtered from entering AREA 1.



HTH

Mohamed

winpwnkmr Fri, 07/16/2010 - 04:45

Hi Mohamed,


I tried below, but it's not working. I can still see the routes coming in OSPF database in R3 and in OSPF routes on ASA. However it's not visible on sh ip route on R3.


Any other suggestion pls.


Thanks,

Pawan

Mohamed Sobair Fri, 07/16/2010 - 04:56
User Badges:
  • Gold, 750 points or more

Hi,


You will see it on the database because it's filtered from Area 0 while it traverses to area 1, so it's still in Area 0 while it's denied to enter Area 1.


If you want to completely deny it from Area 0 router 3 the ABR, then you would need to apply this command as follows:


router ospf x

area 0 filter-list prefix-list in


With the above you shouldn't see these prefixes on the OSPF database. Please confirm by issuing the below command:


-- show ip ospf database external --




HTH

Mohamed

winpwnkmr Fri, 07/16/2010 - 05:35

I can still see those routes. Below is my config:


router ospf 3
area 0 filter-list prefix type5 in
 
ip prefix-list type5 deny 81.95.160.47/32 le 32
ip prefix-list type5 deny 93.157.223.14/32 le 32

ip prefix-list type5 deny 94.76.209.0/24 le 32


-- show ip ospf database external --


  Routing Bit Set on this LSA
  LS age: 1903
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 81.95.160.47 (External Network Number )
  Advertising Router: 192.168.220.20
  LS Seq Number: 80001B8A
  Checksum: 0x9C84
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

  Routing Bit Set on this LSA
  LS age: 1956
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 93.157.223.14 (External Network Number )
  Advertising Router: 192.168.220.20
  LS Seq Number: 80001B8A
  Checksum: 0xA810
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

  Routing Bit Set on this LSA
  LS age: 1611
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 94.76.209.0 (External Network Number )
  Advertising Router: 192.168.220.18
  LS Seq Number: 800002C4
  Checksum: 0xA759
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 25
        Forward Address: 0.0.0.0
        External Route Tag: 0



Pls. suggest.


Thanks.

winpwnkmr Fri, 07/16/2010 - 07:24

Hi,


So do you mean to say below will work?


router ospf 3
area 1 filter-list prefix type5 in
 
ip prefix-list type5 deny 81.95.160.47/32
ip prefix-list type5 deny 93.157.223.14/32

ip prefix-list type5 deny 94.76.209.0/24


Actually I did try that and it's also not working.


Thanks.

winpwnkmr Fri, 07/16/2010 - 07:43

Hi NT,


I tried that too, below is the config, but still routes are coming to ASA as well as OSPF database.


router ospf 3
area 1 filter-list prefix type5 in

distribute-list 1 in

access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.63.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 deny   any


ip prefix-list type5 seq 5 deny 94.76.209.0/24 le 32
ip prefix-list type5 seq 10 permit 217.8.250.72/29 le 32
ip prefix-list type5 seq 15 deny 123.136.103.70/32


Thanks.

Nagaraja Thanthry Fri, 07/16/2010 - 07:55
User Badges:
  • Cisco Employee,

Hello,


When you are using distribute-list in, you should be able to specify the interface. Can you please check that and specify the interface?


Regards,


NT

winpwnkmr Fri, 07/16/2010 - 08:12

Hi NT,


I tried interface too. Same problem persists. Still getting the routes on ASA and R3 OSPF database.


Thanks.

Giuseppe Larosa Fri, 07/16/2010 - 09:00
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Pawan,


In OSPF, LSA type 5 cannot be filtered but they are spread to all areas that are not stub.


A possible solution to this problem could be that of making the area between R3 and the FW a stub area and to have R3 inject an OSPF default route inside that area.

If this is not acceptable as the FW should use a different default route, your only option is to run two OSPF processes on R3 and to redistribute with a filter from one process to the other. This will give you a point where you can control what routes are injected into the second OSPF process.


Another solution that can work when the forwarding address field in the external LSA data structure is set (different than 0.0.0.0 meaning local router) is to use an area filter-list to filter those IP addresses.

Being the Forwarding address unknown in the other OSPF area, the external LSA referring to those addresses as FA will not be installed in the routing table.


I think this is what was suggested by Nagaraja.


Hope to help

Giuseppe
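
The two workarounds described in the post above, as an added IOS configuration sketch (not posted by anyone in this thread). Process ID 3 and the three prefixes come from the thread; process ID 30, the names BLOCK-EXT and TO-FW, and the bracketed placeholders are assumptions.

```cisco
! ---- Option A: make area 1 a stub area ----
! Type-5 LSAs are not flooded into a stub area; the ABR (R3)
! originates a default route into the area in their place.
! R3:
router ospf 3
 area 1 stub
!
! Firewall: every router in the area must agree on the stub flag,
! otherwise the adjacency will not form.
router ospf <fw-process-id>
 area 1 stub
!
! ---- Option B: two OSPF processes on R3, filtered redistribution ----
! Process 3 keeps the area 0 side only. The FW-facing link moves to a
! second process (30 is a hypothetical ID), so the external LSAs learned
! by process 3 are never flooded to the firewall. Only what the
! route-map permits is re-originated by process 30.
!
! Prefixes to block (taken from the thread). They are "permit" here
! because the prefix-list only selects routes; the route-map denies them.
ip prefix-list BLOCK-EXT seq 5 permit 81.95.160.47/32
ip prefix-list BLOCK-EXT seq 10 permit 93.157.223.14/32
ip prefix-list BLOCK-EXT seq 15 permit 94.76.209.0/24
!
route-map TO-FW deny 10
 match ip address prefix-list BLOCK-EXT
route-map TO-FW permit 20
!
router ospf 3
 ! remove the FW-facing network statement from this process
 no network <fw-link-subnet> <wildcard> area 1
 ! only if FW-side routes must be reachable from area 0:
 redistribute ospf 30 subnets
!
router ospf 30
 network <fw-link-subnet> <wildcard> area 1
 redistribute ospf 3 subnets route-map TO-FW
!
! ---- Verification ----
! On the firewall / FW-side process the blocked prefixes should no
! longer appear in the link-state database, not just the routing table:
!   show ip ospf 30 database external
!   show ip route ospf
```

Option A requires that the firewall does not redistribute routes into OSPF, because a stub area cannot contain an ASBR. With either option R3 itself still holds the Type-5 LSAs in its area 0 database, since it remains attached to the backbone.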

Mohamed Sobair Sat, 07/17/2010 - 00:09
User Badges:
  • Gold, 750 points or more

Hi Kumar,


I apologize for this mistake, I got confused for a while. As noted by Gui, Type 5 LSA can't be filtered unless Stub area is used. The command I have referred to earlier should filter type 3 LSA.


I think your only option is to have a Stub Area (Area 1), or deny those routes from being installed on the routing table, but they would appear on the OSPF database.


Thanks again and sorry!!!



Mohamed
