
Type-5 LSA filtering

winpwnkmr
Level 1

Hi,

Attached is the topology.

I am getting Type-5 AS External Link States into my network (area 1) and I tried distribute-list out <interface>, but it's not allowing me with <interface> and without interface command it's not resolved. I can see those routes in ASA. I tried distribute-in and out both on internal router (R3) but no help.

I want a few routes from the Type-5 LSAs to stop coming to R3 as well as the FW. After applying distribute-list in, those routes are not visible in sh ip route.

But in sh ip ospf database, I can see those routes.

Pls. suggest how this can be achieved.

Thanks,


Mohamed Sobair
Level 7

Hi,

On R3 apply the following:

router ospf x

area 1 filter-list prefix type5 in

ip prefix-list type5 deny x.x.x.x/x

ip prefix-list type5 permit 0.0.0.0/0 le 32

With the above command LSAs are also filtered from entering AREA 1.

HTH

Mohamed

Hi Mohamed,

I tried below, but it's not working. I can still see the routes coming in OSPF database in R3 and in OSPF routes on ASA. However it's not visible on sh ip route on R3.

Any other suggestion pls.

Thanks,

Pawan

Mohamed Sobair
Level 7

Hi,

You will see it in the database because it's filtered from Area 0 while it traverses to area 1, so it's still in Area 0 while it's denied entry to Area 1.

If you want to completely deny it from Area 0 on router 3, the ABR, then you would need to apply this command as follows:

router ospf x

area 0 filter-list prefix type5 in

With the above you shouldn't see these prefixes in the OSPF database. Please confirm by issuing the command below:

-- show ip ospf database external --

HTH

Mohamed

I can still see those routes. Below is my config:

router ospf 3
area 0 filter-list prefix type5 in
 
ip prefix-list type5 deny 81.95.160.47/32 le 32
ip prefix-list type5 deny 93.157.223.14/32 le 32

ip prefix-list type5 deny 94.76.209.0/24 le 32

-- show ip ospf database external --

  Routing Bit Set on this LSA
  LS age: 1903
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 81.95.160.47 (External Network Number )
  Advertising Router: 192.168.220.20
  LS Seq Number: 80001B8A
  Checksum: 0x9C84
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

  Routing Bit Set on this LSA
  LS age: 1956
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 93.157.223.14 (External Network Number )
  Advertising Router: 192.168.220.20
  LS Seq Number: 80001B8A
  Checksum: 0xA810
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 20
        Forward Address: 0.0.0.0
        External Route Tag: 0

  Routing Bit Set on this LSA
  LS age: 1611
  Options: (No TOS-capability, DC)
  LS Type: AS External Link
  Link State ID: 94.76.209.0 (External Network Number )
  Advertising Router: 192.168.220.18
  LS Seq Number: 800002C4
  Checksum: 0xA759
  Length: 36
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        TOS: 0
        Metric: 25
        Forward Address: 0.0.0.0
        External Route Tag: 0

Pls. suggest.

Thanks.

Hello,

It seems like the prefix-list blocks only type 3 LSAs.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftabrt3f.html

So, your earlier outcome was correct in that you do get those through area 0 in the OSPF database but you will not send it to area 1. You will not install those routes as well.

Hope this helps.

Regards,

NT

Hi,

So do you mean to say below will work?

router ospf 3
area 1 filter-list prefix type5 in
 
ip prefix-list type5 deny 81.95.160.47/32
ip prefix-list type5 deny 93.157.223.14/32

ip prefix-list type5 deny 94.76.209.0/24

Actually I did try that and it's also not working.

Thanks.

Hello,

In that case I would suggest using distribute-list in the incoming direction on R3 (interface towards the other router). That should filter the routes from getting into R3's routing table. Then it will not be distributed to the ASA as well.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html

Hope this helps.

Regards,

NT

Hi NT,

I tried that too, below is the config, but still routes are coming to ASA as well as OSPF database.

router ospf 3
area 1 filter-list prefix type5 in

distribute-list 1 in

access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.63.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 deny   any

ip prefix-list type5 seq 5 deny 94.76.209.0/24 le 32
ip prefix-list type5 seq 10 permit 217.8.250.72/29 le 32
ip prefix-list type5 seq 15 deny 123.136.103.70/32

Thanks.

Hello,

When you are using distribute-list in, you should be able to specify the interface. Can you please check that and specify the interface?

Regards,

NT

Hi NT,

I tried interface too. Same problem persists. Still getting the routes on ASA and R3 OSPF database.

Thanks.

Hello Pawan,

In OSPF, LSA type 5 cannot be filtered; they are spread to all areas that are not stub.

A possible solution to this problem could be to make the area between R3 and the FW a stub area and to have R3 inject an OSPF default route inside that area.

If this is not acceptable because the FW should use a different default route, your only option is to run two OSPF processes on R3 and to redistribute with a filter from one process to the other. This will give you a point where you can control what routes are injected into the second OSPF process.

Another solution that can work when the forwarding address field in the external LSA data structure is set (different than 0.0.0.0, meaning local router) is to use an area filter-list to filter those IP addresses.

With the forwarding address unknown in the other OSPF area, the external LSAs referring to those addresses as FA will not be installed in the routing table.

I think this is what was suggested by Nagaraja.

Hope to help

Giuseppe

Mohamed Sobair
Level 7

Hi Kumar,

I apologize for this mistake, I got confused for a while. As noted by Gui, Type 5 LSAs can't be filtered unless a stub area is used. The command I referred to earlier should filter type 3 LSAs.

I think your only options are to have a stub area (Area 1) or to deny those routes from being installed in the routing table, but they would appear in the OSPF database.

Thanks again and sorry!!!

Mohamed
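
Added example, not part of any post in this thread: a Python check for the behaviour the replies converge on, where `distribute-list in` keeps prefixes out of R3's routing table while the Type-5 LSAs stay in the OSPF database and are flooded on to the ASA. It parses `show ip ospf database external` output and lists the LSAs that access-list 1 from the thread would deny; the function names and the third sample LSA are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of `show ip ospf database external`.
# The first two LSAs use values from the thread; the third is made up.
SAMPLE_LSDB = """\
  LS Type: AS External Link
  Link State ID: 81.95.160.47 (External Network Number )
  Advertising Router: 192.168.220.20
  Network Mask: /32
        Forward Address: 0.0.0.0
  LS Type: AS External Link
  Link State ID: 94.76.209.0 (External Network Number )
  Advertising Router: 192.168.220.18
  Network Mask: /24
        Forward Address: 0.0.0.0
  LS Type: AS External Link
  Link State ID: 192.168.50.0 (External Network Number )
  Advertising Router: 192.168.220.18
  Network Mask: /24
        Forward Address: 0.0.0.0
"""

# access-list 1 from the thread as (action, address, wildcard); anything else is denied.
ACL_1 = [("permit", "10.0.0.0", "0.0.0.255"),
         ("permit", "172.16.0.0", "0.0.63.255"),
         ("permit", "192.168.0.0", "0.0.255.255")]

def parse_external_lsas(text):
    """Return one dict per Type-5 LSA found in the show output."""
    lsas = []
    for block in text.split("LS Type: AS External Link")[1:]:
        f = {k: re.search(p, block) for k, p in (
            ("id", r"Link State ID: (\S+)"), ("adv", r"Advertising Router: (\S+)"),
            ("len", r"Network Mask: /(\d+)"), ("fa", r"Forward Address: (\S+)"))}
        if not all(f.values()):
            continue  # truncated record, skip it
        # The Link State ID may carry host bits, hence strict=False
        net = ipaddress.ip_network(f"{f['id'].group(1)}/{f['len'].group(1)}", strict=False)
        lsas.append({"prefix": net, "adv_router": f["adv"].group(1),
                     "forward_address": f["fa"].group(1)})
    return lsas

def acl_permits(network, acl):
    """Standard-ACL match on the network address; first match wins."""
    addr = int(network.network_address)
    for action, base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr & care) == (int(ipaddress.ip_address(base)) & care):
            return action == "permit"
    return False  # no entry matched: denied

def still_flooded(lsdb_text, acl):
    """LSAs the ACL keeps out of the RIB but that remain in the LSDB."""
    return [l for l in parse_external_lsas(lsdb_text) if not acl_permits(l["prefix"], acl)]
```

Run against the LSDB of the downstream device after a change: an empty result from `still_flooded` means no denied external prefix is still being flooded into that area.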
