OSPF ABR Type 3 LSA Filtering on Cisco IOS

I'm glad it helped.

In your case R4 is ABR, not the ASBR.

  • ABR = router that is interconnecting OSPF area 0 with any OSPF area other than 0.
  • ASBR = router that is performing Redistribution into OSPF.

This is important to understand. ABR is producing LSA Type 3 (Inter Area routes) and ASBR is producing LSA Type 5 (External routes).

Because 4.4.4.4/32 is a loopback on R4 in area 0 (it is an intra-area route for area 0) and R4 is an ABR, R4 is going to push 4.4.4.4/32 as LSA Type 3 (inter-area route) to area 3.
You can block this LSA Type 3 using a filter-list. Same approach you used before.

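! on R4:
ip prefix-list BLOCK-R4_LOOPBACK seq 4 deny 4.4.4.4/32
! a prefix-list ends with an implicit deny, so permit everything else
ip prefix-list BLOCK-R4_LOOPBACK seq 10 permit 0.0.0.0/0 le 32
router ospf 1
 area 3 filter-list prefix BLOCK-R4_LOOPBACK in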

This basically tells R4 to not flood LSA Type 3 for 4.4.4.4/32 into area 3.

OSPF is a link-state protocol, which makes filtering somewhat limited, because all routers in a given area need to have the same LSDB, otherwise they won't become fully adjacent.

Within OSPF you can filter only on ABRs and ASBRs.

On ABRs you filter using a filter-list, and it has the following specifications:

  • Filters routes between areas (LSA Type 3 generated by ABR into another area).
  • Works only on ABR routers (ABR routers generate LSA Type 3).
  • Can reference only prefix-list.
  • in = inside referenced area
  • out = outside referenced area

There are other tricks for filtering, specifically using “area range”, but the ABR needs to know LSA 1 and LSA 2 from the area where the filtered route resides (needs to have an interface in that area), otherwise not-advertise is not possible.
For your example it would look like this.

! on R4:
router ospf 1
 area 0 range 4.4.4.4 255.255.255.255 not-advertise

R4 as ABR is now not advertising 4.4.4.4/32 to other areas.

As another approach to filtering we can use a distribute-list:

  • in = apply distribute-list with “in” direction = allow incoming LSAs into the LSDB and flood them to peers, however prevent the LSAs from becoming routes in the router's own local routing table; this can blackhole traffic. Applying distribute-list “in” is very uncommon.
  • out = only used on ASBRs to prevent redistribution of certain routes into External LSAs (do not CREATE external LSA). We should think if we want to redistribute these routes in the first place. This is the case where you pointed to route-map.
  • No interface allowed.
  • Can use standard or extended ACL. Standard = match on prefix. Extended = match on prefix and adv-rtr-ip (advertising router interface ip) of LSA (NOT the Router ID).

On ASBR we can also use “summary-address” and “not-advertise” filtering.

This is just an overview; the important thing is to understand how LSAs propagate routes, so you can filter them later.
I suggest you go over various lessons on OSPF filtering. You can find them right here.

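An added example, not part of the original post: a small Python model of how an IOS prefix-list referenced by `area 3 filter-list prefix ... in` decides which Type 3 LSAs reach area 3, comparing a deny-only list with one that ends in `permit 0.0.0.0/0 le 32`. The sample prefixes other than 4.4.4.4/32 and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: prefixes R4 would originate as Type 3 LSAs into area 3.
SUMMARIES = ["4.4.4.4/32", "10.0.12.0/24", "1.1.1.1/32"]

# Entries are (seq, action, network, ge, le); ge/le are None when not configured.
DENY_ONLY = [(4, "deny", "4.4.4.4/32", None, None)]
WITH_PERMIT = DENY_ONLY + [(10, "permit", "0.0.0.0/0", None, 32)]


def entry_matches(entry, route):
    """Return True if a route matches one prefix-list entry."""
    _, _, net, ge, le = entry
    net = ipaddress.ip_network(net)
    route = ipaddress.ip_network(route)
    # The route must fall inside the entry's network bits.
    if not route.subnet_of(net):
        return False
    # Without ge/le the prefix length must match exactly.
    if ge is None and le is None:
        return route.prefixlen == net.prefixlen
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else 32
    return low <= route.prefixlen <= high


def evaluate(prefix_list, route):
    """First matching entry (lowest seq) wins; no match is an implicit deny."""
    for entry in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(entry, route):
            return entry[1]
    return "deny"


def filter_type3(prefix_list, summaries):
    """Prefixes that would still be advertised into the area as Type 3 LSAs."""
    return [r for r in summaries if evaluate(prefix_list, r) == "permit"]


if __name__ == "__main__":
    print("deny-only list lets through:  ", filter_type3(DENY_ONLY, SUMMARIES))
    print("with trailing permit, through:", filter_type3(WITH_PERMIT, SUMMARIES))
```

Running the same check against a planned prefix-list before applying it on an ABR shows whether the filter removes only the intended prefix or every inter-area route into the area.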