OSPF LSA Type 5 Filtering on Cisco IOS

This topic is to discuss the following lesson:

Hello,

I know that using the distribute-list filters the route from getting to the RIB, but it still creates an LSA type 5. Regarding the other two methods, do they stop the creation of the type 5 LSA, and does this filtering have to be done on the ASBR, correct?

Thank you

Hello,

Just to be sure: it’s the outbound distribute-list which has to be applied on the ASBR OSPF configuration, yes?

Thank you

Hi Sebastien,

That’s right. I see I left a typo in the article: it says “inbound” while the distribute-list itself is outbound. Just fixed this.

Rene

Hi,
Please help me with the query below:

What is the difference between “distribute list out” and “distribute list in” during redistribution?

1 Like

Hello Pradeep!

In order to filter type 5 LSAs we must use the “out” keyword when implementing a distribute-list. The “out” keyword indicates that we are filtering LSA type 5, and thus we are filtering routes that are redistributed from external sources. Whereas the “in” keyword is used when we want to remove a route from the routing table.

I hope this was helpful!

Laz

2 Likes

I am wondering why we need to use a distribute list that points to an access-list, rather than just using an access-list. Isn’t this the same thing, with one less step?

Shawn

Hello Shawn

Access lists are often used to indicate specific addresses, ports, sources and destinations. Access lists on their own are just a definition. They don’t actually DO anything. If you create an access list, no functionality of a device is changed.

Once an access list is defined, you can then apply it in different ways. You can:

- create an access group on an interface
- include it in a policy map
- use it to define NAT rules
- refer to it in a distribution list

At first glance, it would make more sense to just have one command to implement this solution rather than two, however, because of the complexity of the Cisco IOS, two steps are necessary.

Think of the first step as the definition of the condition that is being matched, and the second step as the application of that condition.

I hope this has been helpful!

Laz

Distribute-list Filtering example does not work with IOS 15.

I have tried a different format of the access-list and cleared OSPF processes. Still no joy.

```
router ospf 1
 distribute-list 1 out

access-list 1 deny   172.16.0.1
access-list 1 permit any
```

Does anyone have any advice on this?

Hi Elliot,

Just in case, I checked it, but it’s working fine for me.

I added my configurations to the lesson (at the bottom) in case you want to double check.

Rene

Hi Rene,

Does GNS3 support Type-5 LSA filtering? I did this 3 times and it is still not working for me, so can you make sure whether GNS3 supports Type-5 LSA filtering or not?

I am sure that I am not wrong in the configuration, as I have checked my config 3 times.

Hello Aniket

As far as I know, GNS3 has no limitations on Type-5 filtering. It should function correctly. Take a look at this Cisco support thread to see if you have any issues similar to this:

https://learningnetwork.cisco.com/thread/91165

I hope this has been helpful!

Laz

Can’t we configure the routemap this way?

```
R1(config)#ip access-list standard R1_L1
R1(config-std-nacl)#deny host 172.16.1.1
R1(config-std-nacl)#permit any

R1(config)#route-map CONNECTED_TO_OSPF permit 10
R1(config-route-map)#match ip address R1_L1

R1(config)#router ospf 1
R1(config-router)#redistribute connected subnets route-map CONNECTED_TO_OSPF
```

1 Like

Hello Billing

If we applied this route map as you have it here, the following would happen:

You have an access list that denies host 172.16.1.1 and permits everything else. This means that this access list, within a route map will match EVERYTHING except for that specific IP.

When you add it to the route map, with a permit statement, then every time there is a packet with an IP address other than 172.16.1.1, it will be permitted. Because of the implicit deny at the end of the route map, everything else, which is essentially 172.16.1.1 alone, will be denied.

So a match (which takes place with everything except 172.16.1.1) in your case will permit redistribution. A lack of matching (which will only occur with 172.16.1.1) will result in a denial of redistribution.

So yes, your solution would work. It may be considered a little bit counterintuitive, but if the thought process works for you then so be it!

I hope this has been helpful!

Laz

1 Like
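The route-map evaluation described in the reply above, as an added example that is not part of the original thread: a small Python model of how a standard ACL referenced by a route-map decides which connected routes are redistributed. The /32 loopback prefixes, the deny-then-permit variant and all names are constructed for illustration, and the model assumes the ACL is compared against each route's network address.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # address and wildcard for "permit any"

def acl_permits(acl, network):
    """Standard ACL: ordered (action, address, wildcard) entries.
    The first matching entry decides; no match is the implicit deny."""
    net = int(ipaddress.ip_network(network).network_address)
    for action, addr, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (net & care) == (int(ipaddress.ip_address(addr)) & care):
            return action == "permit"
    return False

def route_map_permits(route_map, network):
    """Route-map: ordered (action, acl_or_None) clauses. A clause matches
    only when its ACL permits the route; an ACL deny falls through to the
    next clause. A clause without a match statement matches everything."""
    for action, acl in route_map:
        if acl is None or acl_permits(acl, network):
            return action == "permit"
    return False  # implicit deny at the end of the route-map

# The ACL and route-map from the question above.
R1_L1 = [("deny", "172.16.1.1", "0.0.0.0"), ("permit", *ANY)]
PERMIT_ALL_BUT_L1 = [("permit", R1_L1)]

# Constructed alternative: deny the one route, then permit the rest.
ONLY_L1 = [("permit", "172.16.1.1", "0.0.0.0")]
DENY_THEN_PERMIT = [("deny", ONLY_L1), ("permit", None)]

# Constructed connected routes (assumed loopbacks with /32 masks).
CONNECTED = ["172.16.0.1/32", "172.16.1.1/32", "172.16.2.1/32",
             "192.168.12.0/24"]

def redistributed(route_map, routes=CONNECTED):
    """Return the routes that would be redistributed into OSPF."""
    return [r for r in routes if route_map_permits(route_map, r)]

if __name__ == "__main__":
    for name, rm in (("permit 10 + R1_L1", PERMIT_ALL_BUT_L1),
                     ("deny 10 / permit 20", DENY_THEN_PERMIT)):
        print(name, "->", redistributed(rm))
```

Dropping the `permit any` entry from the ACL makes every route fall through to the implicit deny, so nothing is redistributed.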

Hi dear team.

I am really liking your lessons, but I would like to suggest that you always include the full syntax regarding the configuration of a certain topic. For example, in the OSPF route summarization lesson you did not talk about the configuration options.

I have some questions regarding OSPF LSA Filtering.

  1. What to say regarding LSA Type 7 Filtering?
    a) Do we still use Distribute-list, Route-map and not-advertise trick to filter these LSAs?
    b) Since the ABR converts Type 7 LSA to Type 5 to propagate it to other areas, on the ABR Router if I am receiving these Type 7 LSAs, how can I filter them to avoid having some routes entering the backbone area? Do I use Type 5 LSA filtering procedures or Type 3 LSA filtering procedures on the ABR Router? I am asking because according to your LSA Type lesson the ABR converts Type 7 LSA and propagates it as Type 5 to other areas.

Hello Zacarias

As you mention in your post, this really isn’t filtering, because type 7 LSAs don’t traverse an ABR, but they are converted to type 5 LSAs. Conversely, Type 3 and Type 5 LSAs can be literally filtered because, in the absence of filtering, they simply traverse the ABR unchanged.

You can find out more details about filtering type 7 LSAs from the following Cisco documentation:

Also, thanks for your feedback, every suggestion that you make helps us to make Networklessons better!

I hope this has been helpful!

Laz

Understood it now. Thanks!

1 Like

Hi Guys, great lesson,

Just to quote “the distribute-list is actually filtering the network while the route-map and summary-address prevent the router from advertising something.”

Since they are all applied at the ‘router OSPF 1’ process, how exactly is the distribute-list actually filtering the network yet the route-map and summary-address are preventing the router from advertising something?

Hello Joseph

As Rene stated, the devil is indeed in the details. Even though all three are applied on the OSPF process, and they can be configured to have the same result as far as routing goes, the logic behind the way each works is different.

The distribute list will filter routes from being added to the routing table but it will not remove the LSA for that subnet. So the subnet is still being advertised, however, it is simply not put into the routing table, and that’s the definition of filtering.

The route-map and summary-address methods actually prevent the route from being advertised, so the LSA for that subnet is not advertised at all. Thus, it doesn’t end up in the routing table either.

The result is the same, the mechanism is different.

I hope this has been helpful!

Laz

1 Like

Excellent man. Thanks for your help.