OSPF LSA Type 5 Filtering on Cisco IOS


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(Victor R) #2

Hello,

I know that using the distribute-list filters the route from getting to the RIB. But it still creates an LSA type 5. Regarding the other two methods, does it stop the creation of the type 5 LSA, and this filtering has to be done on the ASBR, correct?

Thank you


(Sebastien B) #3

Hello,

Just to be sure: it’s the outbound distribute-list which has to be applied on the ASBR OSPF configuration, yes?

Thank you


(Rene Molenaar) #4

Hi Sebastien,

That’s right. I see I left a typo in the article: it says “inbound” while the distribute-list itself is outbound. Just fixed this.

Rene


(Pradeep N) #5

Hi,
Please help me with the query below:

What is the difference between “distribute list out” and “distribute list in” during redistribution?


(Lazaros Agapides) #6

Hello Pradeep!

In order to filter type 5 LSAs we must use the “out” keyword when implementing a distribute-list. The “out” keyword indicates that we are filtering LSA type 5, and thus we are filtering routes that are redistributed from external sources. Whereas the “in” keyword is used when we want to remove a route from the routing table.

I hope this was helpful!

Laz


(Shawn O) #7

I am wondering why we need to use a distribute list that points to an access-list, rather than just using an access-list. Isn’t this the same thing, with one less step?

Shawn


(Lazaros Agapides) #8

Hello Shawn

Access lists are often used to indicate specific addresses, ports, sources and destinations. Access lists on their own are just a definition. They don’t actually DO anything. If you create an access list, no functionality of a device is changed.

Once an access list is defined, you can then apply it in different ways. You can:

- create an access group on an interface
- include it in a policy map
- use it to define NAT rules
- refer to it in a distribution list

At first glance, it would make more sense to just have one command to implement this solution rather than two; however, because of the complexity of the Cisco IOS, two steps are necessary.

Think of the first step as the definition of the condition that is being matched, and the second step as the application of that condition.

I hope this has been helpful!

Laz


(Elliott F) #9

Distribute-list Filtering example does not work with IOS 15.

I have tried a different format of the access-list and cleared OSPF processes. Still no joy.

router ospf 1
 distribute-list 1 out

access-list 1 deny   172.16.0.1
access-list 1 permit any

Does anyone have any advice on this?


(Rene Molenaar) #10

Hi Elliott,

Just in case, I checked it, but it’s working fine for me.

I added my configurations to the lesson (at the bottom) in case you want to double check.

Rene


(aniket G) #11

Hi Rene,

Does GNS3 support type 5 LSA filtering? I did this 3 times and it is still not working for me, so can you make sure whether GNS3 supports Type-5 LSA filtering or not?

I am sure that I am not wrong in configuration as I have checked my config 3 times.


(Lazaros Agapides) #12

Hello Aniket

As far as I know, GNS3 has no limitations on Type-5 filtering. It should function correctly. Take a look at this Cisco support thread to see if you have any issues similar to this:

I hope this has been helpful!

Laz


(Billing a) #13

Can’t we configure the routemap this way?

R1(config)#ip access-list standard R1_L1
R1(config-std-nacl)#deny host 172.16.1.1
R1(config-std-nacl)#permit any

R1(config)#route-map CONNECTED_TO_OSPF permit 10
R1(config-route-map)#match ip address R1_L1


R1(config)#router ospf 1
R1(config-router)#redistribute connected subnets route-map CONNECTED_TO_OSPF

(Lazaros Agapides) #14

Hello Billing

If we applied this route map as you have it here, the following would happen:

You have an access list that denies host 172.16.1.1 and permits everything else. This means that this access list, within a route map, will match EVERYTHING except for that specific IP.

When you add it to the route map with a permit statement, then every time a packet with an IP address other than 172.16.1.1 is matched, it will be permitted. Because of the implicit deny at the end of the route map, everything else, which is essentially 172.16.1.1 alone, will be denied.

So a match (which takes place with everything except 172.16.1.1) in your case will permit redistribution. A lack of matching (which will only occur with 172.16.1.1) will result in a denial of redistribution.

So yes, your solution would work. It may be considered a little bit counterintuitive, but if the thought process works for you then so be it!

I hope this has been helpful!

Laz
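
The evaluation order described in post #14, modelled in Python as an added example (not code from the thread or the lesson). It runs the route-map from post #13 beside a deny-then-permit form and a deny-only form that relies on nothing but the implicit deny. The `HOST_ONLY` ACL, the two alternative route-maps and the list of connected networks are constructed for illustration.

```python
import ipaddress

def _u32(dotted):
    return int(ipaddress.IPv4Address(dotted))

def acl_permits(acl, network):
    """Standard ACL: the first entry matching the route's network address decides.
    Falls through to the implicit deny when nothing matches."""
    for action, base, wildcard in acl:
        care = ~_u32(wildcard) & 0xFFFFFFFF      # wildcard bit 1 = "don't care"
        if (_u32(network) & care) == (_u32(base) & care):
            return action == "permit"
    return False

def route_map_permits(route_map, network):
    """Route-map: clauses run in sequence order. A clause matches when its ACL
    permits the route (or it has no match statement); an ACL deny only means
    'this clause did not match', so evaluation moves to the next clause."""
    for _seq, action, acl in sorted(route_map, key=lambda clause: clause[0]):
        if acl is None or acl_permits(acl, network):
            return action == "permit"
    return False                                  # implicit deny at the end

def redistributed(route_map, networks):
    return [n for n in networks if route_map_permits(route_map, n)]

# Post #13: ACL R1_L1 inside "route-map CONNECTED_TO_OSPF permit 10"
R1_L1 = [("deny", "172.16.1.1", "0.0.0.0"), ("permit", "0.0.0.0", "255.255.255.255")]
POST_13 = [(10, "permit", R1_L1)]

# Constructed alternative: ACL permits only the host, clause 10 denies it,
# clause 20 (no match statement) permits the rest.
HOST_ONLY = [("permit", "172.16.1.1", "0.0.0.0")]
DENY_THEN_PERMIT = [(10, "deny", HOST_ONLY), (20, "permit", None)]
DENY_ONLY = [(10, "deny", HOST_ONLY)]             # clause 20 forgotten

# Constructed connected networks on the ASBR (network addresses only)
CONNECTED = ["172.16.1.1", "192.168.12.0", "10.1.1.0"]

if __name__ == "__main__":
    for name, rm in [("post #13", POST_13), ("deny/permit", DENY_THEN_PERMIT),
                     ("deny only", DENY_ONLY)]:
        print(f"{name:12} -> {redistributed(rm, CONNECTED)}")
```

The first two route-maps redistribute the same set; the deny-only variant redistributes nothing, because every route that misses clause 10 hits the implicit deny.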