OSPF LSA Type 5 Filtering on Cisco IOS

Hi,
Please help me with below query:

What is the difference between “distribute list out” and “distribute list in” during redistribution?

Hello Pradeep!

In order to filter type 5 LSAs we must use the “out” keyword when implementing a distribute-list. The “out” keyword indicates that we are filtering LSA type 5, and thus we are filtering routes that are redistributed from external sources. Whereas the “in” keyword is used when we want to remove a route from the routing table.

I hope this was helpful!

Laz

I am wondering why we need to use a distribute list that points to an access-list, rather than just using an access-list. Isn’t this the same thing, with one less step?

Shawn

Hello Shawn

Access lists are often used to indicate specific addresses, ports, sources and destinations. Access lists on their own are just a definition. They don’t actually DO anything. If you create an access list, no functionality of a device is changed.

Once an access list is defined, you can then apply it in different ways. You can:

- create an access group on an interface
- include it in a policy map
- use it to define NAT rules
- refer to it in a distribution list

At first glance, it would make more sense to just have one command to implement this solution rather than two; however, because of the complexity of the Cisco IOS, two steps are necessary.

Think of the first step as the definition of the condition that is being matched, and the second step as the application of that condition.

I hope this has been helpful!

Laz

Distribute-list Filtering example does not work with IOS 15.

I have tried a different format of the access-list and cleared OSPF processes. Still no joy.

router ospf 1
 distribute-list 1 out

access-list 1 deny   172.16.0.1
access-list 1 permit any

Does anyone have any advice on this?

Hi Elliot,

Just in case, I checked it, but it’s working fine for me.

I added my configurations to the lesson (at the bottom) in case you want to double check.

Rene

Hi Rene,

Does GNS3 support Type-5 LSA filtering? I did this 3 times and it is still not working for me, so can you make sure whether GNS3 supports Type-5 LSA filtering or not?

I am sure that I am not wrong in the configuration, as I have checked my config 3 times.

Hello Aniket

As far as I know, GNS3 has no limitations on Type-5 filtering. It should function correctly. Take a look at this Cisco support thread to see if you have any issues similar to this:

https://learningnetwork.cisco.com/thread/91165

I hope this has been helpful!

Laz

Can’t we configure the routemap this way?

R1(config)#ip access-list standard R1_L1
R1(config-std-nacl)#deny host 172.16.1.1
R1(config-std-nacl)#permit any

R1(config)#route-map CONNECTED_TO_OSPF permit 10
R1(config-route-map)#match ip address R1_L1


R1(config)#router ospf 1
R1(config-router)#redistribute connected subnets route-map CONNECTED_TO_OSPF

Hello Billing

If we applied this route map as you have it here, the following would happen:

You have an access list that denies host 172.16.1.1 and permits everything else. This means that this access list, within a route map, will match EVERYTHING except for that specific IP.

When you add it to the route map, with a permit statement, then every time there is a packet with an IP address other than 172.16.1.1, it will be permitted. Because of the implicit deny at the end of the route map, everything else, which is essentially 172.16.1.1 alone, will be denied.

So a match (which takes place with everything except 172.16.1.1) in your case will permit redistribution. A lack of matching (which will only occur with 172.16.1.1) will result in a denial of redistribution.

So yes, your solution would work. It may be considered a little bit counterintuitive, but if the thought process works for you then so be it!

I hope this has been helpful!

Laz

Hi dear team.

I am really liking your lessons, but I would like to suggest that you always include the full syntax regarding the configuration of a certain topic; for example, in the OSPF route summarization you did not talk about the configuration options.

I have some questions regarding OSPF LSA Filtering.

  1. What to say regarding LSA Type 7 Filtering?
    a) Do we still use Distribute-list, Route-map and not-advertise trick to filter these LSAs?
    b) Since the ABR converts Type 7 LSA to Type 5 to propagate it to other areas, on the ABR Router if I am receiving this Type 7 LSA how can I filter them to avoid having some routes entering the backbone area? Do I use Type 5 LSA filtering procedures or Type 3 LSA filtering procedures on the ABR Router? I am asking because according to your LSA Type lesson the ABR converts the Type 7 LSA and propagates it as Type 5 to other areas.

Hello Zacarias

As you mention in your post, this really isn’t filtering, because type 7 LSAs don’t traverse an ABR, but they are converted to type 5 LSAs. Conversely, Type 3 and Type 5 LSAs can be literally filtered because, in the absence of filtering, they simply traverse the ABR unchanged.

You can find out more details about filtering type 7 LSAs from the following Cisco documentation:

Also, thanks for your feedback, every suggestion that you make helps us to make Networklessons better!

I hope this has been helpful!

Laz

Understood it now. Thanks!

Hi Guys, great lesson,

Just to quote “the distribute-list is actually filtering the network while the route-map and summary-address prevent the router from advertising something.”

Since they are all applied at the ‘router OSPF 1’ process, how exactly is the distribute-list actually filtering the network yet the route-map and summary-address are preventing the router from advertising something?

Hello Joseph

As Rene stated, the devil is indeed in the details. Even though all three are applied on the OSPF process, and they can be configured to have the same result as far as routing goes, the logic behind the way each works is different.

The distribute list will filter routes from being added to the routing table but it will not remove the LSA for that subnet. So the subnet is still being advertised, however, it is simply not put into the routing table, and that’s the definition of filtering.

The route-map and summary-address methods actually prevent the route from being advertised, so the LSA for that subnet is not advertised at all. Thus, it doesn’t end up in the routing table either.

The result is the same, the mechanism is different.

I hope this has been helpful!

Laz

Excellent man. Thanks for your help.

Hi…

Please clarify for me in which scenarios in a network we would need to filter LSA3 & LSA5.
If we filter LSA5 using a filter list, then how will this external route propagate to another area?

Distribute list will filter routes from being added to the routing table but it will not remove the LSA for that subnet.
The route-map and summary-address methods actually prevent the route from being advertised, so the LSA for that subnet is not advertised at all.

It will be very helpful if you explain the above 2 statements with an example in real scenarios.

Hello Chandrasekhar

To start off, take a look at this post that should answer at least part of your question:

Remember that LSAs can only be filtered between areas, so both LSA3 and LSA5 filtering is applied at the ABR. The purpose of filtering these LSAs is specifically to reduce the amount of unnecessary routing information to be distributed into OSPF areas that don’t need it. The following post describes these scenarios:


Take a look at this info, and if you have any further questions, please feel free to respond and ask!

I hope this has been helpful!

Laz

Hi Rene,

Thanks for the lesson…

Could you please explain to me why we are permitting the entry in the ACL while denying in the route-map?

Is it like, if we have to deny any route with a route-map, then we have to permit it in the ACL and put a deny statement in the route-map? I am confused here… Please explain…

R1(config)#ip access-list standard R1_L1
R1(config-std-nacl)#permit host 172.16.1.1

R1(config)#route-map CONNECTED_TO_OSPF deny 10
R1(config-route-map)#match ip address R1_L1

Hello Pushpender

This is indeed one of the confusing things associated with using ACLs and route maps. When an ACL is used as part of a route map, its role is to match particular traffic, and not to act upon that traffic. Whenever there is a permit statement in an ACL, it is considered a match. It is the role of the route map that takes action based on what is matched.

So a route map will use an ACL only to match traffic. So a match statement that references an ACL with a permit statement simply says that “this traffic matches our criteria”. The action that will be taken, however, must be configured at the route map.

So the permit statement in the ACL matches the traffic, and the deny statement in the route map takes action upon that matched traffic.

I hope this has been helpful!

Laz
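
The matching logic described in the replies above (an ACL's permit or deny only decides whether a route matches; the route-map entry's permit or deny decides redistribution), as an added Python model that is not part of the original thread and is not Cisco code. The function names, the route list and the trailing `permit 20` entry are assumptions; the thread shows only sequence 10.

```python
import ipaddress

def acl_permits(acl, prefix):
    """Standard ACL check against a route's network address.
    acl: ordered (action, address, wildcard) entries; first hit wins."""
    addr = int(ipaddress.IPv4Address(prefix))
    for action, base, wildcard in acl:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ipaddress.IPv4Address(base)) & care:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def route_map_allows(route_map, acls, prefix):
    """route_map: (seq, action, acl_name or None) entries.
    An ACL "permit" only means "matched"; the entry's own action decides.
    An ACL "deny" means "not matched", so evaluation moves to the next entry."""
    for _seq, action, acl_name in sorted(route_map, key=lambda e: e[0]):
        if acl_name is None or acl_permits(acls[acl_name], prefix):
            return action == "permit"
    return False  # implicit deny at the end of every route-map

HOST = ("172.16.1.1", "0.0.0.0")
ANY = ("0.0.0.0", "255.255.255.255")

# Variant asked about in the thread: ACL denies the host, entry 10 permits.
ACLS_A = {"R1_L1": [("deny", *HOST), ("permit", *ANY)]}
RMAP_A = [(10, "permit", "R1_L1")]

# Variant quoted from the lesson: ACL permits the host, entry 10 denies.
ACLS_B = {"R1_L1": [("permit", *HOST)]}
RMAP_B = [(10, "deny", "R1_L1")]
# Assumption: a match-all "permit 20" entry, which the thread does not show.
RMAP_B_OPEN = RMAP_B + [(20, "permit", None)]

# Constructed sample of connected routes (network addresses only).
ROUTES = ["172.16.1.1", "172.16.2.0", "10.0.0.0"]

def redistributed(route_map, acls):
    """Routes that would be handed to OSPF under this route-map."""
    return [r for r in ROUTES if route_map_allows(route_map, acls, r)]

if __name__ == "__main__":
    print("A (deny in ACL, permit 10):   ", redistributed(RMAP_A, ACLS_A))
    print("B (permit in ACL, deny 10):   ", redistributed(RMAP_B, ACLS_B))
    print("B plus assumed permit 20:     ", redistributed(RMAP_B_OPEN, ACLS_B))
```

With only `deny 10` configured, the model redistributes nothing, because every route the ACL does not match falls through to the route-map's implicit deny.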