OSPF LSA Type 5 Filtering on Cisco IOS

Hi …

Please clarify for me in which scenarios in a network we need to filter LSA3 and LSA5.
If we filter LSA5 using a filter list, then how will this external route propagate to another area?

distribute list will filter routes from being added to the routing table but it will not remove the LSA for that subnet.
The route-map and summary-address methods actually prevent the route from being advertised, so the LSA for that subnet is not advertised at all.

It would be very helpful if you explained the above 2 statements with examples from real scenarios.

Hello Chandrasekhar

To start off, take a look at this post that should answer at least part of your question:

Remember that LSAs can only be filtered between areas, so both LSA3 and LSA5 filtering is applied at the ABR. The purpose of filtering these LSAs is specifically to reduce the amount of unnecessary routing information to be distributed into OSPF areas that don’t need it. The following post describes these scenarios:

Take a look at this info, and if you have any further questions, please feel free to respond and ask!

I hope this has been helpful!

Laz

1 Like

Hi Rene,

Thanks for the lesson…

Could you please explain to me why we are permitting the entry in the ACL while denying it in the route-map?

Is it that if we have to deny any route with a route-map, then we have to permit it in the ACL and put a deny statement in the route-map? I am confused here… Please explain…

R1(config)#ip access-list standard R1_L1
R1(config-std-nacl)#permit host 172.16.1.1

R1(config)#route-map CONNECTED_TO_OSPF deny 10
R1(config-route-map)#match ip address R1_L1

Hello Pushpender

This is indeed one of the confusing things associated with using ACLs and route maps. When an ACL is used as part of a route map, its role is to match particular traffic, and not to act upon that traffic. Whenever there is a permit statement in an ACL, it is considered a match. It is the role of the route map that takes action based on what is matched.

So a route map will use an ACL only to match traffic. So a match statement that references an ACL with a permit statement simply says that “this traffic matches our criteria”. The action that will be taken, however, must be configured at the route map.

So the permit statement in the ACL matches the traffic, and the deny statement in the route map takes action upon that matched traffic.

I hope this has been helpful!

Laz

2 Likes

In the lesson it states the following:

Be careful what filtering technique you use if you learn this for a CCIE R&S lab. The devil is in the details…the distribute-list is actually filtering the network while the route-map and summary-address prevent the router from advertising something.

Couldn’t the route-map be used to filter the network as well? Or were you referring to the examples used in the lesson.

Hello Paul

Yes, a route map could be used to filter the network as well, however, the comment was meant for the specific example in the lesson. The point is that as far as R2 and R3 go, the results of both the route map and the distribute-list solutions are the same. However, from the point of view of R1, there is a difference:

The distribute-list solution allows these redistributed routes in the OSPF database but filters the advertisements towards R2. The route map solution denies these routes from ever entering the OSPF database in the first place.

I hope this has been helpful!

Laz

Thanks Laz. I'm not sure I understood correctly. In the example from the lesson, it means R2 and R3 receive the T5 LSA for 172.16.0.1 and add it to the LSDB but do not add it to the routing table? That doesn't seem logical to me, so I guess I'm missing something.

Thanks for your help,

Hello David

With the distribute-list, R1 contains the 172.16.0.1/32 network in its LSDB, BUT, it is not advertised to R2, and thus it is not further advertised to R3. So no type 5 LSA is ever sent that contains this network.

The route-map on the other hand, denies the 172.16.0.1/32 network from being redistributed into OSPF. Therefore, the network never appears in the LSDB of R1 at all!

Does that make sense?

I hope this has been helpful!

Laz

All clear thanks a lot !

1 Like
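The following is an added configuration example, not the lesson's configuration or anything posted in this thread. It puts the ACL/route-map semantics from Pushpender's question and the three filtering methods that Paul's and David's exchanges compare side by side. It assumes a router R1 running OSPF process 1 that redistributes three connected loopbacks, 172.16.0.1/32, 172.16.1.1/32 and 172.16.2.1/32 (the third loopback and all object names are illustrative), and that 172.16.1.1/32 is the prefix to be kept out of OSPF. Only one of the three methods would be applied at a time.

```cisco
! Added example, not the lesson's own configuration. Assumed lab: R1 runs
! OSPF process 1 and redistributes connected loopbacks 172.16.0.1/32,
! 172.16.1.1/32 and 172.16.2.1/32; 172.16.1.1/32 must not reach OSPF.
! Apply ONE of the three methods below, not all three together.

! --- Method 1: route-map on the redistribute command ---------------------
! The ACL only classifies. "permit" means "this prefix matches the list";
! by itself it neither allows nor blocks anything.
ip access-list standard R1_L1
 permit host 172.16.1.1
!
! The action lives in the route-map. Sequence 10 refuses whatever R1_L1
! matches, so 172.16.1.1/32 is never redistributed.
route-map CONNECTED_TO_OSPF deny 10
 match ip address R1_L1
!
! A route-map ends with an implicit deny of everything that matched no
! sequence. Without this empty permit, the other two loopbacks would be
! dropped as well and nothing would be redistributed.
route-map CONNECTED_TO_OSPF permit 20
!
router ospf 1
 redistribute connected subnets route-map CONNECTED_TO_OSPF
!
! The inverse form would NOT work: an ACL "deny host 172.16.1.1" referenced
! from "route-map ... permit 10" means "no match", so the prefix simply
! falls through sequence 10 to the next sequence (or to the implicit
! deny); a deny in the ACL never becomes a deny action on its own.

! --- Method 2: distribute-list out on redistribution ---------------------
! Under "router ospf", "distribute-list ... out" only acts on routes this
! router redistributes (an ASBR-side filter). Here the ACL's permit/deny
! IS the action, the opposite of the route-map case.
ip access-list standard FILTER_REDIST
 deny   host 172.16.1.1
 permit any
!
router ospf 1
 redistribute connected subnets
 distribute-list FILTER_REDIST out connected

! --- Method 3: summary-address ... not-advertise ------------------------
! Suppresses the Type 5 LSA for every redistributed prefix that falls
! inside the summary; 172.16.1.0/24 covers only 172.16.1.1/32 here.
router ospf 1
 redistribute connected subnets
 summary-address 172.16.1.0 255.255.255.0 not-advertise

! --- Verification (standard IOS commands; output depends on your lab) ---
!  show ip ospf database external  on R1's neighbors: the Type 5 entry
!                                  for 172.16.1.1 should be absent with
!                                  any of the three methods
!  show route-map CONNECTED_TO_OSPF  match counters per sequence (method 1)
!  show ip route ospf              on a neighbor: 172.16.0.1/32 and
!                                  172.16.2.1/32 present, 172.16.1.1/32 not
```

The practical difference between the methods is where the decision is made: with the route-map and the distribute-list the ACL is consulted at redistribution time, and in the route-map case the ACL result is only a match that the route-map sequence acts on, whereas summary-address not-advertise needs no ACL at all and suppresses every external prefix inside the summary range.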

Hello,

for the second method, (route-map), when verifying, why does it only show 2 subnets? Shouldn’t 172.16.0.1 /32 be included when showing the #show ip route ospf command?

thanks,
Greg

Hello Gregory

You’re absolutely right. I will let Rene know to make the correction to the lesson.

Thanks again!

Laz

Hi,
Great lesson, however I could never get this to work in my lab. Here is my topology:
[Topology screenshot: 2024-02-04 18-39-00]
When I try to block the loopbacks on R13(1.1.13.1-2) in R10(ABR) they still show up in R14 and R15.
Config on R10:

 area 2 range 10.10.10.0 255.255.255.192
 network 10.10.10.60 0.0.0.3 area 2
 network 10.10.10.64 0.0.0.3 area 2
 network 10.10.10.68 0.0.0.3 area 0
 distribute-list R13 out
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list standard R13
 deny   1.1.13.0 0.0.0.255
 permit any

Not sure if I'm doing something wrong or if this is a software bug in GNS3.

Thanks

Hello Artur

At first glance, your configuration looks correct. You should be filtering out the loopback addresses on your R13 router, and those should not be redistributed into Area 0. I suggest you experiment by changing your access list to deny only a single host to see if a single IP address is filtered, or to deny everything to see if the distribute list is actually catching any OSPF updates at all. You can also add the “log” keyword to the ACL and check to see if it is getting any hits.

Try these out and let us know how you get along. I’d be interested to hear if you’ve resolved this.

I hope this has been helpful!

Laz
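The following is an added example for the ABR case in Artur's post, not the poster's configuration or the lesson's. It assumes Artur's addressing (R10 as the ABR between area 2 and area 0, R13 in area 2 with loopbacks in 1.1.13.0/24) and that those loopbacks are advertised inside area 2 with network statements, so they reach R10 as intra-area routes and leave it as Type 3 LSAs. The prefix-list name is illustrative.

```cisco
! Added example, not the poster's configuration. Assumes R10 is the ABR
! between area 2 and area 0 and that the R13 loopbacks 1.1.13.1/32 and
! 1.1.13.2/32 are advertised inside area 2 with network statements.

! Why a plain "distribute-list R13 out" on R10 does nothing: under
! "router ospf", "distribute-list ... out" only filters routes that THIS
! router redistributes into OSPF. R10 redistributes nothing, so the list
! is never consulted and the Type 3 LSAs for 1.1.13.x still go to area 0.

! --- Option A: filter Type 3 LSAs with area filter-list (ABR only) ------
! "out" applies the prefix list to prefixes leaving area 2 as summaries.
ip prefix-list NO_R13_LOOPBACKS seq 5 deny 1.1.13.0/24 le 32
ip prefix-list NO_R13_LOOPBACKS seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
 area 2 filter-list prefix NO_R13_LOOPBACKS out

! --- Option B: area range with not-advertise ----------------------------
! Same effect, expressed as a range instead of a prefix list.
router ospf 1
 area 2 range 1.1.13.0 255.255.255.0 not-advertise

! If R13 were instead REDISTRIBUTING the loopbacks (Type 5 LSAs), neither
! option helps: an ABR of a normal area floods Type 5 LSAs through
! unchanged, and the filtering has to be done on R13 itself as the ASBR
! (route-map, distribute-list out or summary-address not-advertise, the
! ASBR-side methods discussed earlier in this thread).

! Checks on R10:
!  show ip ospf database summary   1.1.13.x entries absent for area 0
!  show ip ospf database external  if 1.1.13.x appear here, R13 is
!                                  redistributing and the fix belongs on R13
```

The second check is the one to run first: it tells you whether the prefixes are arriving as intra-area routes that the ABR summarizes (and can therefore filter) or as externals that the ABR merely floods.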