07-16-2010 04:07 AM - edited 03-04-2019 09:05 AM
Hi,
Attached is the topology.
I am getting Type-5 AS External Link States into my network (area 1) and I tried distribute-list out <interface>, but it's not allowing me with <interface> and without interface command it's not resolved. I can see those routes in ASA. I tried distribute-in and out both on internal router (R3) but no help.
I want a few of the Type-5 LSA routes to stop coming to R3 as well as the FW. After applying distribute-list in, those routes are not visible in sh ip route.
But in sh ip ospf database, I can see those routes.
Pls. suggest how this can be achieved.
Thanks,
07-16-2010 04:33 AM
Hi,
On R3 apply the following:
router ospf x
area 1 filter-list prefix type5 in
ip prefix-list type5 deny x.x.x.x/x
ip prefix-list type5 permit 0.0.0.0/0 le 32
With the above command LSAs are also filtered from entering AREA 1.
HTH
Mohamed
07-16-2010 04:45 AM
Hi Mohamed,
I tried below, but it's not working. I can still see the routes coming in OSPF database in R3 and in OSPF routes on ASA. However it's not visible on sh ip route on R3.
Any other suggestion pls.
Thanks,
Pawan
07-16-2010 04:56 AM
Hi,
You will see it in the database because it's filtered from Area 0 while it traverses to Area 1. So it's still in Area 0 while it's denied to enter Area 1.
If you want to completely deny it from Area 0 router 3 the ABR, then you would need to apply this command as follows:
router ospf x
area 0 filter-list prefix type5 in
With the above you shouldn't see these prefixes in the OSPF database. Please confirm by issuing the below command:
-- show ip ospf database external --
HTH
Mohamed
07-16-2010 05:35 AM
I can still see those routes. Below is my config:
router ospf 3
area 0 filter-list prefix type5 in
ip prefix-list type5 deny 81.95.160.47/32 le 32
ip prefix-list type5 deny 93.157.223.14/32 le 32
ip prefix-list type5 deny 94.76.209.0/24 le 32
-- show ip ospf database external --
Routing Bit Set on this LSA
LS age: 1903
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 81.95.160.47 (External Network Number )
Advertising Router: 192.168.220.20
LS Seq Number: 80001B8A
Checksum: 0x9C84
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0
Routing Bit Set on this LSA
LS age: 1956
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 93.157.223.14 (External Network Number )
Advertising Router: 192.168.220.20
LS Seq Number: 80001B8A
Checksum: 0xA810
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0
Routing Bit Set on this LSA
LS age: 1611
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 94.76.209.0 (External Network Number )
Advertising Router: 192.168.220.18
LS Seq Number: 800002C4
Checksum: 0xA759
Length: 36
Network Mask: /24
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 25
Forward Address: 0.0.0.0
External Route Tag: 0
Pls. suggest.
Thanks.
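To tell "missing from sh ip route" apart from "gone from the LSDB", the `show ip ospf database external` text can be checked against the deny entries. This is an added example, not part of any post in this thread; the sample text is constructed in the posted output format, and the 10.1.2.0 LSA and all function names are made up for illustration.

```python
import ipaddress
import re

# Constructed sample in the format of `show ip ospf database external`.
# The 10.1.2.0/24 LSA is invented; the repeated mask line mimics a messy paste.
SAMPLE = """\
  LS Type: AS External Link
  Link State ID: 81.95.160.47 (External Network Number )
  Advertising Router: 192.168.220.20
  Network Mask: /32
  Metric: 20
  Network Mask: /32
  LS Type: AS External Link
  Link State ID: 94.76.209.0 (External Network Number )
  Advertising Router: 192.168.220.18
  Network Mask: /24
  LS Type: AS External Link
  Link State ID: 10.1.2.0 (External Network Number )
  Advertising Router: 192.168.220.18
  Network Mask: /24
"""

# (prefix, le) pairs mirroring the posted "ip prefix-list type5 deny ... le 32" lines
DENY = [("81.95.160.47/32", 32), ("93.157.223.14/32", 32), ("94.76.209.0/24", 32)]

def parse_external_lsas(text):
    """Return [(network, advertising_router)], one entry per Type-5 LSA."""
    lsas, lsid, adv = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Link State ID: (\S+)", line):
            lsid, adv = m.group(1), None
        elif m := re.match(r"Advertising Router: (\S+)", line):
            adv = m.group(1)
        elif (m := re.match(r"Network Mask: /(\d+)", line)) and lsid:
            # strict=False: a Link State ID may carry host bits
            lsas.append((ipaddress.ip_network(f"{lsid}/{m.group(1)}", strict=False), adv))
            lsid = None  # skip repeated mask lines for the same LSA
    return lsas

def matches(net, prefix, le=None):
    """Prefix-list match: exact length without le, else length..le."""
    p = ipaddress.ip_network(prefix)
    ok = net.prefixlen == p.prefixlen if le is None else p.prefixlen <= net.prefixlen <= le
    return ok and net.subnet_of(p)

def still_in_lsdb(text, deny):
    """Denied prefixes that are still present as Type-5 LSAs."""
    return [(str(n), adv) for n, adv in parse_external_lsas(text)
            if any(matches(n, p, le) for p, le in deny)]
```

A non-empty result from `still_in_lsdb(SAMPLE, DENY)` means the LSAs are still being flooded, whatever the routing table shows.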
07-16-2010 07:16 AM
Hello,
It seems like the prefix-list blocks only type 3 LSAs.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftabrt3f.html
So, your earlier outcome was correct in that you do get those through area 0 in the OSPF database but you will not send it to area 1. You will not install those routes as well.
Hope this helps.
Regards,
NT
07-16-2010 07:24 AM
Hi,
So do you mean to say below will work?
router ospf 3
area 1 filter-list prefix type5 in
ip prefix-list type5 deny 81.95.160.47/32
ip prefix-list type5 deny 93.157.223.14/32
ip prefix-list type5 deny 94.76.209.0/24
Actually I did try that and it's also not working.
Thanks.
07-16-2010 07:35 AM
Hello,
In that case I would suggest using distribute-list in the incoming
direction on R3 (interface towards the other router). That should filter the
routes from getting into R3's routing table. Then it will not be distributed
to the ASA as well.
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html
Hope this helps.
Regards,
NT
07-16-2010 07:43 AM
Hi NT,
I tried that too, below is the config, but still routes are coming to ASA as well as OSPF database.
router ospf 3
area 1 filter-list prefix type5 in
distribute-list 1 in
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.63.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 deny any
ip prefix-list type5 seq 5 deny 94.76.209.0/24 le 32
ip prefix-list type5 seq 10 permit 217.8.250.72/29 le 32
ip prefix-list type5 seq 15 deny 123.136.103.70/32
Thanks.
07-16-2010 07:55 AM
Hello,
When you are using distribute-list in, you should be able to specify the
interface. Can you please check that and specify the interface?
Regards,
NT
07-16-2010 08:12 AM
Hi NT,
I tried interface too. Same problem persists. Still getting the routes on ASA and R3 OSPF database.
Thanks.
07-16-2010 09:00 AM
Hello Pawan,
In OSPF, LSA type 5 cannot be filtered but they are spread to all areas that are not stub.
A possible solution to this problem could be making the area between R3 and the FW a stub area and having R3 inject an OSPF default route inside that area.
If this is not acceptable, as the FW should use a different default route, your only option is to run two OSPF processes on R3 and to redistribute with a filter from one process to the other. This will give you a point where you can control what routes are injected into the second OSPF process.
Another solution that can work when the forwarding address field in the external LSA data structure is set (different than 0.0.0.0, meaning local router) is to use an area filter-list to filter those IP addresses.
With the forwarding address unknown in the other OSPF area, the external LSAs referring to those addresses as FA will not be installed in the routing table.
I think this is what was suggested by Nagaraja.
Hope to help
Giuseppe
07-17-2010 12:09 AM
Hi Kumar,
I apologize for this mistake, I got confused for a while. As noted by Gui, Type 5 LSAs can't be filtered unless a stub area is used. The command I referred to earlier should filter type 3 LSAs.
I think your only option is to have a stub area (Area 1) or deny those routes from being installed in the routing table, but they would appear in the OSPF database.
Thanks again and sorry!!!
Mohamed