FILTERING TYPE 5 LSA IN OSPF

Methods to block Type 5 LSA:

    On the ASBR, block the prefix using a distribute-list.
    On the ASBR, block the prefix during redistribution into OSPF.
    On the ASBR, block the prefix during summarization.
    On any ABR, block the Forward Address if the Type 5 LSA has a non-zero Forward Address. This method will not stop LSA 5 from flooding, but it will block any traffic for the external prefixes.
    On the NSSA ABR, block the Forward Address from being advertised in the OSPF internal network. LSA 5 will not be generated if the Forward Address is blocked.



Consider the diagram below:


Method 1:

Below is the configuration on ASBR R4:
—————–
R4#sh run | s access-list 1
access-list 1 deny 9.9.0.5
access-list 1 permit any
—————–

You can also use a prefix-list instead of an access-list.

—————
ip prefix-list BLOCK_Type_5 seq 5 deny 9.9.0.5/32
ip prefix-list BLOCK_Type_5 seq 10 permit 0.0.0.0/0 le 32
—————–

Router ospf 1
distribute-list 1 out rip

or

distribute-list prefix BLOCK_Type_5 out rip 
——————

After applying the above config, LSA 5 will be blocked on the ASBR.
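
The prefix-list matching used in Method 1, modelled as an added Python example (not part of the original post and not IOS code): it applies first-match, implicit-deny evaluation to BLOCK_Type_5 and shows why the "le 32" on sequence 10 matters. The candidate routes and the variant list without "le 32" are constructed for illustration.

```python
import ipaddress

# The prefix-list from Method 1, as configured on R4.
PAGE_LIST = """
ip prefix-list BLOCK_Type_5 seq 5 deny 9.9.0.5/32
ip prefix-list BLOCK_Type_5 seq 10 permit 0.0.0.0/0 le 32
"""
# Constructed variant: the same list with "le 32" left off sequence 10.
NO_LE_LIST = """
ip prefix-list BLOCK_Type_5 seq 5 deny 9.9.0.5/32
ip prefix-list BLOCK_Type_5 seq 10 permit 0.0.0.0/0
"""
# Constructed candidate routes offered for redistribution (masks are assumptions).
ROUTES = ["9.9.0.5/32", "9.9.45.0/24", "0.0.0.0/0"]

def parse_prefix_list(text):
    """Parse 'ip prefix-list NAME seq N permit|deny P/L [ge X] [le Y]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, net = int(tok[4]), tok[5], ipaddress.ip_network(tok[6])
        opts = dict(zip(tok[7::2], map(int, tok[8::2])))
        ge, le = opts.get("ge"), opts.get("le")
        # No ge/le: exact length only. le alone: len..le. ge alone: ge..32.
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else (32 if ge is not None else net.prefixlen)
        entries.append((seq, action, net, lo, hi))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, route):
    """Return 'permit' or 'deny': first matching sequence wins, implicit deny at the end."""
    r = ipaddress.ip_network(route)
    for _seq, action, net, lo, hi in entries:
        if lo <= r.prefixlen <= hi and r.subnet_of(net):
            return action
    return "deny"

def audit(text, routes=ROUTES):
    """Map each candidate route to the action the prefix-list takes on it."""
    entries = parse_prefix_list(text)
    return {r: evaluate(entries, r) for r in routes}

if __name__ == "__main__":
    for name, text in (("page list", PAGE_LIST), ("without le 32", NO_LE_LIST)):
        print(name, audit(text))
```

Without "le 32", sequence 10 matches only the default route, so every other prefix falls through to the implicit deny and is filtered along with 9.9.0.5/32.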



Method 2:

Below is the configuration on ASBR R4:
——————
R4#
router ospf 1
redistribute rip subnets route-map RIP_to_OSPF
route-map RIP_to_OSPF permit 10
match ip address 1


R4#sh run | s access-list 1
access-list 1 deny 9.9.0.5
access-list 1 permit any
—————–

After applying the above config, LSA 5 will be blocked on the ASBR.



Method 3:

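We can block prefix 9.9.0.5/32 on ASBR R4 by not advertising it into the OSPF domain, using the “summary-address” command with the “not-advertise” option. Note that this suppresses every external prefix that falls within 9.9.0.0/24, not only 9.9.0.5/32.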

——————-

R4#
Router ospf 1
summary-address 9.9.0.0 255.255.255.0 not-advertise
——————–

After applying the above config, we will not see the external prefix/LSA 5 for 9.9.0.5 on R1, R2 and R3. Below is the output from R1:

R1#sh ip route 9.9.0.5
% Subnet not in table



Method 4:

Below is the configuration on ABR R3:
——————
R3#sh run | s access-list 1
access-list 1 deny 9.9.45.0
access-list 1 permit any

router ospf 1
distribute-list 1 in
——————–

This method will not stop LSA 5 from flooding in Area 0, but any traffic from Area 0 (for example, from R1 and R2) for external prefix 9.9.0.5/32 will be blocked on the ABR R3.

———————
R1#sh ip route 9.9.0.5
Routing entry for 9.9.0.5/32
  Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 4
  Last update from 9.9.12.2 on FastEthernet0/0, 01:04:12 ago
  Routing Descriptor Blocks:
  * 9.9.12.2, from 9.9.0.4, 01:04:12 ago, via FastEthernet0/0
      Route metric is 20, traffic share count is 1
——————–

R1#ping 9.9.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.0.5, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)


Method 5:

In an NSSA, the Forward Address is non-zero by default (the ASBR’s internal loopback). Before installing an external prefix into the routing table, the OSPF process checks whether this address is reachable via the routing table. If the Forward Address is not reachable, the corresponding external prefix is not installed into the routing table.

As per the above concept, the Forward Address for external prefix 9.9.0.5/32 is the ASBR’s OSPF internal loopback address 9.9.0.4.
——————

R3#sh ip ospf database nssa-external 9.9.0.5 | i Forward Address
        Forward Address: 9.9.0.4
———————
If we block the Forward Address 9.9.0.4 on ABR R3, R3 will stop generating the LSA 5 for 9.9.0.5/32.

———————
R3#
access-list 1 deny 9.9.0.4
access-list 1 permit any
—————
router ospf 1
area 1 nssa
distribute-list 1 in
—————


R4#
Router ospf 1
area 1 nssa

R3#sh ip ospf database nssa-external 9.9.0.5
            OSPF Router with ID (9.9.0.3) (Process ID 1)
                Type-7 AS External Link States (Area 1)
  LS age: 1223
  Options: (No TOS-capability, Type 7/5 translation, DC, Upward)
  LS Type: AS External Link
  Link State ID: 9.9.0.5 (External Network Number )
  Advertising Router: 9.9.0.4
  LS Seq Number: 80000002
  Checksum: 0x93BE
  Length: 36
  Network Mask: /32
        Metric Type: 2 (Larger than any link state path)
        MTID: 0
        Metric: 20
        Forward Address: 9.9.0.4
        External Route Tag: 0

———————

R3#sh ip ospf database external 9.9.0.5
            OSPF Router with ID (9.9.0.3) (Process ID 1)
———————
R2#sh ip ospf database external 9.9.0.5
            OSPF Router with ID (9.9.0.2) (Process ID 1)

