OSPF tricks: filtering LSA5

Ever needed to filter LSA5 selectively? Tired of removing external prefixes from the OSPF domain on the ASBR only? You’ve come to the right page! Today I would like to describe an approach that allows filtering LSA5 on ABRs as well. If you’re thinking it’s another article on stub areas in OSPF, you are only partially wrong: it’s about areas, but not exactly stub ones.

I’m going to use the following setup for illustration:

OSPF areas are normal areas in this topology. The router roles are listed:

  • R2 and R3 – ABRs;
  • R1 – internal router;
  • R4 – ASBR that imports prefixes from R5 via eBGP.

The task is to make sure that 5.5.5.5/32 on R5 is reachable from every router in the OSPF domain except those in area 1. R2 is allowed to reach 5.5.5.5/32 anyway because it’s part of area 0. The initial configuration is rather simple, so I’ll list just R4 as an addressing example:

R4(config)#int lo 0
R4(config-if)#ip address 4.4.4.4 255.255.255.255
R4(config)#int f0/0
R4(config-if)#ip address 192.168.34.4 255.255.255.0
R4(config-if)#no sh
R4(config)#int f0/1
R4(config-if)#ip address 192.168.45.4 255.255.255.0
R4(config-if)#no sh
R4(config)#router ospf 1
R4(config-router)#network 192.168.34.0 0.0.0.255 area 2
R4(config-router)#network 4.4.4.4 0.0.0.0 area 2        
R4(config-router)#redistribute bgp 4 subnets
R4(config)#router bgp 4
R4(config-router)#bgp router-id 4.4.4.4
R4(config-router)#no bgp default ipv4-unicast 
R4(config-router)#neighbor 192.168.45.5 remote 5
R4(config-router)#address-family ipv4
R4(config-router-af)#neighbor 192.168.45.5 activate 
R4(config-router-af)#redistribute ospf 1

The most obvious solution to filter out 5.5.5.5/32 would be to convert area 1 to a stub area. However, such an approach has a serious drawback: changing an OSPF area to stub is a disruptive process for quite a valid reason:

The OSPF protocol ensures that all routers belonging to an area agree on whether the area has been configured as a stub. This guarantees that no confusion will arise in the flooding of AS-external-LSAs.

OSPF RFC2328, page 38

What if it’s necessary to remove 5.5.5.5/32 from the OSPF domain without downtime? One more solution would be to prevent the OSPF routes from reaching the RIB with an inbound distribute-list; however, that requires configuring every router in the area, which is obviously laborious and thus error-prone.

Frankly speaking, there is no way to filter LSA5 correctly, either between areas or within one, on any router except the ASBR; that’s just the way OSPF works, since type-5 LSAs are flooded unchanged through every normal area. However, one might “spoil” the LSA5 on purpose so it becomes unusable and does not make it into the RIB. Take a close look at the LSA5 layout: which fields can be influenced by a network operator?

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            LS age             |     Options   |      5        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Link State ID                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     Advertising Router                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                     LS sequence number                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         LS checksum           |             length            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Network Mask                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|E|     0       |                  metric                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Forwarding address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      External Route Tag                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

If you notice Forwarding address (FA) as a candidate, you’re on the right track:

If the forwarding address is non-zero, look up the forwarding address in the routing table. The matching routing table entry must specify an intra-area or inter-area path; if no such path exists, do nothing with the LSA and consider the next in the list.

OSPF RFC2328, page 174
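To make the rule above concrete, here is a small parser for a type-5 LSA laid out exactly as in the RFC figure, with the LS checksum verified and the section 16.4 forwarding-address check applied against a routing table. This is an added example, not code from the original article: the LSA bytes are constructed from the values in the show output further down (age 35, sequence 0x80000002, FA 192.168.45.5, tag 5), while the Options byte (E + DC) and the two routing tables are assumptions made for illustration.

```python
"""Type-5 LSA parser plus the RFC 2328 section 16.4 forwarding-address check.
Added example; LSA values taken from the article, Options byte and routing
tables are constructed assumptions."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Header: LS age, Options, LS type, Link State ID, Advertising Router,
# LS sequence number, LS checksum, length (20 bytes).
LSA_HEADER = struct.Struct("!HBB4s4sIHH")
# Type-5 body: Network Mask, E|0|metric, Forwarding address, External Route Tag.
LSA5_BODY = struct.Struct("!4sI4sI")
CKSUM_OFFSET = 16                                # LS checksum offset in the LSA
LSA5_LENGTH = LSA_HEADER.size + LSA5_BODY.size   # 36, as in the show output


def fletcher(data: bytes) -> Tuple[int, int]:
    """Fletcher checksum (RFC 905 Annex B) as OSPF runs it, mod 255."""
    c0 = c1 = 0
    for b in data:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0, c1


def ls_checksum(lsa: bytes) -> bytes:
    """Return the LSA with its LS checksum filled in (LS age is excluded)."""
    buf = bytearray(lsa[2:])            # drop the 2-byte LS age
    k = CKSUM_OFFSET - 2                # checksum position inside buf
    buf[k] = buf[k + 1] = 0
    c0, c1 = fletcher(buf)
    x = ((len(buf) - k - 1) * c0 - c1) % 255
    y = (-c0 - x) % 255
    buf[k], buf[k + 1] = x, y
    return lsa[:2] + bytes(buf)


def ls_checksum_ok(lsa: bytes) -> bool:
    """A correctly checksummed LSA sums to (0, 0) with the age excluded."""
    return fletcher(lsa[2:]) == (0, 0)


@dataclass
class ExternalLSA:
    age: int
    adv_router: str
    seq: int
    length: int
    prefix: ipaddress.IPv4Network
    metric_type: int          # 1 (E1) or 2 (E2), from the E bit
    metric: int
    forwarding_address: str
    tag: int


def build_lsa5(age, options, adv_router, seq, prefix, metric_type, metric, fa, tag) -> bytes:
    """Serialise an LSA5 (Link State ID = network number) and checksum it."""
    net = ipaddress.IPv4Network(prefix)
    hdr = LSA_HEADER.pack(age, options, 5, net.network_address.packed,
                          ipaddress.IPv4Address(adv_router).packed, seq, 0, LSA5_LENGTH)
    e_metric = (0x80000000 if metric_type == 2 else 0) | (metric & 0x00FFFFFF)
    body = LSA5_BODY.pack(net.netmask.packed, e_metric, ipaddress.IPv4Address(fa).packed, tag)
    return ls_checksum(hdr + body)


def parse_lsa5(raw: bytes) -> ExternalLSA:
    age, _opts, ls_type, lsid, adv, seq, _cksum, length = LSA_HEADER.unpack_from(raw, 0)
    if ls_type != 5:
        raise ValueError(f"not an AS-external LSA (type {ls_type})")
    if length != len(raw) or length != LSA5_LENGTH:
        raise ValueError(f"bad LSA length {length}")
    if not ls_checksum_ok(raw):
        raise ValueError("LS checksum mismatch")
    mask, e_metric, fa, tag = LSA5_BODY.unpack_from(raw, LSA_HEADER.size)
    prefix = ipaddress.IPv4Network((str(ipaddress.IPv4Address(lsid)),
                                    str(ipaddress.IPv4Address(mask))), strict=False)
    return ExternalLSA(age, str(ipaddress.IPv4Address(adv)), seq, length, prefix,
                       2 if e_metric & 0x80000000 else 1, e_metric & 0x00FFFFFF,
                       str(ipaddress.IPv4Address(fa)), tag)


# Routing table rows: (prefix, OSPF path type). Only "intra" and "inter"
# paths may resolve a forwarding address; "external" paths never do.
Rib = List[Tuple[str, str]]


def longest_match(rib: Rib, addr: str) -> Optional[Tuple[ipaddress.IPv4Network, str]]:
    ip, best = ipaddress.IPv4Address(addr), None
    for net_str, kind in rib:
        net = ipaddress.IPv4Network(net_str)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind)
    return best


def external_route_usable(lsa: ExternalLSA, rib: Rib) -> bool:
    """RFC 2328 16.4: a non-zero FA must resolve to an intra- or inter-area
    route; with a zero FA the ASBR itself must be reachable (approximated
    here by a /32 for its router ID, an assumption of this example)."""
    target = lsa.adv_router if lsa.forwarding_address == "0.0.0.0" else lsa.forwarding_address
    hit = longest_match(rib, target)
    return hit is not None and hit[1] in ("intra", "inter")


# Constructed from the article's show output once OSPF runs on R4 f0/1.
SAMPLE_LSA5 = build_lsa5(35, 0x22, "4.4.4.4", 0x80000002, "5.5.5.5/32", 2, 1, "192.168.45.5", 5)
# Constructed routing tables (assumptions): R2 still has the FA subnet as an
# inter-area route; on R1 its type-3 summary has been filtered by R2.
R2_RIB: Rib = [("192.168.45.0/24", "inter"), ("4.4.4.4/32", "inter")]
R1_RIB_FILTERED: Rib = [("4.4.4.4/32", "inter")]


def demo() -> dict:
    lsa = parse_lsa5(SAMPLE_LSA5)
    return {"fa": lsa.forwarding_address,
            "r2_installs": external_route_usable(lsa, R2_RIB),           # True
            "r1_installs": external_route_usable(lsa, R1_RIB_FILTERED)}  # False
```

The same check run with a zero FA (the state before OSPF is enabled on R4 f0/1) resolves the advertising router instead, so filtering 192.168.45.0/24 alone would change nothing there; that is why the next step is to get a non-zero FA into the LSA.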

So far FA is set to zero though:

R1#show ip ospf database external 5.5.5.5

            OSPF Router with ID (1.1.1.1) (Process ID 1)

		Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 139
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 5.5.5.5 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000001
  Checksum: 0x2466
  Length: 36
  Network Mask: /32
	Metric Type: 2 (Larger than any link state path)
	MTID: 0 
	Metric: 1 
	Forward Address: 0.0.0.0
	External Route Tag: 5

In Cisco IOS there are a few prerequisites for non-zero FA:

  • OSPF is enabled on the ASBR’s next hop interface AND
  • ASBR’s next hop interface is non-passive under OSPF AND
  • ASBR’s next hop interface is not point-to-point AND
  • ASBR’s next hop interface is not point-to-multipoint AND
  • ASBR’s next hop interface address falls under the network range specified in the router ospf command.

So far none of those conditions are met. Let’s enable OSPF on R4 f0/1, the next-hop interface. By default, FastEthernet interfaces are OSPF broadcast networks in Cisco IOS (neither P2P nor P2MP). Note that passive-interface is not an option here: per the list above, a passive next-hop interface zeroes the FA again. That also means R4 will send hellos towards R5 and would accept an adjacency from it, so unless R5 is fully trusted protect the interface with OSPF authentication (or drop inbound OSPF with an ACL).

R4(config)#int f0/1     
R4(config-if)#ip ospf 1 area 2

R1#show ip ospf database external 5.5.5.5

            OSPF Router with ID (1.1.1.1) (Process ID 1)

		Type-5 AS External Link States

  Routing Bit Set on this LSA in topology Base with MTID 0
  LS age: 35
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 5.5.5.5 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000002
  Checksum: 0xE30A
  Length: 36
  Network Mask: /32
	Metric Type: 2 (Larger than any link state path)
	MTID: 0 
	Metric: 1 
	Forward Address: 192.168.45.5
	External Route Tag: 5

According to the RFC, the FA has to be reachable via an intra-area or inter-area OSPF route; an external route, or no route at all, does not count. 192.168.45.0/24 is now an intra-area prefix in area 2 and reaches area 1 as a type-3 summary LSA, so it should be enough to filter that summary on R2 (ABR) as it enters area 1 to make 5.5.5.5/32 unusable for the whole area:

R2(config)#ip prefix-list NO_FA deny 192.168.45.0/24
R2(config)#ip prefix-list NO_FA permit 0.0.0.0/0 le 32
R2(config)#router ospf 1
R2(config-router)#area 1 filter-list prefix NO_FA in

R1#show ip route 5.5.5.5 255.255.255.255
% Network not in table
R1#show ip ospf database external 5.5.5.5

            OSPF Router with ID (1.1.1.1) (Process ID 1)

		Type-5 AS External Link States

  LS age: 336
  Options: (No TOS-capability, DC, Upward)
  LS Type: AS External Link
  Link State ID: 5.5.5.5 (External Network Number )
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000002
  Checksum: 0xE30A
  Length: 36
  Network Mask: /32
	Metric Type: 2 (Larger than any link state path)
	MTID: 0 
	Metric: 1 
	Forward Address: 192.168.45.5
	External Route Tag: 5
R1#
R1#show ip cef 5.5.5.5 det
0.0.0.0/0, epoch 0, flags default route handler, default route
  no route

Obviously, the connectivity for other routers, including R2, is not impacted:

R2#show ip route 5.5.5.5 255.255.255.255
Routing entry for 5.5.5.5/32
  Known via "ospf 1", distance 110, metric 1
  Tag 5, type extern 2, forward metric 3
  Last update from 192.168.23.3 on FastEthernet0/1, 00:07:51 ago
  Routing Descriptor Blocks:
  * 192.168.23.3, from 4.4.4.4, 00:07:51 ago, via FastEthernet0/1
      Route metric is 1, traffic share count is 1
      Route tag 5
R2#show ip cef 5.5.5.5 det
5.5.5.5/32, epoch 0
  nexthop 192.168.23.3 FastEthernet0/1

The ultimate task is accomplished: R1 has stopped communicating with 5.5.5.5/32 while the other routers keep the necessary reachability. Two things to keep in mind: the filter must be applied on every ABR of area 1, otherwise the summary for the FA subnet simply enters through another ABR; and every external prefix whose FA falls into 192.168.45.0/24 is blocked together with 5.5.5.5/32, so the FA subnet has to be specific to the prefixes you want removed. Such an approach with LSA5 FA filtering might be helpful if only some prefixes from certain ASBRs have to be removed from an area, e.g. a specific branch or an external entity. Stub areas would be useless in such a case since they prevent every LSA5 from crossing the corresponding ABRs. If enabling OSPF on the interface towards R5 is not possible due to security restrictions, for instance, area 2 could be converted to NSSA: the type-7 LSA for 5.5.5.5/32 then carries R4’s own address 4.4.4.4 as the FA, the NSSA ABR keeps that FA when translating to LSA5 by default, and 4.4.4.4/32 can be filtered on R2 in exactly the same way. Keep in mind that the NSSA conversion carries the same agreement requirement inside area 2 (the N-bit in hellos must match), so it is disruptive for area 2, though not for area 1.

Kudos for review: Anastasiia Kuraleva
