[c-nsp] OSPF LSA Type 3 / 5 question ...

Randy randy_94108 at yahoo.com
Fri Feb 3 19:56:50 EST 2017


Bryan,
<snip>..
is there a clever way for the ABR to detect that the
Type 5 LSA is within the range it's already summarizing (Type 3) and
suppress its upstream announcement?<snip>

The above would break-the-back of OSPF as we know it.


What you are trying to do cannot be accomplished.
While you can use distribute-list out on ASBR to prevent an external-prefix from entering the LSDB, once it is there, you cannot prevent it from propagating to all other areas.


In this case I don't see any reason to run OSPF between your ABR and downstream. A static route on ABR and the IA summary would work.

./Randy

----- Original Message -----
From: Bryan Holloway <bryan at shout.net>
To: Fabio Mendes <fabio.mendes at bsd.com.br>
Cc: Cisco Network Service Providers <cisco-nsp at puck.nether.net>
Sent: Thursday, February 2, 2017 6:53 PM
Subject: Re: [c-nsp] OSPF LSA Type 3 / 5 question ...

It does make sense ... unfortunately the ABR is running IOS-XR and I 
have been unable to find a way to filter outbound LSAs (unless you want 
to filter everything.)


On 2/2/17 8:45 PM, Fabio Mendes wrote:
> If the ABR router is receiving the /24 from a downstream router on a
> different area and that ABR is also generating a /8 IA to the backbone,
> you can just filter out the /24 to other areas via a distribute list.
>
> That way you still have the more specific /24 on the ABR but the other
> routers on area 0 and other areas only see the /8 coming from that ABR.
>
> The /24 will be naturally hidden behind the /8.
>
> I hope it made sense.
>
>
>
> On Feb 2, 2017 9:33 PM, "Bryan Holloway" <bryan at shout.net> wrote:
>
>     Fabio,
>
>     Thank you for the response! Yes -- that's exactly what I'm trying to
>     do. However, the problem is this:
>
>     If I use the "summary-address" command, it not only masks it on the
>     rest of the backbone, it masks it on the ABR too. Consequently I
>     have to add a static route to the downstream router for
>     10.100.0.0/24.
>
>     If I have to add statics on the ABR for every downstream
>     redistributed static, it's almost not worth even running OSPF
>     between the two.
>
>     What I'm looking for is a way for the static to appear on the ABR,
>     but not beyond it. (I.e., mask it everywhere except the ABR.)
>
>     Hope that makes sense ... thanks!
>
>                             - bryan
>
>
>     On 2/2/17 8:20 PM, Fabio Mendes wrote:
>
>         the full command to summarize external LSA is summary-address,
>         it wasn't very clear on my last email
>
>         On Thu, Feb 2, 2017 at 9:16 PM, Fabio Mendes
>         <fabio.mendes at bsd.com.br> wrote:
>
>             If I understood correctly you are generating an IA LSA via
>             the area range command on the ABR and are also receiving a
>             E1/2 LSA for a /24 that is part of the IA range and want to
>             mask it behind that same IA LSA.
>
>             One simple way to do it is use the summary command under the
>             ospf process, announcing a 10.0.0.0/8 to the backbone area.
>
>             Now the backbone has an IA for 10.0.0.0/8 and a E1/2 for
>             the same prefix.
>
>             In that case the IA will be preferred.
>
>             Since the 10.100 subnet is behind the same ABR that's
>             generating the 10.0.0.0/8 IA into the backbone, you will not
>             have any connectivity problems by doing that.
>
>
>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/