In this lesson we’ll take a closer look at the OSPF NSSA “P-bit”. When we redistribute prefixes into an OSPF NSSA area, they are flooded within the NSSA area as LSA type 7. Once these LSAs make it to an ABR, they are translated into LSA type 5 and advertised to other areas.
The P-bit (P stands for propagate) can be found in the options field of an LSA type 7 and it tells the ABR whether the LSA type 7 should be translated into an LSA type 5 or not. Only LSAs with the P-bit set will be translated, and this bit is set automatically for all prefixes that are redistributed.
Let’s take a look at this P-bit in action. First I’ll show you where you can find it and afterwards we’ll look at some examples of how you can prevent the translation from LSA type 7 to 5. I’ll use the following topology:

R1 is in area 0, R2 and R3 are our ABR (Area Border Routers) and R4 is within the NSSA area. It has a loopback interface that will be redistributed into OSPF.
Here is the OSPF configuration of all 4 routers:
R1#show running-config | section ospf
router ospf 1
network 192.168.12.0 0.0.0.255 area 0
network 192.168.13.0 0.0.0.255 area 0
R2#show running-config | section ospf
router ospf 1
area 1 nssa
network 192.168.12.0 0.0.0.255 area 0
network 192.168.234.0 0.0.0.255 area 1
R3#show running-config | section ospf
router ospf 1
area 1 nssa
network 192.168.13.0 0.0.0.255 area 0
network 192.168.234.0 0.0.0.255 area 1
R4#show running-config | section ospf
router ospf 1
area 1 nssa
redistribute connected subnets
network 192.168.234.0 0.0.0.255 area 1
The OSPF configuration on all routers is pretty straightforward. I used redistribute connected subnets on R4 to redistribute the loopback interface into OSPF. Let’s start by looking at the LSDB on R4:
R4#show ip ospf database nssa-external
OSPF Router with ID (4.4.4.4) (Process ID 1)
Type-7 AS External Link States (Area 1)
LS age: 895
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 4.4.4.4 (External Network Number )
Advertising Router: 4.4.4.4
LS Seq Number: 80000001
Checksum: 0x78A5
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 192.168.234.4
External Route Tag: 0
Cisco IOS doesn’t show the P-bit as “P-bit” but you can see the OSPF options on top. The “Type 7/5 translation” part means that the P-bit has been set in this LSA. Whenever this LSA reaches an ABR, it will be translated into an LSA type 5. Here’s what this LSA looks like in Wireshark:

Here you can see the NP bit. This bit position has two roles:
- N-bit: this one is used in hello packets for OSPF NSSA routers. When the N-bit is not supported, the routers won’t become neighbors.
- P-bit: this one is only used in the NSSA external LSA header.
Since the N and P bit are never used at the same time, this bit position can be used for both roles.
Let’s take a look at this LSA on R2 and R3 (our ABRs):
R2#show ip ospf database nssa-external
OSPF Router with ID (192.168.234.2) (Process ID 1)
Type-7 AS External Link States (Area 1)
LS age: 1233
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 4.4.4.4 (External Network Number )
Advertising Router: 4.4.4.4
LS Seq Number: 80000001
Checksum: 0x78A5
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 192.168.234.4
External Route Tag: 0
R3#show ip ospf database nssa-external
OSPF Router with ID (192.168.234.3) (Process ID 1)
Type-7 AS External Link States (Area 1)
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 1237
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 4.4.4.4 (External Network Number )
Advertising Router: 4.4.4.4
LS Seq Number: 80000001
Checksum: 0x78A5
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 192.168.234.4
External Route Tag: 0
Both routers have the LSA in their LSDB. Let’s check R1:
R1#show ip ospf database external
OSPF Router with ID (192.168.13.1) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 1346
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 4.4.4.4 (External Network Number )
Advertising Router: 192.168.234.3
LS Seq Number: 80000001
Checksum: 0xFAE5
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 192.168.234.4
External Route Tag: 0
R1 has an LSA type 5 for this network and you can see that R3 (192.168.234.3) has translated this LSA. The forward address to reach this network is R4 (192.168.234.4). OSPF separates the advertising router and the address to reach this particular network (forward address). When R1 wants to reach this network it can use both paths since the cost is equal:
R1#show ip route ospf | begin 4.4.4.4
O E2 4.4.4.4 [110/20] via 192.168.13.3, 00:38:49, FastEthernet0/1
[110/20] via 192.168.12.2, 00:38:49, FastEthernet0/0
So why did R3 do the translation of LSA type 7 into 5? We have two ABRs after all. Since OSPF uses a forward address, there is no need for both R2 and R3 to translate our LSA type 7 into an LSA type 5. Only one router has to do it.
OSPF uses a translator election to decide which router will do the translation. This is based on the router ID. Since R3 has a higher router ID, it does the translation. Of course we can change this. Let’s give R2 a higher router ID:
R2(config)#router ospf 1
R2(config-router)#router-id 222.222.222.222
Its new router ID will be higher than R3’s. Don’t forget to reset OSPF:
R2#clear ip ospf process
Reset ALL OSPF processes? [no]: yes
When you check the LSDB again you will see that R2 is now the advertising router:
R1#show ip ospf database external | include Advertising
Advertising Router: 222.222.222.222
The forward address doesn’t change:
R1#show ip ospf database external | include Forward
Forward Address: 192.168.234.4
That’s how the OSPF P-bit works. What about filtering? Are we able to play with the P-bit to prevent the translation from LSA type 7 to 5?
Filtering LSA Type 7 / 5
On Cisco IOS there is no way to manually change the P-bit. This would have been nice as it would allow us to decide which LSA type 7 prefixes should be translated into LSA type 5 or not. There are a couple of “tricks” that we can use however, let me show them…
The nssa-only keyword is available since IOS version 15.0(1)M. Using the area X nssa nssa-only command now does allow you to set the P-bit to zero for all LSAs.
OSPF NSSA ASBR and ABR
When an OSPF NSSA router is both ASBR and ABR then it can flood LSA type 7 or LSA type 5 directly in another area. For this reason, the P-bit will be disabled on type 7 LSAs. Other ABRs that receive type 7 LSAs with the P-bit disabled will never translate these into LSA type 5.
Let’s give this a try. I’ll create an additional loopback interface on R2 and will redistribute it into OSPF:
R2(config)#interface loopback 0
R2(config-if)#ip address 2.2.2.2 255.255.255.255
R2(config)#router ospf 1
R2(config-router)#redistribute connected subnets
Take a look at the LSDB on R2:
R2#show ip ospf database nssa-external 2.2.2.2
OSPF Router with ID (222.222.222.222) (Process ID 1)
Type-7 AS External Link States (Area 1)
LS age: 19
Options: (No TOS-capability, No Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 2.2.2.2 (External Network Number )
Advertising Router: 222.222.222.222
LS Seq Number: 80000001
Checksum: 0x51C9
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0
You can see this type 7 LSA says “No Type 7/5 translation”. This means that the P-bit is not set. Here’s what it looks like in Wireshark:

Above you can see the P-bit is disabled. Below you can see that R1 learns about this network directly from R2 as LSA type 5:
R1#show ip ospf database external 2.2.2.2
OSPF Router with ID (192.168.13.1) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 211
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 2.2.2.2 (External Network Number )
Advertising Router: 222.222.222.222
LS Seq Number: 80000001
Checksum: 0x6DAF
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0
And it’s installed in the routing table:
O E2 2.2.2.2 [110/20] via 192.168.12.2, 00:03:58, FastEthernet0/0
So far so good, now you know that when an NSSA ASBR is also an ABR, the P-bit will be disabled.
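Decoding the bit from the wire format, as an added example that is not part of the original lesson: the fixed 20-byte LSA header (RFC 2328) is unpacked and the 0x08 N/P position is tested. The sample headers are constructed from the field values in the show output above. The option bytes 0x28 and 0x20 assume that only the bits IOS printed (DC and Type 7/5 translation) are set, and the function names are hypothetical.

```python
import ipaddress
import struct

# OSPF Options bits; 0x08 is the shared N/P position described above.
OPT_DC = 0x20
OPT_NP = 0x08
LSA_TYPE_NSSA_EXTERNAL = 7
LSA_HEADER_LEN = 20


def parse_lsa_header(data: bytes) -> dict:
    """Decode the fixed 20-byte header that precedes every LSA body."""
    if len(data) < LSA_HEADER_LEN:
        raise ValueError("truncated LSA header")
    age, options, ls_type, ls_id, adv, seq, cksum, length = struct.unpack(
        "!HBBIIIHH", data[:LSA_HEADER_LEN])
    return {
        "age": age, "options": options, "type": ls_type,
        "link_state_id": str(ipaddress.IPv4Address(ls_id)),
        "advertising_router": str(ipaddress.IPv4Address(adv)),
        "seq": seq, "checksum": cksum, "length": length,
    }


def p_bit_set(header: dict) -> bool:
    """The 0x08 bit only means 'propagate' inside a type 7 LSA header."""
    if header["type"] != LSA_TYPE_NSSA_EXTERNAL:
        return False
    return bool(header["options"] & OPT_NP)


def build_header(age, options, ls_type, ls_id, adv, seq, cksum, length):
    """Pack a sample header (hypothetical helper for the demo data)."""
    return struct.pack("!HBBIIIHH", age, options, ls_type,
                       int(ipaddress.IPv4Address(ls_id)),
                       int(ipaddress.IPv4Address(adv)), seq, cksum, length)


# Constructed samples: R4's 4.4.4.4 LSA and R2's 2.2.2.2 LSA from the lesson.
R4_LSA = build_header(895, OPT_DC | OPT_NP, 7, "4.4.4.4", "4.4.4.4",
                      0x80000001, 0x78A5, 36)
R2_LSA = build_header(19, OPT_DC, 7, "2.2.2.2", "222.222.222.222",
                      0x80000001, 0x51C9, 36)

if __name__ == "__main__":
    for raw in (R4_LSA, R2_LSA):
        h = parse_lsa_header(raw)
        print(h["link_state_id"], hex(h["options"]), "P-bit:", p_bit_set(h))
```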
There are some other tricks however to prevent LSA type 7 from being translated to type 5…
OSPF not-advertise
We can configure our ABRs to summarize a prefix and then use the not-advertise parameter. When we do this for our NSSA external prefix, they won’t translate it into LSA type 5. Here’s an example:
R2 & R3#
(config)#router ospf 1
(config-router)#summary-address 4.4.4.4 255.255.255.255 not-advertise
I’ll create a summary for our 4.4.4.4/32 external NSSA prefix. This prevents LSA type 5 from being generated. You can see R1 doesn’t have anything in its routing table anymore:
R1#show ip route 4.4.4.4
% Network not in table
OSPF Forward Address Filtering
This trick is a bit sneaky…when we filter the forward address on our ABRs, they won’t be able to translate our LSA type 7 into 5. To demonstrate this I will have to add another router behind R4:

Here’s the OSPF configuration of R5:
R5#show running-config | section ospf
router ospf 1
area 1 nssa
redistribute connected subnets
network 192.168.45.0 0.0.0.255 area 1
Once again I use redistribute connected subnets to redistribute the loopback interface into OSPF. Let’s take a look at the forward address on R2 and R3:
R2#show ip ospf database nssa-external 5.5.5.5
OSPF Router with ID (222.222.222.222) (Process ID 1)
Type-7 AS External Link States (Area 1)
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 128
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 5.5.5.5 (External Network Number )
Advertising Router: 5.5.5.5
LS Seq Number: 80000001
Checksum: 0x973B
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 192.168.45.5
External Route Tag: 0
R3#show ip ospf database nssa-external 5.5.5.5
OSPF Router with ID (192.168.234.3) (Process ID 1)
Type-7 AS External Link States (Area 1)
LS age: 138
Options: (No TOS-capability, Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 5.5.5.5 (External Network Number )
Advertising Router: 5.5.5.5
LS Seq Number: 80000001
Checksum: 0x973B
Length: 36
Network Mask: /32
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 192.168.45.5
External Route Tag: 0
To reach 5.5.5.5/32 we have to use forward address 192.168.45.5. R1 will use both R2 and R3 to reach this network:
R1#show ip route 5.5.5.5
Routing entry for 5.5.5.5/32
Known via "ospf 1", distance 110, metric 20, type extern 2, forward metric 3
Last update from 192.168.13.3 on FastEthernet0/1, 00:00:22 ago
Routing Descriptor Blocks:
192.168.13.3, from 222.222.222.222, 00:00:22 ago, via FastEthernet0/1
Route metric is 20, traffic share count is 1
* 192.168.12.2, from 222.222.222.222, 00:00:22 ago, via FastEthernet0/0
Route metric is 20, traffic share count is 1
What we’ll do next is filter the forward address on R2 and R3:
R2 & R3#
(config)#ip access-list standard FA
(config-std-nacl)#deny 192.168.45.0 0.0.0.255
(config-std-nacl)#permit any
(config)#router ospf 1
(config-router)#distribute-list FA in
Now they no longer can install 192.168.45.0/24 in their routing table:
R2#show ip route 192.168.45.0
% Network not in table
R3#show ip route 192.168.45.0
% Network not in table
And R1 will never be able to learn it:
R1#show ip route 5.5.5.5
% Network not in table
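A simplified model of the ABR translation decision covered in this lesson, added here as an example (not Cisco's implementation and not the author's code). Class and function names are hypothetical, and the sample data is constructed from the show output above; the rules modelled are the P-bit, translator election by highest router ID, summary-address not-advertise, and a forward address that must be in the ABR's routing table.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Type7Lsa:
    prefix: str            # for example "4.4.4.4/32"
    p_bit: bool
    forward_address: str   # "0.0.0.0" when none is set

@dataclass
class Abr:
    router_id: str
    routes: list           # prefixes present in this ABR's routing table
    not_advertise: list = field(default_factory=list)  # summary-address ... not-advertise

    def can_translate(self, lsa):
        if not lsa.p_bit:
            return False
        fa = ipaddress.ip_address(lsa.forward_address)
        # RFC 3101 also requires a non-zero forwarding address.
        if fa.is_unspecified:
            return False
        if not any(fa in ipaddress.ip_network(r) for r in self.routes):
            return False   # forward address filtered or unknown
        net = ipaddress.ip_network(lsa.prefix)
        return not any(net.subnet_of(ipaddress.ip_network(s))
                       for s in self.not_advertise)

def translator(abrs, lsa):
    """Router ID of the ABR that originates the type 5 LSA, or None."""
    # The election is per area, so it is decided before looking at the LSA.
    elected = max(abrs, key=lambda a: int(ipaddress.ip_address(a.router_id)))
    return elected.router_id if elected.can_translate(lsa) else None

def lesson_scenarios():
    """Replay the lesson's cases with constructed data."""
    nssa = ["192.168.234.0/24", "192.168.45.0/24"]
    lsa4 = Type7Lsa("4.4.4.4/32", True, "192.168.234.4")
    lsa5 = Type7Lsa("5.5.5.5/32", True, "192.168.45.5")
    r2, r3 = Abr("222.222.222.222", nssa), Abr("192.168.234.3", nssa)
    filtered = [Abr(a.router_id, ["192.168.234.0/24"]) for a in (r2, r3)]
    blocked = [Abr(a.router_id, nssa, ["4.4.4.4/32"]) for a in (r2, r3)]
    return {
        "default": translator([Abr("192.168.234.2", nssa), r3], lsa4),
        "new_router_id": translator([r2, r3], lsa4),
        "not_advertise": translator(blocked, lsa4),
        "fa_filtered": translator(filtered, lsa5),
    }

if __name__ == "__main__":
    for name, result in lesson_scenarios().items():
        print(f"{name}: {result}")
```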
That’s all we have. You have seen the OSPF P-bit in action and some methods to filter our type 7 LSAs.