You want to isolate a group of firewalls from the burden of processing External LSAs, but one of the devices in the group is an ASBR.
Make the area an NSSA instead of just a stub area:
FIREWALL-A-> set vrouter "trust-vr"
FIREWALL-A(trust-vr)-> set protocol ospf
FIREWALL-A(trust-vr/ospf)-> set area 3 nssa
FIREWALL-A(trust-vr/ospf)-> exit
FIREWALL-A(trust-vr)-> exit
An NSSA is similar to a stub area (see Recipe 16.5). As in a stub area, ABRs do not flood External LSAs into NSSAs. The problem arises when you want an area to be a stub, but it contains an ASBR, which originates external routes of its own. This is often the case on firewalls, which are gateways for WAN, VPN, or extranet networks. Still, it may be beneficial to isolate those security devices from the extra processing burden of thousands of External LSAs originating somewhere else in the network.
An NSSA is the solution. In an NSSA, External LSAs are not allowed from outside the area, but a new LSA type, NSSA External LSAs, can be originated from within the area. An ABR translates these NSSA External LSAs into External LSAs, but can also suppress them. Instead of multiple External LSAs, an ABR originates one single NSSA External LSA with a default network 0.0.0.0/0 into the NSSA. As with regular stub areas, the backbone area can never be an NSSA. All devices in the area need to be configured as belonging to the NSSA, and this is enforced through the N bit (see ...
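To audit the requirement that every device in the area agrees on the NSSA setting, the following added example (not from the original recipe) reads the E and N option bits from OSPFv2 Hello packets and reports routers in area 3 that do not advertise it as an NSSA. The bit values follow RFC 2328 and RFC 3101; the router IDs, the area ID 0.0.0.3 for area 3, and the sample packets are constructed for illustration.

```python
import socket
import struct

# OSPFv2 Options bits carried in Hello packets (RFC 2328, RFC 3101)
OPT_E = 0x02   # sender accepts AS-External (type 5) LSAs in this area
OPT_N = 0x08   # sender treats the area as an NSSA

def build_hello(router_id, area_id, options):
    """Build a constructed OSPFv2 Hello (checksum/auth zeroed, no neighbors listed)."""
    body = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                       10, options, 1, 40, bytes(4), bytes(4))
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body), socket.inet_aton(router_id),
                         socket.inet_aton(area_id), 0, 0, bytes(8))
    return header + body

def parse_hello(pkt):
    """Return (router_id, area_id, options) from an OSPFv2 Hello, or raise ValueError."""
    if len(pkt) < 44:
        raise ValueError("too short for an OSPFv2 Hello")
    version, ptype, length, rid, area = struct.unpack("!BBH4s4s", pkt[:12])
    if version != 2 or ptype != 1 or length > len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    options = pkt[24 + 6]   # after the 24-byte header: mask (4) + hello interval (2)
    return socket.inet_ntoa(rid), socket.inet_ntoa(area), options

def area_type(options):
    """Classify the area type the sender is configured for, from its E and N bits."""
    e, n = bool(options & OPT_E), bool(options & OPT_N)
    if e and n:
        return "invalid"          # RFC 3101: E and N must not both be set
    return "nssa" if n else ("normal" if e else "stub")

def find_mismatches(packets, area_id, expected="nssa"):
    """List (router_id, advertised_type) for Hellos in area_id that do not match expected."""
    bad = []
    for pkt in packets:
        rid, area, options = parse_hello(pkt)
        if area == area_id and area_type(options) != expected:
            bad.append((rid, area_type(options)))
    return bad

# Constructed sample: three routers in area 3, one still configured as a plain stub
SAMPLE = [build_hello("10.0.0.1", "0.0.0.3", OPT_N),
          build_hello("10.0.0.2", "0.0.0.3", 0),
          build_hello("10.0.0.3", "0.0.0.3", OPT_N),
          build_hello("10.0.0.9", "0.0.0.0", OPT_E)]

if __name__ == "__main__":
    print(find_mismatches(SAMPLE, "0.0.0.3"))
```

A router reported here will have its Hellos discarded by its NSSA neighbors, so no adjacency forms until its area configuration is corrected.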