OSPF ABR Type 3 LSA Filtering on Cisco IOS

Lesson Contents

OSPF uses LSA type 3 for inter-area prefixes. If you want, you can filter these between OSPF areas. Since you can only filter between areas, you’ll have to configure this on the ABR. Filtering is possible inbound or outbound an area using the area filter-list command.

In this lesson, I will demonstrate how to use this command to filter LSA type 3 between different areas. This is the topology that I will be using:

R1, R2, and R3 are located in their corresponding area number and have a loopback 0 interface. The prefix on this loopback will be advertised in OSPF. In the middle, you can see R4, the ABR for areas 1,2 and 3. We’ll create some filters on R4 to demonstrate the area filter-list command. Let me show you the OSPF configuration first:

OSPF Area Configuration

I will show you all the network commands I used so you can replicate this. R1,R2 and R3 will be in their own area and R4 is the ABR:

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 1
R1(config-router)#network 192.168.14.0 0.0.0.255 area 1

R2(config)#router ospf 1
R2(config-router)#network 2.2.2.2 0.0.0.0 area 2
R2(config-router)#network 192.168.24.0 0.0.0.255 area 2

R3(config)#router ospf 1
R3(config-router)#network 3.3.3.3 0.0.0.0 area 3
R3(config-router)#network 192.168.34.0 0.0.0.255 area 3

R4(config)#router ospf 1
R4(config-router)#network 4.4.4.4 0.0.0.0 area 0
R4(config-router)#network 192.168.14.0 0.0.0.255 area 1
R4(config-router)#network 192.168.24.0 0.0.0.255 area 2
R4(config-router)#network 192.168.34.0 0.0.0.255 area 3

Before we continue, it’s best to verify that we have working OSPF neighbor adjacencies:

R4#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR         00:00:33    192.168.14.1    FastEthernet0/0
2.2.2.2           1   FULL/BDR         00:00:39    192.168.24.2    FastEthernet0/1
3.3.3.3           1   FULL/BDR         00:00:39    192.168.34.3    FastEthernet1/0

The ABR has three working OSPF neighbor adjacencies. Now it’s time to create some filters. We’ll start with inbound filtering.

Inbound Area LSA Type 3 filtering

I will start by filtering some prefixes that are headed toward area 3. The inbound filter will filter prefixes from all areas sent to 1 area. First, we’ll take a look at the routing table of R3 in area 3:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:03:50, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/3] via 192.168.34.4, 00:03:50, FastEthernet0/0
O IA 192.168.14.0/24 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0
O IA 192.168.24.0/24 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0

All prefixes that R3 has learned are inter-area prefixes (LSA Type 3). Let’s filter 2.2.2.2 /32 from entering area 3. First, we’ll create a prefix-list:

R4(config)#ip prefix-list INTO-AREA3 deny 2.2.2.2/32
R4(config)#ip prefix-list INTO-AREA3 permit 0.0.0.0/0 le 32

This prefix-list will deny 2.2.2.2 /32 and allow all other prefixes. Now we have to apply it to the area:

R4(config)#router ospf 1
R4(config-router)#area 3 filter-list prefix INTO-AREA3 in

If you want, you can verify that the area filter is active with the show ip ospf command:

R4#show ip ospf 1 | begin Area 3
    Area 3
	Number of interfaces in this area is 1
	Area has no authentication
	SPF algorithm last executed 00:01:50.060 ago
	SPF algorithm executed 3 times
	Area ranges are
	Area-filter INTO-AREA3 in
	Number of LSA 5. Checksum Sum 0x03C737
	Number of opaque link LSA 0. Checksum Sum 0x000000
	Number of DCbitless LSA 0
	Number of indication LSA 0
	Number of DoNotAge LSA 0
	Flood list length 0

Now take a look at the routing table of R3 again:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:07:19, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/3] via 192.168.34.4, 00:07:19, FastEthernet0/0
O IA 192.168.14.0/24 [110/2] via 192.168.34.4, 00:07:19, FastEthernet0/0
O IA 192.168.24.0/24 [110/2] via 192.168.34.4, 00:07:19, FastEthernet0/0

Prefix 2.2.2.2 /32 is gone from the routing table as it has been filtered by the ABR (R4). The nice thing about inbound filtering is that it doesn’t matter from which area the prefix came. Everything that goes into area 3 will hit the prefix-list and will be filtered. I can demonstrate this to you by filtering something else, for example, the two prefixes 192.168.14.0 /24 (area 1) and 192.168.24.0 /24 (area 2). Let’s change our prefix-list:

R4(config)#ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24
R4(config)#ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24

Now take a look again at the routing table of R3:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:01:22, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/3] via 192.168.34.4, 00:01:22, FastEthernet0/0

The 192.168.14.0 /24 and 192.168.24.0 /24 prefixes are now gone from the routing table. It doesn’t matter which area they come from…

Configurations

Want to take a look for yourself? Here you will find the final configuration of each device.

hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.14.1 255.255.255.0
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 1
 network 192.168.14.0 0.0.0.255 area 1
!
end

hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.24.2 255.255.255.0
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 2
 network 192.168.24.0 0.0.0.255 area 2
!
end

hostname R3
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!         
interface FastEthernet0/0
 ip address 192.168.34.3 255.255.255.0
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 3
 network 192.168.34.0 0.0.0.255 area 3
!
end

hostname R4
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.14.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.24.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.34.4 255.255.255.0
!
router ospf 1
 area 3 filter-list prefix INTO-AREA3 in
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.14.0 0.0.0.255 area 1
 network 192.168.24.0 0.0.0.255 area 2
 network 192.168.34.0 0.0.0.255 area 3
!
ip prefix-list INTO-AREA3 seq 5 deny 2.2.2.2/32
ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24
ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24
ip prefix-list INTO-AREA3 seq 10 permit 0.0.0.0/0 le 32
!
end

Now you know how inbound filtering works, let’s take a look at outbound filtering.

Outbound Area LSA Type 3 filtering

The outbound filter lets us filter a prefix from 1 area to all other areas. Let’s see if we can filter 3.3.3.3 /32 so that R1 and R2 won’t have it in their routing table anymore. First, we’ll verify if they have learned about this prefix:

Forum Replies

system says:

Thank you Rene.
system says:

thank you Rene.
system says:

Hi Rene,
Is the prefix-list is included in the Routing manipulation or possible security such as access-list?
Is this material for CCNP or CCNA?

Thanks
Ael Irsal
ReneMolenaar says:

Hi Ael,

Prefix-lists are CCNP material, you won’t find them in the CCNA exam(s).

Rene
system says:

Hi Rene,

It would be very useful if you can include with simulation labs using packet tracer .
btw, thanks for your demonstration…

thanks
ruby

63 more replies! Ask a question or join the discussion by visiting our Community Forum

OSPF Area Configuration

Inbound Area LSA Type 3 filtering

Outbound Area LSA Type 3 filtering

We're Sorry, Full Content Access is for Members Only...

Forum Replies