OSPF Distribute-List Filtering

OSPF supports a number of methods to filter routes, but it is more restrictive than distance vector routing protocols like RIP or EIGRP.

As a link-state routing protocol, OSPF uses LSAs to build its LSDB (Link State Database). Every router runs the SPF algorithm against that database to find the shortest path to each destination, so all routers in an area have to hold the same LSDB; if they don't, they compute inconsistent shortest paths and you end up with blackholes or routing loops.

However OSPF routers only know what the topology looks like within the area. They don’t know what the topology looks like for other areas. For inter-area routes OSPF only knows the prefix and the ABR (Area Border Router) to reach it.

You could say that OSPF acts like a distance vector routing protocol for inter-area routes. It only knows the metric (distance) and the ABR to get there (vector).

Unlike RIP or EIGRP, OSPF doesn’t advertise routes but LSAs so if we want to filter something we’ll have to filter the advertisement of LSAs.

Since the LSDB has to be identical within an area, we can't filter LSAs inside an area. What we can do is stop routes from being installed in the routing table of a particular router. Filtering LSAs between areas on an ABR, or external routes on an ASBR, is no problem.

In this lesson I’ll show you how we can filter routes from entering the routing table within the area. In other lessons I will explain how to filter type 3 LSAs and type 5 LSAs.

Here’s the topology I will use:

OSPF Three Routers Single Area

Nothing fancy, we have three routers running OSPF in the same area. R1 has a loopback interface that is advertised in OSPF, we’ll see if we can filter this network.

Configuration

Here’s the OSPF configuration:

R1#show running-config | section ospf
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
R2#show running-config | section ospf
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
R3#show running-config | section ospf
router ospf 1
 network 192.168.23.0 0.0.0.255 area 0

Let's verify that R2 and R3 have learned 1.1.1.1/32:

R2#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 192.168.12.1, 00:00:27, FastEthernet0/0
R3#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/3] via 192.168.23.2, 00:00:28, FastEthernet0/0
O     192.168.12.0/24 [110/2] via 192.168.23.2, 00:00:28, FastEthernet0/0

Let’s see if we can get rid of this network on R3:

R3(config)#router ospf 1
R3(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map

We can use a distribute-list for this. To keep it simple I'll combine it with an access-list:

R3(config-router)#distribute-list R1_L0 in

When we want to keep something out of the routing table we have to apply the distribute-list inbound. An outbound distribute-list in OSPF only applies to routes that are redistributed into OSPF on an ASBR, which is how you filter type 5 LSAs.

Let’s create that access-list:

R3(config)#ip access-list standard R1_L0
R3(config-std-nacl)#deny host 1.1.1.1    
R3(config-std-nacl)#permit any

It will now be gone from the routing table:

R3#show ip route 1.1.1.1
% Network not in table

As you can see it's gone from the routing table, but it's still in the LSDB:

R3#show ip ospf database router 192.168.12.1

            OSPF Router with ID (192.168.23.3) (Process ID 1)

		Router Link States (Area 0)

  LS age: 664
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 192.168.12.1
  Advertising Router: 192.168.12.1
  LS Seq Number: 80000003
  Checksum: 0xF14F
  Length: 48
  Number of Links: 2

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 1.1.1.1
     (Link Data) Network Mask: 255.255.255.255
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 192.168.12.2
     (Link Data) Router Interface address: 192.168.12.1
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

You have to be very careful with this command. The filtering router still floods the LSA, so its neighbours keep computing paths through it, and if one of them uses the filtering router as next hop you blackhole that traffic. For example, let's see what happens when I filter this network on R2 instead of R3. First, let's remove the distribute-list on R3:

R3(config)#router ospf 1
R3(config-router)#no distribute-list R1_L0 in

Now I will add it to R2:

R2(config)#ip access-list standard R1_L0
R2(config-std-nacl)#deny host 1.1.1.1
R2(config-std-nacl)#permit any

R2(config)#router ospf 1
R2(config-router)#distribute-list R1_L0 in

R2 now no longer has it in its routing table:

R2#show ip route 1.1.1.1
% Network not in table

However, R2 still floods the LSA to R3, so R3 still installs the route:

R3#show ip route ospf 

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/3] via 192.168.23.2, 00:02:45, FastEthernet0/0
O     192.168.12.0/24 [110/2] via 192.168.23.2, 00:02:45, FastEthernet0/0

Once R3 tries to reach this network we will have a problem:

R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

R3 forwards these packets to R2, which has no route for 1.1.1.1 and drops them, replying with ICMP destination unreachable (the U in the ping output).
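To make the two points above concrete (an inbound distribute-list only edits the local routing table while the LSDB stays identical on every router, and filtering on a transit router blackholes the traffic of neighbours that route through it), here is a small Python model that I added; it is not part of the original lesson and not Cisco code. It hard-codes the three-router topology from this lesson with cost 1 on every link, models the access-list as an exact-prefix deny list (a simplification), and traces a packet from R3 to 1.1.1.1 hop by hop using each router's own routing table.

```python
"""Toy model of an inbound OSPF distribute-list inside a single area.

Constructed topology (matches the lesson): R1 -- R2 -- R3 in area 0,
R1 owns loopback 1.1.1.1/32, every interface has OSPF cost 1.
The LSDB is shared; a distribute-list only prunes one router's RIB.
"""
import heapq
import ipaddress

# Shared LSDB: router adjacencies (from the router LSAs) with link cost.
ADJACENCIES = {
    "R1": {"R2": 1},
    "R2": {"R1": 1, "R3": 1},
    "R3": {"R2": 1},
}
# Networks in the LSDB and the routers attached to them.
NETWORKS = {
    "1.1.1.1/32": {"R1"},            # stub network on R1's loopback
    "192.168.12.0/24": {"R1", "R2"}, # transit network
    "192.168.23.0/24": {"R2", "R3"}, # transit network
}


def spf(root):
    """Dijkstra over the adjacencies; returns {router: (cost, first_hop)}."""
    dist = {root: (0, None)}
    heap = [(0, root, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > dist[node][0]:
            continue
        for nbr, link_cost in ADJACENCIES[node].items():
            new_cost = cost + link_cost
            hop = first_hop or nbr  # leaving the root, the neighbour is the hop
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return dist


def ospf_routes(router):
    """SPF result for one router: {prefix: (cost, next_hop)}.

    Cost = distance to an attached router + that router's cost (1) to the
    network. Networks the router is attached to are connected, not OSPF routes.
    """
    dist = spf(router)
    routes = {}
    for prefix, attached in NETWORKS.items():
        if router in attached:
            continue
        routes[prefix] = min((dist[r][0] + 1, dist[r][1]) for r in attached)
    return routes


def build_rib(router, distribute_list_in=()):
    """Apply an inbound distribute-list: denied prefixes never reach the RIB.

    Deliberately touches nothing in ADJACENCIES/NETWORKS: the LSDB is not
    changed by a distribute-list, only this router's routing table is.
    Matching is exact-prefix here (assumption, simplified from an ACL).
    """
    denied = {ipaddress.ip_network(p) for p in distribute_list_in}
    return {p: r for p, r in ospf_routes(router).items()
            if ipaddress.ip_network(p) not in denied}


def forward(src_router, dst_ip, ribs, max_hops=8):
    """Trace a packet using each router's RIB with longest-prefix match.

    Returns ('delivered', path) or ('dropped', path); on a drop the last
    router in path is the one that has no route and sends ICMP unreachable.
    """
    dst = ipaddress.ip_address(dst_ip)
    path, node = [src_router], src_router
    for _ in range(max_hops):
        if any(dst in ipaddress.ip_network(p)
               for p, att in NETWORKS.items() if node in att):
            return "delivered", path  # destination network is directly attached
        matches = [(ipaddress.ip_network(p).prefixlen, nh)
                   for p, (_, nh) in ribs[node].items()
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            return "dropped", path
        node = max(matches)[1]
        path.append(node)
    return "loop", path


def scenario(filters):
    """filters: {router: [denied prefixes]} -> (all RIBs, ping R3 -> 1.1.1.1)."""
    ribs = {r: build_rib(r, filters.get(r, ())) for r in ADJACENCIES}
    return ribs, forward("R3", "1.1.1.1", ribs)


if __name__ == "__main__":
    cases = [("no filter", {}),
             ("filter on R3", {"R3": ["1.1.1.1/32"]}),   # leaf router: harmless
             ("filter on R2", {"R2": ["1.1.1.1/32"]})]   # transit router: blackhole
    for name, filters in cases:
        ribs, result = scenario(filters)
        print(f"{name:13} R3 route: {ribs['R3'].get('1.1.1.1/32')}  "
              f"ping from R3: {result}")
```

Running it reproduces the lesson: with no filter R3 reaches 1.1.1.1 via R2 and R1; with the filter on R3 only R3 itself loses the route; with the filter on R2, R3 still has 1.1.1.1/32 with cost 3 via R2 (its SPF input never changed) and the packet dies on R2. Before you apply `distribute-list ... in` on a router, check whether any neighbour uses that router as next hop for the prefix you are about to drop.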

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
ip cef
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.12.1 255.255.255.0
!
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
!
end

R2

hostname R2
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.12.2 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.23.2 255.255.255.0
!
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
 distribute-list R1_L0 in
!
ip access-list standard R1_L0
 deny   1.1.1.1
 permit any
!
end

R3

hostname R3
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.23.3 255.255.255.0
!
router ospf 1
 network 192.168.23.0 0.0.0.255 area 0
!
ip access-list standard R1_L0
 deny   1.1.1.1
 permit any
!
end


That's all there is to it. You have now seen how you can filter routes within your OSPF area. Make sure you also check my other two lessons on OSPF filtering.

If you have any questions, feel free to leave a comment!



Forum Replies

  1. Thanks! I do have some plans for next year…so I’m afraid you’ll have to find another study book for the moment :slight_smile:

  2. Rajendra,
    This has to do with how link state protocols work. In order for a link protocol to be able to run the Dijkstra algorithm, they must all have identical databases to run the algorithm against. If filtering were allowed within an area, then by definition, some routers would have a different database than others, and when those routers ran the shortest path tree calculations, they would arrive at different results.

    Notice that both the ASBR and ABR, by definition, are at the area boundary. They are allowed to do filtering or summarization only on route

    ... Continue reading in our forum

  3. Never mind I figured this out. Basically to block the route for 4.4.4.1, I should make an exact match in my prefix-list.

    So basically I changed

    ip prefix-list into_area3 seq 7 deny 4.4.4.1/24

    TO

    ip prefix-list into_area3 seq 7 deny 4.4.4.1/32

    And it works.

  4. Hello Helen.

    I am assuming that you and the ISP are operating completely separate OSPF domains. That is, their OSPF routing is completely autonomous from yours. This means that your area 0 has nothing to do with their area 0. They are two completely separate systems.

    If this is the case, then the way one OSPF domain communicates with another OSPF domain is via a router that has two separate OSPF processes running. One interface is using process number 1 for example, this may be your internal OSPF domain, and the outside interface is using process 2, which i

    ... Continue reading in our forum

  5. I'm glad it helped.

    In your case R4 is ABR, not the ASBR.

    • ABR = router that is interconnecting OSPF area 0 with any other OSPF area than 0.
    • ASBR = router that is performing Redistribution into OSPF.

    This is important to understand. ABR is producing LSA Type 3 (Inter Area routes) and ASBR is producing LSA Type 5 (External routes).

    ... Continue reading in our forum
