OSPF Distribute-List Filtering

OSPF supports a number of methods to filter routes but it is more restrictive compared to distance vector routing protocols like RIP or EIGRP.

As a link-state routing protocol OSPF uses LSAs to build its LSDB (Link State Database). Routers will run the SPF algorithm to find the shortest path to each destination, the topology in the LSDB has to be the same on all routers or SPF will fail.

However OSPF routers only know what the topology looks like within the area. They don’t know what the topology looks like for other areas. For inter-area routes OSPF only knows the prefix and the ABR (Area Border Router) to reach it.

You could say that OSPF acts like a distance vector routing protocol for inter-area routes. It only knows the metric (distance) and the ABR to get there (vector).

Unlike RIP or EIGRP, OSPF doesn’t advertise routes but LSAs so if we want to filter something we’ll have to filter the advertisement of LSAs.

Since the LSDB within the area has to be the same we can’t filter LSAs within the area, we can however filter routes from entering the routing table. Filtering LSAs between areas on an ABR or ASBR is no problem.

In this lesson I’ll show you how we can filter routes from entering the routing table within the area. In other lessons I will explain how to filter type 3 LSAs and type 5 LSAs.

Here’s the topology I will use:

OSPF Three Routers Single Area

Nothing fancy, we have three routers running OSPF in the same area. R1 has a loopback interface that is advertised in OSPF, we’ll see if we can filter this network.

Configuration

Here’s the OSPF configuration:

R1#show running-config | section ospf
router ospf 1
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.12.0 0.0.0.255 area 0
R2#show running-config | section ospf
router ospf 1
 network 192.168.12.0 0.0.0.255 area 0
 network 192.168.23.0 0.0.0.255 area 0
R3#show running-config | section ospf
router ospf 1
 network 192.168.23.0 0.0.0.255 area 0

Let’s verify if R2 and R3 have learned 1.1.1.1 /32:

R2#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/2] via 192.168.12.1, 00:00:27, FastEthernet0/0
R3#show ip route ospf

      1.0.0.0/32 is subnetted, 1 subnets
O        1.1.1.1 [110/3] via 192.168.23.2, 00:00:28, FastEthernet0/0
O     192.168.12.0/24 [110/2] via 192.168.23.2, 00:00:28, FastEthernet0/0

Let’s see if we can get rid of this network on R3:

R3(config)#router ospf 1
R3(config-router)#distribute-list ?
  <1-199>      IP access list number
  <1300-2699>  IP expanded access list number
  WORD         Access-list name
  gateway      Filtering incoming updates based on gateway
  prefix       Filter prefixes in routing updates
  route-map    Filter prefixes based on the route-map

We can use a distribute-list for this, to keep it simple I’ll combine it with an access-list;

R3(config-router)#distribute-list R1_L0 in

When we want to remove something from the routing table we have to apply it inbound. The outbound distribute-list is used for LSA type 5 filtering.

Let’s create that access-list:

R3(config)#ip access-list standard R1_L0
R3(config-std-nacl)#deny host 1.1.1.1    
R3(config-std-nacl)#permit any

It will now be gone from the routing table:

R3#show ip route 1.1.1.1
% Network not in table

As you can see it’s gone…it’s still in the LSDB though:

R3#show ip ospf database router 192.168.12.1

            OSPF Router with ID (192.168.23.3) (Process ID 1)

		Router Link States (Area 0)

  LS age: 664
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 192.168.12.1
  Advertising Router: 192.168.12.1
  LS Seq Number: 80000003
  Checksum: 0xF14F
  Length: 48
  Number of Links: 2

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 1.1.1.1
     (Link Data) Network Mask: 255.255.255.255
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 192.168.12.2
     (Link Data) Router Interface address: 192.168.12.1
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

You have to be very careful if you use this command. If you are not careful you can end up in a scenario where you blackhole some traffic. For example, let’s see what happens when I filter this network on R2 instead of R3.

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now!

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 801 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
522 Sign Ups in the last 30 days
satisfaction-guaranteed

  • 100% Satisfaction Guaranteed!
  • You may cancel your monthly membership at any time.
  • No Questions Asked!

Tags:


Forum Replies

  1. Good Day Rene,

    I was practice labs and i come across below redistribute and i failed to understood the metric 1544 2000 255 1 1500

    R2(config)#router ospf 1
    R2(config-router)#redistribute eigrp 100 metric-type 1 subnets
    
    R2(config)#router eigrp 100
    R2(config-router)#redistribute ospf 1 metric 1544 2000 255 1 1500
    

    Kindly assist to elaborate on this.

  2. Hi Dani,

    Each routing protocol uses different metrics which are incompatible. When you redistribute something into EIGRP, you need to enter the K values manually.

    Rene

  3. Hi Rene,

    Really enjoying the OSPF lessons! Just one query, the first output is what you had in the lesson and am just wondering why you chose the network statement for the loopback 0 as 1.1.1.0 0.0.0.255 area 0, instead of 1.1.1.1 0.0.0.0 area 0, as in the second output?

    R1#show running-config | section ospf
    router ospf 1
     <strong>network 1.1.1.0 0.0.0.255 area 0</strong>
     network 192.168.12.0 0.0.0.255 area 0
     
    R1#show running-config | section ospf
    router ospf 1
     network 1.1.1.1 0.0.0.0 area 0
     network 192.168.12.0 0.0.0.255 area 0
     network 192.168.12.0 0.0.0.
    ... Continue reading in our forum

  4. Hi Shannon,

    It doesn’t matter much which of the two you pick, both will work. The network command basically checks the IP addresses that you have on your interfaces and if it falls within the range of your network command, it will activate OSPF on it.

    If you use 1.1.1.0 0.0.0.255 as the network command then any interfaces that have IP address 1.1.1.X on it will run OSPF. If I have a loopback with IP address 1.1.1.1/32 then this will do the job. The problem is that a loopback with 1.1.1.2/32 will also be automatically advertised in OSPF since it matches the netw

    ... Continue reading in our forum

45 more replies! Ask a question or join the discussion by visiting our Community Forum