OSPF ABR Type 3 LSA Filtering on Cisco IOS

OSPF uses type 3 LSAs for inter-area prefixes, and you can filter these between OSPF areas. Since filtering is only possible between areas, you have to configure it on the ABR. You can filter into or out of an area with the area filter-list command.

In this tutorial I will demonstrate how you can use this command to filter LSA type 3 between different areas. This is the topology that I will be using:

[Figure: OSPF 4 routers 3 areas]

R1, R2 and R3 are located in their corresponding area number and each have a loopback 0 interface. The prefix on this loopback will be advertised in OSPF. In the middle you can see R4, which is the ABR for areas 1, 2 and 3. We’ll create some filters on R4 to demonstrate the area filter-list command. Let me show you the OSPF configuration first:

OSPF Area Configuration

I will show you all the network commands that I used so you can replicate this if you want. R1, R2 and R3 will be in their own area and R4 is the ABR:

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 1
R1(config-router)#network 192.168.14.0 0.0.0.255 area 1
R2(config)#router ospf 1
R2(config-router)#network 2.2.2.2 0.0.0.0 area 2
R2(config-router)#network 192.168.24.0 0.0.0.255 area 2
R3(config)#router ospf 1
R3(config-router)#network 3.3.3.3 0.0.0.0 area 3
R3(config-router)#network 192.168.34.0 0.0.0.255 area 3
R4(config)#router ospf 1
R4(config-router)#network 4.4.4.4 0.0.0.0 area 0
R4(config-router)#network 192.168.14.0 0.0.0.255 area 1
R4(config-router)#network 192.168.24.0 0.0.0.255 area 2
R4(config-router)#network 192.168.34.0 0.0.0.255 area 3

Before we continue it’s best to verify that we have working OSPF neighbor adjacencies:

R4#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR         00:00:33    192.168.14.1    FastEthernet0/0
2.2.2.2           1   FULL/BDR         00:00:39    192.168.24.2    FastEthernet0/1
3.3.3.3           1   FULL/BDR         00:00:39    192.168.34.3    FastEthernet1/0

The ABR has 3 working OSPF neighbor adjacencies. Now it’s time to create some filters. We’ll start with inbound filtering.

Inbound Area LSA Type 3 filtering

I will start by filtering some prefixes that are headed towards area 3. The inbound filter applies to prefixes from all other areas that are sent into one area. First we’ll take a look at the routing table of R3 in area 3:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:03:50, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/3] via 192.168.34.4, 00:03:50, FastEthernet0/0
O IA 192.168.14.0/24 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0
O IA 192.168.24.0/24 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0

All prefixes that R3 has learned are inter-area prefixes (LSA Type 3). Let’s filter 2.2.2.2 /32 from entering area 3. First we’ll create a prefix-list:

R4(config)#ip prefix-list INTO-AREA3 deny 2.2.2.2/32
R4(config)#ip prefix-list INTO-AREA3 permit 0.0.0.0/0 le 32

This prefix-list will deny 2.2.2.2 /32 and allow all other prefixes. Now we have to apply it to the area:

R4(config)#router ospf 1
R4(config-router)#area 3 filter-list prefix INTO-AREA3 in

If you want, you can verify that the area filter is active with the show ip ospf command:

R4#show ip ospf 1 | begin Area 3
    Area 3
	Number of interfaces in this area is 1
	Area has no authentication
	SPF algorithm last executed 00:01:50.060 ago
	SPF algorithm executed 3 times
	Area ranges are
	Area-filter INTO-AREA3 in
	Number of LSA 5. Checksum Sum 0x03C737
	Number of opaque link LSA 0. Checksum Sum 0x000000
	Number of DCbitless LSA 0
	Number of indication LSA 0
	Number of DoNotAge LSA 0
	Flood list length 0

Now take a look at the routing table of R3 again:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:07:19, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/3] via 192.168.34.4, 00:07:19, FastEthernet0/0
O IA 192.168.14.0/24 [110/2] via 192.168.34.4, 00:07:19, FastEthernet0/0
O IA 192.168.24.0/24 [110/2] via 192.168.34.4, 00:07:19, FastEthernet0/0

Prefix 2.2.2.2 /32 is gone from the routing table as it has been filtered by the ABR (R4). The nice thing about inbound filtering is that it doesn’t matter from which area the prefix came, everything that goes into area 3 will hit the prefix-list and will be filtered. I can demonstrate this to you by filtering something else, for example the two prefixes 192.168.14.0 /24 (area 1) and 192.168.24.0 /24 (area 2). Let’s change our prefix-list:

R4(config)#ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24
R4(config)#ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24

Now take a look again at the routing table of R3:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:01:22, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/3] via 192.168.34.4, 00:01:22, FastEthernet0/0

The 192.168.14.0 /24 and 192.168.24.0 /24 prefixes are now gone from the routing table. It doesn’t matter which area they come from…
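The matching rules behind the INTO-AREA3 results above, as an added example that is not part of the original tutorial: a simplified Python model of IOS prefix-list evaluation (sequence order, first match wins, exact length unless ge/le is given, implicit deny). The function names are hypothetical, and the sequence numbers 5 and 10 assume the IOS defaults for the two entries entered without seq. The same model shows why, in forum reply 3 below, a /24 deny entry does not block a /32 route.

```python
import ipaddress

# Simplified model of IOS prefix-list evaluation (added example, hypothetical names):
# entries are checked in sequence order, the first match wins, no match means deny.
def parse_entry(line):
    """Parse 'seq N permit|deny A.B.C.D/len [ge X] [le Y]' into a tuple."""
    tok = line.split()
    seq, action = int(tok[1]), tok[2]
    net = ipaddress.ip_network(tok[3], strict=False)  # host bits are ignored
    opts = dict(zip(tok[4::2], map(int, tok[5::2])))
    ge, le = opts.get("ge"), opts.get("le")
    if ge is None and le is None:
        lo = hi = net.prefixlen              # no ge/le: exact prefix length only
    else:
        lo = ge if ge is not None else net.prefixlen
        hi = le if le is not None else 32
    return seq, action, net, lo, hi

def evaluate(entries, prefix):
    """Return 'permit' or 'deny' for one prefix, with the implicit deny at the end."""
    cand = ipaddress.ip_network(prefix)
    for seq, action, net, lo, hi in sorted(entries, key=lambda e: e[0]):
        if cand.subnet_of(net) and lo <= cand.prefixlen <= hi:
            return action
    return "deny"

def filter_into_area(entries, lsas):
    """Type 3 prefixes the ABR would still send into the area."""
    return [p for p in lsas if evaluate(entries, p) == "permit"]

# INTO-AREA3 as it stands on R4 after the second change in the tutorial.
INTO_AREA3 = [parse_entry(line) for line in (
    "seq 5 deny 2.2.2.2/32",
    "seq 6 deny 192.168.14.0/24",
    "seq 7 deny 192.168.24.0/24",
    "seq 10 permit 0.0.0.0/0 le 32",
)]
# Inter-area prefixes R3 had learned before any filter was applied.
CANDIDATES = ["1.1.1.1/32", "2.2.2.2/32", "4.4.4.4/32",
              "192.168.14.0/24", "192.168.24.0/24"]

if __name__ == "__main__":
    print(filter_into_area(INTO_AREA3, CANDIDATES))
```

Running such a model against a proposed prefix-list before applying it on the ABR catches entries that silently match nothing, which would otherwise leave a prefix reachable that was meant to be filtered.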

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

R1

hostname R1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.14.1 255.255.255.0
!
router ospf 1
 network 1.1.1.1 0.0.0.0 area 1
 network 192.168.14.0 0.0.0.255 area 1
!
end

R2

hostname R2
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.24.2 255.255.255.0
!
router ospf 1
 network 2.2.2.2 0.0.0.0 area 2
 network 192.168.24.0 0.0.0.255 area 2
!
end

R3

hostname R3
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!         
interface FastEthernet0/0
 ip address 192.168.34.3 255.255.255.0
!
router ospf 1
 network 3.3.3.3 0.0.0.0 area 3
 network 192.168.34.0 0.0.0.255 area 3
!
end

R4

hostname R4
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.14.4 255.255.255.0
!
interface FastEthernet0/1
 ip address 192.168.24.4 255.255.255.0
!
interface FastEthernet1/0
 ip address 192.168.34.4 255.255.255.0
!
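router ospf 1
 area 3 filter-list prefix INTO-AREA3 in
 network 4.4.4.4 0.0.0.0 area 0
 network 192.168.14.0 0.0.0.255 area 1
 network 192.168.24.0 0.0.0.255 area 2
 network 192.168.34.0 0.0.0.255 area 3
!
ip prefix-list INTO-AREA3 seq 5 deny 2.2.2.2/32
ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24
ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24
ip prefix-list INTO-AREA3 seq 10 permit 0.0.0.0/0 le 32
!
end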


Now that you know how inbound filtering works, let’s take a look at outbound filtering.

Outbound Area LSA Type 3 filtering

The outbound filter lets us filter a prefix from one area to all other areas. Let’s see if we can filter 3.3.3.3 /32 so that R1 and R2 won’t have it in their routing tables anymore. First we’ll verify if they have learned about this prefix:

  • Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Thanks! I do have some plans for next year…so I’m afraid you’ll have to find another study book for the moment :)

  2. Rajendra,
    This has to do with how link state protocols work. In order for a link protocol to be able to run the Dijkstra algorithm, they must all have identical databases to run the algorithm against. If filtering were allowed within an area, then by definition, some routers would have a different database than others, and when those routers ran the shortest path tree calculations, they would arrive at different results.

    Notice that both the ASBR and ABR, by definition, are at the area boundary. They are allowed to do filtering or summarization only on route

    ... Continue reading in our forum

  3. Never mind I figured this out. Basically to block the route for 4.4.4.1, I should make an exact match in my prefix-list.

    So basically I changed

    ip prefix-list into_area3 seq 7 deny 4.4.4.1/24

    TO

    ip prefix-list into_area3 seq 7 deny 4.4.4.1/32

    And it works.

  4. Hello Helen.

    I am assuming that you and the ISP are operating completely separate OSPF domains. That is, their OSPF routing is completely autonomous from yours. This means that your area 0 has nothing to do with their area 0. They are two completely separate systems.

    If this is the case, then the way one OSPF domain communicates with another OSPF domain is via a router that has two separate OSPF processes running. One interface is using process number 1 for example, this may be your internal OSPF domain, and the outside interface is using process 2, which i

    ... Continue reading in our forum

  5. I’m glad it helped.

    In your case R4 is ABR, not the ASBR.

    • ABR = router that is interconnecting OSPF area 0 with any other OSPF area than 0.
    • ASBR = router that is performing Redistribution into OSPF.

    This is important to understand. ABR is producing LSA Type 3 (Inter Area routes) and ASBR is producing LSA Type 5 (External routes).

    ... Continue reading in our forum
