In this guide, you will learn OSPF route filtering using distribute lists. The guide focuses on preventing OSPF internal routes from being installed in the routing table, regardless of the route type (intra-area or inter-area). You will also learn how to block redistributed routes from being installed in the OSPF LS database.

OSPF supports LSA filtering between areas, but OSPF routers within the same area cannot filter LSAs between them. For example, if routers A and B are both in area 4, router A cannot be configured to prevent the area’s router LSAs from being sent to router B.

This means we cannot rely on LSA filtering to block OSPF routes from being installed in the routing table. This is where OSPF route filtering with distribute lists comes in: it does not affect how OSPF works, but it influences the Cisco IOS routing process to prevent specific OSPF routes from entering the routing table.

In the rest of this tutorial, we use the network topology in Figure 1.

 

Figure 1 – The network diagram of the routing domain used in this guide

The network consists of four routers. Two routers are in the EIGRP 12 autonomous system, and three routers are included in the OSPF routing domain. Here are the links to download the initial configurations of the routers.

Router R1 Router R2 Router R3 Router R4

Keep in mind that router R2 is redistributing EIGRP 12 routes into OSPF, as shown in the show ip route ospf command output below.

R4# show ip route ospf


omitted output

      10.0.0.0/8 is variably subnetted, 18 subnets, 2 masks
O E2     10.0.0.0/24 [110/20] via 10.0.24.2, 00:07:12, GigabitEthernet0/2
O E2     10.0.1.0/24 [110/20] via 10.0.24.2, 00:07:12, GigabitEthernet0/2
O E2     10.0.2.0/24 [110/20] via 10.0.24.2, 00:07:12, GigabitEthernet0/2
O E2     10.0.3.0/24 [110/20] via 10.0.24.2, 00:01:15, GigabitEthernet0/2
O E2     10.0.12.0/24 [110/20] via 10.0.24.2, 00:20:15, GigabitEthernet0/2
O IA     10.0.33.0/24 [110/2] via 10.0.34.3, 00:00:03, GigabitEthernet0/3
O        10.0.123.0/24 [110/2] via 10.0.34.3, 00:19:33, GigabitEthernet0/3
                       [110/2] via 10.0.24.2, 00:20:15, GigabitEthernet0/2

Suppress OSPF Intra-Area and Inter-Area Routes from Entering the Routing Table

When it is applied to an OSPF process, the distribute-list std_acl_number in command controls which OSPF intra-area and inter-area routes are installed in the routing table, where std_acl_number is the identifier of a standard access control list (ACL) between 1 and 99 or between 1300 and 2699.

Moreover, you can use a named standard ACL instead of a numbered standard ACL.

In this example, we configure router R2 to not install internal routes 10.0.23.0/24 (intra-area route) and 10.0.33.0/24 (inter-area route) in the routing table.

R2(config)# access-list 1 deny 10.0.23.0 0.0.0.255
R2(config)# access-list 1 deny 10.0.33.0 0.0.0.255
R2(config)# access-list 1 permit any
R2(config)# 
R2(config)# router ospf 1
R2(config-router)# distribute-list 1 in
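
A pre-change check for the filter above, as an added example that is not part of the original guide: it evaluates a numbered standard ACL against candidate OSPF prefixes the way a distribute-list does (first match wins, network address only, implicit deny at the end). The function names and the candidate list are assumptions; the ACL lines and prefixes are taken from this page.

```python
import ipaddress

# Constructed sample: ACL 1 from this page as it would appear in the running config.
ACL_TEXT = """\
access-list 1 deny 10.0.23.0 0.0.0.255
access-list 1 deny 10.0.33.0 0.0.0.255
access-list 1 permit any
"""
# OSPF internal prefixes R2 learns in this guide's topology.
CANDIDATES = ["10.0.20.0/24", "10.0.21.0/24", "10.0.22.0/24",
              "10.0.23.0/24", "10.0.33.0/24", "10.0.34.0/24"]

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_standard_acl(text, acl_id):
    """Return the ordered (action, address, wildcard) entries of one numbered standard ACL."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(acl_id)]:
            continue
        if tok[3] == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:
            # A missing wildcard means an exact match (0.0.0.0).
            addr, wild = tok[3], tok[4] if len(tok) > 4 else "0.0.0.0"
        entries.append((tok[2], to_int(addr), to_int(wild)))
    return entries

def acl_action(entries, prefix):
    """First matching entry wins; a route that matches nothing hits the implicit deny."""
    # A standard ACL in a distribute-list is compared against the route's
    # network address only; the prefix length is not part of the match.
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if (net & care) == (addr & care):
            return action
    return "deny"

def installed_routes(entries, candidates):
    """Candidate OSPF prefixes that the filter would still let into the routing table."""
    return [p for p in candidates if acl_action(entries, p) == "permit"]

if __name__ == "__main__":
    print(installed_routes(parse_standard_acl(ACL_TEXT, 1), CANDIDATES))
```

Running the same check with the permit any line removed returns an empty list, which is the case to catch before applying the filter to a production OSPF process.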

The show ip route ospf command output shows that routes 10.0.23.0/24 and 10.0.33.0/24 no longer exist in R2’s routing table.

R2# show ip route ospf


omitted output

      10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
O        10.0.20.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.21.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.22.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.34.0/24 [110/2] via 10.0.123.3, 00:00:05, GigabitEthernet0/3
                      [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4

The distribute-list command does not affect the LS database. In fact, subnets 10.0.23.0/24 and 10.0.33.0/24 still have LS entries in router R2’s OSPF database, as you can see in the show ip ospf database command outputs.

R2# show ip ospf database router



omitted output

  LS age: 559
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 4.4.4.4
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000009
  Checksum: 0xAAE2
  Length: 96
  Number of Links: 6

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.20.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.21.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.22.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.23.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.0.34.4
     (Link Data) Router Interface address: 10.0.34.4
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
          
    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.0.24.2
     (Link Data) Router Interface address: 10.0.24.4
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

 

R2# show ip ospf database summary

            OSPF Router with ID (2.2.2.2) (Process ID 1)

                Summary Net Link States (Area 0)

  LS age: 1412
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.0.33.0 (summary Network Number)
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000006
  Checksum: 0x40BF
  Length: 28
  Network Mask: /24
        MTID: 0         Metric: 1 
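
The comparison described above, as an added example that is not part of the original guide: it extracts stub-network and summary prefixes from the LS database output and lists those that have no matching entry in show ip route ospf. The sample text is abridged from the R2 outputs on this page, the function names are assumptions, and transit networks and connected prefixes are not handled.

```python
import ipaddress
import re

# Constructed sample, abridged from the R2 outputs shown on this page.
RIB = """\
O        10.0.20.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.21.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.22.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.34.0/24 [110/2] via 10.0.123.3, 00:00:05, GigabitEthernet0/3
"""
ROUTER_LSA = """\
     (Link ID) Network/subnet number: 10.0.20.0
     (Link Data) Network Mask: 255.255.255.0
     (Link ID) Network/subnet number: 10.0.21.0
     (Link Data) Network Mask: 255.255.255.0
     (Link ID) Network/subnet number: 10.0.22.0
     (Link Data) Network Mask: 255.255.255.0
     (Link ID) Network/subnet number: 10.0.23.0
     (Link Data) Network Mask: 255.255.255.0
"""
SUMMARY_LSA = """\
  Link State ID: 10.0.33.0 (summary Network Number)
  Network Mask: /24
"""

def rib_prefixes(text):
    """Prefixes of OSPF routes (O, O IA, O E1/E2, O N1/N2) in 'show ip route ospf'."""
    pattern = r"^O\s+(?:IA\s+|E[12]\s+|N[12]\s+)?(\d+\.\d+\.\d+\.\d+/\d+)"
    return set(re.findall(pattern, text, re.M))

def lsdb_prefixes(router_lsa, summary_lsa):
    """Stub networks from router LSAs plus networks from Type 3 summary LSAs."""
    found = set()
    stub = r"Network/subnet number: (\S+)\s+\(Link Data\) Network Mask: (\S+)"
    for net, mask in re.findall(stub, router_lsa):
        found.add(str(ipaddress.ip_network(f"{net}/{mask}")))
    summ = r"Link State ID: (\S+) \(summary Network Number\)[\s\S]*?Network Mask: /(\d+)"
    for net, plen in re.findall(summ, summary_lsa):
        found.add(f"{net}/{plen}")
    return found

def hidden_from_rib(rib, router_lsa, summary_lsa):
    """Prefixes still present in the LS database but absent from the OSPF routes."""
    return sorted(lsdb_prefixes(router_lsa, summary_lsa) - rib_prefixes(rib))

if __name__ == "__main__":
    print(hidden_from_rib(RIB, ROUTER_LSA, SUMMARY_LSA))
```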

Remove Redistributed Routes into OSPF from the OSPF Database and Routing Table

Cisco IOS supports removing Type 5 LSAs from the OSPF database. The distribute-list acl out command removes one or more routes redistributed into OSPF from the OSPF database, where acl is the identifier of a standard access control list (ACL) between 1 and 99 or between 1300 and 2699.

Moreover, you can use a named standard ACL instead of a numbered standard ACL. In this example, we configure R2, the only ASBR in the network, to remove routing information about external subnet 10.0.0.0/24 from the OSPF database.

R2(config)# access-list 2 deny 10.0.0.0 0.0.0.255
R2(config)# access-list 2 permit any
R2(config)# 
R2(config)# router ospf 1
R2(config-router)# distribute-list 2 out

The show ip ospf database command output indicates that R2 removed the Type 5 LSA for subnet 10.0.0.0/24 from the OSPF database.

R2# show ip ospf database



omitted output


                Type-5 AS External Link States
          
Link ID         ADV Router      Age         Seq#       Checksum Tag
10.0.1.0        2.2.2.2         1108        0x80000001 0x001E6F 0
10.0.2.0        2.2.2.2         1108        0x80000001 0x001379 0
10.0.3.0        2.2.2.2         1108        0x80000001 0x000883 0
10.0.12.0       2.2.2.2         1110        0x80000001 0x00A4DD 0

Since the routing data for subnet 10.0.0.0/24 has been deleted from R2’s OSPF database, the route to that subnet is also removed from the OSPF databases of routers R3 and R4, because R2 is the only ASBR advertising the subnet in question.

Finally, note that the distribute-list out command works on ASBRs only.

Conclusion

I hope this blog post helps you learn something.
Now I’d like to turn it over to you:
What did you like about this tutorial?
Or maybe you have an excellent idea that you think I need to add.
Either way, let me know by leaving a comment below right now.

Mohamed Ouamer
Mohamed Ouamer is a computer science teacher and a self-published author. He taught networking technologies and programming for more than fifteen years. While he loves to share knowledge and write, Mohamed's best passions include spending time with his family, visiting his parents, and learning new things.