In this guide, you will learn OSPF route filtering using distribute lists. The guide focuses on preventing OSPF internal routes from getting installed in the routing table regardless of the type of the routes (intra-area or inter-area). Besides, you will learn how to block redistributed routes from getting installed in the OSPF LS database.
OSPF supports LSA filtering between areas, but OSPF nodes within the same area cannot filter LSAs between them. For example, if routers A and B are both in area 4, router A cannot be configured to prevent the area’s router LSAs from being sent to router B.
Therefore, we cannot rely on LSA filtering to block OSPF routes from being installed in the routing table. This is where OSPF route filtering with distribute lists comes in: it does not affect how OSPF works, but it makes the Cisco IOS routing process keep specific OSPF routes out of the routing table.
In the rest of this tutorial, we use the network topology in Figure 1.
Figure 1 – The network diagram of the routing domain used in this guide
The network consists of four routers. Two routers are in the EIGRP 12 autonomous system, and three routers are in the OSPF routing domain. Here are the links to download the initial configurations of the routers.
Router R1 | Router R2 | Router R3 | Router R4 |
Keep in mind that router R2 is redistributing EIGRP 12 routes into OSPF, as shown in the show ip route ospf command output below.
R4# show ip route ospf
omitted output
      10.0.0.0/8 is variably subnetted, 18 subnets, 2 masks
O E2     10.0.0.0/24 [110/20] via 10.0.24.2, 00:07:12, GigabitEthernet0/2
O E2     10.0.1.0/24 [110/20] via 10.0.24.2, 00:07:12, GigabitEthernet0/2
O E2     10.0.2.0/24 [110/20] via 10.0.24.2, 00:07:12, GigabitEthernet0/2
O E2     10.0.3.0/24 [110/20] via 10.0.24.2, 00:01:15, GigabitEthernet0/2
O E2     10.0.12.0/24 [110/20] via 10.0.24.2, 00:20:15, GigabitEthernet0/2
O IA     10.0.33.0/24 [110/2] via 10.0.34.3, 00:00:03, GigabitEthernet0/3
O        10.0.123.0/24 [110/2] via 10.0.34.3, 00:19:33, GigabitEthernet0/3
                       [110/2] via 10.0.24.2, 00:20:15, GigabitEthernet0/2
Suppress OSPF Intra-Area and Inter-Area Routes from Entering the Routing Table
When applied to an OSPF process, the distribute-list std_acl_number in command controls which OSPF intra-area and inter-area routes are installed in the routing table, where std_acl_number is the identifier of a standard access control list (ACL) between 1 and 99 or between 1300 and 2699.
Moreover, you can use a named standard ACL instead of a numbered standard ACL.
In this example, we configure router R2 to not install internal routes 10.0.23.0/24 (intra-area route) and 10.0.33.0/24 (inter-area route) in the routing table.
R2(config)# access-list 1 deny 10.0.23.0 0.0.0.255
R2(config)# access-list 1 deny 10.0.33.0 0.0.0.255
R2(config)# access-list 1 permit any
R2(config)#
R2(config)# router ospf 1
R2(config-router)# distribute-list 1 in
The show ip route ospf command output shows that routes 10.0.23.0/24 and 10.0.33.0/24 no longer exist in R2’s routing table.
R2# show ip route ospf
omitted output
      10.0.0.0/8 is variably subnetted, 14 subnets, 2 masks
O        10.0.20.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.21.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.22.0/24 [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
O        10.0.34.0/24 [110/2] via 10.0.123.3, 00:00:05, GigabitEthernet0/3
                      [110/2] via 10.0.24.4, 00:00:05, GigabitEthernet0/4
The distribute-list command does not affect the LS database. In fact, subnets 10.0.23.0/24 and 10.0.33.0/24 still have LS entries in router R2’s OSPF database, as you can see in the show ip ospf database command outputs.
R2# show ip ospf database router
omitted output
  LS age: 559
  Options: (No TOS-capability, DC)
  LS Type: Router Links
  Link State ID: 4.4.4.4
  Advertising Router: 4.4.4.4
  LS Seq Number: 80000009
  Checksum: 0xAAE2
  Length: 96
  Number of Links: 6
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.20.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.21.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.22.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.23.0
     (Link Data) Network Mask: 255.255.255.0
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.0.34.4
     (Link Data) Router Interface address: 10.0.34.4
      Number of MTID metrics: 0
       TOS 0 Metrics: 1
    Link connected to: a Transit Network
     (Link ID) Designated Router address: 10.0.24.2
     (Link Data) Router Interface address: 10.0.24.4
      Number of MTID metrics: 0
       TOS 0 Metrics: 1

R2# show ip ospf database summary
            OSPF Router with ID (2.2.2.2) (Process ID 1)
                Summary Net Link States (Area 0)
  LS age: 1412
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 10.0.33.0 (summary Network Number)
  Advertising Router: 3.3.3.3
  LS Seq Number: 80000006
  Checksum: 0x40BF
  Length: 28
  Network Mask: /24
        MTID: 0         Metric: 1
Remove Redistributed Routes into OSPF from the OSPF Database and Routing Table
Cisco IOS supports removing Type 5 LSAs from the OSPF database. The distribute-list acl out command removes one or more routes redistributed into OSPF from the OSPF database, where acl is the identifier of a standard access control list (ACL) between 1 and 99 or between 1300 and 2699.
Moreover, you can use a named standard ACL instead of a numbered standard ACL. In this example, we configure R2, the only ASBR in the network, to remove routing information about external subnet 10.0.0.0/24 from the OSPF database.
R2(config)# access-list 2 deny 10.0.0.0 0.0.0.255
R2(config)# access-list 2 permit any
R2(config)#
R2(config)# router ospf 1
R2(config-router)# distribute-list 2 out
The show ip ospf database command output indicates that R2 removed the Type 5 LSA for subnet 10.0.0.0/24 from the OSPF database.
R2# show ip ospf database
omitted output
                Type-5 AS External Link States
Link ID         ADV Router      Age         Seq#       Checksum Tag
10.0.1.0        2.2.2.2         1108        0x80000001 0x001E6F 0
10.0.2.0        2.2.2.2         1108        0x80000001 0x001379 0
10.0.3.0        2.2.2.2         1108        0x80000001 0x000883 0
10.0.12.0       2.2.2.2         1110        0x80000001 0x00A4DD 0
Because the routing data for subnet 10.0.0.0/24 has been deleted from R2’s OSPF database, and R2 is the only ASBR advertising that subnet, the route is also removed from the OSPF databases of routers R3 and R4.
Finally, note that the distribute-list out command works on ASBRs only.
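The following Python model is an added example, not part of the original guide or of Cisco IOS. It evaluates the two standard ACLs from this page the way a distribute list applies them, for both the in and the out case, so a filter can be checked before it is committed to a router. A standard ACL compares only a route's network address (never its prefix length) and ends with an implicit deny. The function names, and the two extra prefixes 10.0.0.0/16 and 10.0.0.128/25, are constructed for illustration.

```python
import ipaddress

def parse_std_acl(lines):
    """Parse 'access-list N permit|deny <addr> [wildcard]' or '... any'."""
    entries = []
    for line in lines:
        tok = line.split()
        action, rest = tok[2], tok[3:]
        if rest == ["any"]:
            addr, wild = 0, 0xFFFFFFFF
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            # No wildcard given means an exact match (wildcard 0.0.0.0).
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries

def acl_permits(entries, prefix):
    """First match wins; only the route's network address is compared."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in entries:
        if (net | wild) == (addr | wild):  # wildcard bits are "don't care"
            return action == "permit"
    return False  # implicit 'deny any' ends every ACL

def distribute_list(entries, prefixes):
    """Prefixes that survive the filter (installed for 'in', kept for 'out')."""
    return [p for p in prefixes if acl_permits(entries, p)]

# ACLs copied from the page.
ACL1 = parse_std_acl(["access-list 1 deny 10.0.23.0 0.0.0.255",
                      "access-list 1 deny 10.0.33.0 0.0.0.255",
                      "access-list 1 permit any"])
ACL2 = parse_std_acl(["access-list 2 deny 10.0.0.0 0.0.0.255",
                      "access-list 2 permit any"])

# OSPF internal prefixes on R2 before filtering (taken from the page's outputs).
R2_OSPF = ["10.0.20.0/24", "10.0.21.0/24", "10.0.22.0/24",
           "10.0.23.0/24", "10.0.33.0/24", "10.0.34.0/24"]
# Redistributed prefixes from the page, plus two constructed ones (last two)
# that are different routes but fall inside the same ACL match.
R2_EXTERNAL = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24",
               "10.0.12.0/24", "10.0.0.0/16", "10.0.0.128/25"]

if __name__ == "__main__":
    print("in :", distribute_list(ACL1, R2_OSPF))
    print("out:", distribute_list(ACL2, R2_EXTERNAL))
```

The constructed /16 and /25 prefixes are dropped together with 10.0.0.0/24 because the ACL never sees the prefix length, and removing the final permit any line filters every route.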