
OSPF Route Filtering


First, determine which type of LSA you need to filter by checking which part of the database the route is in:

#show ip ospf database [router | network | summary | internal | external]

There are 5 ways to perform OSPF Route Filtering:

1. DISTRIBUTE LIST - Filters all LSAs from the Routing Table, but they stay in the OSPF Database
   !!!distribute-list OUT works on both the routing table and the OSPF database, but ONLY on an ASBR for LSA5 and LSA7!!!
2. FILTER LIST - Filters only LSA3, so it works only on an ABR, but it filters from the OSPF Database.
   filter-list can be applied: IN - into the area, OUT - out of the area
3. NOT-ADVERTISE - ONLY filters LSA Types 1 and 2, apply on ABR (filters both the routing table and the OSPF Database)
   Can be used with both the “area X range” (ABR) and “summary-address” (ASBR) commands
4. DISTANCE - Set the AD of the advertised routes to 255, so that they are UNREACHABLE
   (config-router)#distance 255 3.3.3.3 0.0.0.0 10 <- 10 is an ACL
5. DATABASE-FILTER - If you want to prevent ANY LSAs from being advertised (can be applied per neighbor or per interface):
   (config-subif)#ip ospf database-filter all out <- PER INTERFACE
   (config-router)#neighbor x.x.x.x database-filter all out <- PER NEIGHBOR

!!!DISTRIBUTE-LIST only affects the local router!!! Meaning: the update is still distributed to the other routers, and the subnets are only filtered out of the local IP ROUTING TABLE.

Filter using Distribute List

The easiest way to filter the OSPF routes from being added to the Routing Table is the distribute-list. The advantage is that it’s rather easy to implement, and it can filter any type of LSA:

Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST in <— OUT would only work on ASBR TO FILTER LSA5 & LSA7

The big CON is that even though the route is not added to the local Routing Table, it stays in the database and is propagated further to the other OSPF neighbors. The route will therefore appear in their Routing Tables, but it will not be reachable, as one of the routers along the path does not have it in its Routing Table.

*If you need to reach the route without passing through the router that cannot reach it, define a route-map with the next hop pointing towards an alternative path, and apply it in Global Configuration mode:

(config)#ip local policy route-map ROUTE_MAP

OSPF filter-list - LSA-3 FILTERING

This ONLY works for LSA-3 (Summary), and therefore needs to be configured on the ABR only. Let's say that we want to filter the network 172.25.185.0/24 from Area 2. Then on the ABR we define a prefix list that DENIES that network and ALLOWS everything else:

(config)#ip prefix-list JEDANES seq 10 deny 172.25.185.0/24
(config)#ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32

Then apply the prefix-list as a filter-list within the OSPF process configuration for Area 2:

(config-router)#area 2 filter-list prefix JEDANES in

This will prevent the network from being advertised into Area 2. Note that IN/OUT refers to whether the network is being advertised into or out of Area 2.
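How the JEDANES prefix-list evaluates candidate Type 3 prefixes, as an added example that is not part of the original page: a small Python model of IOS prefix-list matching (exact mask length unless ge/le is given, first matching sequence wins, implicit deny at the end). The function names, the STRICT list and the sample routes are constructed for illustration; the point is that `deny 172.25.185.0/24` without `le 32` does not catch a more specific subnet such as a /25.

```python
import ipaddress

def parse_entry(line):
    """Parse one 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' line."""
    tok = line.split()
    seq, action, net = int(tok[4]), tok[5], ipaddress.ip_network(tok[6])
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))   # {'ge': X, 'le': Y}
    if not opts:                       # no ge/le: mask length must match exactly
        lo = hi = net.prefixlen
    else:                              # ge only: ge..32, le only: len..le
        lo = opts.get("ge", net.prefixlen)
        hi = opts.get("le", 32)
    return seq, action, net, lo, hi

def evaluate(lines, route):
    """Return 'permit' or 'deny' for a route; the first matching sequence wins."""
    route = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in sorted(map(parse_entry, lines), key=lambda e: e[0]):
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action
    return "deny"                      # implicit deny at the end of every prefix-list

# The list from this page
JEDANES = [
    "ip prefix-list JEDANES seq 10 deny 172.25.185.0/24",
    "ip prefix-list JEDANES seq 20 permit 0.0.0.0/0 le 32",
]
# Constructed variant (not from the page): also deny every longer subnet of the /24
STRICT = [
    "ip prefix-list STRICT seq 10 deny 172.25.185.0/24 le 32",
    "ip prefix-list STRICT seq 20 permit 0.0.0.0/0 le 32",
]
# Constructed sample Type 3 prefixes arriving at the ABR
ROUTES = ["172.25.185.0/24", "172.25.185.128/25", "172.25.184.0/24", "10.0.0.0/8"]

def compare():
    """Map each sample route to its (JEDANES, STRICT) verdicts."""
    return {r: (evaluate(JEDANES, r), evaluate(STRICT, r)) for r in ROUTES}

if __name__ == "__main__":
    for route, (orig, strict) in compare().items():
        print(f"{route:20} JEDANES={orig:6} STRICT={strict}")
```
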

OSPF “not-advertise” LSA1 & LSA2 FILTERING

If you need to filter LSAs 1 and 2, you can use the “not-advertise” command, but also ONLY ON ABR!

(config-router)#area 1 range 172.25.182.0 255.255.255.0 not-advertise

Tune the ADMINISTRATIVE DISTANCE to Filter the Prefix

Another way to filter the OSPF networks is manually setting the distance to 255, which is UNREACHABLE. It’s not the most elegant way, but you should know that it’s also an option.

Cisqueros_R4(config-router)#distance 255 3.3.3.3 0.0.0.0 10 <— 0.0.0.0 IS THE WILDCARD MASK FOR THE SOURCE 3.3.3.3, 10 IS AN ACCESS-LIST WITH THE PREFIXES WE WANT TO FILTER

Filter EXTERNAL OSPF Routes: LSA5 & LSA7

The first way to filter these routes was already mentioned above:
Cisqueros_R2(config-router)#distribute-list prefix MY_PREFIX_LIST OUT

The second way is reserved ONLY for the External Routes, and it’s the “not-advertise” keyword applied to the “summary-address” command:

(config-router)#summary-address 172.29.189.0 255.255.255.0 not-advertise <— MUST BE APPLIED ON ASBR

Filter OSPF per Interface

If you wish to prevent LSAs from being sent via a particular Interface:

(config-if)#ip ospf database-filter all out

*ALL and OUT are the only options, which means you cannot apply a specific filter on the OSPF interface

Filter OSPF per NEIGHBOR

Even though OSPF doesn’t require that we manually configure the Neighbors, we do need to use the “neighbor” command in order to configure the OSPF database filtering:

(config-router)#neighbor 5.5.5.5 database-filter all out

*Network MUST be configured as POINT-TO-POINT (on the Interface Configuration)