OSPF ABR Type 3 LSA Filtering on Cisco IOS – Network Professional Member Site

OSPF uses LSA type 3 for inter-area prefixes. If you want, you can filter these between OSPF areas. Since you can only filter between areas, you’ll have to configure this on the ABR. Filtering is possible inbound or outbound an area using the area filter-list command.

In this lesson, I will demonstrate how to use this command to filter LSA type 3 between different areas. This is the topology that I will be using:

OThe 192.168.12.0 /24 and 192.168.24.0 /24 prefixes are now gone froSPF 4 routers 3 areas

R1, R2, and R3 are located in their corresponding area number and have a loopback 0 interface. The prefix on this loopback will be advertised in OSPF. In the middle, you can see R4, the ABR for areas 1,2 and 3. We’ll create some filters on R4 to demonstrate the area filter-list command. Let me show you the OSPF configuration first:

OSPF Area Configuration

I will show you all the network commands I used so you can replicate this. R1,R2 and R3 will be in their own area and R4 is the ABR:

R1(config)#router ospf 1
R1(config-router)#network 1.1.1.1 0.0.0.0 area 1
R1(config-router)#network 192.168.14.0 0.0.0.255 area 1

R2(config)#router ospf 1
R2(config-router)#network 2.2.2.2 0.0.0.0 area 2
R2(config-router)#network 192.168.24.0 0.0.0.255 area 2

R3(config)#router ospf 1
R3(config-router)#network 3.3.3.3 0.0.0.0 area 3
R3(config-router)#network 192.168.34.0 0.0.0.255 area 3

R4(config)#router ospf 1
R4(config-router)#network 4.4.4.4 0.0.0.0 area 0
R4(config-router)#network 192.168.14.0 0.0.0.255 area 1
R4(config-router)#network 192.168.24.0 0.0.0.255 area 2
R4(config-router)#network 192.168.34.0 0.0.0.255 area 3

Before we continue, it’s best to verify that we have working OSPF neighbor adjacencies:

R4#show ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/BDR         00:00:33    192.168.14.1    FastEthernet0/0
2.2.2.2           1   FULL/BDR         00:00:39    192.168.24.2    FastEthernet0/1
3.3.3.3           1   FULL/BDR         00:00:39    192.168.34.3    FastEthernet1/0

The ABR has three working OSPF neighbor adjacencies. Now it’s time to create some filters. We’ll start with inbound filtering.

Inbound Area LSA Type 3 filtering

I will start by filtering some prefixes that are headed toward area 3. The inbound filter will filter prefixes from all areas sent to 1 area. First, we’ll take a look at the routing table of R3 in area 3:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:03:50, FastEthernet0/0
     2.0.0.0/32 is subnetted, 1 subnets
O IA    2.2.2.2 [110/3] via 192.168.34.4, 00:03:50, FastEthernet0/0
O IA 192.168.14.0/24 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0
O IA 192.168.24.0/24 [110/2] via 192.168.34.4, 00:03:50, FastEthernet0/0

All prefixes that R3 has learned are inter-area prefixes (LSA Type 3). Let’s filter 2.2.2.2 /32 from entering area 3. First, we’ll create a prefix-list:

R4(config)#ip prefix-list INTO-AREA3 deny 2.2.2.2/32
R4(config)#ip prefix-list INTO-AREA3 permit 0.0.0.0/0 le 32

This prefix-list will deny 2.2.2.2 /32 and allow all other prefixes. Now we have to apply it to the area:

R4(config)#router ospf 1
R4(config-router)#area 3 filter-list prefix INTO-AREA3 in

If you want, you can verify that the area filter is active with the show ip ospf command:

R4#show ip ospf 1 | begin Area 3
    Area 3
	Number of interfaces in this area is 1
	Area has no authentication
	SPF algorithm last executed 00:01:50.060 ago
	SPF algorithm executed 3 times
	Area ranges are
	Area-filter INTO-AREA3 in
	Number of LSA 5. Checksum Sum 0x03C737
	Number of opaque link LSA 0. Checksum Sum 0x000000
	Number of DCbitless LSA 0
	Number of indication LSA 0
	Number of DoNotAge LSA 0
	Flood list length 0

Now take a look at the routing table of R3 again:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:07:19, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/3] via 192.168.34.4, 00:07:19, FastEthernet0/0
O IA 192.168.14.0/24 [110/2] via 192.168.34.4, 00:07:19, FastEthernet0/0
O IA 192.168.24.0/24 [110/2] via 192.168.34.4, 00:07:19, FastEthernet0/0

Prefix 2.2.2.2 /32 is gone from the routing table as it has been filtered by the ABR (R4). The nice thing about inbound filtering is that it doesn’t matter from which area the prefix came. Everything that goes into area 3 will hit the prefix-list and will be filtered. I can demonstrate this to you by filtering something else, for example, the two prefixes 192.168.14.0 /24 (area 1) and 192.168.24.0 /24 (area 2). Let’s change our prefix-list:

R4(config)#ip prefix-list INTO-AREA3 seq 6 deny 192.168.14.0/24
R4(config)#ip prefix-list INTO-AREA3 seq 7 deny 192.168.24.0/24

Now take a look again at the routing table of R3:

R3#show ip route ospf 
     1.0.0.0/32 is subnetted, 1 subnets
O IA    1.1.1.1 [110/3] via 192.168.34.4, 00:01:22, FastEthernet0/0
     4.0.0.0/32 is subnetted, 1 subnets
O IA    4.4.4.4 [110/3] via 192.168.34.4, 00:01:22, FastEthernet0/0

The 192.168.14.0 /24 and 192.168.24.0 /24 prefixes are now gone from the routing table. It doesn’t matter which area they come from…

Configurations
R1
R2
R3
R4

Want to take a look for yourself? Here you will find the final configuration of each device.
Now you know how inbound filtering works, let’s take a look at outbound filtering.

Outbound Area LSA Type 3 filtering

The outbound filter lets us filter a prefix from 1 area to all other areas. Let’s see if we can filter 3.3.3.3 /32 so that R1 and R2 won’t have it in their routing table anymore. First, we’ll verify if they have learned about this prefix:

R1#show ip route 3.3.3.3          
Routing entry for 3.3.3.3/32
  Known via "ospf 1", distance 110, metric 3, type inter area
  Last update from 192.168.14.4 on FastEthernet0/0, 00:03:07 ago
  Routing Descriptor Blocks:
  * 192.168.14.4, from 4.4.4.4, 00:03:07 ago, via FastEthernet0/0
      Route metric is 3, traffic share count is 1

R2#show ip route 3.3.3.3
Routing entry for 3.3.3.3/32
  Known via "ospf 1", distance 110, metric 3, type inter area
  Last update from 192.168.24.4 on FastEthernet0/0, 00:03:23 ago
  Routing Descriptor Blocks:
  * 192.168.24.4, from 4.4.4.4, 00:03:23 ago, via FastEthernet0/0
      Route metric is 3, traffic share count is 1

R1 and R2 both know about the loopback interface of R3. Let’s create a prefix-list that matches 3.3.3.3 /32:

R4(config)#ip prefix-list OUT-AREA3 deny 3.3.3.3/32
R4(config)#ip prefix-list OUT-AREA3 permit 0.0.0.0/0 le 32

We’ll deny 3.3.3.3 /32 and permit all other prefixes. Now activate it for area 3:

R4(config)#router ospf 1
R4(config-router)#area 3 filter-list prefix OUT-AREA3 out

This will ensure that all other areas won’t learn about 3.3.3.3 /32 once it leaves area 3. R1 and R2 won’t know about this network anymore…

R1#show ip route 3.3.3.3
% Network not in table

R2#show ip route 3.3.3.3
% Network not in table

So basically, this is how the area filter-list works:

The inbound area filter-list will filter prefixes from all areas sent to 1 area.
The outbound area filter-list will filter prefixes from 1 area sent to all other areas.

Configurations
R1
R2
R3
R4

OSPF Area Configuration

Inbound Area LSA Type 3 filtering

Outbound Area LSA Type 3 filtering

Unit 1: Introduction to OSPF

Unit 2: OSPF Neighbor Adjacency

Unit 3: OSPF Network Types

Unit 4: OSPF Stub Areas

Unit 5: Advanced OSPF Topics