No Distribute list out w/OSPF- Can you filter out w/access-group?

Aug 15th, 2007


OSPF only allows inbound distribute-lists, not outbound. I was wondering if you can apply an access-group outbound to an interface belonging to an OSPF network.

Richard Burts Wed, 08/15/2007 - 09:50


An outbound access-group would not work. And the reason does not really have anything to do with OSPF. An outbound access-group will only filter traffic that is transit through the router and will not filter any traffic that is generated by the router itself (which includes all routing updates).

And be aware that an inbound distribute list can prevent the route from being inserted into the routing table. But the LSA describing the route is still in the link state data base and will still be advertised to other OSPF neighbors. So you could have the symptom that OSPF will advertise to neighbors a route that is not in its own routing table.



cfabius Wed, 08/15/2007 - 10:42


Thanks for the update. Sounds like a catch 22. A router builds its routing table based on routing updates from its neighbors within a given protocol (like OSPF) & redistribution from other routing protocols (like BGP, EIGRP).

So these routing updates will get advertised by OSPF no matter what. On the other hand, if an inbound packet from a known IP address attempts to traverse the router, this is the type of traffic you speak of that can be filtered on an access-group.

Please advise,



Richard Burts Wed, 08/15/2007 - 10:51


I am not sure where the catch 22 comes into play. Filtering data packets that transit the router (using access-group out) is one thing and filtering routing updates is a quite separate issue.

One way of looking at this is to realize that OSPF as a link state protocol requires that all routers within the area have exactly the same content in the link state data base (this is so that they will all draw exactly the same topology map of the area and be able to accurately avoid loops). Maintaining consistency in the link state data base is the main reason that OSPF does not support filtering routing updates. Note that non-link state routing protocols do not have this restriction. For EIGRP, or RIP, or BGP you do have the ability to filter routing updates inbound and outbound. But not for OSPF.
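The two behaviours Richard Burts describes in this thread, written out as a Cisco IOS configuration. This is an added example, not part of the original posts; the process ID, area, prefix 10.20.0.0/16, ACL names and interface are constructed lab values.

```cisco
! Constructed lab values: OSPF process 1, area 0, prefix 10.20.0.0/16,
! ACL 10 / NO-OSPF-OUT and GigabitEthernet0/1 are assumptions.
!
! 1) Inbound distribute-list: keeps 10.20.0.0/16 out of THIS router's
!    routing table only. The LSA describing it stays in the link state
!    database and is still flooded to the other OSPF neighbors.
access-list 10 deny   10.20.0.0 0.0.255.255
access-list 10 permit any
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 distribute-list 10 in
!
! 2) Outbound access-group: does not stop OSPF packets sent by this
!    router, because an outbound interface ACL filters transit traffic
!    and is not applied to packets the router itself generates.
ip access-list extended NO-OSPF-OUT
 deny   ospf any any
 permit ip any any
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip access-group NO-OSPF-OUT out
!
! Verification from exec mode:
!   show ip route 10.20.0.0    expect no OSPF entry on this router
!   show ip ospf database      expect the LSA to still be present
!   show ip ospf neighbor      expect the Gi0/1 adjacency to stay FULL
```

Downstream routers still install 10.20.0.0/16 from the unchanged link state database, so traffic they send toward this router for that prefix has no matching specific route here.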



cspeidel Fri, 08/17/2007 - 11:36

If you want to filter your outbound LSAs you can do a "ip ospf database-filter all out" or "neighbor x.x.x.x database-filter all out". Adjacencies are still established but the other router wouldn't receive your LSAs. Sometimes this is used to reduce LSA flooding--used in very few situations with caveats.

A little more detail here:

