
No Distribute list out w/OSPF- Can you filter out w/access-group?

cfabius
Level 1

Greetings,

OSPF only allows inbound distribute-lists, not outbound. I was wondering if you can apply an access-group outbound to an interface belonging to an OSPF network.


Richard Burts
Hall of Fame

Charles

An outbound access-group would not work. And the reason does not really have anything to do with OSPF. An outbound access-group will only filter traffic that is transit through the router and will not filter any traffic that is generated by the router itself (which includes all routing updates).

And be aware that an inbound distribute list can prevent the route from being inserted into the routing table. But the LSA describing the route is still in the link state data base and will still be advertised to other OSPF neighbors. So you could have the symptom that OSPF will advertise to neighbors a route that is not in its own routing table.

HTH

Rick
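
The symptom described in the reply above, as an added example that is not part of the original thread: a simplified Python model in which an inbound distribute-list on R2 keeps a prefix out of R2's routing table while the LSA stays in every router's link state database. The three-router topology R1-R2-R3, the unit link costs, the absence of a default route, and all names and prefixes are assumptions constructed for illustration.

```python
from collections import deque

# Constructed topology: R1 -- R2 -- R3 in one OSPF area, every link cost 1.
LINKS = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}
# Constructed sample data: prefixes each router originates as LSAs.
ORIGINATED = {"R1": ["10.1.1.0/24"], "R2": [], "R3": ["10.3.3.0/24"]}
# Inbound distribute-list: prefixes a router refuses to install in its RIB.
DISTRIBUTE_LIST_IN = {"R2": {"10.1.1.0/24"}}


def flood():
    """Every router ends up with the same LSDB; the distribute-list never touches it."""
    lsdb = {(r, p) for r, prefixes in ORIGINATED.items() for p in prefixes}
    return {router: set(lsdb) for router in LINKS}


def next_hops(src):
    """Shortest-path tree from src by BFS: destination router -> first hop."""
    first, seen = {}, {src}
    queue = deque((n, n) for n in LINKS[src])
    while queue:
        node, hop = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        first[node] = hop
        queue.extend((n, hop) for n in LINKS[node])
    return first


def build_rib(router, lsdb):
    """Compute routes from the LSDB, then apply the inbound distribute-list."""
    hops = next_hops(router)
    denied = DISTRIBUTE_LIST_IN.get(router, set())
    return {p: hops[o] for o, p in lsdb if o != router and p not in denied}


def forward(src, prefix):
    """Follow RIB next hops until the originator is reached or a router has no route."""
    lsdbs = flood()
    owner = next(o for o, p in lsdbs[src] if p == prefix)
    path, here = [src], src
    while here != owner:
        rib = build_rib(here, lsdbs[here])
        if prefix not in rib:
            return path, "dropped at " + here
        here = rib[prefix]
        path.append(here)
    return path, "delivered"
```

Calling `forward("R3", "10.1.1.0/24")` shows R3 still sending traffic toward R2, which has the LSA but no route for the prefix.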

Rick,

Thanks for the update. Sounds like a catch 22. A router builds its routing table based on routing updates from its neighbors within a given protocol (like OSPF) & redistribution from other routing protocols (like BGP, EIGRP).

So these routing updates will get advertised by OSPF no matter what. On the other hand, if an inbound packet from a known IP address attempts to traverse the router, this is the type of traffic you speak of that can be filtered on an access-group.

Please advise,

Regards,

Charles

Charles

I am not sure where the catch 22 comes into play. Filtering data packets that transit the router (using access-group out) is one thing and filtering routing updates is a quite separate issue.

One way of looking at this is to realize that OSPF as a link state protocol requires that all routers within the area have exactly the same content in the link state data base (this is so that they will all draw exactly the same topology map of the area and be able to accurately avoid loops). Maintaining consistency in the link state data base is the main reason that OSPF does not support filtering routing updates. Note that non-link state routing protocols do not have this restriction. For EIGRP, or RIP, or BGP you do have the ability to filter routing updates inbound and outbound. But not for OSPF.

HTH

Rick

Thanks. Appreciate the help.

cspeidel
Level 1

If you want to filter your outbound LSAs you can do a "ip ospf database-filter all out" or "neighbor x.x.x.x database-filter all out". Adjacencies are still established but the other router wouldn't receive your LSAs. Sometimes this is used to reduce LSA flooding--used in very few situations with caveats.

A little more detail here:

http://fengnet.com/book/Cisco.IOS.Cookbook.2nd/I_0596527225_CHP_8_SECT_3.html
