I have 3 routers: R1 and R2 in OSPF area 0, and R2 and R3 form an OSPF area 10 (R2 is the ABR). R3 advertised 4 routes to R2: 18.104.22.168/32, 22.214.171.124/32, 126.96.36.199/32 and 188.8.131.52/32. I want to filter the traffic coming from area 10 and only allow route 184.108.40.206/32, so on R2 I configured:
area 10 filter-list prefix test in
ip prefix test permit 220.127.116.11/32
But when I look at my routing table on R2, nothing changed; I can still see other routes like 18.104.22.168/32 in the routing table. Can someone tell me where the problem is?
When you apply a filter it prevents LSA from being installed into the routing table. It does not stop the OSPF process from populating its link-state database.
The routes are flooded to R2 before you applied the filter. You need to clear the OSPF process in order to re-learn those routes.
Router#clear ip ospf 1
The routing table should not contain routes other than 22.214.171.124/32. Beware that R2 can learn those routes from other OSPF neighbors. See your OSPF database for more information.
Router#show ip ospf database
* Please rate posts.
First, you cannot filter the R3 routes with this filter-list command under the OSPF process, because this command is used to filter LSA type 3 and R3 is using LSA type 1 for these routes.
The way you applied the filter-list under area 10 in the IN direction will not have an effect in any area. You cannot filter 4.4.x.x routes coming from R3 to R2. You can filter these routes for R1 only if you apply the same filter-list in the OUT direction. In this way you can block all LSA-3 except the one that you allowed (126.96.36.199/32) on R1.
You need to clear the OSPF process after changing to refresh the database.
As Mohamed has pointed out, you have applied the command in the wrong direction.
You can use:
area 10 filter-list prefix test out
area 0 filter-list prefix test in
because these filters apply on the ABR in the act of creating the LSA type 3 that represent area 10 internal IP subnets to be sent into other areas.
So either you use the out direction and the source area-id, or you use the in direction and the destination area-id.
The prefix list is applied to prefixes advertised to the specified area from other areas.
The prefix list is applied to prefixes advertised out of the specified area to
Before the introduction of this command, the only way to perform inter-area route filtering was to use the area range command with the no-advertise option.
But the area filter-list provides much more flexibility.
Hope to help
What if we make it more interesting and debatable by comparing it with a different approach? Let's look at the other option of using a distribute list.
The basic requirement is to disallow a route into the routing table of R2 (ABR), so we can try a different approach:
we use a distribute list along with a route map and apply it to the R2 OSPF process to deny the route from getting installed in the routing table.
- make a route map with a deny statement and match the specific route (many contexts available, like tag, source interface etc.) to be denied entry to the routing table
route-map filter-1 deny 10
- under ospf process , apply distribute list
distribute-list route-map filter-1 in
I hope this can prevent specific route entry to R2 routing table.
The distribute-list and area filter-list both serve somewhat different purposes and are not directly comparable.
The area filter-list command applies to inter-area routes only, and has an area-wide impact, depending on its direction. This command influences the contents of LSA3 that are generated by the ABR, therefore, the command influences link-state databases and routing tables of all routers to which this modified LSA3 is flooded.
The distribute-list in command only prevents a particular route from entering the routing table on a particular router after the SPF computation has taken place. The link-state database, however, is not modified in any sense. The LSAs are flooded without modification further, and the route will be present on remaining routers in the area. Because routing loops or traffic blackholing can ensue as a result of improper use of the distribute-list in command, I personally do not recommend using it until absolutely necessary.
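The behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of ABR R2 showing which prefixes each filter-list direction lets through as type 3 LSAs, and that R2's own intra-area routes are untouched by it. The prefixes are constructed documentation addresses, the function names are hypothetical, and any interaction between distribute-list and type 3 origination is not modelled.

```python
# Simplified model of ABR R2 (area 0 <-> area 10). Prefixes are constructed
# documentation addresses, not the ones from the thread.
INTRA = {
    0: ["198.51.100.1/32"],                   # learned from R1 via type 1 LSA
    10: ["192.0.2.1/32", "192.0.2.2/32",
         "192.0.2.3/32", "192.0.2.4/32"],     # learned from R3 via type 1 LSA
}
PREFIX_LIST = {"192.0.2.1/32"}  # one permit entry, implicit deny for the rest


def type3_into(dest_area, filters):
    """Prefixes R2 advertises into dest_area as type 3 summary LSAs.

    filters is a set of (area, direction) pairs, one per
    'area <area> filter-list prefix <name> <direction>' line on R2.
    """
    advertised = []
    for src_area, prefixes in INTRA.items():
        if src_area == dest_area:
            continue  # an area's own routes are not summarised back into it
        for p in prefixes:
            if (src_area, "out") in filters and p not in PREFIX_LIST:
                continue  # 'out' filters what leaves the source area
            if (dest_area, "in") in filters and p not in PREFIX_LIST:
                continue  # 'in' filters what enters the destination area
            advertised.append(p)
    return sorted(advertised)


def r2_rib(distribute_in=None):
    """Intra-area routes R2 installs. A filter-list never touches these;
    only a local 'distribute-list ... in' (set of permitted prefixes) does."""
    routes = [p for plist in INTRA.values() for p in plist]
    if distribute_in is not None:
        routes = [p for p in routes if p in distribute_in]
    return sorted(routes)


if __name__ == "__main__":
    for f in [{(10, "in")}, {(10, "out")}, {(0, "in")}]:
        print(f, "-> area 0 receives", type3_into(0, f))
    print("R2 RIB with any filter-list:", r2_rib())
```

With the original poster's `area 10 ... in` line, area 0 still receives all four area 10 prefixes and R2's table is unchanged; only the summaries entering area 10 are filtered.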
To sum up,
the possible solutions for this simple topology are:
area filter list:
under ABR R2:
area 0 filter-list prefix xx in
area 10 filter-list prefix xx out -- this works here without any issues because there are only two areas; if there are more, this will block towards other areas as well!
distribute-list in: this can be configured using a prefix list, ACL or route-map
or area range in R2 with the option not-advertise
or you can use the distance command in R1 with a value of 255 for that prefix
if helpful Rate
Using "area filter list" under ABR R2 is not the required solution. Actually the question was "but when I look at my routing table on R2, nothing changed, I still can see other routes like 188.8.131.52/32 in the routing table". This solution only prevents this route from reaching R1.
distribute-list will be the option to use, in the IN direction under area 10.
In this case you are right,
but distribute-list does not work with areas; I think by "under area 10" you meant prefixes of area 10!
>> Using "area filter list" under ABR R2 is not the required solution.
We don't know if the original poster is studying OSPF route filtering in order to pass a Cisco exam, or for a need in a real network.
In the real world, even in a small network made of fewer than one hundred routers, the area filter-list or its predecessor area range + no-advertise are the only manageable solutions.
You cannot expect that a change needs to be propagated on all nodes of the network as it is required with distribute-list or with distance command.
As noted by Peter these have to be considered last resort solutions and are not recommended.
Of course in a lab things are different and you can consider these solutions.
Hope to help