Cisco Support Community

Filtering Out Routes


Example below..

O E2 [110/0] via,

O [110/4] via,

I want to filter out the /24 - but keep the /20.

I have my access-list denying the routes, then my distribute list under OSPF but it always denies all the networks. Am I unable to achieve this?


Filtering Out Routes

Hi again

Create an acl that matches on your mask as well and then apply that:

access-list 10 deny

access-list 10 permit any

router ospf

distribute-list 10 in



HTH, John *** Please rate all useful posts ***

Filtering Out Routes

Hey John!

Yeah, I did try that initially, but then both routes disappeared. I just tried again to check, and when I use

access-list xx deny

access-list xx permit any

both the

disappear :-(

I'm using ip access-list rather than access-list just so it's easier for me to edit, but I'm sure this won't be the problem?

Re: Filtering Out Routes


To avoid undesired filtering by the limitations of ACLs, you should use a prefix-list:

ip prefix-list TEST deny 
ip prefix-list TEST permit le 32

Useful Link: Understanding IP Prefix-Lists

Hope that helps


Filtering Out Routes

Yeah, you're going to need to use a prefix list. I labbed this up and it simply doesn't work, but a prefix-list will.

ip prefix-list AllowedRoute deny

ip prefix-list AllowedRoute permit le 32

router ospf 1

distribute-list prefix AllowedRoute in

This does work...



HTH, John *** Please rate all useful posts ***

Filtering Out Routes

Hi Again!

I've been reading up on the forums here regarding some other routing info and came across this from Scott Morris..


"Another thing to note in OSPF...  Everyone in an area must have the same database.  So you CANNOT do "distribute-list out" like you can in other protocols to permit/deny certain routes from particular interfaces.  Otherwise you break the rules of the RFC and threaten to end the universe as we know it."

Am I causing issues by filtering routes from appearing in one router's RIB? Does this make the databases different, causing the end of the universe...?  :-)

Re: Filtering Out Routes


 So you CANNOT do "distribute-list out" like you can in other protocols (...)

This is key to link-state RPs; I didn't mention it because I thought you already knew.

The LSDBs have to be the same within an Area to avoid routing loops and blackholing, so the only thing you can manipulate is what LSDB information will appear in the local routing table. This is the purpose of the distribute-list in command in OSPF.

One scenario for doing this is an OSPF-to-OSPF redistribution (2 different OSPF processes).

At area- or AS-borders things are different. A couple of weeks ago I posted some general information about OSPF hierarchy and manipulation (filtering, summarization) here, perhaps it's helpful:

Feel free to ask further!

Hope that helps


Re: Filtering Out Routes

"Am I causing issues by filtering routes from appearing in one router's RIB? Does this make the databases different ...?"

No, it doesn't. Filtering out prefixes from the local forwarding table doesn't affect the LSDB.

R1#show ip prefix-list

ip prefix-list TEST: 2 entries

seq 5 deny

seq 10 permit le 32

R1#show run | sect ^router

router ospf 1


network area 0

distribute-list prefix TEST out (*)

distribute-list prefix TEST in

R1#show ip ospf database router | i Advert|\(Link

Advertising Router:

(Link ID) Network/subnet number:

(Link Data) Network Mask:

But depending on the next-best route which is used to forward traffic to reach the locally filtered network prefix (e.g. the default route), you could end up in a routing loop.

In the example you've posted, both routes have the same next-hop, so in this case you're safe.




(*): I expected to receive some kind of error message when applying the distribute-list out, but there wasn't one. So IOS lets you apply it, but it doesn't affect the LSDB at all.
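The routing-loop caveat from the post above, as an added example that is not part of the original thread: filtering a prefix inbound changes only the local RIB, so traffic for it follows the next-best covering route. The three-router topology, router names and addresses are constructed; each dict stands in for the routes a router computes from the shared LSDB.

```python
import ipaddress

# Constructed topology: 10.1.0.0/24 is attached to R3. Each dict stands in for
# the routes that router computes from the area's shared LSDB (prefix -> next hop).
SPF = {
    "R1": {"10.1.0.0/24": "R3", "10.1.0.0/20": "R3", "0.0.0.0/0": "R2"},
    "R2": {"10.1.0.0/24": "R1", "0.0.0.0/0": "connected"},
    "R3": {"10.1.0.0/24": "connected"},
}
R1_DEFAULT_ONLY = {"10.1.0.0/24": "R3", "0.0.0.0/0": "R2"}  # no covering /20

def install(routes, denied=()):
    """distribute-list in: skip denied prefixes when building the local RIB.
    The input dict is left untouched, as the LSDB is on a real router."""
    return {ipaddress.ip_network(p): nh for p, nh in routes.items() if p not in denied}

def next_hop(rib, dst):
    """Longest-prefix match over the RIB; None if nothing covers dst."""
    covering = [n for n in rib if dst in n]
    return rib[max(covering, key=lambda n: n.prefixlen)] if covering else None

def trace(ribs, start, dst, max_hops=8):
    """Follow next hops from start; return (path, 'delivered'|'dropped'|'loop')."""
    dst, path = ipaddress.ip_address(dst), [start]
    while len(path) <= max_hops:
        nh = next_hop(ribs[path[-1]], dst)
        if nh is None:
            return path, "dropped"
        if nh == "connected":
            return path, "delivered"
        path.append(nh)
        if path.count(nh) > 1:  # revisited a router: forwarding loop
            return path, "loop"
    return path, "loop"

def filtered_on_r1(r1_routes):
    """R1 filters the /24 inbound; R2 and R3 install everything."""
    ribs = {name: install(routes) for name, routes in SPF.items()}
    ribs["R1"] = install(r1_routes, denied={"10.1.0.0/24"})
    return trace(ribs, "R1", "10.1.0.5")

if __name__ == "__main__":
    print(filtered_on_r1(SPF["R1"]))        # /20 has the same next hop as the /24
    print(filtered_on_r1(R1_DEFAULT_ONLY))  # falls back to the default route
```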


Filtering Out Routes

Perhaps it will clarify the issue a bit if we understand that a distribute list or a prefix list will filter routes but can not filter Link State Advertisements. So a distribute list or a prefix list applied inbound can prevent routes from entering the RIB from OSPF but can not prevent the advertisement to other neighbors.

Also note that if you do use distribute list or prefix list inbound that it affects the local routing table. But it does not prevent advertising those filtered routes to other neighbors.




Filtering Out Routes

A distribute-list out only works, as far as I know, in OSPF in one situation and this is to filter out external prefixes at the ASBR that is injecting this external information.

A distribute-list in, as others said in this post, works by filtering the routes from the RIB, but it will maintain the LSAs in the LSDB and therefore it will still send them to other routers in the area. However, there are two exceptions: for type 3 LSAs at the ABR, it will filter prefixes in the RIB and LSAs in the LSDB. The same goes for type 7 LSAs at the ABR/ASBR which is doing the translation between type 7 and type 5 LSAs.

The only way to filter prefixes and LSAs inside one area would be to use a flooding filter (ip ospf database-filter all out). However, this applies to ALL the LSAs from the database. Another way would be to Max-Age all of them, but again it will apply to all the LSAs.

Best Regards,

