08-15-2007 07:15 AM - edited 03-05-2019 05:54 PM
Greetings,
OSPF only allows inbound distribute-lists, not outbound. I was wondering if you can apply an access-group outbound to an interface belonging to an OSPF network.
08-15-2007 09:50 AM
Charles
An outbound access-group would not work. And the reason does not really have anything to do with OSPF. An outbound access-group will only filter traffic that is transit through the router and will not filter any traffic that is generated by the router itself (which includes all routing updates).
And be aware that an inbound distribute list can prevent the route from being inserted into the routing table. But the LSA describing the route is still in the link state data base and will still be advertised to other OSPF neighbors. So you could have the symptom that OSPF will advertise to neighbors a route that is not in its own routing table.
HTH
Rick
08-15-2007 10:42 AM
Rick,
Thanks for the update. Sounds like a catch 22. A router builds its routing table based on routing updates from its neighbors within a given protocol (like OSPF) & redistribution from other routing protocols (like BGP, EIGRP).
So these routing updates will get advertised by OSPF no matter what. On the other hand, if an inbound packet from a known IP address attempts to traverse the router, this is the type of traffic you speak of that can be filtered on an access-group.
Please advise,
Regards,
Charles
08-15-2007 10:51 AM
Charles
I am not sure where the catch 22 comes into play. Filtering data packets that transit the router (using access-group out) is one thing and filtering routing updates is a quite separate issue.
One way of looking at this is to realize that OSPF as a link state protocol requires that all routers within the area have exactly the same content in the link state data base (this is so that they will all draw exactly the same topology map of the area and be able to accurately avoid loops). Maintaining consistency in the link state data base is the main reason that OSPF does not support filtering routing updates. Note that non-link state routing protocols do not have this restriction. For EIGRP, or RIP, or BGP you do have the ability to filter routing updates inbound and outbound. But not for OSPF.
HTH
Rick
08-15-2007 10:59 AM
Thanks. Appreciate the help.
08-17-2007 11:36 AM
If you want to filter your outbound LSAs you can do a "ip ospf database-filter all out" or "neighbor x.x.x.x database-filter all out". Adjacencies are still established but the other router wouldn't receive your LSAs. Sometimes this is used to reduce LSA flooding--used in very few situations with caveats.
A little more detail here:
http://fengnet.com/book/Cisco.IOS.Cookbook.2nd/I_0596527225_CHP_8_SECT_3.html
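The mechanisms discussed in this thread, side by side, as an added example that is not part of any poster's message. The addresses, OSPF process ID, ACL number and interface name are constructed placeholders.

```cisco
! Constructed example: 192.0.2.0/24, 198.51.100.0/24, process 1,
! ACL 10 and FastEthernet0/1 are placeholders, not values from the thread.
!
! 1) Inbound distribute-list: local routing-table filter only.
!    The matching route is kept out of THIS router's routing table,
!    but its LSA stays in the link-state database and is still
!    flooded to neighbors.
access-list 10 deny   192.0.2.0 0.0.0.255
access-list 10 permit any
!
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
 distribute-list 10 in
!
! 2) Interface-level LSA suppression: the adjacency still forms,
!    but no LSAs are flooded out of this interface.
interface FastEthernet0/1
 ip ospf database-filter all out
!
! 3) Per-neighbor form of the same suppression.
router ospf 1
 neighbor 198.51.100.2 database-filter all out
!
! Verification (exec mode):
!   show ip route 192.0.2.0      <- routing-table view of the prefix
!   show ip ospf database        <- link-state database view
!   show ip ospf neighbor        <- adjacency state
```

Comparing the routing-table view with the link-state database view on the filtering router, and then on its neighbor, shows which of the two a given filter actually affects.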