OSPF ABR Type 3 LSA Filtering on Cisco IOS

I have a question. I'm configuring OSPF for some data links between my network equipment and the ISP's equipment, but the ISP uses area 0 for the data links and I use area 0 on my network.

How will the ISP redistribute the networks of area 0 to me, and how can I redistribute the networks of area 0 to them?

Hello Helen.

I am assuming that you and the ISP are operating completely separate OSPF domains. That is, their OSPF routing is completely autonomous from yours. This means that your area 0 has nothing to do with their area 0. They are two completely separate systems.

If this is the case, then the way one OSPF domain communicates with another OSPF domain is via a router that has two separate OSPF processes running. One interface is using process number 1 for example, this may be your internal OSPF domain, and the outside interface is using process 2, which is part of the ISP’s OSPF domain. This is assuming that the redistribution point is your edge router. You can find detailed information of redistribution between separate OSPF domains at this comprehensive Cisco documentation.

Now if the ISP is participating in the SAME OSPF domain as you (which I consider unlikely, but I’m including this for completion), then there is essentially no redistribution taking place as far as domain to domain is concerned. Both are in the same domain.

I hope this has been helpful!



By using filtering on the ABR, does this method tell the ABR not to advertise this prefix list, or does it tell the routers in the area not to install this prefix in their routing table?

Hello Heng

When you apply LSA3 filtering, you are telling the ABR not to advertise the specific prefix. In other words, it does not send any information about the specific prefix in its LSAs.

I hope this has been helpful!


R4(config)#ip prefix-list INTO-AREA3 seq 6 deny
R4(config)#ip prefix-list INTO-AREA3 seq 7 deny

I don't understand what seq 6 and seq 7 mean.

Hello Bahri

When creating a prefix list, we can add multiple statements. For example, in Rene’s lesson, he initially started with the following two commands:

R4(config)#ip prefix-list INTO-AREA3 deny
R4(config)#ip prefix-list INTO-AREA3 permit le 32

Now because the INTO-AREA3 prefix list has two entries, these entries are given specific sequence numbers. Because Rene didn’t specify these sequence numbers, by default, the IOS will assign sequence numbers at intervals of 5 (or 10 depending on the IOS version and platform). If you were to display the INTO-AREA3 prefix list, you would see something like this:

R4# show prefix-list INTO-AREA3
5  deny
10 permit le 32

Now in the case where the commands in your post were implemented, it was required that these be entered between the two existing entries, that is, somewhere between sequence numbers 5 and 10. Using the seq keyword, the location of these two new entries can be specified. Once the commands are implemented, and you display the current prefix list, you would get something like this:

R4# show prefix-list INTO-AREA3
5  deny
6  deny
7  deny
10 permit le 32

I hope this has been helpful!


Thank you very much,
it is useful.


In the topic OSPF ABR Type 3 LSA Filtering (https://networklessons.com/cisco/ccie-routing-switching/ospf-abr-type-3-lsa-filtering-on-cisco-ios), the R4#show ip ospf neighbor snippet shows that R4 is elected BDR for all the other 3 routers, but shouldn’t it be the opposite, i.e. R4 is DR for R1, R2 and R3, as R4 has the highest loopback address?

Also, in the topic, OSPF DR/BDR Election explained (https://networklessons.com/cisco/ccie-routing-switching/ospf-drbdr-election-explained), in the 2 multi-access segments topology R2#show ip ospf neighbor shows that R1 is elected BDR while the text below it says that “R1 is the DR for the segment”.

Are these changes correct or have I missed something in the DR/BDR election process?


Hello Apoorva

For the first case, you are correct that R4 should be the DR, assuming that all routers were turned on simultaneously and that the DR/BDR elections took place once all devices came up. Now there are cases, however, where the DR will have a lower loopback IP. Remember that in DR/BDR elections, there is no preemption. What this means is that if the DR fails at any point, the BDR becomes the DR. If the original DR comes back up again, it DOES NOT assume the role of DR again, but becomes the BDR. In other words, elections don’t take place again until the current DR has failed. So in the case of the lab, it may be that Rene reset the OSPF algorithm on R4, or restarted R4 at some point, which made all the other routers become the DR in their respective multiaccess segments. When R4 came back up again, R1, R2, and R3 remained DRs. So although it is not intuitive, there are normal operating situations where the DR will not be the router with the highest loopback address. The same is true whether you use router IDs or highest physical interface IPs.

In the second case you mention, yes, there seems to be a typo. The text should read:

In the example above you can see that R2 is the DR for the segment and R3 is the DR for the segment.

I will let Rene know.

Thanks and I hope this has been helpful!


Good afternoon,


Can you please help me to understand this portion of the lab?
I verified that R1 & R2 don’t have the route in their routing table once I applied route filtering out. I used this command: area 3 filter-list prefix OUT-AREA3 out.

Question: Why is R4 adding the route to its routing table and not filtering out that route, since the loopback interface is on area 0?

Due to filtering, R1 & R2 can’t ping, because it is not in the routing table, which is fine according to the purpose of the configuration.

R1#sh ip route
% Network not in table

R2#sh ip route
% Network not in table

R4#sh ip route
Routing entry for
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from on FastEthernet1/0, 01:53:04 ago
  Routing Descriptor Blocks:
  *, from, 01:53:04 ago, via FastEthernet1/0
      Route metric is 2, traffic share count is 1

I used extended ping to ping from lop to ping and it works, when it should be blocked.

R4#ping ip
Target IP address:
Repeat count [5]: 
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface:
Type of service [0]: 
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
Loose, Strict, Record, Timestamp, Verbose[none]: 
Sweep range of sizes [n]: 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of 
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/16/40 ms

Outbound Area LSA Type 3 filtering
R1 and R2 both know about the loopback interface of R3. Let’s create a prefix-list that matches /32:

*************CURRENT CONFIGURATION ON R4 ************************************

R4#show ip prefix-list OUT-AREA3 
ip prefix-list OUT-AREA3: 2 entries
   seq 5 deny
   seq 10 permit le 32
R4#show ip prefix-list INTO-AREA3    
ip prefix-list INTO-AREA3: 4 entries
   seq 5 deny
   seq 6 deny
   seq 7 deny
   seq 10 permit le 32
R4#sh run | s router              
router ospf 1
 area 3 filter-list prefix INTO-AREA3 in
 area 3 filter-list prefix OUT-AREA3 out
 network area 0
 network area 1
 network area 2
 network area 3

Can you please post your diagram as well? Thanks


Also pasting the whole configuration OSPF-FILTERING-TYPE-3-CONFIGURATION .txt (6.5 KB) for the 4 routers in the above topology.

Hello, the network is being permitted by the sequence 10 in your prefix-list named INTO-AREA3.

Does it make sense?

Hi Mercedes,
based on your first post…

R4 has routing entry for in database, it is because R4 has interface in OSPF area 3.
R4 is an ABR router and ABRs always have OSPF database for all the areas they have interfaces in.
Because is loopback on R4 then reachability is going to be there.

You can add another router, let’s say R5, and interconnect it with R4. The R4 and R5 interconnecting interfaces should belong to area 0. Because R4 is filtering (based on seq 5 in OUT-AREA3) then R5 should not have reachability to

Thank you for clarifying this issue for me.
I created R5 connected to R4 and it’s working like R1 & R2, which are unable to reach the loopback due to filtering.
Thank you for that.

What about if I want to block the loopback on the ASBR too?
Is there a granular way or a better way to block any route, for example loopback to reach loopback?
In other words, is it better blocking access to using a route map on the ABR for any specific route on R4?

I’m glad it helped.

In your case R4 is ABR, not the ASBR.

  • ABR = router that is interconnecting OSPF area 0 with any other OSPF area than 0.
  • ASBR = router that is performing Redistribution into OSPF.

This is important to understand. ABR is producing LSA Type 3 (Inter Area routes) and ASBR is producing LSA Type 5 (External routes).

Because is loopback on R4 in area 0 (it is Intra area route for area 0) and R4 is ABR, then R4 is going to push as LSA Type 3 (Inter area route) to area 3.
You can block this LSA Type 3 using filter list. Same approach you used before.

! on R4:
ip prefix-list BLOCK-R4_LOOPBACK seq 4 deny
router ospf 1
 area 3 filter-list prefix BLOCK-R4_LOOPBACK in

This basically tells R4 to not flood LSA Type 3 for into area 3.

OSPF is a link state protocol; this makes filtration somewhat limited, because all routers in a certain area need to have the same LSDB, otherwise they won’t become fully adjacent.

Within OSPF you can filter only on ABRs and ASBRs.

On ABRs you filter using Filter-list and it has following specifications:

  • Filters routes between areas (LSA Type 3 generated by ABR into another area).
  • Works only on ABR routers (ABR routers generate LSA Type 3).
  • Can reference only prefix-list.
  • in = inside referenced area
  • out = outside referenced area

There are other tricks for filtering, specifically using “area range”, but the ABR needs to know LSA 1 and LSA 2 from the area where the filtered route resides (it needs to have an interface in that area), otherwise not-advertise is not possible.
For your example it would look like this.

! on R4:
router ospf 1
 area 0 range not-advertise

R4 as ABR is now not advertising to other areas.

As another approach to filtration we can use Distribute-list:

  • in = apply distribute-list with “in” direction = allow incoming LSAs into the LSDB and flood them to peers, however prevent the LSAs from becoming routes in the router’s own local routing table; this can blackhole traffic. Applying distribute-list “in” is very uncommon.
  • out = only used on ASBRs to prevent redistribution of certain routes into External LSAs (do not CREATE external LSA). We should think if we want to redistribute these routes in the first place. This is the case where you pointed to route-map.
  • No interface allowed.
  • Can use standard or extended ACL. Standard = match on prefix. Extended = match on prefix and adv-rtr-ip (advertising router interface ip) of LSA (NOT the Router ID).

On ASBR we can also use “summary-address” and “not-advertise” filtering.

This is just an overview; the important thing is to understand how LSAs propagate routes, so you can filter them later.
I suggest you go over the various lessons on OSPF filtering. You can find them right here.

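Added example, not part of any post in this thread: a small Python model of the two mechanisms discussed above, namely prefix-list evaluation by sequence number (lowest matching seq wins, then an implicit deny) and how `area N filter-list prefix ... in|out` decides which Type 3 LSAs an ABR floods. The function names and all prefixes are constructed for illustration (documentation ranges, not the lesson's addresses), and the model assumes a single ABR attached to every area, as R4 is in the posted configuration.

```python
import ipaddress

def parse_entry(line):
    """Parse 'seq N permit|deny PREFIX/LEN [ge X] [le Y]' (IOS prefix-list syntax)."""
    tok = line.split()
    seq, action, net = int(tok[1]), tok[2], ipaddress.ip_network(tok[3])
    opts = dict(zip(tok[4::2], map(int, tok[5::2])))
    # Without ge/le the entry matches only the exact prefix length.
    lo = opts.get("ge", net.prefixlen)
    hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
    return seq, action, net, lo, hi

def prefix_list_permits(entries, route):
    """Return (permitted, matching_seq): lowest matching seq wins, else implicit deny."""
    route = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in sorted(entries, key=lambda e: e[0]):
        if lo <= route.prefixlen <= hi and route.subnet_of(net):
            return action == "permit", seq
    return False, None

def type3_into(area, intra_routes, filters):
    """Prefixes the ABR floods into `area` as Type 3 LSAs (simplified model).

    intra_routes: {area: [prefix, ...]} for every area the ABR is attached to.
    filters: {(area, "in" | "out"): entries}, like 'area N filter-list prefix X in|out'.
    """
    def passes(key, prefix):
        return key not in filters or prefix_list_permits(filters[key], prefix)[0]
    return [p for src, prefixes in intra_routes.items() if src != area
            for p in prefixes
            if passes((src, "out"), p) and passes((area, "in"), p)]

# Constructed sample data (documentation prefixes, not the lesson's addresses).
INTO_AREA3 = [parse_entry(l) for l in (
    "seq 5 deny 192.0.2.1/32",
    "seq 10 permit 0.0.0.0/0 le 32",
    "seq 6 deny 192.0.2.2/32",   # entered later, but evaluated before seq 10
)]
OUT_AREA3 = [parse_entry(l) for l in (
    "seq 5 deny 203.0.113.3/32",
    "seq 10 permit 0.0.0.0/0 le 32",
)]
DENY_ONLY = [parse_entry("seq 4 deny 192.0.2.4/32")]  # no permit entry at all
ROUTES = {0: ["192.0.2.4/32"], 1: ["192.0.2.1/32"], 2: ["192.0.2.2/32"],
          3: ["203.0.113.3/32", "203.0.113.0/24"]}
FILTERS = {(3, "in"): INTO_AREA3, (3, "out"): OUT_AREA3}

if __name__ == "__main__":
    for area in ROUTES:
        print(f"Type 3 into area {area}:", type3_into(area, ROUTES, FILTERS))
    print("deny-only list:", prefix_list_permits(DENY_ONLY, "192.0.2.1/32"))
```

A list that contains only deny entries filters every prefix, because anything that matches no entry falls through to the implicit deny; the `DENY_ONLY` case shows this.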


Thank you very much for the excellent explanation.
I’ll take a review of the LSA filtering lessons.

Thanks for figuring out! I was having a hard time defining his problem.
