Outbound-filtering for OSPF routes
Learn how to configure outbound filtering in OSPF through the CLI to prevent specific interface subnets from being advertised to neighboring routers. You can create access lists and route maps to control which routes enter Link-State Advertisements (LSAs).
All routers in an OSPF area use Link-State Advertisements (LSAs) to build and maintain the same Link State Database (LSDB) and determine the Shortest Path First (SPF) to reach destinations.
How to filter routes
LSAs contain the interface subnets that belong to the OSPF network. To prevent OSPF from advertising an interface subnet, use one of the following options:
- Make sure the interface subnet doesn't belong to the OSPF network's subnet.
- Use access control lists (ACLs) and route maps to prevent OSPF routes from being advertised. You'll prevent the interface subnet from entering the neighbours' routing tables.
Example scenario
The following example shows how to prevent OSPF from advertising the subnet of a specific interface.
You must use your actual network, area, and router IDs based on your network topology. The example uses the following address for the interface you don't want to advertise: 10.10.10.1/24
Configuration summary
To prevent LSAs from advertising the subnet of the interface address 10.10.10.1/24 while still advertising the subnets of all other connected interfaces, do as follows:
- Create an access list with a rule to exclude the interface subnet.
- Add a rule to the access list to allow the other subnets.
- Create a route map and match the routes.
- Redistribute the connected interfaces with the route map.
Detailed configuration
To configure outbound filtering, create an access list with the necessary rules, then define a route map that references the access list, and apply it to match the desired routes. Finally, redistribute the connected interfaces using the route map.
- To enter OSPF mode, enter the following options:
  - For Route configuration: 3
  - For Configure unicast routing: 1
  - For OSPF: 2
- To enter OSPF configuration mode, run the following commands:
  - Enter global configuration mode:
    enable
  - Enter OSPF configuration mode:
    conf t
    or
    conf terminal
- To create the access list, run the following commands:
  - Create an access list with a deny rule for the interface subnet:
    access-list <acl name> deny <interface address/subnet>
  - Allow the other subnets of the network:
    access-list <acl name> permit any
    Note: By default, access lists have a deny all rule. So, you must add this command to allow OSPF routes.
    The firewall evaluates access lists in the order they're listed.
- To create the route map and match the routes, run the following commands:
  - Create the route map entry:
    route-map <route map's name> permit <sequence number>
    The firewall reads route maps in the order they're listed. The sequence number determines the order. The sequence number can be from 1 to 65535.
  - Match routes with the connected interfaces in the ACL:
    match ip address <acl name>
- To redistribute the connected interfaces with the route map, run the following commands:
  - Exit the route map configuration:
    exit
  - Enter the OSPF configuration mode:
    router ospf
  - Redistribute the route map:
    redistribute connected route-map <route map's name>
- To exit and save the configuration, run the following commands:
  - Exit the OSPF configuration mode:
    exit
  - Save the configuration:
    write
Example
ospf> enable
ospf# config t
ospf(config)#
ospf(config)# access-list testacl deny 10.10.10.0/24
ospf(config)# access-list testacl permit any
ospf(config)# route-map testmap permit 20
ospf(config-route-map)# match ip address testacl
ospf(config-route-map)# exit
ospf(config)# router ospf
ospf(config-router)# redistribute connected route-map testmap
ospf(config-router)# exit
ospf(config)# write
Configuration saved to /conf/routing/ospfd.conf
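The following is an added example, not part of the original page or the product's own code: a small Python model of the evaluation order described in the steps (first-match access list with the default deny all, route-map entries read by sequence number), applied to the commands from the example session. The interface addresses other than 10.10.10.1/24 are constructed, and treating a route that matches no route-map entry as not redistributed is an assumption.

```python
import ipaddress

# Constructed sample: the commands from the example session, written as config lines.
CONFIG = """\
access-list testacl deny 10.10.10.0/24
access-list testacl permit any
route-map testmap permit 20
 match ip address testacl
router ospf
 redistribute connected route-map testmap
"""
# Constructed interface addresses; only 10.10.10.1/24 comes from the page.
CONNECTED = ["10.10.10.1/24", "192.168.1.1/24", "172.16.16.16/24"]

def parse(config):
    """Return ACL rules in listed order and route-map entries keyed by sequence number."""
    acls, rmaps, current = {}, {}, None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"]:
            acls.setdefault(w[1], []).append((w[2], w[3]))
        elif w[:1] == ["route-map"]:
            current = {"action": w[2], "acl": None}
            rmaps.setdefault(w[1], {})[int(w[3])] = current
        elif w[:3] == ["match", "ip", "address"] and current is not None:
            current["acl"] = w[3]
    return acls, rmaps

def acl_permits(rules, subnet):
    """First matching rule wins; no match falls through to the default deny all."""
    for action, target in rules:
        if target == "any" or subnet.subnet_of(ipaddress.ip_network(target)):
            return action == "permit"
    return False

def advertised(config, route_map, connected):
    """Connected subnets that 'redistribute connected route-map <name>' lets through."""
    acls, rmaps = parse(config)
    entries = rmaps.get(route_map, {})
    out = []
    for cidr in connected:
        subnet = ipaddress.ip_interface(cidr).network
        for seq in sorted(entries):  # lowest sequence number is read first
            e = entries[seq]
            if e["acl"] is None or acl_permits(acls.get(e["acl"], []), subnet):
                if e["action"] == "permit":
                    out.append(str(subnet))
                break  # the first matching entry decides
        # Assumption: a route that matches no entry is not redistributed.
    return out
```

Removing the `permit any` line from the sample makes `advertised` return an empty list, and listing `permit any` before the `deny` rule lets 10.10.10.0/24 through again, which is why rule order matters when you review the saved configuration.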