OSPF flooding filters in hub-and-spoke environment

Almost all articles describing large-scale DMVPN in combination with OSPF use the “magic” ip ospf database-filter all out command on the hub routers to minimize the OSPF traffic traversing the DMVPN part of the network.

NOTE: The same trick can be used in any hub-and-spoke network, including P2MP Carrier Ethernet networks.

What these articles usually fail to tell you is the true impact of this command: it stops all OSPF flooding from the hub router. The spoke routers receive no OSPF information whatsoever; to establish connectivity to the network core, you have to use static default routes on the spoke routers.
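A minimal hub-and-spoke configuration illustrating the behavior described above. This is an added example, not taken from the original article; the interface names and all addresses (10.0.0.1 as the hub tunnel address, 192.0.2.1 as the hub public address, 198.51.100.1 as the spoke's ISP next hop) are constructed.

```cisco
! ---- Hub router ----
interface Tunnel0
 ! Stop flooding of all LSAs out of this interface. The adjacency with
 ! each spoke stays up and the hub still receives the spokes' LSAs.
 ip ospf database-filter all out
!
! ---- Spoke router ----
! The spoke's LSDB contains nothing learned from the hub, so reachability
! to the network core has to be configured statically.
ip route 0.0.0.0 0.0.0.0 Tunnel0 10.0.0.1
!
! Keep the tunnel endpoint reachable over the physical uplink; without a
! more specific route, the hub's public address would resolve through the
! tunnel itself (recursive routing).
ip route 192.0.2.1 255.255.255.255 198.51.100.1
```

Running `show ip ospf database` on the spoke should list only the LSAs the spoke originates itself, which confirms that the filter is active on the hub.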


  1. A few restrictions I could quickly think of worth mentioning when "ip ospf database-filter all out" is configured on the hub and a static default is used on the spokes:

    1. For DMVPN Phase 2, this won't work, as the spokes need the actual tunnel IP address of the other spokes as the next hop for direct spoke-to-spoke communication.
    2. Typically the spokes would already have a default route towards their ISP for Internet access.

  2. "you have to use static default routes on the hub routers" - I think you meant to say "spoke routers" here?
  3. You're absolutely right. It helps if your network uses a nice addressing range so you don't have to use a default route on the spoke routers. Otherwise VRFs should help ;)
  4. Correct. Thanks. Fixed.
  5. An alternative, for example if we are using an IOS that does not support this feature or we are using another vendor, could be to MaxAge all the LSAs from the hub by increasing the transmit delay to 3600 seconds. However, the adjacency will be broken due to "too many retransmissions"; to avoid that, we should increase the retransmit interval to a high value in order to keep the adjacency up.

    So, the configuration in the Hub would be:

    ip ospf retransmit-interval 6000
    ip ospf transmit-delay 3600

    Best Regards.

  6. Hi, by filtering LSAs, won't this lead to an inconsistent LSDB on the routers in the same area?
    1. Yes, it would. Not the best idea in OSPF world...