[AusNOG] Cisco & Router OS help

J Williams jphwilliams at gmail.com
Mon Nov 4 17:44:47 EST 2013


Hi Alex,

You shouldn't need 2 OSPF processes.
First example looks like you are using area filter-list command which is
meant for type3 filtering.
Try adding "summary-address <bgp_route> <bgp_route_mask> not-advertise"
to stop the type7 to type5 translation.
The "area 10.172.0.0 range 10.172.0.0 255.255.0.0" will advertise the
summary route only.
Hope this helps.

Cheers,
Jules



On Mon, Nov 4, 2013 at 2:21 PM, Alex Samad - Yieldbroker <
Alex.Samad at yieldbroker.com> wrote:

> Hi
>
> Okay brief description
>
> Area 0 with
> 2 x routerOS OSPF neighbours
> 2 x cisco switches/routers as OSPF
>
>  Area 1
> 2 x cisco switches/routers as OSPF (same as above so ABR's)
> 2 x RouterOS which also have BGP -> extern services (ASBR's)
>
>  I want to stop the routes I learn from BGP travelling from Area 1 into
>  Area 0 AND/or I would like to make sure that only 10.172.0.0/16 (and
> subnets) are only ever injected from area1 to area0
>
> These are the original commands I used on the cisco routers
>
> no router ospf 1
> no router ospf 2
> no ip prefix-list OFilterOut
> ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32
>
> router ospf 1
>  router-id 10.172.255.2
>  log-adjacency-changes
>  area 0.0.0.0 authentication message-digest
>  area 0.0.0.0 filter-list prefix OFilterOut in
>  area 10.172.0.0 authentication message-digest
>  area 10.172.0.0 nssa
>  area 10.172.0.0 filter-list prefix OFilterOut out
>  area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise
>  redistribute connected subnets
>  network 10.31.19.0 0.0.0.255 area 0.0.0.0
>  network 10.172.201.0 0.0.0.255 area 10.172.0.0
>  network 10.172.202.0 0.0.0.255 area 10.172.0.0
>  network 10.172.203.0 0.0.0.255 area 10.172.0.0
>  network 10.172.204.0 0.0.0.255 area 10.172.0.0
>  network 10.172.205.0 0.0.0.255 area 10.172.0.0
>  network 10.172.207.0 0.0.0.255 area 10.172.0.0
>  network 10.172.208.0 0.0.0.255 area 10.172.0.0
>  network 10.172.212.0 0.0.0.255 area 10.172.0.0
>  network 10.172.213.0 0.0.0.255 area 10.172.0.0
>  network 10.172.250.0 0.0.0.255 area 10.172.0.0
>  network 10.172.255.2 0.0.0.0 area 10.172.0.0
>
>
> Then I tried what was in the cisco document
>
> no ip prefix-list OFilterOut
> ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32
>
> !! in list into router ospf 2 from ospf 1
> no route-map filter_ospf1
> route-map filter_ospf1 deny 10
> match tag 1
> route-map filter_ospf1 permit 20
>
>
> !! in list into router ospf 1 from ospf 2
> no route-map filter_ospf2
> route-map filter_ospf2 deny 10
> match tag 2
> route-map filter_ospf2 permit 20
> match ip  address prefix-list OFilterOut
> route-map filter_ospf2 deny 30
>
>
> // ybosw1
> no router ospf 1
> no router ospf 2
> router ospf 1
>  router-id 10.31.19.253
>  log-adjacency-changes
>  area 0.0.0.0 authentication message-digest
>  network 10.31.19.0 0.0.0.255 area 0.0.0.0
>  redistribute ospf 2 subnet tag 1
>  distribute-list route-map filter_ospf2 in
>
>
>
> router ospf 2
>  router-id 10.172.255.2
>  log-adjacency-changes
>  area 10.172.0.0 authentication message-digest
>  area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise
>  network 10.172.201.0 0.0.0.255 area 10.172.0.0
>  network 10.172.202.0 0.0.0.255 area 10.172.0.0
>  network 10.172.203.0 0.0.0.255 area 10.172.0.0
>  network 10.172.204.0 0.0.0.255 area 10.172.0.0
>  network 10.172.205.0 0.0.0.255 area 10.172.0.0
>  network 10.172.207.0 0.0.0.255 area 10.172.0.0
>  network 10.172.208.0 0.0.0.255 area 10.172.0.0
>  network 10.172.212.0 0.0.0.255 area 10.172.0.0
>  network 10.172.213.0 0.0.0.255 area 10.172.0.0
>  network 10.172.250.0 0.0.0.255 area 10.172.0.0
>  network 10.172.255.2 0.0.0.0 area 10.172.0.0
> !! redistribute connected subnets
>  redistribute ospf 1 subnet tag 2
>  distribute-list route-map filter_ospf1 in
>
>
> Both times I checked on the routerOS boxes in area 0, all the routes from
> BGP have  made it to area 0.
>
> Checking
>
> sh ip ospf 1 database
> sh ip ospf 2 database
>
>
> shows the BGP routes in both databases
>
> Interestingly I tried it with the routemap as just a deny all and the
> addresses still made it in......
>
>
> Thanks
> Alex
>
>
> > -----Original Message-----
> > From: Mark ZZZ Smith [mailto:markzzzsmith at yahoo.com.au]
> > Sent: Monday, 4 November 2013 2:02 PM
> > To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net
> > Subject: Re: [AusNOG] Cisco & Router OS help
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > > From: Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com>
> > > To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> > > Cc:
> > > Sent: Monday, 4 November 2013 1:01 PM
> > > Subject: [AusNOG] Cisco & Router OS help
> > >
> > > Hi
> > >
> > > I got lots of help with my RouterOS problem before, wondering if I can
> > > find somebody to help with my new problem.
> > >
> > > OSPF & Cisco & RouterOS, this is an issue of filtering OSPF LSAs at an
> > > ABR.
> > >
> > > What I am ref is
> > >
> > > http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080531fd2.shtml#prefixadmin
> > > ""
> > > There can be several reasons for redistribution between multiple processes.
> > > These are a few examples:
> > > To filter an OSPF route from part of the domain
> > > To separate different OSPF domains
> > > To migrate between separate domains
> > > ""
> > >
> > > The first option "To filter an OSPF route from part of the domain"
> > > just doesn't seem to be working for me and I am not sure if it's my
> > > reading of the cisco or some strange thing of RouterOS or ...
> > >
> > > I am sure I am running into a gotcha that I don't know about.
> > >
> > > If you can email me off list please
> > >
> >
> > I think on-list might be better so that archive/Internet searches etc.
> > later show it up.
> >
> > It's a long time since I've done it/knew about it, however my guess is
> > that you might be falling into the Cisco "reverse bitmask" problem of
> > subnet masks versus ACLs. Route filters using ACLs use ACL format masks,
> > not subnet masks, so if you want to filter e.g. 192.168.0.0/24, your
> > Cisco "ACL" route filter would look something like
> > "192.168.0.0 0.0.0.255". Check the details, my memory might be incorrect.
> >
> > This was one of the reasons why using route-maps for route filtering was
> > much more intuitive, as they could then refer to prefix-lists, and
> > prefix lists followed standard subnet/prefix length conventions. If you
> > have the option of using route-maps to do your OSPF redistribution, I'd
> > use them instead.
> >
> > (There are some traps with them too though - if there is a deny
> > statement at the end of one of the match prefix-lists (which I do to
> > make the deny explicit, similar to the ACL convention of doing it), it
> > bails on that route-map clause and then moves onto the next one. I've
> > literally spent a day trying to work out why there were never any
> > matches on my second prefix list in the match statement. A good rule is
> > to never try to match multiple prefix lists in one route-map clause, and
> > to create another to match on it.)
> >
> >
> > Regards,
> > Mark.
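The following is an added example, not posted by anyone in this thread: a simplified Python model of the ABR behaviour Jules describes, showing that the area filter-list in Alex's first configuration only acts on type-3 summaries while the type-7 to type-5 translation is stopped only by `summary-address ... not-advertise`. The function names are hypothetical, the LSDB is constructed, and the two type-7 prefixes are documentation ranges standing in for the BGP-learned routes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Lsa:
    lsa_type: int   # 1 = intra-area route, 7 = NSSA external (from the ASBRs)
    prefix: str

def net(p):
    return ipaddress.ip_network(p)

def prefix_list_permits(entries, prefix):
    """entries are (network, le) pairs modelling 'permit <network> le <le>'."""
    p = net(prefix)
    return any(p.subnet_of(net(n)) and p.prefixlen <= le for n, le in entries)

def abr_into_area0(nssa_lsdb, filter_out, area_ranges, not_advertise):
    """Return the (type, prefix) LSAs this model's ABR originates into area 0."""
    out = set()
    for lsa in nssa_lsdb:
        p = net(lsa.prefix)
        if lsa.lsa_type == 7:
            # Type-7 -> type-5 translation: the area filter-list is never
            # consulted; only 'summary-address ... not-advertise' suppresses it.
            if not any(p.subnet_of(net(s)) for s in not_advertise):
                out.add((5, lsa.prefix))
        else:
            # Intra-area route -> type-3 summary, collapsed by 'area range',
            # then checked against 'area ... filter-list prefix ... out'.
            rng = next((r for r in area_ranges if p.subnet_of(net(r))), lsa.prefix)
            if prefix_list_permits(filter_out, rng):
                out.add((3, rng))
    return sorted(out)

# Constructed sample LSDB for the NSSA (area 10.172.0.0).
NSSA_LSDB = [
    Lsa(1, "10.172.201.0/24"), Lsa(1, "10.172.202.0/24"), Lsa(1, "10.172.255.2/32"),
    Lsa(7, "203.0.113.0/24"), Lsa(7, "198.51.100.0/24"),
]
OFILTEROUT = [("10.172.0.0/16", 32)]   # permit 10.172.0.0/16 le 32
RANGES = ["10.172.0.0/16"]             # area 10.172.0.0 range 10.172.0.0 255.255.0.0

def first_config():
    # filter-list plus area range only: externals still reach area 0
    return abr_into_area0(NSSA_LSDB, OFILTEROUT, RANGES, not_advertise=[])

def with_summary_address():
    # one 'summary-address <prefix> <mask> not-advertise' per BGP prefix
    return abr_into_area0(NSSA_LSDB, OFILTEROUT, RANGES,
                          not_advertise=["203.0.113.0/24", "198.51.100.0/24"])
```
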