[AusNOG] Cisco & Router OS help

Paul Gear ausnog at libertysys.com.au
Mon Nov 4 21:50:16 EST 2013


I'm curious: why are you redistributing BGP into OSPF?  Most of the wise 
routing people I've read suggest that this is rarely a good idea 
anyway.  Set up your area 1 ABRs to participate in iBGP, and then all 
you need to send into area 0 is your defaults (using default-information 
originate) and any local routes in area 1.

On 11/04/2013 04:54 PM, Alex Samad - Yieldbroker wrote:
>
> Hi
>
> I was hoping to not need 2 ospf process.
>
> I went to the 2 processes after reading up that area is for LSA 3, I also 
> looked at the distribute-list in and out, but from reading that has 
> issues because it blocks routes hitting the routing table effectively 
> causing black holes ... read but not tested
>
> Thought of the no advertise, but there are a lot of BGP routes 
> injected into OSPF area 1 and I would also like to protect myself from 
> misconfiguration as well.
>
> Alex
>
> From: J Williams [mailto:jphwilliams at gmail.com]
> Sent: Monday, 4 November 2013 5:45 PM
> To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Cisco & Router OS help
>
> Hi Alex,
>
> You shouldn't need 2 OSPF processes.
> First example looks like you are using the area filter-list command which 
> is meant for type 3 filtering.
> Try adding "summary-address <bgp_route> <bgp_route_mask> 
> not-advertise" to stop the type 7 to type 5 translation.
> The "area 10.172.0.0 range 10.172.0.0 255.255.0.0" will advertise the 
> summary route only.
>
> Hope this helps.
>
> Cheers,
> Jules
>
> On Mon, Nov 4, 2013 at 2:21 PM, Alex Samad - Yieldbroker 
> <Alex.Samad at yieldbroker.com> wrote:
>
> Hi
>
> Okay, brief description
>
> Area 0 with
> 2 x routerOS OSPF neighbours
> 2 x cisco switches/routers as OSPF
>
> Area 1
> 2 x cisco switches/routers as OSPF (same as above so ABR's)
> 2 x RouterOS which also have BGP -> extern services (ASBR's)
>
> I want to stop the routes I learn from BGP travelling from Area 1 into 
> Area 0 AND/or I would like to make sure that only 10.172.0.0/16 (and 
> subnets) are ever injected from area 1 to area 0
>
> These are the original commands I used on the cisco routers
>
> no router ospf 1
> no router ospf 2
> no ip prefix-list OFilterOut
> ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32
>
> router ospf 1
>  router-id 10.172.255.2
>  log-adjacency-changes
>  area 0.0.0.0 authentication message-digest
>  area 0.0.0.0 filter-list prefix OFilterOut in
>  area 10.172.0.0 authentication message-digest
>  area 10.172.0.0 nssa
>  area 10.172.0.0 filter-list prefix OFilterOut out
>  area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise
>  redistribute connected subnets
>  network 10.31.19.0 0.0.0.255 area 0.0.0.0
>  network 10.172.201.0 0.0.0.255 area 10.172.0.0
>  network 10.172.202.0 0.0.0.255 area 10.172.0.0
>  network 10.172.203.0 0.0.0.255 area 10.172.0.0
>  network 10.172.204.0 0.0.0.255 area 10.172.0.0
>  network 10.172.205.0 0.0.0.255 area 10.172.0.0
>  network 10.172.207.0 0.0.0.255 area 10.172.0.0
>  network 10.172.208.0 0.0.0.255 area 10.172.0.0
>  network 10.172.212.0 0.0.0.255 area 10.172.0.0
>  network 10.172.213.0 0.0.0.255 area 10.172.0.0
>  network 10.172.250.0 0.0.0.255 area 10.172.0.0
>  network 10.172.255.2 0.0.0.0 area 10.172.0.0
>
>
> Then I tried what was in the cisco document
>
> no ip prefix-list OFilterOut
> ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32
>
> !! in list into router ospf 2 from ospf 1
> no route-map filter_ospf1
> route-map filter_ospf1 deny 10
> match tag 1
> route-map filter_ospf1 permit 20
>
>
> !! in list into router ospf 1 from ospf 2
> no route-map filter_ospf2
> route-map filter_ospf2 deny 10
> match tag 2
> route-map filter_ospf2 permit 20
> match ip  address prefix-list OFilterOut
> route-map filter_ospf2 deny 30
>
>
> // ybosw1
> no router ospf 1
> no router ospf 2
> router ospf 1
>  router-id 10.31.19.253
>  log-adjacency-changes
>  area 0.0.0.0 authentication message-digest
>  network 10.31.19.0 0.0.0.255 area 0.0.0.0
>  redistribute ospf 2 subnet tag 1
>  distribute-list route-map filter_ospf2 in
>
>
>
> router ospf 2
>  router-id 10.172.255.2
>  log-adjacency-changes
>  area 10.172.0.0 authentication message-digest
>  area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise
>  network 10.172.201.0 0.0.0.255 area 10.172.0.0
>  network 10.172.202.0 0.0.0.255 area 10.172.0.0
>  network 10.172.203.0 0.0.0.255 area 10.172.0.0
>  network 10.172.204.0 0.0.0.255 area 10.172.0.0
>  network 10.172.205.0 0.0.0.255 area 10.172.0.0
>  network 10.172.207.0 0.0.0.255 area 10.172.0.0
>  network 10.172.208.0 0.0.0.255 area 10.172.0.0
>  network 10.172.212.0 0.0.0.255 area 10.172.0.0
>  network 10.172.213.0 0.0.0.255 area 10.172.0.0
>  network 10.172.250.0 0.0.0.255 area 10.172.0.0
>  network 10.172.255.2 0.0.0.0 area 10.172.0.0
> !! redistribute connected subnets
>  redistribute ospf 1 subnet tag 2
>  distribute-list route-map filter_ospf1 in
>
>
> Both times I checked on the routerOS boxes in area 0, all the routes 
> from BGP have made it to area 0.
>
> Checking
>
> sh ip ospf 1 database
> sh ip ospf 2 database
>
>
> shows the BGP routes in both databases
>
> Interestingly I tried it with the route-map as just a deny all and the 
> addresses still made it in......
>
>
> Thanks
> Alex
>
>
>
> > -----Original Message-----
> > From: Mark ZZZ Smith [mailto:markzzzsmith at yahoo.com.au]
> > Sent: Monday, 4 November 2013 2:02 PM
> > To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net
> > Subject: Re: [AusNOG] Cisco & Router OS help
> >
> > ----- Original Message -----
> > > From: Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com>
> > > To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> > > Cc:
> > > Sent: Monday, 4 November 2013 1:01 PM
> > > Subject: [AusNOG] Cisco & Router OS help
> > >
> > > Hi
> > >
> > > I got lots of help with my RouterOS problem before, wondering if I can
> > > find somebody to help with my new problem.
> > >
> > > OSPF & Cisco & RouterOS, this is an issue of filtering OSPF LSAs at an
> > > ABR.
> > >
> > > What I am referring to is
> > >
> > > http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080531fd2.shtml#prefixadmin
> > >
> > > "There can be several reasons for redistribution between multiple
> > > processes. These are a few examples:
> > > To filter an OSPF route from part of the domain
> > > To separate different OSPF domains
> > > To migrate between separate domains"
> > >
> > > The first option "To filter an OSPF route from part of the domain"
> > > just doesn't seem to be working for me and I am not sure if it's my
> > > reading of the cisco or some strange thing of RouterOS or ...
> > >
> > > I am sure I am running into a gotcha that I don't know about.
> > >
> > > If you can email me off list please
> > >
> >
> > I think on-list might be better so that archive/Internet searches 
> etc. later
> > show it up.
> >
> > It's a long time since I've done it/knew about it, however my guess is that
> > you might be falling into the Cisco "reverse bitmask" problem of subnet
> > masks versus ACLs. Route filters using ACLs use ACL format masks, not
> > subnet masks, so if you want to filter e.g. 192.168.0.0/24, your Cisco "ACL"
> > route filter would look something like "192.168.0.0 0.0.0.255". Check the
> > details, my memory might be incorrect.
> >
> > This was one of the reasons why using route-maps for route filtering was
> > much more intuitive, as they could then refer to prefix-lists, and prefix lists
> > followed standard subnet/prefix length conventions. If you have the option
> > of using route-maps to do your OSPF redistribution, I'd use them instead.
> >
> > (There are some traps with them too though - if there is a deny statement at
> > the end of one of the match prefix-lists (which I do to make the deny
> > explicit, similar to the ACL convention of doing it), it bails on that route-map
> > clause and then moves onto the next one. I've literally spent a day trying to
> > work out why there were never any matches on my second prefix list in the
> > match statement. A good rule is to never try to match multiple prefix lists in
> > one route-map clause, and to create another to match on it.)
> >
> >
> > Regards,
> > Mark.
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
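An added example, not code from the thread or from Cisco: a small Python model of the two filter formats Mark's reply contrasts (ACL wildcard masks versus IOS prefix-lists), evaluated against Alex's own `OFilterOut` entry. The sample routes are constructed; 203.0.113.0/24 is documentation space standing in for a BGP-learned prefix, and the 192.168.0.x addresses are hypothetical.

```python
import ipaddress

IPV4_ALL_ONES = 0xFFFFFFFF

def subnet_mask_to_wildcard(mask: str) -> str:
    """Cisco ACL wildcard is the bitwise inverse: 255.255.255.0 -> 0.0.0.255."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ IPV4_ALL_ONES))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ IPV4_ALL_ONES
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def prefix_entry_matches(route: str, prefix: str, ge=None, le=None) -> bool:
    """IOS prefix-list entry: the route must lie inside `prefix` and its length
    must fall within [ge, le]. With neither keyword the length must match
    exactly; with only `le` the lower bound is the entry's own length."""
    r = ipaddress.ip_network(route, strict=False)
    p = ipaddress.ip_network(prefix, strict=False)
    lo = p.prefixlen if ge is None else ge
    hi = le if le is not None else (p.prefixlen if ge is None else 32)
    return r.subnet_of(p) and lo <= r.prefixlen <= hi

def prefix_list_permits(entries, route: str) -> bool:
    """First matching sequence wins; an unmatched route hits the implicit deny."""
    for action, prefix, ge, le in entries:
        if prefix_entry_matches(route, prefix, ge, le):
            return action == "permit"
    return False

# The thread's own list: `ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32`.
OFILTER_OUT = [("permit", "10.172.0.0/16", None, 32)]

if __name__ == "__main__":
    # Constructed sample routes: two area-1 internals and a BGP-learned prefix
    # (203.0.113.0/24 is documentation space, standing in for a real external).
    for route in ("10.172.201.0/24", "10.172.255.2/32", "203.0.113.0/24", "10.0.0.0/8"):
        print(route, "permit" if prefix_list_permits(OFILTER_OUT, route) else "deny")
    # Mark's trap: giving IOS a subnet mask where it expects a wildcard turns a
    # 192.168.0.0/24 filter into "any address whose last octet is 0".
    print(wildcard_match("192.168.0.37", "192.168.0.0", "0.0.0.255"))      # True
    print(wildcard_match("192.168.0.37", "192.168.0.0", "255.255.255.0"))  # False
    print(wildcard_match("10.99.55.0", "192.168.0.0", "255.255.255.0"))     # True
    print(subnet_mask_to_wildcard("255.255.255.0"))                         # 0.0.0.255
```

The prefix-list model shows why `OFilterOut` permits every 10.172/16 subnet but nothing outside it; the wildcard model shows how an inverted mask silently matches the wrong addresses instead of failing loudly.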
