<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I'm curious: why are you redistributing
BGP into OSPF? Most of the wise routing people I've read suggest
that this is rarely a good idea anyway. Set up your area 1 ABRs
to participate in iBGP, and then all you need to send into area 0
is your defaults (using default-information originate) and any
local routes in area 1.<br>
<br>
On 11/04/2013 04:54 PM, Alex Samad - Yieldbroker wrote:<br>
</div>
<blockquote
cite="mid:A3FB5D9FD28C50429DF7692DC31054E6066B7549@DC1INTADCW8201.yieldbroker.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span>Hi</span></p>
<p class="MsoNormal"><span> </span></p>
        <p class="MsoNormal"><span>I was hoping not to need 2 OSPF
            processes.</span></p>
        <p class="MsoNormal"><span>I went to the 2 processes after reading
            up that area is for LSA 3. I also looked at the
            distribute-list in and out, but from reading, that has issues
            because it blocks routes hitting the routing table,
            effectively causing black holes … read but not tested.
          </span></p>
<p class="MsoNormal"><span> </span></p>
        <p class="MsoNormal"><span>Thought of the no advertise, but
            there are a lot of BGP routes injected into OSPF area 1 and
            I would also like to protect myself from misconfiguration
            as well.</span></p>
<p class="MsoNormal"><span> </span></p>
<p class="MsoNormal"><span>Alex</span></p>
<p class="MsoNormal"><span> </span></p>
<div>
<div>
<div>
<p class="MsoNormal"><b><span lang="EN-US">From:</span></b><span
lang="EN-US"> J Williams
[<a class="moz-txt-link-freetext" href="mailto:jphwilliams@gmail.com">mailto:jphwilliams@gmail.com</a>]
<br>
<b>Sent:</b> Monday, 4 November 2013 5:45 PM<br>
<b>To:</b> Alex Samad - Yieldbroker;
<a class="moz-txt-link-abbreviated" href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
<b>Subject:</b> Re: [AusNOG] Cisco & Router OS
help</span></p>
</div>
</div>
<p class="MsoNormal"> </p>
<div>
<div>
<div>
<p class="MsoNormal">Hi Alex,</p>
</div>
<p class="MsoNormal">You shouldn't need 2 OSPF processes.<br>
First example looks like you are using area filter-list
command which is meant for type3 filtering.<br>
                Try adding "summary-address <i>&lt;bgp_route&gt;</i> <i>&lt;bgp_route_mask&gt;</i>
                not-advertise" to stop the type7 to type5 translation.<br>
The "area 10.172.0.0 range 10.172.0.0 255.255.0.0" will
advertise the summary route only.</p>
</div>
<p class="MsoNormal">Hope this helps.<br>
<br>
Cheers,<br>
Jules</p>
<div>
<p class="MsoNormal"> </p>
</div>
</div>
<div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">On Mon, Nov 4, 2013 at 2:21 PM, Alex
Samad - Yieldbroker <<a moz-do-not-send="true"
href="mailto:Alex.Samad@yieldbroker.com"
target="_blank">Alex.Samad@yieldbroker.com</a>>
wrote:</p>
                <p class="MsoNormal">Hi<br>
<br>
Okay brief description<br>
<br>
Area 0 with<br>
2 x routerOS OSPF neighbours<br>
2 x cisco switches/routers as OSPF<br>
<br>
Area 1<br>
2 x cisco switches/routers as OSPF (same as above so
ABR's)<br>
                  2 x RouterOS which also have BGP -> extern services
                  (ASBR's)<br>
                  <br>
                  I want to stop the routes I learn from BGP travelling
                  from Area 1 into<br>
                  Area 0 AND/or I would like to make sure that only <a
                    moz-do-not-send="true" href="http://10.172.0.0/16"
                    target="_blank">
                    10.172.0.0/16</a> (and subnets) are ever injected
                  from area1 to area0<br>
                  <br>
                  These are the original commands I used on the Cisco routers<br>
<br>
no router ospf 1<br>
no router ospf 2<br>
no ip prefix-list OFilterOut<br>
ip prefix-list OFilterOut seq 10 permit <a
moz-do-not-send="true" href="http://10.172.0.0/16"
target="_blank">
10.172.0.0/16</a> le 32<br>
<br>
router ospf 1<br>
router-id 10.172.255.2<br>
log-adjacency-changes<br>
area 0.0.0.0 authentication message-digest<br>
area 0.0.0.0 filter-list prefix OFilterOut in<br>
area 10.172.0.0 authentication message-digest<br>
area 10.172.0.0 nssa<br>
area 10.172.0.0 filter-list prefix OFilterOut out<br>
area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise<br>
redistribute connected subnets<br>
network 10.31.19.0 0.0.0.255 area 0.0.0.0<br>
network 10.172.201.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.202.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.203.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.204.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.205.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.207.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.208.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.212.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.213.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.250.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.255.2 0.0.0.0 area 10.172.0.0<br>
<br>
<br>
Then I tried what was in the cisco document<br>
<br>
no ip prefix-list OFilterOut<br>
ip prefix-list OFilterOut seq 10 permit <a
moz-do-not-send="true" href="http://10.172.0.0/16"
target="_blank">
10.172.0.0/16</a> le 32<br>
<br>
!! in list into router ospf 2 from ospf 1<br>
no route-map filter_ospf1<br>
route-map filter_ospf1 deny 10<br>
match tag 1<br>
route-map filter_ospf1 permit 20<br>
<br>
<br>
!! in list into router ospf 1 from ospf 2<br>
no route-map filter_ospf2<br>
route-map filter_ospf2 deny 10<br>
match tag 2<br>
route-map filter_ospf2 permit 20<br>
match ip address prefix-list OFilterOut<br>
route-map filter_ospf2 deny 30<br>
<br>
<br>
// ybosw1<br>
no router ospf 1<br>
no router ospf 2<br>
router ospf 1<br>
router-id 10.31.19.253<br>
log-adjacency-changes<br>
area 0.0.0.0 authentication message-digest<br>
network 10.31.19.0 0.0.0.255 area 0.0.0.0<br>
redistribute ospf 2 subnet tag 1<br>
distribute-list route-map filter_ospf2 in<br>
<br>
<br>
<br>
router ospf 2<br>
router-id 10.172.255.2<br>
log-adjacency-changes<br>
area 10.172.0.0 authentication message-digest<br>
area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise<br>
network 10.172.201.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.202.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.203.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.204.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.205.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.207.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.208.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.212.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.213.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.250.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.255.2 0.0.0.0 area 10.172.0.0<br>
!! redistribute connected subnets<br>
redistribute ospf 1 subnet tag 2<br>
distribute-list route-map filter_ospf1 in<br>
<br>
<br>
Both times I checked on the routerOS boxes in area 0,
all the routes from BGP have made it to area 0.<br>
<br>
Checking<br>
<br>
sh ip ospf 1 database<br>
sh ip ospf 2 database<br>
<br>
<br>
shows the BGP routes in both databases<br>
<br>
Interestingly I tried it with the routemap as just a
deny all and the addresses still made it in......<br>
<br>
<br>
Thanks<br>
<span class="hoenzb"><span>Alex</span></span></p>
<div>
<div>
<p class="MsoNormal"><br>
<br>
> -----Original Message-----<br>
> From: Mark ZZZ Smith [mailto:<a
moz-do-not-send="true"
href="mailto:markzzzsmith@yahoo.com.au">markzzzsmith@yahoo.com.au</a>]<br>
> Sent: Monday, 4 November 2013 2:02 PM<br>
> To: Alex Samad - Yieldbroker; <a
moz-do-not-send="true"
href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
> Subject: Re: [AusNOG] Cisco & Router OS
help<br>
><br>
><br>
><br>
><br>
><br>
> ----- Original Message -----<br>
> > From: Alex Samad - Yieldbroker <<a
moz-do-not-send="true"
href="mailto:Alex.Samad@yieldbroker.com">Alex.Samad@yieldbroker.com</a>><br>
> > To: "<a moz-do-not-send="true"
href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>"
<<a moz-do-not-send="true"
href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>><br>
> > Cc:<br>
> > Sent: Monday, 4 November 2013 1:01 PM<br>
> > Subject: [AusNOG] Cisco & Router OS
help<br>
> ><br>
> > Hi<br>
> ><br>
> > I got lots of help with my RouterOS
problem before, wondering if I can<br>
> > find somebody to help with my new problem.<br>
> ><br>
                    > > OSPF & Cisco & RouterOS, this is
                    an issue of filtering OSPF LSAs at an<br>
                    > > ABR.<br>
> ><br>
> > What I am ref is<br>
> ><br>
                    > > <a moz-do-not-send="true"
href="http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080531fd2.shtml#prefixadmin"
                      target="_blank">
http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080531fd2.shtml#prefixadmin</a><br>
                    > > ""<br>
                    > > There can be several reasons for
                    redistribution between multiple processes.<br>
                    > > These are a few examples:<br>
                    > > To filter an OSPF route from part of the
                    domain<br>
                    > > To separate different OSPF domains<br>
                    > > To migrate between separate domains ""<br>
> ><br>
> > The first option "To filter an OSPF route
from part of the domain"<br>
> > just doesn't seem to be working for me and
I am not sure if it's my<br>
> > reading of the cisco or some strange thing
of RouterOS or ...<br>
> ><br>
> > I am sure I am running into a gotcha that
I don't know about.<br>
> ><br>
> > If you can email me off list please<br>
> ><br>
><br>
> I think on-list might be better so that
archive/Internet searches etc. later<br>
> show it up.<br>
><br>
> It's a long time since I've done it/knew about
it, however my guess is that<br>
> you might be falling into the Cisco "reverse
bitmask" problem of subnet<br>
                    > masks versus ACLs. Route filters using ACLs use
ACL format masks, not<br>
> subnet masks, so if you want to filter e.g. <a
moz-do-not-send="true"
href="http://192.168.0.0/24" target="_blank">
192.168.0.0/24</a>, your Cisco "ACL"<br>
> route filter would look something like
"192.168.0.0 0.0.0.255". Check the<br>
> details, my memory might be incorrect.<br>
><br>
> This was one of the reasons why using
route-maps for route filtering was<br>
> much more intuitive, as they could then refer
to prefix-lists, and prefix lists<br>
> followed standard subnet/prefix length
conventions. If you have the option<br>
> of using route-maps to do your OSPF
redistribution, I'd use them instead.<br>
><br>
> (There are some traps with them too though - if
there is a deny statement at<br>
> the end of one of the match prefix-lists (which
I do to make the deny<br>
> explicit, similar to the ACL convention of
doing it), it bails on that route-map<br>
> clause and then moves onto the next one. I've
literally spent a day trying to<br>
> work out why there were never any matches on my
second prefix list in the<br>
> match statement. A good rule is to never try to
match multiple prefix lists in<br>
> one route-map clause, and to create another to
match on it.)<br>
><br>
><br>
> Regards,<br>
> Mark.<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a moz-do-not-send="true"
href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a moz-do-not-send="true"
href="http://lists.ausnog.net/mailman/listinfo/ausnog"
target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a></p>
</div>
</div>
</div>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
<br>
</blockquote>
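<p>The prefix-list and ACL-mask matching discussed in this thread, as an added example that is not part of the original messages: it evaluates the OFilterOut entry against a list of prefixes to show which ones should never appear in area 0, and shows what happens when a subnet mask is typed where an ACL wildcard belongs. The sample routes and all function names are constructed for illustration.</p>
<pre>
```python
import ipaddress

# Policy from the thread: ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32
POLICY = ("10.172.0.0/16", None, 32)

# Constructed sample of prefixes seen in area 0 (not taken from the thread).
SAMPLE_AREA0 = ["10.172.201.0/24", "10.172.255.2/32", "10.172.0.0/16",
                "203.0.113.0/24", "198.51.100.0/24", "10.0.0.0/8"]

def prefix_list_permits(route, entry, ge=None, le=None):
    """One prefix-list permit entry: the route's leading bits must equal the
    entry's, and its length must fall in the ge/le window (exact if neither)."""
    route = ipaddress.ip_network(route)
    entry = ipaddress.ip_network(entry)
    if ge is None and le is None:
        low = high = entry.prefixlen
    else:
        low = entry.prefixlen if ge is None else ge
        high = 32 if le is None else le
    return route.subnet_of(entry) and route.prefixlen in range(low, high + 1)

def leaked_routes(routes, policy=POLICY):
    """Prefixes the policy would not permit; any seen in area 0 is a leak."""
    entry, ge, le = policy
    return [r for r in routes if not prefix_list_permits(r, entry, ge, le)]

def acl_wildcard(prefix):
    """ACL-format (inverted) mask for a prefix, e.g. /24 gives 0.0.0.255."""
    return str(ipaddress.ip_network(prefix).hostmask)

def acl_matches(address, base, wildcard):
    """ACL match: bits set in the wildcard are ignored, the rest must be equal."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (address, base, wildcard))
    return ((a ^ b) & (w ^ 0xFFFFFFFF)) == 0

if __name__ == "__main__":
    print("not permitted by OFilterOut:", leaked_routes(SAMPLE_AREA0))
    print("wildcard for 192.168.0.0/24:", acl_wildcard("192.168.0.0/24"))
    # Subnet mask typed where a wildcard belongs: only the last octet is compared.
    print("10.1.2.0 matches with 255.255.255.0:",
          acl_matches("10.1.2.0", "192.168.0.0", "255.255.255.0"))
```
</pre>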
<br>
</body>
</html>