<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-AU" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I was hoping to not need 2 OSPF processes.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I went to the 2 processes after reading up that area is for LSA 3. I also looked at the distribute-list in and out, but from reading, that has an issue because it
blocks routes hitting the routing table, effectively causing black holes … read but not tested
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thought of the no advertise, but there are a lot of BGP routes injected into OSPF area 1 and I would also like to protect myself from misconfiguration as
well.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Alex<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> J Williams [mailto:jphwilliams@gmail.com]
<br>
<b>Sent:</b> Monday, 4 November 2013 5:45 PM<br>
<b>To:</b> Alex Samad - Yieldbroker; ausnog@lists.ausnog.net<br>
<b>Subject:</b> Re: [AusNOG] Cisco & Router OS help<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Hi Alex,<o:p></o:p></p>
</div>
<p class="MsoNormal">You shouldn't need 2 OSPF processes.<br>
First example looks like you are using area filter-list command which is meant for type3 filtering.<br>
Try adding "summary-address <i>&lt;bgp_route&gt;</i> <i>&lt;bgp_route_mask&gt;</i> not-advertise" to stop the type7 to type5 translation.<br>
The "area 10.172.0.0 range 10.172.0.0 255.255.0.0" will advertise the summary route only.<o:p></o:p></p>
</div>
<p class="MsoNormal">Hope this helps.<br>
<br>
Cheers,<br>
Jules<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Nov 4, 2013 at 2:21 PM, Alex Samad - Yieldbroker <<a href="mailto:Alex.Samad@yieldbroker.com" target="_blank">Alex.Samad@yieldbroker.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Hi<br>
<br>
Okay brief description<br>
<br>
Area 0 with<br>
2 x routerOS OSPF neighbours<br>
2 x cisco switches/routers as OSPF<br>
<br>
Area 1<br>
2 x cisco switches/routers as OSPF (same as above so ABRs)<br>
2 x RouterOS which also have BGP -> extern services (ASBRs)<br>
<br>
I want to stop the routes I learn from BGP travelling from Area 1 into<br>
Area 0 AND/or I would like to make sure that only 10.172.0.0/16 (and subnets) are ever injected from area1 to area0<br>
<br>
These are the original commands I used on the cisco routers<br>
<br>
no router ospf 1<br>
no router ospf 2<br>
no ip prefix-list OFilterOut<br>
ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32<br>
<br>
router ospf 1<br>
router-id 10.172.255.2<br>
log-adjacency-changes<br>
area 0.0.0.0 authentication message-digest<br>
area 0.0.0.0 filter-list prefix OFilterOut in<br>
area 10.172.0.0 authentication message-digest<br>
area 10.172.0.0 nssa<br>
area 10.172.0.0 filter-list prefix OFilterOut out<br>
area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise<br>
redistribute connected subnets<br>
network 10.31.19.0 0.0.0.255 area 0.0.0.0<br>
network 10.172.201.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.202.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.203.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.204.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.205.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.207.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.208.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.212.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.213.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.250.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.255.2 0.0.0.0 area 10.172.0.0<br>
<br>
<br>
Then I tried what was in the cisco document<br>
<br>
no ip prefix-list OFilterOut<br>
ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32<br>
<br>
!! in list into router ospf 2 from ospf 1<br>
no route-map filter_ospf1<br>
route-map filter_ospf1 deny 10<br>
match tag 1<br>
route-map filter_ospf1 permit 20<br>
<br>
<br>
!! in list into router ospf 1 from ospf 2<br>
no route-map filter_ospf2<br>
route-map filter_ospf2 deny 10<br>
match tag 2<br>
route-map filter_ospf2 permit 20<br>
match ip address prefix-list OFilterOut<br>
route-map filter_ospf2 deny 30<br>
<br>
<br>
// ybosw1<br>
no router ospf 1<br>
no router ospf 2<br>
router ospf 1<br>
router-id 10.31.19.253<br>
log-adjacency-changes<br>
area 0.0.0.0 authentication message-digest<br>
network 10.31.19.0 0.0.0.255 area 0.0.0.0<br>
redistribute ospf 2 subnet tag 1<br>
distribute-list route-map filter_ospf2 in<br>
<br>
<br>
<br>
router ospf 2<br>
router-id 10.172.255.2<br>
log-adjacency-changes<br>
area 10.172.0.0 authentication message-digest<br>
area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise<br>
network 10.172.201.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.202.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.203.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.204.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.205.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.207.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.208.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.212.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.213.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.250.0 0.0.0.255 area 10.172.0.0<br>
network 10.172.255.2 0.0.0.0 area 10.172.0.0<br>
!! redistribute connected subnets<br>
redistribute ospf 1 subnet tag 2<br>
distribute-list route-map filter_ospf1 in<br>
<br>
<br>
Both times I checked on the routerOS boxes in area 0, all the routes from BGP have made it to area 0.<br>
<br>
Checking<br>
<br>
sh ip ospf 1 database<br>
sh ip ospf 2 database<br>
<br>
<br>
shows the BGP routes in both databases<br>
<br>
Interestingly I tried it with the route-map as just a deny all and the addresses still made it in......<br>
<br>
<br>
Thanks<br>
<span class="hoenzb"><span style="color:#888888">Alex</span></span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
<br>
> -----Original Message-----<br>
> From: Mark ZZZ Smith [mailto:<a href="mailto:markzzzsmith@yahoo.com.au">markzzzsmith@yahoo.com.au</a>]<br>
> Sent: Monday, 4 November 2013 2:02 PM<br>
> To: Alex Samad - Yieldbroker; <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
> Subject: Re: [AusNOG] Cisco & Router OS help<br>
><br>
><br>
><br>
><br>
><br>
> ----- Original Message -----<br>
> > From: Alex Samad - Yieldbroker <<a href="mailto:Alex.Samad@yieldbroker.com">Alex.Samad@yieldbroker.com</a>><br>
> > To: "<a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>" <<a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a>><br>
> > Cc:<br>
> > Sent: Monday, 4 November 2013 1:01 PM<br>
> > Subject: [AusNOG] Cisco & Router OS help<br>
> ><br>
> > Hi<br>
> ><br>
> > I got lots of help with my RouterOS problem before, wondering if I can<br>
> > find somebody to help with my new problem.<br>
> ><br>
> > OSPF & Cisco & RouterOS, this is an issue of filtering OSPF LSAs at an<br>
> > ABR.<br>
> ><br>
> > What I am referring to is<br>
> ><br>
> > <a href="http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080531fd2.shtml#prefixadmin" target="_blank">http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080531fd2.shtml#prefixadmin</a><br>
> > ""<br>
> > There can be several reasons for redistribution between multiple processes.<br>
> > These are a few examples:<br>
> > To filter an OSPF route from part of the domain<br>
> > To separate different OSPF domains<br>
> > To migrate between separate domains<br>
> > ""<br>
> ><br>
> > The first option "To filter an OSPF route from part of the domain"<br>
> > just doesn't seem to be working for me and I am not sure if it's my<br>
> > reading of the cisco or some strange thing of RouterOS or ...<br>
> ><br>
> > I am sure I am running into a gotcha that I don't know about.<br>
> ><br>
> > If you can email me off list please<br>
> ><br>
><br>
> I think on-list might be better so that archive/Internet searches etc. later<br>
> show it up.<br>
><br>
> It's a long time since I've done it/knew about it, however my guess is that<br>
> you might be falling into the Cisco "reverse bitmask" problem of subnet<br>
> masks versus ACLs. Route filters using ACLs use ACL format masks, not<br>
> subnet masks, so if you want to filter e.g. 192.168.0.0/24, your Cisco "ACL"<br>
> route filter would look something like "192.168.0.0 0.0.0.255". Check the<br>
> details, my memory might be incorrect.<br>
><br>
> This was one of the reasons why using route-maps for route filtering was<br>
> much more intuitive, as they could then refer to prefix-lists, and prefix lists<br>
> followed standard subnet/prefix length conventions. If you have the option<br>
> of using route-maps to do your OSPF redistribution, I'd use them instead.<br>
><br>
> (There are some traps with them too though - if there is a deny statement at<br>
> the end of one of the match prefix-lists (which I do to make the deny<br>
> explicit, similar to the ACL convention of doing it), it bails on that route-map<br>
> clause and then moves onto the next one. I've literally spent a day trying to<br>
> work out why there were never any matches on my second prefix list in the<br>
> match statement. A good rule is to never try to match multiple prefix lists in<br>
> one route-map clause, and to create another to match on it.)<br>
><br>
><br>
> Regards,<br>
> Mark.<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
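<p class="MsoNormal">Added example, not part of any message in the thread: a Python model of how the OFilterOut prefix-list and an ACL wildcard mask match prefixes, usable to audit which prefixes seen in area 0 fall outside 10.172.0.0/16. The tuple layout, the function names and the OBSERVED sample are assumptions made for this example.</p>

```python
import ipaddress

# From the thread: ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32
# The tuple layout (seq, action, prefix, ge, le) is this example's own convention.
OFILTEROUT = [(10, "permit", "10.172.0.0/16", None, 32)]

# Constructed sample: prefixes arriving in area 0 from area 1.
OBSERVED = ["10.172.0.0/16", "10.172.201.0/24", "203.0.113.0/24",
            "10.172.255.2/32", "0.0.0.0/0"]


def prefix_list_permits(entries, route):
    """IOS-style prefix-list: lowest seq first, first match wins, implicit deny."""
    net = ipaddress.ip_network(route)
    for _seq, action, prefix, ge, le in sorted(entries, key=lambda e: e[0]):
        base = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = base.prefixlen          # no ge/le: exact length only
        else:
            lo = base.prefixlen if ge is None else ge
            hi = 32 if le is None else le     # ge alone runs up to /32
        if lo <= net.prefixlen <= hi and net.subnet_of(base):
            return action == "permit"
    return False


def leaked(entries, observed):
    """Prefixes the filter would not permit, i.e. ones that should not be present."""
    return [r for r in observed if not prefix_list_permits(entries, r)]


def acl_matches(route_addr, base, wildcard):
    """ACL-style match: wildcard bits set to 1 are ignored, the rest must equal base."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (route_addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


if __name__ == "__main__":
    print("unexpected in area 0:", leaked(OFILTEROUT, OBSERVED))
    # Wildcard mask for 192.168.0.0/24 versus a subnet mask typed by mistake:
    print(acl_matches("10.1.2.0", "192.168.0.0", "0.0.0.255"))      # wildcard mask
    print(acl_matches("10.1.2.0", "192.168.0.0", "255.255.255.0"))  # subnet mask
```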
</body>
</html>