[AusNOG] Cisco & Router OS help

Alex Samad - Yieldbroker Alex.Samad at yieldbroker.com
Mon Nov 4 17:54:00 EST 2013


Hi

I was hoping to not need 2 ospf process.
I went to the 2 process after reading up tha area is for LSA 3, I also looked at the distribute-list in and out, but from reading that has issue because it blocks routes hitting the routing table effectively causing black holes ... read but not tested

Thought of the no advertise, but there are a lot of BGP routes injected into OSPF area 1 and I would also like to protect myself from miss configuration as well..

Alex

From: J Williams [mailto:jphwilliams at gmail.com]
Sent: Monday, 4 November 2013 5:45 PM
To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Cisco & Router OS help

Hi Alex,
You shouldn't need 2 OSPF processes.
First example looks like you are using area filter-list command which is meant for type3 filtering.
Try adding "summary-address <bgp_route> <bgp_route_mask> not-advertise" to stop the type7 to type5 translation.
The "area 10.172.0.0 range 10.172.0.0 255.255.0.0" will advertise the summary route only.
Hope this helps.

Cheers,
Jules


On Mon, Nov 4, 2013 at 2:21 PM, Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com<mailto:Alex.Samad at yieldbroker.com>> wrote:
HI

Okay brief description

Area 0 with
2 x routerOS OSPF neighbours
2 x cisco switches/routers as OSPF

 Area 1
2 x cisco switches/routers as OSPF (same as above so ABR's)
2 x RouterOS which also have BGP -> extern services (ASBR's_

 I want to stop the routes I learn from BGP travelling from Area 1 into
 Area 0 AND/or I would like to make sure that only 10.172.0.0/16<http://10.172.0.0/16> (and subnets) are only ever inject from from area1 to area0

This is my original commands I used on the cisco routers

no router ospf 1
no router ospf 2
no ip prefix-list OFilterOut
ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16<http://10.172.0.0/16> le 32

router ospf 1
 router-id 10.172.255.2
 log-adjacency-changes
 area 0.0.0.0 authentication message-digest
 area 0.0.0.0 filter-list prefix OFilterOut in
 area 10.172.0.0 authentication message-digest
 area 10.172.0.0 nssa
 area 10.172.0.0 filter-list prefix OFilterOut out
area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise
 redistribute connected subnets
network 10.31.19.0 0.0.0.255 area 0.0.0.0
 network 10.172.201.0 0.0.0.255 area 10.172.0.0
 network 10.172.202.0 0.0.0.255 area 10.172.0.0
 network 10.172.203.0 0.0.0.255 area 10.172.0.0
 network 10.172.204.0 0.0.0.255 area 10.172.0.0
 network 10.172.205.0 0.0.0.255 area 10.172.0.0
 network 10.172.207.0 0.0.0.255 area 10.172.0.0
 network 10.172.208.0 0.0.0.255 area 10.172.0.0
 network 10.172.212.0 0.0.0.255 area 10.172.0.0
 network 10.172.213.0 0.0.0.255 area 10.172.0.0
 network 10.172.250.0 0.0.0.255 area 10.172.0.0
 network 10.172.255.2 0.0.0.0 area 10.172.0.0


Then I tried what was in the cisco document

no ip prefix-list OFilterOut
ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16<http://10.172.0.0/16> le 32

!! in list into router ospf 2 from ospf 1
no route-map filter_ospf1
route-map filter_ospf1 deny 10
match tag 1
route-map filter_ospf1 permit 20


!! in list into router ospf 1 from ospf 2
no route-map filter_ospf2
route-map filter_ospf2 deny 10
match tag 2
route-map filter_ospf2 permit 20
match ip  address prefix-list OFilterOut
route-map filter_ospf2 deny 30


// ybosw1
no router ospf 1
no router ospf 2
router ospf 1
 router-id 10.31.19.253
 log-adjacency-changes
 area 0.0.0.0 authentication message-digest
 network 10.31.19.0 0.0.0.255 area 0.0.0.0
 redistribute ospf 2 subnet tag 1
 distribute-list route-map filter_ospf2 in



router ospf 2
 router-id 10.172.255.2
 log-adjacency-changes
 area 10.172.0.0 authentication message-digest
 area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise
 network 10.172.201.0 0.0.0.255 area 10.172.0.0
 network 10.172.202.0 0.0.0.255 area 10.172.0.0
 network 10.172.203.0 0.0.0.255 area 10.172.0.0
 network 10.172.204.0 0.0.0.255 area 10.172.0.0
 network 10.172.205.0 0.0.0.255 area 10.172.0.0
 network 10.172.207.0 0.0.0.255 area 10.172.0.0
 network 10.172.208.0 0.0.0.255 area 10.172.0.0
 network 10.172.212.0 0.0.0.255 area 10.172.0.0
 network 10.172.213.0 0.0.0.255 area 10.172.0.0
 network 10.172.250.0 0.0.0.255 area 10.172.0.0
 network 10.172.255.2 0.0.0.0 area 10.172.0.0
!! redistribute connected subnets
 redistribute ospf 1 subnet tag 2
 distribute-list route-map filter_ospf1 in


Both times I checked on the routerOS boxes in area 0, all the routes from BGP have  made it to area 0.

Checking

sh ip ospf 1 database
sh ip ospf 2 database


shows the BGP routes in both databases

Interestingly I tried it with the routemap as just a deny all and the addresses still made it in......


Thanks
Alex


> -----Original Message-----
> From: Mark ZZZ Smith [mailto:markzzzsmith at yahoo.com.au<mailto:markzzzsmith at yahoo.com.au>]
> Sent: Monday, 4 November 2013 2:02 PM
> To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>
> Subject: Re: [AusNOG] Cisco & Router OS help
>
>
>
>
>
> ----- Original Message -----
> > From: Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com<mailto:Alex.Samad at yieldbroker.com>>
> > To: "ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>" <ausnog at lists.ausnog.net<mailto:ausnog at lists.ausnog.net>>
> > Cc:
> > Sent: Monday, 4 November 2013 1:01 PM
> > Subject: [AusNOG] Cisco & Router OS help
> >
> > Hi
> >
> > I got lots of help with my RouterOS problem before, wondering if I can
> > find somebody to help with my new problem.
> >
> > OSPF & Cisco & RouterOS, this is an issue of filter OSPF LSA's at a
> > ABR.
> >
> > What I am ref is
> >
> http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a
> 00
> > 80531fd2.shtml#prefixadmin
> > ""
> > There can be several reasons for redistribution between multiple
> processes.
> > These are a few examples:
> > To filter an OSPF route from part of the domain To separate different
> > OSPF domains To migrate between separate domains ""
> >
> > The first option "To filter an OSPF route from part of the domain"
> > just doesn't seem to be working for me and I am not sure if it's my
> > reading of the cisco or some strange thing of RouterOS or ...
> >
> > I am sure I am running into a gotcha that I don't know about.
> >
> > If you can email me off list please
> >
>
> I think on-list might be better so that archive/Internet searches etc. later
> show it up.
>
> It's a long time since I've done it/knew about it, however my guess is that
> you might be falling into the Cisco "reverse bitmask" problem of subnet
> masks verses ACLs. Route filters using ACLs use ACL format masks, not
> subnet masks, so if you want to filter e.g. 192.168.0.0/24<http://192.168.0.0/24>, your Cisco "ACL"
> route filter would look something like "192.168.0.0 0.0.0.255". Check the
> details, my memory might be incorrect.
>
> This was one of the reasons why using route-maps for route filtering was
> much more intuitive, as they could then refer to prefix-lists, and prefix lists
> followed standard subnet/prefix length conventions. If you have the option
> of using route-maps to do your OSPF redistribution, I'd use them instead.
>
> (There are some traps with them too though - if there is a deny statement at
> the end of one of the match prefix-lists (which I do to make the deny
> explicit, similar to the ACL convention of doing it), it bails on that route-map
> clause and then moves onto the next one. I've literally spent a day trying to
> work out why there were never any matches on my second prefix list in the
> match statement. A good rule is to never try to match multiple prefix lists in
> one route-map clause, and to create another to match on it.)
>
>
> Regards,
> Mark.
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net<mailto:AusNOG at lists.ausnog.net>
http://lists.ausnog.net/mailman/listinfo/ausnog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20131104/e8e68975/attachment.html>


More information about the AusNOG mailing list