[AusNOG] Cisco & Router OS help
Alex Samad - Yieldbroker
Alex.Samad at yieldbroker.com
Mon Nov 4 17:54:00 EST 2013
Hi
I was hoping not to need 2 OSPF processes.
I went to the 2-process setup after reading up that area filtering is for LSA type 3. I also looked at the distribute-list in and out, but from my reading that has issues because it blocks routes from hitting the routing table, effectively causing black holes ... read but not tested.
Thought of the not-advertise, but there are a lot of BGP routes injected into OSPF area 1 and I would also like to protect myself from misconfiguration as well.
Alex
From: J Williams [mailto:jphwilliams at gmail.com]
Sent: Monday, 4 November 2013 5:45 PM
To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Cisco & Router OS help
Hi Alex,
You shouldn't need 2 OSPF processes.
First example looks like you are using area filter-list command which is meant for type3 filtering.
Try adding "summary-address <bgp_route> <bgp_route_mask> not-advertise" to stop the type7 to type5 translation.
The "area 10.172.0.0 range 10.172.0.0 255.255.0.0" will advertise the summary route only.
Hope this helps.
Cheers,
Jules
On Mon, Nov 4, 2013 at 2:21 PM, Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com> wrote:
Hi
Okay brief description
Area 0 with
2 x routerOS OSPF neighbours
2 x cisco switches/routers as OSPF
Area 1
2 x cisco switches/routers as OSPF (same as above so ABR's)
2 x RouterOS which also have BGP -> external services (ASBR's)
I want to stop the routes I learn from BGP travelling from Area 1 into Area 0 AND/or I would like to make sure that only 10.172.0.0/16 (and subnets) are ever injected from area 1 into area 0.
This is my original commands I used on the cisco routers
no router ospf 1
no router ospf 2
no ip prefix-list OFilterOut
ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32
router ospf 1
router-id 10.172.255.2
log-adjacency-changes
area 0.0.0.0 authentication message-digest
area 0.0.0.0 filter-list prefix OFilterOut in
area 10.172.0.0 authentication message-digest
area 10.172.0.0 nssa
area 10.172.0.0 filter-list prefix OFilterOut out
area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise
redistribute connected subnets
network 10.31.19.0 0.0.0.255 area 0.0.0.0
network 10.172.201.0 0.0.0.255 area 10.172.0.0
network 10.172.202.0 0.0.0.255 area 10.172.0.0
network 10.172.203.0 0.0.0.255 area 10.172.0.0
network 10.172.204.0 0.0.0.255 area 10.172.0.0
network 10.172.205.0 0.0.0.255 area 10.172.0.0
network 10.172.207.0 0.0.0.255 area 10.172.0.0
network 10.172.208.0 0.0.0.255 area 10.172.0.0
network 10.172.212.0 0.0.0.255 area 10.172.0.0
network 10.172.213.0 0.0.0.255 area 10.172.0.0
network 10.172.250.0 0.0.0.255 area 10.172.0.0
network 10.172.255.2 0.0.0.0 area 10.172.0.0
Then I tried what was in the cisco document
no ip prefix-list OFilterOut
ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32
!! in list into router ospf 2 from ospf 1
no route-map filter_ospf1
route-map filter_ospf1 deny 10
match tag 1
route-map filter_ospf1 permit 20
!! in list into router ospf 1 from ospf 2
no route-map filter_ospf2
route-map filter_ospf2 deny 10
match tag 2
route-map filter_ospf2 permit 20
match ip address prefix-list OFilterOut
route-map filter_ospf2 deny 30
// ybosw1
no router ospf 1
no router ospf 2
router ospf 1
router-id 10.31.19.253
log-adjacency-changes
area 0.0.0.0 authentication message-digest
network 10.31.19.0 0.0.0.255 area 0.0.0.0
redistribute ospf 2 subnet tag 1
distribute-list route-map filter_ospf2 in
router ospf 2
router-id 10.172.255.2
log-adjacency-changes
area 10.172.0.0 authentication message-digest
area 10.172.0.0 range 10.172.0.0 255.255.0.0 advertise
network 10.172.201.0 0.0.0.255 area 10.172.0.0
network 10.172.202.0 0.0.0.255 area 10.172.0.0
network 10.172.203.0 0.0.0.255 area 10.172.0.0
network 10.172.204.0 0.0.0.255 area 10.172.0.0
network 10.172.205.0 0.0.0.255 area 10.172.0.0
network 10.172.207.0 0.0.0.255 area 10.172.0.0
network 10.172.208.0 0.0.0.255 area 10.172.0.0
network 10.172.212.0 0.0.0.255 area 10.172.0.0
network 10.172.213.0 0.0.0.255 area 10.172.0.0
network 10.172.250.0 0.0.0.255 area 10.172.0.0
network 10.172.255.2 0.0.0.0 area 10.172.0.0
!! redistribute connected subnets
redistribute ospf 1 subnet tag 2
distribute-list route-map filter_ospf1 in
Both times I checked on the routerOS boxes in area 0, all the routes from BGP have made it to area 0.
Checking
sh ip ospf 1 database
sh ip ospf 2 database
shows the BGP routes in both databases
Interestingly, I tried it with the route-map as just a deny all and the addresses still made it in......
Thanks
Alex
> -----Original Message-----
> From: Mark ZZZ Smith [mailto:markzzzsmith at yahoo.com.au]
> Sent: Monday, 4 November 2013 2:02 PM
> To: Alex Samad - Yieldbroker; ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Cisco & Router OS help
>
> ----- Original Message -----
> > From: Alex Samad - Yieldbroker <Alex.Samad at yieldbroker.com>
> > To: "ausnog at lists.ausnog.net" <ausnog at lists.ausnog.net>
> > Cc:
> > Sent: Monday, 4 November 2013 1:01 PM
> > Subject: [AusNOG] Cisco & Router OS help
> >
> > Hi
> >
> > I got lots of help with my RouterOS problem before, wondering if I can
> > find somebody to help with my new problem.
> >
> > OSPF & Cisco & RouterOS, this is an issue of filter OSPF LSA's at a
> > ABR.
> >
> > What I am ref is
> >
> > http://www.cisco.com/en/US/tech/tk365/technologies_white_paper09186a0080531fd2.shtml#prefixadmin
> > ""
> > There can be several reasons for redistribution between multiple processes.
> > These are a few examples:
> > To filter an OSPF route from part of the domain
> > To separate different OSPF domains
> > To migrate between separate domains
> > ""
> >
> > The first option "To filter an OSPF route from part of the domain"
> > just doesn't seem to be working for me and I am not sure if it's my
> > reading of the cisco or some strange thing of RouterOS or ...
> >
> > I am sure I am running into a gotcha that I don't know about.
> >
> > If you can email me off list please
> >
>
> I think on-list might be better so that archive/Internet searches etc. later
> show it up.
>
> It's a long time since I've done it/knew about it, however my guess is that
> you might be falling into the Cisco "reverse bitmask" problem of subnet
> masks versus ACLs. Route filters using ACLs use ACL format masks, not
> subnet masks, so if you want to filter e.g. 192.168.0.0/24, your Cisco "ACL"
> route filter would look something like "192.168.0.0 0.0.0.255". Check the
> details, my memory might be incorrect.
>
> This was one of the reasons why using route-maps for route filtering was
> much more intuitive, as they could then refer to prefix-lists, and prefix lists
> followed standard subnet/prefix length conventions. If you have the option
> of using route-maps to do your OSPF redistribution, I'd use them instead.
>
> (There are some traps with them too though - if there is a deny statement at
> the end of one of the match prefix-lists (which I do to make the deny
> explicit, similar to the ACL convention of doing it), it bails on that route-map
> clause and then moves onto the next one. I've literally spent a day trying to
> work out why there were never any matches on my second prefix list in the
> match statement. A good rule is to never try to match multiple prefix lists in
> one route-map clause, and to create another to match on it.)
>
>
> Regards,
> Mark.
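Added example, not written by any of the posters: a small Python model of the two filter syntaxes Mark contrasts (ACL wildcard masks versus prefix-lists) and of the `ip prefix-list OFilterOut ... permit 10.172.0.0/16 le 32` entry from Alex's config. The function names and the sample routes are constructed for illustration (203.0.113.0/24 stands in for a BGP-learned external route); the ge/le semantics are the standard Cisco ones, not taken from the thread.

```python
import ipaddress

# Added example, not from the thread: models Cisco ACL wildcard-mask matching
# versus ip prefix-list matching. Function names and sample routes are
# constructed for illustration.


def wildcard_from_prefix_len(prefix_len: int) -> str:
    """ACL wildcard ('reverse') mask for a prefix length, e.g. 24 -> 0.0.0.255."""
    subnet_mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(subnet_mask ^ 0xFFFFFFFF))


def acl_matches(route: str, acl_addr: str, acl_wildcard: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care';
    only the bits where the wildcard is 0 are compared."""
    r = int(ipaddress.IPv4Address(route.split("/")[0]))
    a = int(ipaddress.IPv4Address(acl_addr))
    care = ~int(ipaddress.IPv4Address(acl_wildcard)) & 0xFFFFFFFF
    return (r & care) == (a & care)


def prefix_entry_matches(route: str, entry: str, ge=None, le=None) -> bool:
    """One 'ip prefix-list ... permit/deny A/L [ge G] [le E]' entry.
    The route's first L bits must equal A's, and the route's own prefix
    length must lie in [G, E]; with neither ge nor le that means exactly L,
    with only ge it means G..32."""
    rt = ipaddress.ip_network(route, strict=False)
    ent = ipaddress.ip_network(entry, strict=False)
    lo = ge if ge is not None else ent.prefixlen
    hi = le if le is not None else (32 if ge is not None else ent.prefixlen)
    if not lo <= rt.prefixlen <= hi:
        return False
    return rt.subnet_of(ent)


def prefix_list_permits(route: str, entries) -> bool:
    """Evaluate a whole prefix-list: first matching entry wins, implicit deny at the end."""
    for action, entry, ge, le in entries:
        if prefix_entry_matches(route, entry, ge, le):
            return action == "permit"
    return False


# Alex's list from the thread: 'ip prefix-list OFilterOut seq 10 permit 10.172.0.0/16 le 32'
OFILTER_OUT = [("permit", "10.172.0.0/16", None, 32)]


def filter_routes(routes, entries=OFILTER_OUT):
    """Split candidate routes into those the prefix-list permits and those it drops."""
    permitted = [r for r in routes if prefix_list_permits(r, entries)]
    denied = [r for r in routes if not prefix_list_permits(r, entries)]
    return permitted, denied


if __name__ == "__main__":
    # Constructed sample: two area-1 prefixes from the config, the /16 summary,
    # and a documentation-range stand-in for a BGP-learned external route.
    sample = ["10.172.201.0/24", "10.172.255.2/32", "10.172.0.0/16", "203.0.113.0/24"]
    print(filter_routes(sample))
    # The mask trap: a subnet mask typed where an ACL expects a wildcard mask
    # makes the first three octets 'don't care', so an unrelated route matches.
    print(acl_matches("10.9.9.0", "192.168.0.0", "255.255.255.0"))  # True by accident
    print(acl_matches("10.9.9.0", "192.168.0.0", "0.0.0.255"))      # False, as intended
```

The `le 32` on Alex's entry is what lets the /24s and the /32 router-id through; without it the entry would match only an exact 10.172.0.0/16, which is the behaviour `prefix_entry_matches` shows when called with no ge/le.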
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog