RE: distribute-list gateway

From: Daniel Kutchin (daniel@kutchin.com)
Date: Mon Feb 09 2009 - 12:32:08 ARST


Route-maps work best with OSPF distribute-lists (my opinion though)

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/routmap.html

You can match the following

match ip address
match ip next-hop <--- Gateway ( _don't_ use RID)
match ip route-source
match interface
match metric
match route-type
match tag

!!!! Also don't match prefix-lists in the route-maps !!!!

--

Daniel

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Roger RPF
Sent: Monday, 9 February 2009 14:09
To: 'Hobbs'
Cc: 'Luan Nguyen'; 'Tim'; 'Cisco certification'; security@groupstudy.com
Subject: AW: distribute-list gateway

Hello Hobbs, Group,

I just checked this issue again and it seems that for the distribute-list gateway in OSPF we have to use the neighbor address and NOT the router-id. This is somehow strange to me because, for example, with the distance command in OSPF we need the router-id of the originating router.

Can one of the "OSPF Gurus" confirm this??

Here is my example. I have a hub-and-spoke topology with R4 as hub. It learns the route 99.99.99.1 from 3 different spokes, R2, R5 and R6, but R5 has the best metric (metric 3), so it installs that one in the routing table. The prefix 99.99.99.1 comes from another area, in this case area 0 (it is a loopback on my R1 router).

Note that the router-id of R5 is 99.99.99.5.

R4(config-router)#do sh ip ospf neig

Neighbor ID     Pri   State           Dead Time   Address         Interface
99.99.99.6        0   FULL/DROTHER    00:01:59    146.46.44.6     Serial0/0   --> R6
99.99.99.5        0   FULL/DROTHER    00:01:45    146.46.44.5     Serial0/0   --> R5
99.99.99.2        0   FULL/DROTHER    00:01:48    146.46.44.2     Serial0/0   --> R2
R4(config-router)#

R4(config)#do sh ip ospf data summ 99.99.99.1

OSPF Router with ID (99.99.99.4) (Process ID 1)

Summary Net Link States (Area 246)

  Routing Bit Set on this LSA
  LS age: 1266
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 99.99.99.1 (summary Network Number)
  Advertising Router: 99.99.99.2
  LS Seq Number: 80000001
  Checksum: 0x324C
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 103

  Routing Bit Set on this LSA
  LS age: 1291
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 99.99.99.1 (summary Network Number)
  Advertising Router: 99.99.99.5
  LS Seq Number: 80000001
  Checksum: 0x34AB
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 3

  LS age: 952
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 99.99.99.1 (summary Network Number)
  Advertising Router: 99.99.99.6
  LS Seq Number: 80000001
  Checksum: 0x3D20
  Length: 28
  Network Mask: /32
        TOS: 0  Metric: 132

R4(config)#
R4(config-router)#do sir 99.99.99.1
Routing entry for 99.99.99.1/32
  Known via "ospf 1", distance 110, metric 132, type inter area
  Last update from 146.46.44.5 on Serial0/0, 1d21h ago
  Routing Descriptor Blocks:
  * 146.46.44.5, from 99.99.99.5, 1d21h ago, via Serial0/0
      Route metric is 132, traffic share count is 1

++++++++++++++++++++++
Now I configure the incoming distribute-list with the address of R5 (146.46.44.5), NOT the router-id:

R4(config)#do sh ip prefix-list
ip prefix-list ospf: 2 entries
   seq 4 deny 146.46.44.5/32
   seq 10 permit 0.0.0.0/0 le 32
R4(config)#do sr | b router ospf
router ospf 1
 router-id 99.99.99.4
 log-adjacency-changes
 auto-cost reference-bandwidth 200
 network 99.99.99.4 0.0.0.0 area 246
 network 146.46.44.4 0.0.0.0 area 246
 neighbor 146.46.44.6
 neighbor 146.46.44.5
 neighbor 146.46.44.2
 distribute-list gateway ospf in Serial0/0
!

And now you can see that it learns the prefix 99.99.99.1 from R2 (RID 99.99.99.2, neighbor 146.46.44.2), which has the second-best OSPF metric (103):

R4(config)#do sir 99.99.99.1
Routing entry for 99.99.99.1/32
  Known via "ospf 1", distance 110, metric 232, type inter area
  Last update from 146.46.44.2 on Serial0/0, 00:20:49 ago
  Routing Descriptor Blocks:
  * 146.46.44.2, from 99.99.99.2, 00:20:49 ago, via Serial0/0
      Route metric is 232, traffic share count is 1

So this works fine. If I try the same with the router-id of R5 (99.99.99.5) instead of the neighbor address in the prefix-list, nothing gets filtered; I still have the prefix with R5 as next hop in the routing table (146.46.44.5 with RID 99.99.99.5):

R4(config)#do sh ip prefix-lis
ip prefix-list ospf: 2 entries
   seq 3 deny 99.99.99.5/32
   seq 10 permit 0.0.0.0/0 le 32

R4(config)#do sir 99.99.99.1
Routing entry for 99.99.99.1/32
  Known via "ospf 1", distance 110, metric 132, type inter area
  Last update from 146.46.44.5 on Serial0/0, 00:00:37 ago
  Routing Descriptor Blocks:
  * 146.46.44.5, from 99.99.99.5, 00:00:37 ago, via Serial0/0
      Route metric is 132, traffic share count is 1
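The lab above and Daniel's "don't use the RID" note come down to one lookup: the prefix-list behind `distribute-list gateway` has to name the neighbor's interface address, not its router-id. The following is an added example (not code from the thread, from Cisco, or from any of the posters) that does that lookup from R4's `show ip ospf neighbor` output, which is embedded here as constructed sample input copied from the lab above. It emits the deny/permit prefix-list and the `distribute-list gateway ... in <interface>` line, and it audits an existing prefix-list for the exact mistake Roger and Hobbs hit: a deny entry that names a router-id rather than a neighbor address. The function names, the prefix-list name `ospf`, process number `1`, and the sequence numbering are my own choices; the state-column handling also covers the `FULL/  -` form that appears in Hobbs' output further down.

```python
"""Build and audit an inbound OSPF 'distribute-list gateway' prefix-list.

Added example for the thread: IOS matches the *neighbor interface address*
for OSPF, so the helper resolves router-ids to addresses before writing the
prefix-list. All names (parse_neighbors, build_gateway_filter,
audit_prefix_list, list name 'ospf', 'router ospf 1') are assumptions.
"""
import re
from typing import Dict, List

# Constructed sample input: R4's neighbor table from the lab in the thread.
SHOW_IP_OSPF_NEIGHBOR = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
99.99.99.6        0   FULL/DROTHER    00:01:59    146.46.44.6     Serial0/0
99.99.99.5        0   FULL/DROTHER    00:01:45    146.46.44.5     Serial0/0
99.99.99.2        0   FULL/DROTHER    00:01:48    146.46.44.2     Serial0/0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# State may be 'FULL/DROTHER' or the point-to-point form 'FULL/  -'.
NEIGHBOR_RE = re.compile(
    rf"^(?P<rid>{IPV4})\s+(?P<pri>\d+)\s+(?P<state>\S+(?:\s+-)?)\s+"
    rf"(?P<dead>\S+)\s+(?P<addr>{IPV4})\s+(?P<intf>\S+)\s*$"
)


def parse_neighbors(output: str) -> Dict[str, Dict[str, str]]:
    """Map each neighbor's router-id to its interface address and interface."""
    neighbors: Dict[str, Dict[str, str]] = {}
    for line in output.splitlines():
        m = NEIGHBOR_RE.match(line.strip())
        if m:  # header and blank lines simply do not match
            neighbors[m["rid"]] = {"address": m["addr"], "interface": m["intf"]}
    return neighbors


def build_gateway_filter(neighbors: Dict[str, Dict[str, str]],
                         block_rids: List[str],
                         list_name: str = "ospf") -> List[str]:
    """Emit IOS lines that deny updates from the given neighbors (by router-id).

    Each deny entry uses the neighbor's *interface address*, which is what the
    gateway option matches for OSPF; the router-id is only used to look it up.
    """
    lines: List[str] = []
    interfaces = set()
    seq = 5
    for rid in block_rids:
        if rid not in neighbors:  # refuse to guess an address for an unknown RID
            raise ValueError(f"router-id {rid} is not a current OSPF neighbor")
        nbr = neighbors[rid]
        lines.append(f"ip prefix-list {list_name} seq {seq} deny {nbr['address']}/32")
        interfaces.add(nbr["interface"])
        seq += 5
    lines.append(f"ip prefix-list {list_name} seq {seq} permit 0.0.0.0/0 le 32")
    lines.append("router ospf 1")
    for intf in sorted(interfaces):
        lines.append(f" distribute-list gateway {list_name} in {intf}")
    return lines


def audit_prefix_list(prefix_list_lines: List[str],
                      neighbors: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a problem description for every deny entry that cannot match.

    Flags entries that name a neighbor's router-id instead of its address
    (silently matches nothing, as in the thread) and entries that match no
    neighbor at all.
    """
    rids = set(neighbors)
    addrs = {n["address"] for n in neighbors.values()}
    problems: List[str] = []
    for line in prefix_list_lines:
        m = re.search(rf"\bdeny\s+(?P<target>{IPV4})/32", line)
        if not m:
            continue
        target = m["target"]
        if target in rids and target not in addrs:
            problems.append(
                f"{target} is the router-id of a neighbor, not its interface "
                f"address; use {neighbors[target]['address']}/32 instead"
            )
        elif target not in addrs:
            problems.append(f"{target} matches no current OSPF neighbor address")
    return problems


if __name__ == "__main__":
    nbrs = parse_neighbors(SHOW_IP_OSPF_NEIGHBOR)
    print("\n".join(build_gateway_filter(nbrs, ["99.99.99.5"])))
    for issue in audit_prefix_list(["seq 3 deny 99.99.99.5/32"], nbrs):
        print("WARNING:", issue)
```

The audit is a heuristic on the neighbor table only: it catches the router-id-in-prefix-list mistake and typos that match no neighbor, but it cannot tell you whether the remaining permit entries are what you intended, so read the generated prefix-list before applying it.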

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Hobbs
Sent: Wednesday, 4 February 2009 23:31
To: Roger RPF
Cc: Luan Nguyen; Tim; Cisco certification; security@groupstudy.com
Subject: Re: distribute-list gateway

Funny thing, that was a PERMIT prefix-list, hmm... So it must not have matched the router-ID and just denied everything.

Back to the drawing board...

On Wed, Feb 4, 2009 at 3:27 PM, Hobbs <deadheadblues@gmail.com> wrote:
> Hello Roger,
>
> Yes, it appears to work that way:
>
> R4#sho ip osp ne
>
> Neighbor ID     Pri   State      Dead Time   Address         Interface
> 3.3.3.3           0   FULL/  -   00:00:35    192.168.34.3    Serial1/1
> 5.5.5.5           0   FULL/  -   00:00:32    192.168.45.5    Serial1/0
>
> R4#sho ip route | inc 34.3
> Gateway of last resort is 192.168.34.3 to network 0.0.0.0
> O    192.168.23.0/24 [110/6] via 192.168.34.3, 00:00:10, Serial1/1
> O    192.168.3.0/24 [110/2] via 192.168.34.3, 00:00:10, Serial1/1
> O*E2 0.0.0.0/0 [110/1] via 192.168.34.3, 00:00:05, Serial1/1
>
> Next hop is 192.168.34.3, router-id is 3.3.3.3
>
> Now I make the list:
>
> R4(config)#ip prefix-list R3 permit 3.3.3.3/32
> R4(config)#router ospf 1
> R4(config-router)#distribute-list gateway R3 in serial 1/1
> R4(config-router)#^Z
> R4#clear ip route *
>
> No more routes from 34.3:
>
> R4#sho ip route | inc 34.3
> R4#
>
>
> -hth
>
>
> On Wed, Feb 4, 2009 at 3:11 PM, Roger RPF <rpf@bluemail.ch> wrote:
>> Luan,
>>
>> In the first link of your post, it is written (according to this Cisco guy)
>> that with OSPF it is the router-id of the neighbor... as I would imagine.
>>
>> Copy from this mail of the link...
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> Hi George... following is an explanation by Faraz Shamim @cisco.
>>
>> //snip//
>>
>> This is a generic option for all the routing protocols, not just OSPF.
>> Gateway is the IP address of the neighbor whom you receive a routing update
>> from. This term makes more sense in RIP and IGRP. In case of OSPF it's the
>> router ID of the neighbor.
>>
>> Let's say you want to block a full or partial routing update from a neighbor on
>> a broadcast segment like Ethernet. If you do passive interface in case of
>> OSPF then it will affect all the neighbors on that segment, so one option
>> there is to use gateway with distribute-list.
>>
>> Note, this option is only valid for inbound distribute-list. Outbound
>> distribute-list will not work and it does not make sense, that's why it's not
>> supported.
>>
>> //snip//
>> +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> So I guess I really have to check it once with OSPF; for the other protocols
>> it is clear to me...
>> Can one prove the correct behavior with OSPF???
>>
>>
>> regards
>>
>> Roger
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Luan Nguyen
>> Sent: Wednesday, 4 February 2009 21:58
>> To: 'Tim'; 'Cisco certification'; security@groupstudy.com
>> Subject: RE: distribute-list gateway
>>
>> Here's a link
>> http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rdrip.html#wp1025003
>>
>> Link to older group study post:
>> http://www.groupstudy.com/archives/ccielab/200206/msg00924.html
>>
>> Use prefix-list with next-hop IP address and not router-ID.
>>
>> Regards,
>>
>> Luan Nguyen
>> Chesapeake NetCraftsmen, LLC.
>> [W] http://www.netcraftsmen.net
>> [M] luan@netcraftsmen.net
>> [Blog] http://cnc-networksecurity.blogspot.com/
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
>> Sent: Wednesday, February 04, 2009 11:57 AM
>> To: 'Cisco certification'; security@groupstudy.com
>> Subject: distribute-list gateway
>>
>> Hi Guys,
>>
>> Is the above command undocumented?
>>
>> I couldn't find it in the command reference or by using the command lookup
>> tool.
>>
>> If the command is documented somewhere, could you post the link to it?
>>
>> Also, when using this command with OSPF, should the IP of the neighbor
>> router be specified with the router ID or the IP address assigned to the
>> interface from which the updates are coming?
>>
>> Thanks in advance,
>>
>> Tim
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST