Restricting Networks in OSPF

saquib.tandel
Level 1

Hi

Can I get help on how to restrict traffic from Site_A to Site_B?

Site_A is connected to Site_B via wireless.
I want to restrict the 192.168.2.0 subnet of Site_A from reaching Site_B.
Restrict the 10.10.10.0 subnet of Site_B from reaching Site_A.

=========
((SITE_A))
=========
Site_A has these networks
192.168.1.0/24
192.168.2.0/24
192.168.3.0/24
192.168.100.0/30 

interface fa 0/9
ip address 192.168.100.1 255.255.255.252

router ospf 1
network 192.168.1.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.3 area 0


=========
((SITE_B))
=========
Site_B has these networks
10.10.10.0/24
10.10.20.0/24
192.168.100.0/30 

interface fa 0/9
ip address 192.168.100.1 255.255.255.252

router ospf 1
network 10.10.10.0 0.0.0.255 area 0
network 10.10.20.0 0.0.0.255 area 0
network 192.168.100.0 0.0.0.3 area 0

interface fa 10/22
ip address 192.168.100.2 255.255.255.252


Ganesh Hariharan
VIP Alumni

Hi Saquib,

There are a few methods to deny certain networks from floating in a routing protocol, like distribution list and route map implementation in the routing protocol.

I would suggest, as you want to deny only a few subnets from reaching the other site via OSPF, just go with a distribution list configuration and apply that to the OSPF configuration to deny them reaching the other site.

Configures a distribution list to explicitly deny specific routes from being eligible for installation in the IP route table. By default, all OSPF routes in the OSPF route table are eligible for installation in the IP route table.


NOTE: This feature does not block receipt of LSAs for the denied routes. The Routing Switch still receives the routes and installs them in the OSPF database. The feature only prevents the software from installing the denied OSPF routes into the IP route table.

To configure an OSPF distribution list:

Configure a standard or extended ACL that identifies the routes you want to deny. Using a standard ACL lets you deny routes based on the destination network, but does not filter based on the network mask. To also filter based on the destination network’s network mask, use an extended ACL.

Configure an OSPF distribution list that uses the ACL as input.


NOTE: If you change the ACL after you configure the OSPF distribution list, you must clear the IP route table to place the changed ACL into effect. To clear the IP route table, enter the clear ip route command at the Privileged EXEC level of the CLI.


EXAMPLE:
The following examples show how to use the CLI to configure an OSPF distribution list. Separate examples are provided for standard and extended ACLs.

The examples show named ACLs. However, you also can use a numbered ACL as input to the OSPF distribution list.


To use a standard ACL to configure an OSPF distribution list for denying specific routes, enter commands such as the following:


HP9300(config)# ip access-list standard no_ip
HP9300(config-std-nacl)# deny 4.0.0.0 0.255.255.255
HP9300(config-std-nacl)# permit any any
HP9300(config-std-nacl)# exit
HP9300(config)# router ospf
HP9300(config-ospf-router)# distribute-list no_ip in


The first three commands configure a standard ACL that denies routes to any 4.x.x.x destination network and allows all other routes for eligibility to be installed in the IP route table. The last three commands change the CLI to the OSPF configuration level and configure an OSPF distribution list that uses the ACL as input. The distribution list prevents routes to any 4.x.x.x destination network from entering the IP route table. The distribution list does not prevent the routes from entering the OSPF database.


To use an extended ACL to configure an OSPF distribution list for denying specific routes, enter commands such as the following:


HP9300(config)# ip access-list extended no_ip
HP9300(config-ext-nacl)# deny ip 4.0.0.0 0.255.255.255 255.255.0.0 0.0.255.255
HP9300(config-ext-nacl)# permit ip any any
HP9300(config-ext-nacl)# exit
HP9300(config)# router ospf
HP9300(config-ospf-router)# distribute-list no_ip in


The first three commands configure an extended ACL that denies routes to any 4.x.x.x destination network with a 255.255.0.0 network mask and allows all other routes for eligibility to be installed in the IP route table. The last three commands change the CLI to the OSPF configuration level and configure an OSPF distribution list that uses the ACL as input. The distribution list prevents routes to any 4.x.x.x destination network with network mask 255.255.0.0 from entering the IP route table. The distribution list does not prevent the routes from entering the OSPF database.

Hope that clears up your query!

Regards

Ganesh.H
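
An added example, not part of the original reply or of any vendor's code: a small Python model of the filtering described above, showing which routes a standard and an extended ACL leave eligible for the IP route table while the OSPF route list itself stays untouched. It assumes conventional wildcard semantics (a set wildcard bit means "ignore") for both the network and the mask field; the function names and all sample routes are constructed for illustration.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # "any" as a network/wildcard pair

# ACLs mirroring the two "no_ip" examples above (constructed model, not device output).
STANDARD = [("deny", "4.0.0.0", "0.255.255.255"), ("permit", *ANY)]
EXTENDED = [("deny", "4.0.0.0", "0.255.255.255", "255.255.0.0", "0.0.255.255"),
            ("permit", *ANY, *ANY)]
# Standard ACL for the question's topology: applied at Site_B against Site_A's routes.
SITE_B_FILTER = [("deny", "192.168.2.0", "0.0.0.255"), ("permit", *ANY)]

# Constructed sample routes as learned through OSPF.
OSPF_ROUTES = ["4.0.0.0/8", "4.1.0.0/16", "10.10.10.0/24"]
SITE_A_ROUTES = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

def wildcard_match(value, base, wildcard):
    """Compare two dotted quads, ignoring every bit that is set in the wildcard."""
    v, b, w = (int(ipaddress.IPv4Address(x)) for x in (value, base, wildcard))
    return (v & ~w) == (b & ~w)

def acl_permits(acl, prefix):
    """First matching entry decides; no match means the implicit deny applies."""
    net = ipaddress.IPv4Network(prefix)
    for action, base, wc, *mask_part in acl:
        hit = wildcard_match(str(net.network_address), base, wc)
        if hit and mask_part:  # extended entry: the route's mask must match too
            hit = wildcard_match(str(net.netmask), *mask_part)
        if hit:
            return action == "permit"
    return False

def distribute_list_in(acl, ospf_routes):
    """Return routes eligible for the IP route table; ospf_routes is not modified."""
    return [r for r in ospf_routes if acl_permits(acl, r)]

if __name__ == "__main__":
    for name, acl, routes in (("standard", STANDARD, OSPF_ROUTES),
                              ("extended", EXTENDED, OSPF_ROUTES),
                              ("site_b", SITE_B_FILTER, SITE_A_ROUTES)):
        print(name, "OSPF routes:", routes)
        print(name, "route table:", distribute_list_in(acl, routes))
```

The standard ACL removes both 4.x routes regardless of mask, while the extended ACL removes only the one whose mask matches, which is the distinction the reply draws between the two ACL types.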

Many thanks, Ganesh.

It's very clear.

Does the same apply for EIGRP?

One more question:

Site_A

Vlan 5

ip address 192.168.1.1 255.255.255.0

Vlan 6

ip address 192.168.2.1 255.255.255.0

From Site_B I cannot telnet to 192.168.1.1 but can telnet to 192.168.2.1.

There is no ACL. From Site_B, if I do show ip route 192.168.1.0, I can see it via OSPF,

but it starts working when I do clear ip route * on both Site_A and Site_B, and in a couple of days again I cannot telnet.

Both switches are 3560. Any idea what could be the reason?

Hi Saquib,

Distribution lists and route maps are applicable to all routing protocols. Hope that clears up your query!

If the comments are helpful, please rate the useful comments.

Regards

Ganesh.H
