vlan advertise in OSPF

ilsanto21
Level 1

Hi,

I have a 3750 switch configured with 6 VLAN interfaces (something like below). I am running EIGRP to route inside the network and also running OSPF to talk to a firewall for WAN traffic.

Is there any way to filter subnets? I don't want VLAN 101 and 102 to be advertised in OSPF.

I guess I can create an access list to permit subnets in OSPF. Any idea how to accomplish that?

Thanks

interface Vlan10
 ip address 172.22.132.67 255.255.255.224
 no ip redirects
 no ip route-cache
!
interface Vlan15
 ip address 172.22.132.211 255.255.255.240
 no ip redirects
 no ip route-cache
!
interface Vlan20
 ip address 172.22.133.3 255.255.255.128
 no ip redirects
 no ip route-cache
!
interface Vlan30
 ip address 172.22.133.131 255.255.255.128
 no ip redirects
 no ip route-cache
!
interface Vlan101
 ip address 172.22.134.3 255.255.255.224
 no ip redirects
 no ip route-cache
!
interface Vlan102
 ip address 172.22.134.35 255.255.255.248
 no ip redirects
 no ip route-cache
!
router eigrp 99
 no auto-summary
!
 network 172.22.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
router ospf 1
 log-adjacency-changes
 area 0 authentication
 timers throttle spf 2000 5000 5000
 redistribute connected subnets
 redistribute eigrp 99 metric 30 metric-type 1 subnets route-map DO_NOT_ADVERTISE


Jerry Ye
Cisco Employee

You can do the following:

access-list 12 permit 172.22.134.0 0.0.0.31
access-list 12 permit 172.22.134.32 0.0.0.7

route-map BLOCK_CONNECTED_VLANS deny 10
 match ip address 12
route-map BLOCK_CONNECTED_VLANS permit 1000

router ospf 1
 redistribute connected subnets route-map BLOCK_CONNECTED_VLANS

HTH,

jerry

Ganesh Hariharan
VIP Alumni

Hi,

There are a few methods to deny certain networks from floating in a routing protocol, like distribution list and route map implementation in the routing protocol.

I would suggest, as you want to deny only a few subnets from reaching the other site via OSPF, just going with a distribution list configuration and applying that to the OSPF configuration to deny them reaching the other site.

Configures a distribution list to explicitly deny specific routes from being eligible for installation in the IP route table. By default, all OSPF routes in the OSPF route table are eligible for installation in the IP route table.


NOTE: This feature does not block receipt of LSAs for the denied routes. The Routing Switch still receives the routes and installs them in the OSPF database. The feature only prevents the software from installing the denied OSPF routes into the IP route table.

To configure an OSPF distribution list:

Configure a standard or extended ACL that identifies the routes you want to deny. Using a standard ACL lets you deny routes based on the destination network, but does not filter based on the network mask. To also filter based on the destination network’s network mask, use an extended ACL.

Configure an OSPF distribution list that uses the ACL as input.


NOTE: If you change the ACL after you configure the OSPF distribution list, you must clear the IP route table to place the changed ACL into effect. To clear the IP route table, enter the clear ip route command at the Privileged EXEC level of the CLI.


EXAMPLE:
The following examples show how to use the CLI to configure an OSPF distribution list. Separate examples are provided for standard and extended ACLs.

The examples show named ACLs. However, you also can use a numbered ACL as input to the OSPF distribution list.


To use a standard ACL to configure an OSPF distribution list for denying specific routes, enter commands such as the following:


HP9300(config)# ip access-list standard no_ip
HP9300(config-std-nacl)# deny 4.0.0.0 0.255.255.255
HP9300(config-std-nacl)# permit any any
HP9300(config-std-nacl)# exit
HP9300(config)# router ospf
HP9300(config-ospf-router)# distribute-list no_ip in


The first three commands configure a standard ACL that denies routes to any 4.x.x.x destination network and allows all other routes for eligibility to be installed in the IP route table. The last three commands change the CLI to the OSPF configuration level and configure an OSPF distribution list that uses the ACL as input. The distribution list prevents routes to any 4.x.x.x destination network from entering the IP route table. The distribution list does not prevent the routes from entering the OSPF database.


To use an extended ACL to configure an OSPF distribution list for denying specific routes, enter commands such as the following:


HP9300(config)# ip access-list extended no_ip
HP9300(config-ext-nacl)# deny ip 4.0.0.0 0.255.255.255 255.255.0.0 0.0.255.255
HP9300(config-ext-nacl)# permit ip any any
HP9300(config-ext-nacl)# exit
HP9300(config)# router ospf
HP9300(config-ospf-router)# distribute-list no_ip in


The first three commands configure an extended ACL that denies routes to any 4.x.x.x destination network with a 255.255.0.0 network mask and allows all other routes for eligibility to be installed in the IP route table. The last three commands change the CLI to the OSPF configuration level and configure an OSPF distribution list that uses the ACL as input. The distribution list prevents routes to any 4.x.x.x destination network with network mask 255.255.0.0 from entering the IP route table. The distribution list does not prevent the routes from entering the OSPF database.

Hope that clears up your query!

Regards

Ganesh.H

Giuseppe Larosa
Hall of Fame

Hello Santo,

The simplest way to achieve what you want is to use network ... area commands instead of redistribute connected.

In this way, you can specify what IP subnets you want to advertise in OSPF.

router ospf 1
 network 172.22.132.64 0.0.0.31 area 0
 network 172.22.132.211 0.0.0.0 area 0
 network 172.22.133.0 0.0.0.127 area 0
 network 172.22.133.128 0.0.0.127 area 0
 no redistribute connected subnets

Note: you need a filter to avoid importing from EIGRP the routes that don't have to be sent to the FW.

So a route-map is needed; it may already be implemented in your route-map named DO_NOT_ADVERTISE.

I would expect it to look the same as the route-map proposed by Jerry.

access-list 11 permit 172.22.134.0 0.0.0.31
access-list 11 permit 172.22.134.32 0.0.0.7

route-map DO_NOT_ADVERTISE deny 10
 match ip address 11
route-map DO_NOT_ADVERTISE permit 20
!

A distribute-list can be used in OSPF only on the receiving device, so it should be configured on the FW itself.

It is not recommended: because of the link-state nature of OSPF, a distribute-list can be used inbound to decide what prefixes to install in the local routing table, but it does not influence LSA propagation. If the FW speaks OSPF with somebody else, it would pass the LSAs for prefixes blocked by the distribute-list, causing a routing black hole.

Hope to help

Giuseppe
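
An offline check of the two approaches above (Jerry's route-map on `redistribute connected` and Giuseppe's `network ... area` statements), added here as an example and not posted by anyone in the thread. It is a simplified Python model of Cisco wildcard matching; the function names are hypothetical, and the addresses and ACL entries are copied from the posts.

```python
# Added illustration: a simplified model of Cisco wildcard-mask matching,
# not vendor code. Function names are hypothetical.
from ipaddress import IPv4Address, IPv4Interface

# SVI addresses copied from the original post.
SVIS = {
    "Vlan10": "172.22.132.67/255.255.255.224",
    "Vlan15": "172.22.132.211/255.255.255.240",
    "Vlan20": "172.22.133.3/255.255.255.128",
    "Vlan30": "172.22.133.131/255.255.255.128",
    "Vlan101": "172.22.134.3/255.255.255.224",
    "Vlan102": "172.22.134.35/255.255.255.248",
}
# access-list 12 from Jerry's reply: (address, wildcard) permit entries.
ACL_12 = [("172.22.134.0", "0.0.0.31"), ("172.22.134.32", "0.0.0.7")]
# network statements from Giuseppe's reply.
NETWORK_STMTS = [
    ("172.22.132.64", "0.0.0.31"), ("172.22.132.211", "0.0.0.0"),
    ("172.22.133.0", "0.0.0.127"), ("172.22.133.128", "0.0.0.127"),
]

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit the wildcard does not mask."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(base)) & care

def acl_permits(addr, acl):
    """Standard ACL made of permit entries; no match means implicit deny."""
    return any(wildcard_match(addr, b, w) for b, w in acl)

def via_route_map():
    """redistribute connected + route-map: deny 10 (match ACL), permit 1000."""
    out = []
    for cidr in SVIS.values():
        net = IPv4Interface(cidr).network
        # A standard ACL in a route-map is tested against the network address.
        if not acl_permits(str(net.network_address), ACL_12):
            out.append(str(net))  # falls through to the empty permit clause
    return sorted(out)

def via_network_statements():
    """network ... area 0: an SVI joins OSPF when its own IP matches."""
    out = []
    for cidr in SVIS.values():
        iface = IPv4Interface(cidr)
        if any(wildcard_match(str(iface.ip), b, w) for b, w in NETWORK_STMTS):
            out.append(str(iface.network))
    return sorted(out)

if __name__ == "__main__":
    print("route-map:", via_route_map())
    print("network  :", via_network_statements())
```

Both functions return the same four prefixes and leave out 172.22.134.0/27 and 172.22.134.32/29; on the router the difference is that redistributed connected routes are advertised as external routes, while `network` statements make them internal to area 0.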

I am working from home today; will try this tomorrow.

Thanks to all
