Prefer OSPF route over per-user static route(Injected via Radius)

johnelliot6
Level 2

Hi,

Have a client's site with Eth (primary) + DSL (redundant) tails terminating in a VRF (same PE). We are running OSPF over the Eth service, with the CE advertising the LAN subnets, and the DSL service is injecting the same LAN subnets on auth via RADIUS. Our issue is that the RADIUS-injected routes are being preferred over the OSPF routes:

Eg.

10.0.0.0/24

Preferred via DSL:

U       10.0.0.0/24 [1/0] via 172.18.19.8   <-- When DSL service is connected

Disconnect DSL and Eth (OSPF route) is preferred:

O E2    10.0.0.0/24 [110/1] via 10.11.6.186, 00:00:02, Port-channel1.91 <-- DSL has been disconnected.

Tried manipulating the OSPF advertisements from the CE (default-metric 1), but obviously the per-user static is 1/0, so it is still preferred.

Is there a way to add weight to the av-pair RADIUS reply? Tried the following, but it fails to connect:

route="10.0.0.0 255.255.255.0 254"

Hoping there is some way to make the DSL routes less attractive than the OSPF routes.

Thanks in advance.

8 Replies

Giuseppe Larosa
Hall of Fame

Hello John,

most specific routes are used first regardless of administrative distance settings. If possible you should try to inject via RADIUS less specific routes than those learned by OSPF. This should fix your problem.

Hope to help

Giuseppe

Thanks Giuseppe - Do you know if it is possible to inject a less specific route via RADIUS with an av-pair reply attribute?

Hi,

Sorted it out - the following works like a charm.

cisco-avpair = "ip:route=10.0.0.0 255.255.255.0 172.18.19.8 254 name test"

Hi John,

Are you suggesting that you have simply extended the av-pair content to the form of a usual ip route command, including the administrative distance and even the route name, and it got accepted? That is fabulous - you're a genius! I've browsed over the Cisco website and tried to google out any usable information, but every page staunchly maintained that the syntax of the route# av-pair is rather terse. This is not even in the official Cisco documentation.

I am glad you got it running, and thanks for letting all of us know the solution!

Best regards,

Peter

Hi Peter,

Yes, Cisco docs are a little light on this subject, so I tried a few variations, and the av-pair above was accepted. The "framed-route" reply attribute is very restrictive.

The LNS is a 7200, with a Radiator RADIUS server.

FYI, RADIUS logs after successful auth, with routes etc.:

Code:       Access-Accept
Identifier: 152
Authentic:  y<12><31><180><31>~<192><160><9><14><197><17><13>9YS
Attributes:
        Framed-IP-Address = 172.18.19.8
        cisco-avpair = "lcp:interface-config=ip vrf forwarding REGENTS \nip unnumbered Loopback35"
        cisco-avpair = "ip:route=192.168.10.0 255.255.255.0 172.18.19.8 254 name REGENTS_LAN"
        cisco-avpair = "ip:route=10.0.0.0 255.255.255.0 172.18.19.8 254 name REGENTS_LAN"
        cisco-avpair = "ip:route=192.168.0.0 255.255.255.0 172.18.19.8 254 name REGENTS_LAN"
        cisco-avpair = "ip:route=192.168.101.11 255.255.255.255 172.18.19.8 254 name REGENTS_MNGMT"
        Framed-Protocol = PPP
        Framed-IP-Netmask = 255.255.255.255
        Framed-Routing = None
        Framed-MTU = 1500     
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User

Hello John,

Very good job.

As Peter has noted, you have been very kind to provide feedback on this.

With less specific route I meant, for example, to advertise a 10.0.0.0/23 instead of 10.0.0.0/24, so that when OSPF comes back its more specific route is used.

But your solution is better because it can work in any case; my suggestion can be used if the address plan allows for the use of these less specific summary routes (no overlapping with another remote site).

I had used a similar setup for ISDN backup access to an MPLS VPN involving a RADIUS server but without L2TP (direct access).

Hope to help

Giuseppe
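The following is an added example, not code from the original thread or from Cisco. It parses the ip:route= av-pairs out of a Radiator-style Access-Accept dump like the one John posted and then models IOS route selection (longest matching prefix first, then lowest administrative distance) against the OSPF-learned 10.0.0.0/24, to show why the terse form ([1/0]) wins over OSPF, why an explicit AD of 254 turns the DSL route into a floating backup, and how Giuseppe's less specific /23 summary reaches the same result by prefix length. The attribute lines are copied from the log above; the terse and /23 variants, the OSPF entry and the destination address are constructed for the demonstration. The accepted grammar is only the form the thread confirmed works (network mask next-hop [AD] [name NAME]); the vrf keyword asked about in the last reply is not confirmed anywhere on this page and is deliberately rejected.

```python
"""Added example (not from the thread): parse Cisco 'ip:route=' av-pairs out
of a RADIUS Access-Accept and model IOS route selection (longest prefix
first, then lowest administrative distance) against the OSPF-learned route.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

OSPF_AD = 110   # IOS default AD for OSPF; matches the 'O E2 ... [110/1]' entry
STATIC_AD = 1   # IOS default AD for a static route with no AD given ([1/0])

# Grammar confirmed working in the thread: net mask next-hop [AD] [name NAME].
# The 'vrf' keyword asked about later is NOT accepted here (unconfirmed).
_ROUTE_RE = re.compile(
    r"^ip:route=(?P<net>\S+)\s+(?P<mask>\S+)\s+(?P<nh>\S+)"
    r"(?:\s+(?P<ad>\d{1,3}))?(?:\s+name\s+(?P<name>\S+))?\s*$"
)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    ad: int
    source: str            # 'radius' or 'ospf'
    name: Optional[str] = None


def parse_avpair(value: str) -> Route:
    """Parse one cisco-avpair value; raise ValueError if it is malformed.
    The first attempt in the thread, 'route=10.0.0.0 255.255.255.0 254',
    fails here too: '254' lands in the next-hop slot and is not an address.
    """
    m = _ROUTE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an ip:route av-pair: {value!r}")
    prefix = ipaddress.IPv4Network((m["net"], m["mask"]), strict=True)
    next_hop = ipaddress.IPv4Address(m["nh"])
    ad = int(m["ad"]) if m["ad"] else STATIC_AD
    if not 1 <= ad <= 255:
        raise ValueError(f"administrative distance out of range 1-255: {ad}")
    return Route(prefix, next_hop, ad, "radius", m["name"])


def routes_from_accept(log: str) -> list[Route]:
    """Collect every ip:route av-pair from a Radiator-style attribute dump."""
    routes = []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith('cisco-avpair = "') and "ip:route=" in line:
            routes.append(parse_avpair(line.split('"', 1)[1].rstrip('"')))
    return routes


def overrides_ospf(route: Route) -> bool:
    """True if this injected route would beat an OSPF route to the same prefix."""
    return route.ad < OSPF_AD


def best_route(rib: list[Route], dst: str) -> Optional[Route]:
    """IOS-style choice among candidates: longest prefix, then lowest AD."""
    cands = [r for r in rib if ipaddress.IPv4Address(dst) in r.prefix]
    if not cands:
        return None
    return min(cands, key=lambda r: (-r.prefix.prefixlen, r.ad))


def simulate(accept_log: str, ospf: Route, dst: str = "10.0.0.10"):
    """Return (source used while OSPF is up, source used after OSPF is lost)."""
    radius = routes_from_accept(accept_log)
    with_ospf = best_route(radius + [ospf], dst)
    without_ospf = best_route(radius, dst)
    return with_ospf.source, (without_ospf.source if without_ospf else None)


# OSPF route from the 'show ip route' line in the original post.
OSPF_ROUTE = Route(ipaddress.IPv4Network("10.0.0.0/24"),
                   ipaddress.IPv4Address("10.11.6.186"), OSPF_AD, "ospf")

# Attribute lines copied from the Access-Accept posted above (AD 254 form).
ACCEPT_FIXED = r'''
        Framed-IP-Address = 172.18.19.8
        cisco-avpair = "lcp:interface-config=ip vrf forwarding REGENTS \nip unnumbered Loopback35"
        cisco-avpair = "ip:route=192.168.10.0 255.255.255.0 172.18.19.8 254 name REGENTS_LAN"
        cisco-avpair = "ip:route=10.0.0.0 255.255.255.0 172.18.19.8 254 name REGENTS_LAN"
        cisco-avpair = "ip:route=192.168.0.0 255.255.255.0 172.18.19.8 254 name REGENTS_LAN"
        cisco-avpair = "ip:route=192.168.101.11 255.255.255.255 172.18.19.8 254 name REGENTS_MNGMT"
'''
# Constructed: the terse form with no AD, i.e. the original problem ([1/0]).
ACCEPT_TERSE = 'cisco-avpair = "ip:route=10.0.0.0 255.255.255.0 172.18.19.8"\n'
# Constructed: Giuseppe's alternative, a less specific /23 summary at AD 1.
ACCEPT_SUMMARY = 'cisco-avpair = "ip:route=10.0.0.0 255.255.254.0 172.18.19.8"\n'

if __name__ == "__main__":
    for label, log in (("AD 254", ACCEPT_FIXED), ("terse", ACCEPT_TERSE),
                       ("/23 summary", ACCEPT_SUMMARY)):
        up, down = simulate(log, OSPF_ROUTE)
        print(f"{label:12s} OSPF up -> {up:6s}  OSPF down -> {down}")
```

Running it prints which source carries 10.0.0.10 with OSPF up and after the OSPF route is withdrawn: the AD 254 form and the /23 summary both defer to OSPF while it is present and take over when it is gone, while the terse form captures the traffic even with OSPF up. The overrides_ospf check is the review point worth keeping on the RADIUS side: any per-user route injected without an explicit AD installs at AD 1 and will displace every dynamic route to the same prefix, so an Access-Accept template should always carry the AD explicitly.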

Hi,

I have the same issue with per-user static routes from AAA,

but I want to deny this from the router. What command do I put on the router to prevent the per-user route from being installed into the routing table?

I mean I want to still allow it from RADIUS but deny it from the router?

Regards

Hi John,

Thanks for this valuable info, but I have a concern and need your help with it:

You mentioned that you can add a static route as below:

cisco-avpair = "ip:route=10.0.0.0 255.255.255.0 172.18.19.8 254 name test"

But what about adding a static route under a VRF? Would it be something like the below:

cisco-avpair = "ip:route=10.0.0.0 255.255.255.0 172.18.19.8 254 vrf TEST name test"

Thanks again, and waiting for your reply.
