Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

OSPFv3 Redistribution using Route-Map w/ ACL

How's it going?

So I'm trying to force myself to use an access-list to redistribute an IPv6 static route into OSPFv3... I can do it no problem using a prefix-list but cannot figure out the logic for the extended IPv6 access-list, any direction or linkage is appreciated:

Here's the scenario:

I need to redistribute a static route into OSPFv3 using a route-map with an access-list. The network is 2001:1111:2222:ff00::/56, here's what I have for configs...

------------------------------------------------------------------------------------------------------------------

ipv6 route 2001:1111:2222:ff00::/56 2001:1111:2222::21

ipv6 router ospf 1

  <router-id>

  redistribute static metric-type 1 route-map IPv6Statics2OSPF

  <etc...>

route-map IPv6Statics2OSPF permit 10

  match ipv6 address IPv6Statics2OSPF-ACL

ipv6 access-list IPv6Statics2OSPF-ACL permit <what goes here, I can't figure out the logic?>

------------------------------------------------------------------------------------------------------------------

OSPFv3 is completely operational and the only thing I need assistance with is the CLI of the ipv6 access-list (because it's extended it's a little tricky).

I've tried using "host" entries with "F's" for a mask similar to IPv4 extended access-lists with route-maps... but no dice.

Thanks,

-Jeremy

2 REPLIES
New Member

Re: OSPFv3 Redistribution using Route-Map w/ ACL

The closest I can get this to working is to use:

"ipv6 access-list IPv6Statics2OSPF permit 2001:1111:2222:FF00::/56 any"

But I'd prefer to make this permit only routes with a /64 prefix-length... using the above line, the router will advertise anything with 2001:1111:2222:FF as the first 56 bits, at that point the masks can be variable which is "working but not as intended."

*BUMP*

Check this output for clarification:

IPv6 access list IPv6Statics2OSPF

  permit ipv6 2001:1111:2222:FF00::/56 FFFF:FFFF:FFFF:FF00::/56 sequence 1

  permit ipv6 2001:1111:2222:FF00::/56 FFFF:FFFF:FFFF:FFFF::/64 sequence 2

  permit ipv6 2001:1111:2222:FF00::/56 any (14 matches) sequence 510

The routes that are advertised are:

2001:1111:2222:FF00::/56 (via the last ACL entry)

2001:1111:2222:FF01::/64 (via the last ACL entry)

2001:1111:2222:FF01:9999::/80 (via the last ACL entry)

The routes that are correctly filtered are:

2001:1111:2222:EE00::/56

2011:1111:2222:EE01::/64

You would expect the 1st network to be permitted via the 1st ACL entry, and so on down to the 3rd network... There must be something more to the mask on the access-list that I'm not understanding.

Message was edited by: Jeremy Buck

New Member

OSPFv3 Redistribution using Route-Map w/ ACL

Hello Jeremy,

I am also stuck while trying to understand how ACLs work when redistributing routes into OSPF. So far I saw the exact same behavior as on your last post. The "source" address of the ACL is used to match the destination address of a route, to a prefix of specified length. What the "destination" field is used for, in the the ACL, I still haven't figured out. It does not seem to follow the same logic as with IPv2 ACLs when applied to redistribution route-maps.

Some extra points Id like to add, based on my observations of trying to match a particular network address length:

When used for the "destination" field of the "permit ipv6" access-list-configuration command:

- If you enter "::/0", "sh run" and "sh ipv6 access-list" will show that automatically edited to "any"

- The same for "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF/0"

-" FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF/128" is edited to "FFFF:... ...:FFFF" (w/o the prefix length)

- "::128" is edited to "::" (Once again, w/o the prefix length)

- "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF/63" is edited to "FFFF:FFFF:FFFF:FFFE::/63"

The last example reveals that the 63 here means: "Match the first 63 bits, the rest I don't care."

Observations made w/ SW/HW:

3600 Software (C3660-IS-M), Version 12.4(15)T9, RELEASE SOFTWARE (fc5)

884
Views
0
Helpful
2
Replies