OSPF route filtering check. I have a layer 3 interface VLAN ( int vlan 38) that is connected to set of firewalls. I want to control the routes I recieve from the firewalls OSPF advertisements (similar to an EIGRP distribute list).
Someone sanity check this for me - I think this should limit what I learn to just one route. I don't think it is.
access-list 20 permit 10.2.5.0
route-map filter-firewalls permit 10
match ip address 20
route-map filter-firewalls deny 20
router ospf 10
network 10.2.0.194 0.0.0.0 area 0
distribute-list filter-firewalls in Vlan38
The behavior of distribute lists in OSPF is a bit complicated. OSPF is a link-state protocol rather than a distance vector, so every router in the area shares the same database. In fact the distribute list will not affect the LS database on any router, and will only determine which routes make it to the active routing table in this router only. But all the other routers in the area will still know the route.
That makes distibute lists quite dangerous, and in some cases can invite black-hole routing.
If this is the only router connected to the firewalls, and you are re-distributing into another protocol, then you are OK. If you have any other situation, then you will need to consider the whole architecture, not just this router.
Kevin is quite right in the way distribute lists affect OSPF routes and OSPF database entries so you need to be careful.
However if you are sure you want this and your current config is not working, try
access-list 20 permit 10.2.5.0
router ospf 10
distribute-list 20 in vlan38
There is no need to add the route-map config.
Kevin and Jon are quite right about the behavior of distribute-list in OSPF. And I agree with Jon's comment about not needing the route-map here.
I offer a slightly different way of looking at this behavior which has helped me to understand why it works the way that it does. The distribute-list concept works to filter advertisement of a "route". OSPF, as a Link State Protocol, does not advertise routes but advertises LSAs. The distribute-list filtering routes can prevent insertion of a route from OSPF into the local routing table but can not filter receipt of an LSA, insertion of the LSA into the Link State Data Base, and subsequent advertisement of the LSA to other OSPF neighbors.
Thanks for clarifying that. I was aware of the behavior of the distribute list in OSPF, but I am not really familiar with the way you would use it in practice. (More lab-hours required.) I have a couple of thoughts.
1. If I have a distribute list on a router, then would it not be good practice to put the same distribute list in all the routers in the same area?
2. If I follow the scheme of #1, then the distribute list would also be on any ABR for the area. Would that prevent the type-3 crossing into the backbone? Or, alternatively, from the backbone to an outlying area? That is, does it mean I only need to put the DL in the area that is sourcing the route, and not anywhere else?
To answer your question I believe that we need to be careful to have a good understanding of where you want OSPF routers to know about the route and where you want OSPF routers to not know the route. (If you want all OSPF routers to not know the route then why inject it into OSPF in the first place?)
To deal with your specific points
1) If all routers within an area should not know about the route then all routers within the area need the DL.
2) I do not believe that the DL would prevent type 3 LSAs being generated into the backbone. I do not believe that there is anything about a DL that would change the behavior of taking type 1 and type 2 LSAs from an area and generating corresponding type 3 LSAs into the backbone. Remember that the DL only supresses putting the route into the routing table. It does not impact processing of the Link State Data Base.
Thanks Rick. OK, but that leaves me wondering how to tame the beast. If I put a DL in this router, then the route will not make it to the my routing table. But other routers will work out a route according to the state of the links, and that route might or might not go through me. I have no way of knowing. And they have no way of knowing that I made a DL. So I may well black-hole the traffic.
By applying the DL to all the routers, I was thinking of the situation where you are afraid that someone will generate a bad route - for example a wizz-kid in one of the branch offices.
I am still puzzling over where you could safely put an OSPF DL to good use. Except perhaps to stop a route getting redistributed ... but there are cleaner ways of doing that.
Very Good points regarding the exhchange of the OSP database versus individual routes. The point of this was to make sure I didn't get a default route from these firewalls into my network at this point. I can see the issue of having then to put this DL on all routers in the area which of course is not where I want to go. I atree with kevin then, I'm still puzzeled as to when a DL can be put to good use.
Your question has initiated a very interesting discussion of OSPF behavior. Given your explanation of what you are trying to accomplish (prevent advertisement of a default route from the firewall into your OSPF domain) I will suggest a slightly different solution. My suggestion is that on the router that connects to the firewall you run 2 OSPF processes. One OSPF process will have the interface that connects to the firewall. The other OSPF process has all the other OSPF interfaces. Then you redistribute between processes. Redistribution between processes can be controlled by a distribute-list. So you can filter out the default from the firewall easily and not have to worry about potentially doing something on every other OSPF router.
To address your question I believe that there probably is not a good situation to use a distribute list on OSPF. It is inherent in the design of the protocol that every router should have knowledge of all available routes (especially true for routes within the area) and to attempt to supress certain routes on a router is to work against the basic architecture of the protocol. If you need to supress certain routes on certain routers then OSPF might not be the best choice of routing protocols.
Thank you Rick, that is a great help. One of these days I will understand this networking, and that will be mostly due to your postings on NetPro!
Thank you for the compliment. Your posts show that you already understand quite a large amount about networking and are making good progress in increasing your knowledge. I am glad that I have been able to play some part in that. I hope you will keep up the good work.