OSPF E1 route filtering - strange behaviour

Miroslav10hr
Level 1

Hi,

I was doing something and found a problem regarding route filtering in OSPF. It seemed to me like this was a trivial thing, but it turned out that it is not.

I have a network with one central router, one backup router and remote locations routers connected through IPsec VPN to central and backup router. Primary and backup tunnel are differentiated with lower and higher OSPF costs on the tunnel. Everything works fine, all routes are propagating OK and there is no problem with that.

Here are networks in this example.

Central router

LAN: 10.168.1.0/24

Backup router

LAN: 10.168.105.0/24


Remote location

LAN: 10.169.1.0/24

I have one static route on central router 10.0.0.0 255.0.0.0 10.168.1.107

What I wanted to do is to redistribute this route in the network as E1 type route and then filter routing tables on remote locations so that they have only this (default) 10.0.0.0 route in their routing tables. Remote locations are not communicating with each other, only with central and backup locations. So all the traffic from remote locations is going only to central or backup location.

Here are the routing tables, I will put only entries concerning this problem, because I have some loopback interfaces, VTI interfaces and so on. But basically everything is on the network 10.0.0.0.

Central router:

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 13 subnets, 5 masks

S       10.0.0.0/8 [1/0] via 10.168.1.107
O       10.169.1.0/24 [110/51] via 10.168.211.6, 00:01:36, Tunnel20
C       10.168.1.0/24 is directly connected, FastEthernet0/0

O       10.168.105.0/24 [110/60] via 10.168.211.105, 04:07:12, Tunnel1


Backup router

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 13 subnets, 5 masks

O E1    10.0.0.0/8 [110/71] via 10.168.211.1, 01:08:36, Tunnel0

O       10.169.1.0/24 [110/151] via 10.168.211.6, 01:01:55, Tunnel21

O       10.168.1.0/24 [110/51] via 10.168.211.1, 04:30:51, Tunnel0
C       10.168.105.0/24 is directly connected, FastEthernet0/0

Remote location

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 10 subnets, 4 masks
O E1    10.0.0.0/8 [110/121] via 10.168.211.1, 00:00:08, Tunnel1
C       10.169.1.0/24 is directly connected, FastEthernet0/0
O       10.168.1.0/24 [110/101] via 10.168.211.1, 00:00:08, Tunnel1
O       10.168.105.0/24 [110/160] via 10.168.211.105, 00:00:03, Tunnel2

The problem is that when I configure "distribute-list in" on the local router permitting only network 10.0.0.0, all OSPF routes are blocked, although this route was previously in the table as posted above.

Here is the distribute list:

distribute-list DEFAULT_ROUTE in

ip access-list standard DEFAULT_ROUTE
permit 10.0.0.0

Remote location

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

C       10.169.1.0/24 is directly connected, FastEthernet0/0

It took me a while and then I found out that I have to additionally permit route 10.168.1.0 (LAN of the central router) and then route 10.0.0.0 also appears. I tried permitting 10.0.0.0 0.255.255.255 in the access list also and every other possible combination, but until I permit 10.168.1.0 this route will not appear in the routing table of the remote router.

ip access-list standard DEFAULT_ROUTE
permit 10.0.0.0
permit 10.168.1.0 0.0.0.255

Remote location

10.0.0.0/8 is variably subnetted, 5 subnets, 4 masks
O E1    10.0.0.0/8 [110/121] via 10.168.211.1, 00:00:03, Tunnel1
C       10.169.1.0/24 is directly connected, FastEthernet0/0
O       10.168.1.0/24 [110/101] via 10.168.211.1, 00:00:03, Tunnel1

Could someone explain to me why that is? Is it because originally this static route is on the central router pointing to a host in that network (10.0.0.0 255.0.0.0 10.168.1.107) and that has something to do with it? It seems to me that this makes no sense, but maybe I am missing something.

Thanks.

1 Reply

Giuseppe Larosa
Hall of Fame

Hello Miroslav,

>>> I have one static route on central router 10.0.0.0 255.0.0.0 10.168.1.107

This is the key point

you need to examine the LSA with

sh ip ospf database external 10.0.0.0

the forwarding address field FA is probably set to 10.168.1.107.

For OSPF to accept external route 10.0.0.0/8 its forwarding address (= next-hop) has to be known as an OSPF internal route.

And this is what you see

It should be noted that using distribute-list with OSPF is tricky, as you are actually filtering IP prefixes entering the IP routing table; you are not able to change the DB contents.

if another OSPF device is added at a remote site it will see the LSAs describing the filtered routes.

I would use a different approach:

you can use a different area for the remote routers and on HUB routers you can use area range command

ip prefix-list onlymajor10 permit 10.0.0.0/8

router ospf

area 0 range 10.0.0.0 255.0.0.0

area 1 filter-list prefix onlymajor10 in

putting all remote devices in area 1

see

http://www.cisco.com/en/US/docs/ios/iproute_ospf/command/reference/iro_osp1.html#wp1011184

http://www.cisco.com/en/US/docs/ios/iproute_ospf/command/reference/iro_osp1.html#wp1011537

12.4.4   AS-external-LSAs

http://www.rfc-editor.org/rfc/rfc2328.txt


Hope to help

Giuseppe
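
The behaviour discussed in this thread can be reproduced with a small model. This is an added example, not part of either post: it assumes the forwarding address of the external LSA is 10.168.1.107, as the reply suggests, and the function names are hypothetical.

```python
import ipaddress

def acl_permits(acl, prefix):
    """Standard ACL as used by distribute-list: compare the route's network
    address with each (address, wildcard) entry; implicit deny at the end."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for addr, wildcard in acl:
        a = int(ipaddress.ip_address(addr))
        w = int(ipaddress.ip_address(wildcard))
        if (net | w) == (a | w):        # wildcard bits are "don't care"
            return True
    return False

def install_routes(internal, externals, acl):
    """Return the OSPF routes that reach the routing table.
    internal:  intra/inter-area prefixes computed by SPF
    externals: (prefix, forwarding_address) pairs from type-5 LSAs
    The LSDB itself is never changed by the filter, only the table."""
    rib = [p for p in internal if acl_permits(acl, p)]
    for prefix, fa in externals:
        if not acl_permits(acl, prefix):
            continue
        # A non-zero forwarding address must resolve through an OSPF
        # internal route that is actually installed (RFC 2328, 16.4).
        if fa != "0.0.0.0":
            fa_ip = ipaddress.ip_address(fa)
            if not any(fa_ip in ipaddress.ip_network(p) for p in rib):
                continue                # FA unreachable: external dropped
        rib.append(prefix)
    return rib

# Prefixes taken from the thread; the forwarding address is an assumption.
INTERNAL = ["10.168.1.0/24", "10.168.105.0/24"]
EXTERNALS = [("10.0.0.0/8", "10.168.1.107")]

# "permit 10.0.0.0" with no wildcard is a host match (wildcard 0.0.0.0).
ACL_FIRST = [("10.0.0.0", "0.0.0.0")]
ACL_SECOND = ACL_FIRST + [("10.168.1.0", "0.0.0.255")]

def demo():
    return (install_routes(INTERNAL, EXTERNALS, ACL_FIRST),
            install_routes(INTERNAL, EXTERNALS, ACL_SECOND))

if __name__ == "__main__":
    first, second = demo()
    print("first ACL :", first)
    print("second ACL:", second)
```

With the first access list the table is empty; with the second it holds 10.168.1.0/24 and 10.0.0.0/8, matching the two remote-router outputs posted above.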
