AW: distribute-list gateway

From: Roger RPF (rpf@bluemail.ch)
Date: Mon Feb 09 2009 - 11:08:55 ARST


Hello Hobbs, Group

I just checked this issue again and it seems that for the distribute-list
gateway in ospf we have to use the neighbor address and NOT the router-id.
This is somehow strange to me because, for example, with the distance command
in OSPF we need the router id of the originating router.

Can one of the "OSPF Gurus" confirm this??

Here is my example. I have a hub&spoke topology with R4 as hub. He learns the
route 99.99.99.1 from 3 different spokes, R2, R5, R6, but R5 has the best
metric (metric 3) so he installs that in the routing table. The prefix
99.99.99.1 comes from another area, in this case area 0 (it is a loopback on
my R1 router).

Note that the router-id of R5 is 99.99.99.5

R4(config-router)#do sh ip ospf neig

Neighbor ID Pri State Dead Time Address Interface
99.99.99.6 0 FULL/DROTHER 00:01:59 146.46.44.6 Serial0/0
--> R6
99.99.99.5 0 FULL/DROTHER 00:01:45 146.46.44.5 Serial0/0
--> R5
99.99.99.2 0 FULL/DROTHER 00:01:48 146.46.44.2 Serial0/0
--> R2
R4(config-router)#

R4(config)#do sh ip ospf data summ 99.99.99.1

            OSPF Router with ID (99.99.99.4) (Process ID 1)

                Summary Net Link States (Area 246)

  Routing Bit Set on this LSA
  LS age: 1266
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 99.99.99.1 (summary Network Number)
  Advertising Router: 99.99.99.2
  LS Seq Number: 80000001
  Checksum: 0x324C
  Length: 28
  Network Mask: /32
        TOS: 0 Metric: 103

  Routing Bit Set on this LSA
  LS age: 1291
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 99.99.99.1 (summary Network Number)
  Advertising Router: 99.99.99.5
  LS Seq Number: 80000001
  Checksum: 0x34AB
  Length: 28
  Network Mask: /32
        TOS: 0 Metric: 3

  LS age: 952
  Options: (No TOS-capability, DC, Upward)
  LS Type: Summary Links(Network)
  Link State ID: 99.99.99.1 (summary Network Number)
  Advertising Router: 99.99.99.6
  LS Seq Number: 80000001
  Checksum: 0x3D20
  Length: 28
  Network Mask: /32
        TOS: 0 Metric: 132

R4(config)#
R4(config-router)#do sir 99.99.99.1
Routing entry for 99.99.99.1/32
  Known via "ospf 1", distance 110, metric 132, type inter area
  Last update from 146.46.44.5 on Serial0/0, 1d21h ago
  Routing Descriptor Blocks:
  * 146.46.44.5, from 99.99.99.5, 1d21h ago, via Serial0/0
      Route metric is 132, traffic share count is 1

++++++++++++++++++++++
Now I configure the incoming distribute-list with the address of R5
(146.46.44.5), NOT the router-id.

R4(config)#do sh ip prefix-list
ip prefix-list ospf: 2 entries
   seq 4 deny 146.46.44.5/32
   seq 10 permit 0.0.0.0/0 le 32
R4(config)#do sr | b router ospf
router ospf 1
 router-id 99.99.99.4
 log-adjacency-changes
 auto-cost reference-bandwidth 200
 network 99.99.99.4 0.0.0.0 area 246
 network 146.46.44.4 0.0.0.0 area 246
 neighbor 146.46.44.6
 neighbor 146.46.44.5
 neighbor 146.46.44.2
 distribute-list gateway ospf in Serial0/0
!

And now you can see that he learns the prefix 99.99.99.1 from R2 (RID
99.99.99.2, neigh 146.46.44.2), which has the second best ospf metric (103).

R4(config)#do sir 99.99.99.1
Routing entry for 99.99.99.1/32
  Known via "ospf 1", distance 110, metric 232, type inter area
  Last update from 146.46.44.2 on Serial0/0, 00:20:49 ago
  Routing Descriptor Blocks:
  * 146.46.44.2, from 99.99.99.2, 00:20:49 ago, via Serial0/0
      Route metric is 232, traffic share count is 1

So this works fine.
If I try the same with the router id of R5 (99.99.99.5) instead of the
neighbor in the prefix list, nothing gets filtered; I still have the prefix
with R5 as next hop in the routing table (146.46.44.5 with RID 99.99.99.5):

R4(config)#do sh ip prefix-lis
ip prefix-list ospf: 2 entries
   seq 3 deny 99.99.99.5/32
   seq 10 permit 0.0.0.0/0 le 32

R4(config)#do sir 99.99.99.1
Routing entry for 99.99.99.1/32
  Known via "ospf 1", distance 110, metric 132, type inter area
  Last update from 146.46.44.5 on Serial0/0, 00:00:37 ago
  Routing Descriptor Blocks:
  * 146.46.44.5, from 99.99.99.5, 00:00:37 ago, via Serial0/0
      Route metric is 132, traffic share count is 1

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Hobbs
Sent: Wednesday, February 4, 2009 23:31
To: Roger RPF
Cc: Luan Nguyen; Tim; Cisco certification; security@groupstudy.com
Subject: Re: distribute-list gateway

Funny thing, that was a PERMIT prefix-list, hmm...
So it must not have matched the router-ID and just denied everything.

Back to the drawing board...

On Wed, Feb 4, 2009 at 3:27 PM, Hobbs <deadheadblues@gmail.com> wrote:
> Hello Roger,
>
> Yes, it appears to work that way:
>
> R4#sho ip osp ne
>
> Neighbor ID Pri State Dead Time Address Interface
> 3.3.3.3 0 FULL/ - 00:00:35 192.168.34.3 Serial1/1
> 5.5.5.5 0 FULL/ - 00:00:32 192.168.45.5 Serial1/0
>
> R4#sho ip route | inc 34.3
> Gateway of last resort is 192.168.34.3 to network 0.0.0.0
> O 192.168.23.0/24 [110/6] via 192.168.34.3, 00:00:10, Serial1/1
> O 192.168.3.0/24 [110/2] via 192.168.34.3, 00:00:10, Serial1/1
> O*E2 0.0.0.0/0 [110/1] via 192.168.34.3, 00:00:05, Serial1/1
>
> Next hop is 192.168.34.3, router-id is 3.3.3.3
>
> Now I make the list:
>
> R4(config)#ip prefix-list R3 permit 3.3.3.3/32
> R4(config)#router ospf 1
> R4(config-router)#distribute-list gateway R3 in serial 1/1
> R4(config-router)#^Z
> R4#clear ip route *
>
> No more routes from 34.3:
>
> R4#sho ip route | inc 34.3
> R4#
>
>
> -hth
>
>
> On Wed, Feb 4, 2009 at 3:11 PM, Roger RPF <rpf@bluemail.ch> wrote:
>> Luan,
>>
>> In the first link of your post, it is written (according to this cisco guy)
>> that with OSPF it is the router-id of the neighbor...as I would imagine.
>>
>> Copy from this mail of the link...
>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>> Hi George... following is an explanation by Faraz Shamim @cisco.
>>
>> //snip//
>>
>> This is a generic option for all the routing protocols, not just OSPF.
>> Gateway is the ip address of the neighbor whom you receive a routing update
>> from. This term makes more sense in RIP and IGRP. In case of OSPF it's the
>> router ID of the neighbor.
>>
>> Lets say you want to block full or partial routing update from a neighbor on
>> a broadcast segment like ethernet. If you do passive interface in case of
>> OSPF then it will affect all the neighbors on that segment so one option
>> there is to use gateway with distribute-list.
>>
>> Note, this option is only valid for inbound distribute-list. Outbound
>> distribute-list will not work and it does not make sense, that's why it's not
>> supported.
>>
>> //snip//
>>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>
>> So I guess I really have to check it once with ospf, for the other protocols
>> it is clear to me...
>> Can someone prove the correct behavior with OSPF???
>>
>>
>> regards
>>
>> Roger
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>> Luan Nguyen
>> Sent: Wednesday, February 4, 2009 21:58
>> To: 'Tim'; 'Cisco certification'; security@groupstudy.com
>> Subject: RE: distribute-list gateway
>>
>> Here's a link
>>
>> http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rdrip.html#wp1025003
>>
>> Link to older group study post:
>> http://www.groupstudy.com/archives/ccielab/200206/msg00924.html
>>
>> Use prefix-list with next-hop IP address and not router-ID.
>>
>> Regards,
>>
>> Luan Nguyen
>> Chesapeake NetCraftsmen, LLC.
>> [W] http://www.netcraftsmen.net
>> [M] luan@netcraftsmen.net
>> [Blog] http://cnc-networksecurity.blogspot.com/
>>
>>
>>
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Tim
>> Sent: Wednesday, February 04, 2009 11:57 AM
>> To: 'Cisco certification'; security@groupstudy.com
>> Subject: distribute-list gateway
>>
>> Hi Guys,
>>
>> Is the above command undocumented?
>>
>> I couldn't find it in the command reference or by using the command lookup
>> tool.
>>
>> If the command is documented somewhere, could you post the link to it?
>>
>> Also, when using this command with ospf, should the ip of the neighbor
>> router be specified with the router ID or the ip add assigned to the
>> interface from which the updates are coming?
>>
>> Thanks in advance,
>>
>> Tim
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

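An added example (mine, not from the thread or from Cisco): a small Python model of the rule the thread settles on, evaluating a prefix-list against each neighbor's interface address the way an inbound `distribute-list gateway` does. The prefix-list semantics (seq order, first match, ge/le, implicit deny) are standard IOS behaviour implemented here by hand; the sample neighbor table and the two prefix-lists are transcribed from Roger's mail, and the regex assumes the column layout shown there.

```python
import ipaddress
import re

# Constructed sample input: the neighbor table and both prefix-lists from
# Roger's mail, transcribed as plain strings.
SHOW_NEIGHBOR = """\
99.99.99.6 0 FULL/DROTHER 00:01:59 146.46.44.6 Serial0/0
99.99.99.5 0 FULL/DROTHER 00:01:45 146.46.44.5 Serial0/0
99.99.99.2 0 FULL/DROTHER 00:01:48 146.46.44.2 Serial0/0
"""
LIST_BY_ADDRESS = ["seq 4 deny 146.46.44.5/32", "seq 10 permit 0.0.0.0/0 le 32"]
LIST_BY_RID = ["seq 3 deny 99.99.99.5/32", "seq 10 permit 0.0.0.0/0 le 32"]

# Columns: Neighbor ID, Pri, State, Dead Time, Address, Interface (the State
# column is assumed to contain no spaces, as in the output above).
NEIGH_RE = re.compile(r"^(\S+)\s+\d+\s+\S+\s+\S+\s+(\S+)\s+(\S+)$")
ENTRY_RE = re.compile(r"^seq (\d+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?$")

def parse_neighbors(text):
    """Map router-id -> (interface address, interface) from 'show ip ospf neighbor'."""
    out = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            out[m.group(1)] = (m.group(2), m.group(3))
    return out

def prefix_list_action(entries, address):
    """Evaluate an ip prefix-list against one host address (tested as a /32):
    entries are tried in seq order, the first match wins, and anything left
    unmatched hits the implicit deny at the end of every prefix-list."""
    target = ipaddress.ip_network(f"{address}/32")
    matches = [m for m in map(ENTRY_RE.match, entries) if m]
    for m in sorted(matches, key=lambda m: int(m.group(1))):
        net = ipaddress.ip_network(m.group(3), strict=False)
        ge, le = m.group(4), m.group(5)
        lo = int(ge) if ge else net.prefixlen  # no ge: start at the entry's own length
        hi = int(le) if le else (32 if ge else net.prefixlen)  # no le: exact length (or /32 with ge)
        if target.subnet_of(net) and lo <= target.prefixlen <= hi:
            return m.group(2)
    return "deny"

def filtered_neighbors(entries, neighbors):
    """Router-ids of neighbors whose updates an inbound 'distribute-list gateway'
    would drop: the list is matched against the neighbor's interface address (the
    next hop in 'show ip route'), never against its router-id."""
    return sorted(rid for rid, (addr, _) in neighbors.items()
                  if prefix_list_action(entries, addr) == "deny")
```

Run against Roger's RID-based list it filters nothing, and a permit-only list naming a router-id (as in Hobbs's first test) denies every neighbor address through the implicit deny, which is the "denied everything" he observed.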



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST