distribute-list gateway with OSPF
The following example shows how to use distribute-list with the gateway option for inbound route filtering in OSPF. The diagram below shows R1 directly connected to R2 with OSPF configured between them.

Initial Configuration:

!-- R1 OSPF configuration
router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
 network 172.16.12.1 0.0.0.0 area 0
 network 172.16.101.1 0.0.0.0 area 0 !-- R1's Loopback0
 network 10.10.10.1 0.0.0.0 area 0 !-- R1's Loopback1

!-- R2 OSPF configuration
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 172.16.12.2 0.0.0.0 area 0
 network 172.16.102.1 0.0.0.0 area 0 !-- R2's Loopback0

!-- Routing tables
R1(config-router)#do sh ip route ospf
172.16.0.0/16 is variably subnetted, 5 subnets, 2 masks
O 172.16.102.1/32 [110/2] via 172.16.12.2, 00:14:12, FastEthernet0/0.12
R2(config-router)#do sh ip route ospf
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
O 172.16.101.1/32 [110/2] via 172.16.12.1, 00:00:07, FastEthernet0/0.12
10.0.0.0/32 is subnetted, 1 subnets
O 10.10.10.1 [110/2] via 172.16.12.1, 00:00:07, FastEthernet0/0.12
Now I am going to apply a distribute-list on R2 to filter R1's Loopback0 (172.16.101.1/32), specifically as learned from R1, using the gateway option.
R2(config)#ip prefix-list Loop deny 172.16.101.1/32
R2(config)#ip prefix-list Loop permit 0.0.0.0/0 le 32
R2(config)#
R2(config)#ip prefix-list R1 permit 172.16.12.1/32
R2(config)#
R2(config)#router ospf 1
R2(config-router)#distribute-list prefix Loop gateway R1 in
!-- verification; as shown 172.16.101.1/32 is filtered
R2(config-router)#do sh ip route ospf
10.0.0.0/32 is subnetted, 1 subnets
O 10.10.10.1 [110/2] via 172.16.12.1, 00:00:05, FastEthernet0/0.12
One point worth noting here: the gateway option matches on the next-hop address of the route, not on the router-id as the distance command does.
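The filter above modeled in Python, as an added example that is not part of the original post. It evaluates the two prefix lists from the configuration against the two OSPF routes R2 had before filtering. The function names are hypothetical, and requiring both the route list and the gateway list to permit a route is an assumption of this model.

```python
import ipaddress

def prefix_list_permits(entries, candidate):
    """First-match evaluation of an IOS-style prefix list (implicit deny at the end).
    entries: (action, prefix, ge, le); ge/le both None means exact length match."""
    cand = ipaddress.ip_network(candidate)
    for action, prefix, ge, le in entries:
        net = ipaddress.ip_network(prefix)
        if ge is None and le is None:
            lo = hi = net.prefixlen
        else:
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else 32
        if cand.subnet_of(net) and lo <= cand.prefixlen <= hi:
            return action == "permit"
    return False

# Prefix lists as configured on R2 in the post
LOOP = [("deny", "172.16.101.1/32", None, None),
        ("permit", "0.0.0.0/0", None, 32)]
R1_GW = [("permit", "172.16.12.1/32", None, None)]

# Same gateway list written with R1's router-id instead of its next-hop address
R1_BY_ROUTER_ID = [("permit", "1.1.1.1/32", None, None)]

# (prefix, next hop) pairs taken from R2's routing table before filtering
ROUTES = [("172.16.101.1/32", "172.16.12.1"),
          ("10.10.10.1/32", "172.16.12.1")]

def installed(routes, prefix_list, gateway_list):
    """Routes that survive 'distribute-list prefix <list> gateway <gw> in'.
    Assumption: a route is installed only if both lists permit it."""
    return [prefix for prefix, next_hop in routes
            if prefix_list_permits(prefix_list, prefix)
            and prefix_list_permits(gateway_list, next_hop + "/32")]

if __name__ == "__main__":
    print("gateway = next hop :", installed(ROUTES, LOOP, R1_GW))
    print("gateway = router-id:", installed(ROUTES, LOOP, R1_BY_ROUTER_ID))
```

With the gateway list keyed on the router-id, the next hop 172.16.12.1 never matches, so the filter does not behave as intended.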
June 15th, 2009 at 6:07 pm
Just to add a few more things to this topic. Using a distribute list actually doesn't prevent LSA messages from being exchanged between peers! It just suppresses their installation into the FIB. If Router 2 has another neighbor (depending on the topology of course, but let's say that R2 is p2p connected to R3) it will advertise (maybe advertise is not the appropriate word to say) the information which is denied by the distribute list. By doing this R3 will have routing information for prefixes that were denied in its next hop router (R2) – therefore a black hole occurs. So, in OSPF networks a distribute list has local significance.
Best regards,
Dani