OSPF Redistribution route-map with prefix-list not working after upgr

heinrichsra
Level 1

Dear Cisco DevOps for OSPF on ASA,

why has the configuration of prefix-lists been removed from OSPF v3/OSPFv4 when your DevOps colleagues for BGP, IS-IS and EIGRP continue to implement prefix-list?

Furthermore, without prefix-list it is no longer possible to use "less specific" routes as a backup path.
According to the workaround in CSCwi31091, how should it be possible to filter a "less-specific" route via ACL?
Example:
route outside 10.246.2.0 255.255.255.0 [BackupPath-NextHop] 15 <=== DO NOT redistribute
route outside 10.246.2.0 255.255.255.128 [PrimaryPath-NextHop] 10 <= Prefix for redistribution
route outside 10.246.2.128 255.255.255.128 [PrimaryPath-NextHop] 10 <= Prefix for redistribution

Kind regards
Ralf

34 Replies

Can you elaborate more?
MHM

With prefix-list and the mentioned example I used ...
   prefix-list Redistribute_VPN_OSPF seq 10 permit 10.246.2.0/25
   prefix-list Redistribute_VPN_OSPF seq 20 permit 10.246.2.128/25

Without a prefix-list I have no luck redistributing only the two /25s:
access-list Redistribute_STATIC_OSPF standard permit 10.246.2.0 255.255.255.128
access-list Redistribute_STATIC_OSPF standard permit 10.246.2.128 255.255.255.128
access-list Redistribute_STATIC_OSPF standard deny 10.246.2.0 255.255.255.0 (just as a reminder not to redistribute the /24)

You redistribute static into OSPF, and the access list checks the update.
So you have three static routes, two with /25 and one with /24?
MHM

Exactly, I have all three in the routing:
O E1 10.246.2.0 255.255.255.128 [110/90] via ...
O E1 10.246.2.0 255.255.255.0 [110/90] via ... <== WRONG!!! Should NOT be redistributed
O E1 10.246.2.0 255.255.255.128 [110/90] via ...

Maybe I am wrong, but are you sure whether the ACL uses a wildcard or a mask? Can you double check?

MHM

Yeah, on routers/L3 switches it's the wildcard, but not with the ASA:

access-list Redistribute_STATIC_OSPF standard permit 10.246.2.0 ?

configure mode commands/options:
A.B.C.D Netmask for the IP address

Ruben Cocheno
Spotlight

@heinrichsra 

Ouch!

New changes, and your DevOps team will have to adapt to the new reality of the new software release. You might want to test using ACLs in a lab prior to doing it in production, unless you already have it in production.

You might want to redistribute the preferred paths using Type-1 and keep the rest as Type-2 in OSPF, or not advertise the rest at all.


Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

@Ruben Cocheno 
The two are redistributed as Type-1 and the /24 is not redistributed at all.

Ruben Cocheno
Spotlight

@heinrichsra 

I feel that the deny clause in your ACL is breaking it, as per the reference below...

For reference:
Route maps can have permit and deny clauses. The deny clause rejects route matches from redistribution. You can use an ACL as the matching criterion in the route map. Because ACLs also have permit and deny clauses, the following rules apply when a packet matches the ACL:

  • ACL permit + route map permit: routes are redistributed.

  • ACL permit + route map deny: routes are not redistributed.

  • ACL deny + route map permit or deny: the route map clause is not matched, and the next route-map clause is evaluated.

A route map clause without a match or set entry does perform an action. An empty permit clause allows a redistribution of the remaining routes without modification. An empty deny clause does not allow redistribution of other routes (this is the default action if a route map is completely scanned, but no explicit match is found).


@Ruben Cocheno 

The following is exactly what I was testing in the lab environment:

route outside 10.246.2.0 255.255.255.0 [BackupPath-NextHop] 15 <=== DO NOT redistribute
route outside 10.246.2.0 255.255.255.128 [PrimaryPath-NextHop] 10 <= prefix for redistribution
route outside 10.246.2.128 255.255.255.128 [PrimaryPath-NextHop] 10 <= prefix for redistribution
!
prefix-list Redistribute_VPN_OSPF seq 10 permit 10.246.2.0/25
prefix-list Redistribute_VPN_OSPF seq 20 permit 10.246.2.128/25
!
access-list Redistribute_STATIC_OSPF standard permit 10.246.2.0 255.255.255.128
access-list Redistribute_STATIC_OSPF standard permit 10.246.2.128 255.255.255.128
!
route-map Redistribute_VPN_OSPF permit 10
match ip address Redistribute_STATIC_OSPF

But the result in the routing table shows both /25s as well as the /24.

Ruben Cocheno
Spotlight

@heinrichsra 

Remove and add back the static routes to flush out any doubts. As per the sentence below, that should work; if it is still not working after you bounce it, apply a deny clause (last) on the route-map and bounce again.

An empty deny clause does not allow redistribution of other routes (this is the default action if a route map is completely scanned, but no explicit match is found).


Same as before

access-list Redistribute_STATIC_OSPF standard permit 10.246.2.0 255.255.255.128
access-list Redistribute_STATIC_OSPF standard permit 10.246.2.128 255.255.255.128
access-list Redistribute_STATIC_OSPF_DENY standard permit 10.246.2.0 255.255.255.0
!
route-map Redistribute_STATIC_OSPF permit 10
match ip address Redistribute_STATIC_OSPF
route-map Redistribute_STATIC_OSPF deny 20
match ip address Redistribute_STATIC_OSPF_DENY

O E1 10.246.2.0 255.255.255.0 [110/90] via ... <== WRONG!!! Should NOT be redistributed
O E1 10.246.2.0 255.255.255.128 [110/90] via ...
O E1 10.246.2.0 255.255.255.128 [110/90] via ...
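As an added illustration (not code from the thread or from Cisco), the following Python model runs the three posted static routes through the route-map rules quoted above, once with the posted ACL/route-map and once with the old prefix-list. Its one modelling assumption, consistent with every result posted so far, is that a standard-ACL match compares only the route's network address under the entry's netmask and never looks at the route's own prefix length, whereas a prefix-list compares the length too.

```python
from ipaddress import ip_address, ip_network

# Constructed sample input: the three static routes posted in the thread.
STATIC_ROUTES = ["10.246.2.0/24", "10.246.2.0/25", "10.246.2.128/25"]

# The posted ACLs (ASA standard ACLs take a netmask, not a wildcard) and the
# prefix-list that worked before the upgrade.
ACL_PERMIT = [("permit", "10.246.2.0", "255.255.255.128"),
              ("permit", "10.246.2.128", "255.255.255.128")]
ACL_DENY = [("permit", "10.246.2.0", "255.255.255.0")]
PREFIX_LIST = [("permit", "10.246.2.0/25"), ("permit", "10.246.2.128/25")]

def acl_matches(entries, route):
    """Standard-ACL match on a route. Modelling assumption (consistent with the
    results posted above): only the route's network address is compared under
    the entry's netmask; the route's own prefix length is never looked at."""
    addr = int(ip_network(route).network_address)
    for action, address, netmask in entries:
        mask = int(ip_address(netmask))
        if addr & mask == int(ip_address(address)) & mask:
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def prefix_list_matches(entries, route):
    """Prefix-list match: network address AND prefix length must both match
    (no ge/le modifiers, exactly as in the posted prefix-list)."""
    for action, prefix in entries:
        if ip_network(route) == ip_network(prefix):
            return action == "permit"
    return False  # implicit deny at the end of every prefix-list

def route_map_redistributes(clauses, route):
    """Route-map evaluation per the rules quoted in the thread: the first clause
    whose match succeeds decides; a clause whose ACL denies is skipped;
    running off the end of the route-map means the route is not redistributed."""
    for action, match_fn in clauses:
        if match_fn(route):
            return action == "permit"
    return False

def redistributed_with_acl():
    # permit 10 / deny 20 exactly as in the posted route-map
    clauses = [("permit", lambda r: acl_matches(ACL_PERMIT, r)),
               ("deny", lambda r: acl_matches(ACL_DENY, r))]
    return [r for r in STATIC_ROUTES if route_map_redistributes(clauses, r)]

def redistributed_with_prefix_list():
    clauses = [("permit", lambda r: prefix_list_matches(PREFIX_LIST, r))]
    return [r for r in STATIC_ROUTES if route_map_redistributes(clauses, r)]
```

Under the ACL model the /24 is permitted by clause 10, because its network address 10.246.2.0 matches the first ACL entry under the /25 netmask, so the deny 20 clause is never consulted; the prefix-list rejects the /24 on its length, which is why only the two /25s appeared before the upgrade.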

I do not recommend using an ACL for redistribution,
and this case is one of the limitations that support my recommendation.
I tried it in the lab with the same result, even when I used a router and a wildcard.
After some trying I found a solution:

Use a tag with the static route, then match the tag in the route-map instead of matching the prefix itself.


route-map MHM permit 10
match tag 25
route-map MHM deny 20
match tag 24

MHM

On routers or L3 switches it is exactly as you wrote.
However, the ASA works very differently from any other known routing device; I guess this "weird" routing on the ASA is an ancient relic from the PIX.

Sadly, your solution does not work with the ASA; an ASA does not have the feature to tag static routes:
route outside 10.246.2.0 255.255.255.0 198.18.255.12 ?
configure mode commands/options:
<1-255> Distance metric for this route, default is 1
track Install route depending on tracked item
tunneled Enable the default tunnel gateway option, metric is set to 255
<cr>

There are a couple of reasons why the ASA OSPF DevOps should think once again about removing the prefix-list command from OSPF on the ASA (while the prefix-list command on BGP, IS-IS and EIGRP persists).

BTW, tagging routes is possible inside the redistribute statement:
   router ospf 1
    redistribute static metric 30 metric-type 1 subnets tag 7 route-map Redistribute_VPN_OSPF

From my experience, your solution using "route-map MHM deny 20" is not needed, as an implicit deny came up with the same result.

So, any helpful tips to find a solution on an ASA without using the prefix-list command are very welcome.