Cannot seem to get Distribution lists to work at all - Especially over a hub and spoke NBMA

David Anderson
Level 1

I am using Chris Bryant's topology for a 3 router Hub-and-Spoke through a frame switch setup with a couple extra routers:

The Frame network is running RIP, a router connected to R5 is in EIGRP AS 100, and a spoke has several different OSPF Areas (including Area 0 in the ASBR).

However, I cannot write the most standard list, and have anything happen:

R1:

access-list 55 deny any

conf t

router eigrp 100

distribute-list 55 out rip / fa0/1 (tried both protocol and interface)

Cleared ip route * to get a fresh routing table, and R1 still sees all the routes from EIGRP being redistributed into RIP.

R2, my spoke router with no other protocols can see it, my OSPF filled spoke router R3 and the virtual-link all the way to R4 can see it.

I've tried this same thing over on the OSPF ASBR of R3, I absolutely cannot get this to filter anything to save my life, help?

No matter how simple the distribute-list, it will not do anything on these routers, and when I do debug ip pack it simply doesn't show any sort of filter messages, however "sh ip proto" on R1 does show that EIGRP is being filtered matching 55.

I have confirmed the ACL with a simple deny any above is configured on R1, applied to EIGRP router config. I've done the same deal for OSPF, and just nothing is happening at all. What am I doing wrong?


Hello,

I am not sure if a standard access list is sufficient. To deny RIP and OSPF, I usually use these:

access-list 101 deny udp any any eq rip
access-list 101 deny ospf any any

Your answer really just has the same effect as mine though, they both state deny all traffic (or in dist-list context suppress all route updates) off that interface. I tried it with OSPF on R3 in the lower right hand corner, and that also didn't work.

Does it just not work across an NBMA? Or RIP?

Hello,

I am going to lab this. In the meantime, I somehow seem to remember that the distribute list only works inbound. Can you test that?

distribute-list xx in 

?

Hello.

I just labbed this, both in and out distribute lists work for RIP (version 1 and 2).

Which IOS versions are you running? You might want to try prefix lists instead of access lists:

ip prefix-list DENY_RIP seq 5 deny 0.0.0.0/0 le 32


router rip
 distribute-list prefix DENY_RIP in
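
An added example (not part of the thread or any poster's code): a small Python model of how a prefix-list entry is matched, showing why `0.0.0.0/0 le 32` in the list above covers every IPv4 route while `0.0.0.0/0` alone matches only the default route. The `DEFAULT_ONLY` list and the sample routes are constructed for illustration, and the model covers entry matching only, not the rest of what IOS does with a distribute-list.

```python
import ipaddress

def parse_entry(line):
    """Parse 'ip prefix-list NAME seq N permit|deny A.B.C.D/L [ge X] [le Y]'."""
    tok = line.split()
    net = ipaddress.ip_network(tok[6], strict=False)
    opts = dict(zip(tok[7::2], map(int, tok[8::2])))
    # Neither ge nor le: only the exact prefix length matches.
    # ge only: ge..32.  le only: configured length..le.
    lo = opts.get("ge", net.prefixlen)
    hi = opts.get("le", 32 if "ge" in opts else net.prefixlen)
    return {"seq": int(tok[4]), "action": tok[5], "net": net, "lo": lo, "hi": hi}

def evaluate(lines, route):
    """Return 'permit' or 'deny' for one route; lowest matching seq wins."""
    r = ipaddress.ip_network(route)
    for e in sorted(map(parse_entry, lines), key=lambda e: e["seq"]):
        # The route must fall inside the entry's prefix AND its mask
        # length must lie within the entry's [lo, hi] range.
        if r.subnet_of(e["net"]) and e["lo"] <= r.prefixlen <= e["hi"]:
            return e["action"]
    return "deny"  # implicit deny when nothing matches

def filter_routes(lines, routes):
    """Routes that survive the filter, in input order."""
    return [r for r in routes if evaluate(lines, r) == "permit"]

# The entry posted in the thread.
DENY_RIP = ["ip prefix-list DENY_RIP seq 5 deny 0.0.0.0/0 le 32"]

# Constructed contrast: without 'le 32' the deny hits only the default route.
DEFAULT_ONLY = [
    "ip prefix-list DEFAULT_ONLY seq 5 deny 0.0.0.0/0",
    "ip prefix-list DEFAULT_ONLY seq 10 permit 0.0.0.0/0 le 32",
]

# Constructed sample routes.
ROUTES = ["0.0.0.0/0", "10.1.1.0/24", "172.16.0.0/16", "192.168.5.1/32"]

if __name__ == "__main__":
    print("DENY_RIP passes:    ", filter_routes(DENY_RIP, ROUTES))
    print("DEFAULT_ONLY passes:", filter_routes(DEFAULT_ONLY, ROUTES))
```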

I will first try what you posted, then I'm going to try to lab without the NBMA between 3 routers, O---OSPF----O---EIGRP----O if it doesn't work, to see if I can get it working at all.

I will post back my findings here, again I appreciate your feedback, I'll be sure to update with my finding!
