Configuring Distribute-lists with OSPF

Hello community

I'm trying to configure a distribute list on OSPF but I keep getting the following error message:

% This command only accepts named standard IP access-lists.

The access-list that I'm trying to apply is:

ip access-list extended router2nets
remark DistributteInOSPF_150.2.0.0
permit IP 150.2.0.0 0.0.0.255 any

Can someone please explain why I'm getting that message?

Cheers

Carlton


Hi guys,

Any ideas?

Cheers

Hi guys,

I realised the routes will still show with the access-lists configured - I just won't be able to access any resources within the 150.2.0.0 when the access-list is applied to the interface.

Cheers

Carlton

Carlton,

You have to distinguish between the effect of having an ACL put directly on an interface and used in a distribute-list. An ACL used on an interface using the ip access-group command will filter packets based on their header contents. An ACL used in a distribute-list in will filter networks in incoming routing updates, or in case of OSPF, networks as they enter the routing table. Notice the subtle but very important difference - ACL on an interface does not apply to packet contents, rather to packets themselves! The distribute-list, on the other hand, filters the contents of routing protocol updates, and only routing protocol updates. Placing your ACL on the interface is not correct here.

Can I ask you what IOS image you are running? The behavior of your IOS suggests there may be a bug involved.

I have reviewed your configuration that uses the prefix-list. I do not see any obvious mistake in it. Can you revert to that configuration that uses the prefix lists, and post the output of the following commands?

show ip ospf neighbor

show ip ospf database

show ip route ospf

show ip prefix-list

Thank you!

Best regards,

Peter
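
The distinction drawn in the reply above, as an added configuration sketch that is not part of the original thread: the same network is referenced once for route filtering and once for packet filtering. The ACL names ROUTES-150 and PACKETS-150 are hypothetical; the process ID, interface and prefix-list name are taken from the outputs posted in this thread.

```cisco
! Constructed example, not taken from any poster's configuration.
!
! 1) Route filtering with a named STANDARD ACL.
!    A standard ACL has a single address field, which distribute-list
!    compares against the network address of each route. This is the ACL
!    type the error message on this page asks for.
ip access-list standard ROUTES-150
 remark DistributeInOSPF_150.2.0.0
 permit 150.2.0.0 0.0.0.255
 ! implicit deny: every other route is kept out of the routing table
!
router ospf 1
 distribute-list ROUTES-150 in
!
! 2) The prefix-list form of the same idea, using the list shown by
!    "show ip prefix-list" in this thread.
!    Use either form 1 or form 2 under the OSPF process, not both.
ip prefix-list OSPF seq 5 permit 150.2.2.0/24
!
! router ospf 1
!  distribute-list prefix OSPF in
!
! 3) Packet filtering with an EXTENDED ACL on an interface.
!    This matches source and destination in packet headers. It has no
!    effect on which routes OSPF installs, so the route stays in the
!    table while the traffic itself is dropped.
ip access-list extended PACKETS-150
 deny   ip 150.2.0.0 0.0.0.255 any
 permit ip any any
!
interface Ethernet1/0
 ip access-group PACKETS-150 in
!
! Verification, using commands already requested in this thread:
!   show ip ospf database   LSAs are still present; distribute-list in
!                           does not filter the link-state database
!   show ip route ospf      only routes permitted by the list are installed
```

Because OSPF's inbound distribute-list acts only on the local routing table, neighbors still receive the LSAs and can install the route themselves.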

Hi Peter,

Sorry for the delayed response - I had to run out.

Anyway, I have done as you asked - reverted back to the original configuration you provided. I have attached the configs of the four routers in the lab and a topology. Below are the contents of the show commands:

R4#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           0   FULL/  -        00:01:59    10.0.1.1        Ethernet1/0
3.3.3.3           1   FULL/BDR        00:00:36    10.0.0.13       FastEthernet0/0
R4#
R4#show ip ospf database

            OSPF Router with ID (4.4.4.4) (Process ID 1)

                Router Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum Link count
1.1.1.1         1.1.1.1         541         0x80000002 0x00CC9A 4
4.4.4.4         4.4.4.4         540         0x80000002 0x0028DD 5

                Summary Net Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
10.0.0.0        1.1.1.1         571         0x80000001 0x00E050
10.0.0.4        1.1.1.1         571         0x80000001 0x00B874
10.0.0.4        4.4.4.4         526         0x80000001 0x0068B7
10.0.0.12       1.1.1.1         517         0x80000001 0x0072B1
10.0.0.12       4.4.4.4         571         0x80000001 0x000E0B

                Summary ASB Link States (Area 0)

Link ID         ADV Router      Age         Seq#       Checksum
1.1.1.1         4.4.4.4         516         0x80000001 0x00E83D
3.3.3.3         1.1.1.1         519         0x80000001 0x00DC4E
3.3.3.3         4.4.4.4         528         0x80000001 0x00829C
         
R4#how ip route ospf
    ^
% Invalid input detected at '^' marker.

R4#
R4#show ip prefix-list
ip prefix-list OSPF: 1 entries
   seq 5 permit 150.2.2.0/24
R4#
R4#show ip route ospf
R4#show ip route ospf

R4#

Hi Carlton,

I apologize - I have not yet had the time to go over your configurations in detail. However, your output puzzles me - I see no LSA-5 being displayed in the show ip ospf database, i.e. those topological elements that carry redistributed (external) networks. Logically, if they are not in the link-state database, the routes they contain cannot be placed into the routing table. I wonder - why are they missing?

Best regards,

Peter