07-24-2016 01:33 PM - last edited on 02-13-2024 12:37 AM by Translator
Hi everybody,
I am at my wits' end.
Please consider the following example:
R1-12.12.12.1 AREA0--12.12.12.2 R2
We want to achieve the following:
Using a distribute-list on R2 which references a route-map which then references a prefix-list, block installing R1's loopbacks: 11.11.1.0/24, 11.11.2.0/24, 11.11.3.0/24, except for loopback 1.1.1.1/32
##R1##
R1 has the following loopbacks, advertised with network commands in OSPF:
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Loopback1
ip address 11.11.1.1 255.255.255.0
interface Loopback2
ip address 11.11.2.2 255.255.255.0
interface Loopback3
ip address 11.11.3.3 255.255.255.0
R1#show running-config | section ospf
router ospf 1
log-adjacency-changes
network 1.0.0.0 0.255.255.255 area 0
network 11.0.0.0 0.255.255.255 area 0
network 12.12.0.0 0.0.255.255 area 0
##R2##
Below we can see R2 is learning R1's loopbacks:
R2#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 12.12.12.1, 00:24:27, FastEthernet0/0
11.0.0.0/32 is subnetted, 3 subnets
O 11.11.3.3 [110/2] via 12.12.12.1, 00:24:27, FastEthernet0/0
O 11.11.2.2 [110/2] via 12.12.12.1, 00:24:27, FastEthernet0/0
O 11.11.1.1 [110/2] via 12.12.12.1, 00:24:27, FastEthernet0/0
Next we configure a distribute-list to prevent R2 from installing 11.11.1.0/24, 11.11.2.0/24, 11.11.3.0/24, except for loopback 1.1.1.1/32:
router ospf 1
network 12.12.0.0 0.0.255.255 area 0
distribute-list route-map DENY-R1 in
ip prefix-list DENY-R1 seq 10 deny 11.11.0.0/16 le 32
ip prefix-list DENY-R1 seq 20 permit 1.1.1.1/32
route-map DENY-R1 permit 10
match ip address DENY-R1
But it does not have any effect; R2 still has 11.11.1.0/24, 11.11.2.0/24, 11.11.3.0/24:
R2#show ip route ospf
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 12.12.12.1, 00:24:27, FastEthernet0/0
11.0.0.0/32 is subnetted, 3 subnets
O 11.11.3.3 [110/2] via 12.12.12.1, 00:24:27, FastEthernet0/0
O 11.11.2.2 [110/2] via 12.12.12.1, 00:24:27, FastEthernet0/0
O 11.11.1.1 [110/2] via 12.12.12.1, 00:24:27, FastEthernet0/0
What am I missing here?
Thanks and have a great weekend!!
07-24-2016 01:47 PM
Hi Sarah,
You have a small but significant omission in your route-map: The line match ip address DENY-R1 references an ACL, not a prefix-list, and because that ACL does not exist, no filtering takes place. The route-map should correctly say:
route-map DENY-R1 permit 10
match ip address prefix-list DENY-R1
Just as an optimization remark, notice that your prefix-list denies certain prefixes, permits other ones (that do not overlap with the denied ones), and has no permit 0.0.0.0/0 le 32 at its end, meaning that it still acts as "what's not permitted is denied". If the goal of the prefix-list is to permit 1.1.1.1/32 exclusively then a single line would suffice:
ip prefix-list DENY-R1 permit 1.1.1.1/32
If its purpose is to filter out the unwanted prefixes and permit everything else then it could be reworked as follows:
ip prefix-list DENY-R1 deny 11.11.0.0/16 le 32
ip prefix-list DENY-R1 permit 0.0.0.0/0 le 32
Best regards,
Peter
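
A small offline check for the mistake diagnosed in the answer above: a `match ip address` line that names an object which exists only as a prefix-list. This is an added example, not code from the thread; the function name and report format are assumptions, and the parser covers only the few IOS commands that appear here.

```python
import re

# R2's configuration as posted in the question.
POSTED = """
router ospf 1
 network 12.12.0.0 0.0.255.255 area 0
 distribute-list route-map DENY-R1 in
ip prefix-list DENY-R1 seq 10 deny 11.11.0.0/16 le 32
ip prefix-list DENY-R1 seq 20 permit 1.1.1.1/32
route-map DENY-R1 permit 10
 match ip address DENY-R1
"""
# Same configuration with the corrected match line from the accepted answer.
FIXED = POSTED.replace("match ip address DENY-R1",
                       "match ip address prefix-list DENY-R1")

def dangling_matches(config):
    """Return (route_map, kind, name, hint) for every 'match ip address'
    reference to an object that the configuration never defines."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    defined = {"ACL": set(), "prefix-list": set()}
    for l in lines:                                  # pass 1: definitions
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", l):
            defined["ACL"].add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", l):
            defined["ACL"].add(m.group(1))
        elif m := re.match(r"ip prefix-list (\S+) ", l):
            defined["prefix-list"].add(m.group(1))
    findings, route_map = [], None
    for l in lines:                                  # pass 2: references
        if m := re.match(r"route-map (\S+) (?:permit|deny)\b", l):
            route_map = m.group(1)
        elif m := re.match(r"match ip address (.+)", l):
            names = m.group(1).split()
            kind = "ACL"                             # bare names mean ACLs
            if names[0] == "prefix-list":
                kind, names = "prefix-list", names[1:]
            other = "prefix-list" if kind == "ACL" else "ACL"
            for name in names:
                if name not in defined[kind]:
                    hint = (f"defined as {other}" if name in defined[other]
                            else "not defined at all")
                    findings.append((route_map, kind, name, hint))
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, dangling_matches(cfg) or "no dangling references")
```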
			
    
	
		
		
07-24-2016 01:48 PM - last edited on 02-13-2024 12:38 AM by Translator
Hi;
Use distribute-list in without route-map;
router ospf 1
distribute-list prefix DENY-R1 in
Thanks & Best regards;
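
The three prefix-list variants from this thread, evaluated against the OSPF routes R2 shows in its table. This is an added example, not from any poster: the evaluator is a simplified model of prefix-list matching (first match wins, implicit deny at the end), and 10.10.10.0/24 is a constructed extra route included to expose where the variants differ.

```python
import ipaddress

def parse(lines):
    """Parse 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge X] [le Y]' lines
    into (action, network, min_len, max_len) tuples, kept in order."""
    entries = []
    for line in lines:
        tok = line.split()[3:]                  # drop 'ip prefix-list NAME'
        if tok[0] == "seq":
            tok = tok[2:]
        action, net = tok[0], ipaddress.ip_network(tok[1])
        opts = dict(zip(tok[2::2], map(int, tok[3::2])))
        if opts:                                # ge/le widen the length range
            lo, hi = opts.get("ge", net.prefixlen), opts.get("le", 32)
        else:                                   # no ge/le: exact length only
            lo = hi = net.prefixlen
        entries.append((action, net, lo, hi))
    return entries

def permitted(prefix_list, routes):
    """Routes the list permits: first matching entry wins, no match is a deny."""
    out = []
    for route in routes:
        r = ipaddress.ip_network(route)
        for action, net, lo, hi in prefix_list:
            if lo <= r.prefixlen <= hi and r.subnet_of(net):
                if action == "permit":
                    out.append(route)
                break
    return out

# Prefix-list as posted in the question.
POSTED = parse(["ip prefix-list DENY-R1 seq 10 deny 11.11.0.0/16 le 32",
                "ip prefix-list DENY-R1 seq 20 permit 1.1.1.1/32"])
# The two reworked forms from the accepted answer.
PERMIT_ONLY = parse(["ip prefix-list DENY-R1 permit 1.1.1.1/32"])
DENY_THEN_ANY = parse(["ip prefix-list DENY-R1 deny 11.11.0.0/16 le 32",
                       "ip prefix-list DENY-R1 permit 0.0.0.0/0 le 32"])

# OSPF routes from R2's table, plus one constructed route (10.10.10.0/24).
ROUTES = ["1.1.1.1/32", "11.11.1.1/32", "11.11.2.2/32", "11.11.3.3/32",
          "10.10.10.0/24"]

if __name__ == "__main__":
    for label, pl in (("posted", POSTED), ("permit only", PERMIT_ONLY),
                      ("deny then permit any", DENY_THEN_ANY)):
        print(f"{label:22} installs {permitted(pl, ROUTES)}")
```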
07-24-2016 02:11 PM
Good catch Peter,
Agreed, better to use a single command to allow 1.1.1.1/32 rather than 0/0 le 32
Thanks and have a great weekend:)