DMVPN OSPF filtering

tahscolony
Level 1

Trying to come up with a method to create a simple ACL for filtering inbound routes. We have one router that has a second connection to the core and it is distributing routes we do not want to see in Area 1. All the DMVPN networks are picking up these routes via the hub. Will creating an ACL with 192.168.0.0/16 and 10.0.0.0/8 applied to the OSPF incoming on the DMVPN tunnel prevent all routes except for anything out of those two subnets, or do I need to specify each individual network from the remote sites in the ACL? We are trying to prevent traffic from heading up the tunnel to the one site and using that connection to get to Area 0, and instead use the DMVPN hub to get to Area 0.

3 Replies

Richard Burts
Hall of Fame

It is possible to configure an access list and to use that access list in a distribute list to filter out routing advertisements for some protocols such as RIP or EIGRP. But that does not work the same when you use OSPF. You can use a distribute list in OSPF but the results may not be entirely what you expect. If you use a distribute list inbound in OSPF then the routes that you deny in the access list will not appear in the local routing table. But those routes are in the OSPF database and they will be advertised to other OSPF neighbors regardless of the distribute list. This is because of one of the fundamental properties of a Link State routing protocol, which is that all devices in an area must have the same content in their link state database for that area.

It may help to think of it in this way - a distribute list is for controlling the advertisement of routes but an OSPF advertisement is advertising link states and not actual routes.

HTH

Rick 


Following this doc is what I am trying to do

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-mt/iro-15-mt-book/iro-abr-type-3.html

The question is, can I use a supernet in the ACL, or do I need to specify each individual subnet that I want to allow in?

It was not clear in your original post that you were asking about ABR Type 3 LSA filtering. Thank you for clarifying that this is what you were asking about. Since the Type 3 LSA filter uses a prefix list rather than a simple access list then yes you can use a supernet in your prefix list.

HTH

Rick

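An added configuration example, not posted in this thread and not taken from the linked Cisco document, showing the ABR Type 3 LSA filter with the two supernets from the question. It assumes OSPF process 1, that the filtering router is the ABR for area 1, and the prefix-list name AREA1-IN; the `le 32` on each entry is what makes a supernet match its more-specific subnets, since a prefix-list entry without `le`/`ge` matches only that exact prefix.

```cisco
! Added example (not from the thread): Type 3 LSA filtering into area 1 on the ABR.
! Without "le 32" an entry such as "permit 10.0.0.0/8" would match only the /8 itself,
! not the individual remote-site subnets inside it.
ip prefix-list AREA1-IN seq 5 permit 10.0.0.0/8 le 32
ip prefix-list AREA1-IN seq 10 permit 192.168.0.0/16 le 32
! Everything else is dropped by the prefix list's implicit deny.
!
router ospf 1
 area 1 filter-list prefix AREA1-IN in
!
! Verification on an area 1 router: every inter-area (O IA) route should now fall
! inside one of the two supernets.
! show ip ospf database summary
! show ip route ospf
```

Unlike an inbound `distribute-list`, which only keeps the denied routes out of the local routing table, the area filter-list stops the ABR from originating the Type 3 LSAs into area 1, so the other area 1 routers never learn them.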