Re: Filter RFC1918 in OSPF

johnelliot · ‎08-14-2006

Hi,

Have the following ospf config, and am wanting to stop ospf from advertising interface fastEthernet0/0.999 (Which is used for management, and uses 192.168.1.0/24 range)

router ospf 100

router-id xxx.xxx.xxx.xxx

log-adjacency-changes

area 0.0.0.0 authentication message-digest

redistribute connected subnets

redistribute static subnets

redistribute rip subnets

passive-interface default

#show ip route 192.168.1.1

Routing entry for 192.168.1.0/24

Known via "connected", distance 0, metric 0 (connected, via interface)

Redistributing via ospf 100

Advertised by ospf 100 subnets

Routing Descriptor Blocks:

* directly connected, via FastEthernet0/0.999

Route metric is 0, traffic share count is 1

ospf is reporting that it is not enabled on the FE subint:

#show ip ospf interface fastEthernet0/0.999

%OSPF: OSPF not enabled on FastEthernet0/0.999

But as it is a connected subnet, it is advertising....

ilya.varlashkin · ‎08-14-2006

From part of your config I can't see that OSPF is running on any interface at all, since there is no any 'network' or 'neighbor' command, and then all interfaces are passive.

If you want to advertise only some of the connected networks you have generally two options:

1) careful use of 'network' statement will enable OSPF only on the interfaces that should be in OSPF; or

2) using a route-map when redistributing, like

access-list 1 perm 192.168.1.0 0.0.0.255

route-map connected-to-ospf deny 10

match ip address 1

route-map connected-to-ospf perm 20

!

router ospf 100

redistribute connected subnets route-map connected-to-ospf

Both will get right routes into OSPF database, but in case of redistribution you routes will be external Type-2 (unless you also specify 'metric-type 1' in redistribute command), which may or may not be important (depending on your topology). Unless there's specific reason of using redistribution, I'd prefer using 'network' command to choose which directly connected networks should be advertised.

johnelliot · ‎08-14-2006

Thanks for the reply...

The following ints are non-passive:

no passive-interface FastEthernet0/0.10

no passive-interface FastEthernet0/0.50

no passive-interface FastEthernet0/0.101

no passive-interface FastEthernet0/0.102

no passive-interface FastEthernet0/0.801

no passive-interface FastEthernet0/0.802

no passive-interface FastEthernet0/0.803

no passive-interface ATM1/0.100

no passive-interface ATM1/0.102

no passive-interface FastEthernet4/0

no passive-interface Loopback10

no passive-interface Loopback101

no passive-interface Loopback102

And I do not have a network statement for the 192.168.1.0/24 subnet...so I assumed "redistribute connected subnets" was overiding this?

Thanks for the tip on the route-map.

ilya.varlashkin · ‎08-14-2006

Ok, but you do have 'network' statement covering other interfaces, don't you? Yes, redistribute command doesn't care whether interface is passive or not so route-map is essential tool to control what routes should be redistributed (whether they're connected, static or learned from some other routing protocol).

I'd suggest you to remove 'redistribute connected' command at all, and use 'network' command possible in combination with passive-interface for some interfaces in order to get your connected networks into OSPF.

johnelliot · ‎08-14-2006

Yes - Have multiple "network" statements covering the other interfaces.

Thanks for the assistance, I'll remove the "redistribute connected" and see how it goes.