Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3624
Views
0
Helpful
5
Replies

NX-OS - OSPF route filtering by route-map deny "match tag" failing to match inbound routes

david.stanbridge
Level 1
Level 1

‎06-17-2015 03:41 AM - edited ‎03-05-2019 01:41 AM

Hi,

I am trying to filter inbound routes into my headquarters core network, whereby the routes are originating from within the same area (0), but which are redistribution routes from and via the MPLS WAN providers backbone into my customer OSPF instance.

I'm running NX-OS 5.2 and have applied the following config to my network to try and match a custom tag associated to each branch office who are part of the MPLS WAN.

Traffic Flow:

Branch 1. 10.2.6.0/24 OSPF process 1 Area 0 ----> Branch CPE adds tag of 875 -----> Redistribute via BGP into MPLS network ---> HQ CPE redistributes branch network learned routes with associated tag of 875 ---> into HQ OSPF 1 Area 0.

I have created a route-map deny statement on HQ router and a second statement to permit all other learnt routes:

route-map ospf-inbound-tag deny 10
  match tag 875
route-map ospf-inbound-tag permit 20

and applied the route-map to my HQ Router ospf instance

router ospf 1
  router-id 10.9.100.2
  area 0.0.0.0 filter-list route-map ospf-inbound-tag in
  log-adjacency-changes
  summary-address 10.9.0.0/16
  passive-interface default

But can see the routes I want to block still being shown in the routing table:

10.2.6.0/25, ubest/mbest: 1/0
    *via 10.9.248.1, Vlan248, [110/1], 02:51:10, ospf-1, type-2, tag 875
10.2.6.128/26, ubest/mbest: 1/0
    *via 10.9.248.1, Vlan248, [110/1], 02:51:10, ospf-1, type-2, tag 875
10.2.6.192/26, ubest/mbest: 1/0
    *via 10.9.248.1, Vlan248, [110/1], 02:51:10, ospf-1, type-2, tag 875
10.2.7.0/26, ubest/mbest: 1/0

HQ NEXUS# show ip ospf policy statistics area 0.0.0.0 filter-list in
C: No. of comparisions, M: No. of matches

route-map ospf-inbound-tag deny 10
  match tag 875                                          C: 0      M: 0
route-map ospf-inbound-tag permit 20

Total accept count for policy: 0
Total reject count for policy: 0

I've been reading up and this may be to do with the fact that the routes being learned are because they are within the same area and are therefore not being filtered as the Branch router is not a ABR, but my references are related to prefix lists and IOS.

I was hoping someone has had a similar experience or could possibly assist with troubleshooting.

Many Thanks

David

 

 

 

Labels:
0 Helpful
5 Replies 5

branfarm1
Level 4
Level 4

‎06-17-2015 06:27 AM

With the MPLS network in the middle, your Branch and HQ are effectively in two separate OSPF domains even though they are both configured to be in area 0.  You can see this because the routes from the branch are being received as E2 External routes (ospf-1, type-2), which are learned from Type-5 LSA messages from an ASBR (The HQ CPE where BGP/OSPF interact).

The area x filter-list command only filters Type-3 LSA's at ABR's, which is why it doesn't seem to be doing anything for you.   If you want to prevent these routes from being entered into the routing table, I believe you should be using a distribute-list on the HQ router.

0 Helpful

david.stanbridge
Level 1
Level 1
In response to branfarm1

‎06-17-2015 08:14 AM

Hi,

Thank you for the reply - I thought that may have been the case, so thank you for confirming for me the ABR reasoning.

I've been looking into this a bit more and it seems the distribute-list isn't supported in NX-OS:

Additionally, i've found some information in the below link about using table-maps, but again the command fails to apply to the OSPF Process (in fact table-map is not in the list of commands)

https://supportforums.cisco.com/discussion/11985186/distribute-list-nexus-7000-ospf

NXSW01(config)# router ospf 1
NXSW01(config-router)# table-map ospf-inbound-tag
ERROR: Unable to get table-map name

I think I will have to raise a TAC case, as it may be a version issue or that it's not supported on the 5k's.

 

 

0 Helpful

branfarm1
Level 4
Level 4
In response to david.stanbridge

‎06-17-2015 08:35 AM

Yeah, you're right -- distribute lists are not supported in NX-OS. I didn't realize that. This page also has a helpful feature comparison -- NX-OS/IOS OSPF Comparison.  

Sounds like they added the table-maps to in later versions though, so TAC should be able to tell you which version will support it.

 

 

0 Helpful

david.stanbridge
Level 1
Level 1
In response to branfarm1

‎06-18-2015 01:45 AM

Thanks branfarm1. 

raising a support case now.

I'll update this discussion with the response from TAC for sanity reasons.

0 Helpful

david.stanbridge
Level 1
Level 1
In response to david.stanbridge

‎06-29-2015 03:48 AM

From Cisco TAC - 

"Table-maps were introduced indeed but for the Nexus 7K platform. I understand you have a Nexus 5K. This feature is not supported there as of now. The “distribute-list” command is on the road map though, but we have no information yet as to what code will include that feature."

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card