06-17-2015 03:41 AM - edited 03-05-2019 01:41 AM
Hi,
I am trying to filter inbound routes into my headquarters core network, whereby the routes originate from within the same area (0) but are redistributed routes from and via the MPLS WAN provider's backbone into my customer OSPF instance.
I'm running NX-OS 5.2 and have applied the following config to my network to try to match a custom tag associated with each branch office that is part of the MPLS WAN.
Traffic Flow:
Branch 1. 10.2.6.0/24 OSPF process 1 Area 0 ----> Branch CPE adds tag of 875 -----> Redistribute via BGP into MPLS network ---> HQ CPE redistributes branch network learned routes with associated tag of 875 ---> into HQ OSPF 1 Area 0.
I have created a route-map deny statement on HQ router and a second statement to permit all other learnt routes:
route-map ospf-inbound-tag deny 10
match tag 875
route-map ospf-inbound-tag permit 20
and applied the route-map to my HQ Router ospf instance
router ospf 1
router-id 10.9.100.2
area 0.0.0.0 filter-list route-map ospf-inbound-tag in
log-adjacency-changes
summary-address 10.9.0.0/16
passive-interface default
But I can see the routes I want to block still being shown in the routing table:
10.2.6.0/25, ubest/mbest: 1/0
*via 10.9.248.1, Vlan248, [110/1], 02:51:10, ospf-1, type-2, tag 875
10.2.6.128/26, ubest/mbest: 1/0
*via 10.9.248.1, Vlan248, [110/1], 02:51:10, ospf-1, type-2, tag 875
10.2.6.192/26, ubest/mbest: 1/0
*via 10.9.248.1, Vlan248, [110/1], 02:51:10, ospf-1, type-2, tag 875
10.2.7.0/26, ubest/mbest: 1/0
HQ NEXUS# show ip ospf policy statistics area 0.0.0.0 filter-list in
C: No. of comparisions, M: No. of matches
route-map ospf-inbound-tag deny 10
match tag 875 C: 0 M: 0
route-map ospf-inbound-tag permit 20
Total accept count for policy: 0
Total reject count for policy: 0
I've been reading up, and this may be to do with the fact that the routes being learned are within the same area and are therefore not being filtered, as the Branch router is not an ABR, but my references relate to prefix lists and IOS.
I was hoping someone has had a similar experience or could possibly assist with troubleshooting.
Many Thanks
David
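As an added check, not code from the original post, here is a small Python script that parses the two NX-OS outputs quoted above: the `show ip route` excerpt and the `show ip ospf policy statistics` counters. It reports which prefixes carrying a given tag are still installed, whether those prefixes are OSPF externals (shown as type-1/type-2, i.e. derived from Type-5 LSAs rather than intra- or inter-area routes), and whether the route-map clauses were ever compared at all. The sample input is constructed to mirror the post's output (one intra-area route is added for contrast); the regexes assume the NX-OS line formats shown in the post.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the NX-OS "show ip route" lines quoted above:
# a prefix line followed by one "*via" line. The last route is an added intra-area
# route so the parser has something untagged to compare against.
SAMPLE_ROUTES = """\
10.2.6.0/25, ubest/mbest: 1/0
    *via 10.9.248.1, Vlan248, [110/1], 02:51:10, ospf-1, type-2, tag 875
10.2.6.128/26, ubest/mbest: 1/0
    *via 10.9.248.1, Vlan248, [110/1], 02:51:10, ospf-1, type-2, tag 875
10.9.10.0/24, ubest/mbest: 1/0
    *via 10.9.248.1, Vlan248, [110/41], 02:51:10, ospf-1, intra
"""

# Constructed sample of "show ip ospf policy statistics area 0.0.0.0 filter-list in".
SAMPLE_STATS = """\
C: No. of comparisions, M: No. of matches
route-map ospf-inbound-tag deny 10
  match tag 875 C: 0 M: 0
route-map ospf-inbound-tag permit 20
Total accept count for policy: 0
Total reject count for policy: 0
"""

PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+), ubest/mbest:")
# *via <nexthop>, <iface>, [<AD>/<metric>], <age>, <proto>, <type>[, tag <n>]
VIA_RE = re.compile(
    r"^\s*\*via ([^,]+), ([^,]+), \[(\d+)/(\d+)\], [^,]+, ([^,]+), ([^,\s]+)(?:, tag (\d+))?"
)
MATCH_RE = re.compile(r"match tag (\d+) C: (\d+) M: (\d+)")
TOTAL_RE = re.compile(r"Total (accept|reject) count for policy: (\d+)")


def parse_routes(text: str) -> List[Dict]:
    """One dict per installed next hop: prefix, protocol, OSPF route type, tag (or None)."""
    routes, prefix = [], None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)
            continue
        m = VIA_RE.match(line)
        if m and prefix:
            nh, iface, ad, metric, proto, rtype, tag = m.groups()
            routes.append({
                "prefix": prefix, "nexthop": nh, "interface": iface,
                "ad": int(ad), "metric": int(metric), "protocol": proto,
                "type": rtype, "tag": int(tag) if tag else None,
            })
    return routes


def routes_with_tag(text: str, tag: int) -> List[str]:
    """Prefixes still in the RIB that carry the tag the route-map is meant to deny."""
    return [r["prefix"] for r in parse_routes(text) if r["tag"] == tag]


def policy_never_evaluated(text: str) -> bool:
    """True when every match clause shows C: 0 and the policy accepted/rejected nothing:
    the route-map is attached, but the routes never pass through that hook."""
    comparisons = [int(c) for _, c, _ in MATCH_RE.findall(text)]
    totals = [int(n) for _, n in TOTAL_RE.findall(text)]
    return bool(comparisons) and all(c == 0 for c in comparisons) and all(n == 0 for n in totals)


def filter_not_taking_effect(routes_text: str, stats_text: str, tag: int) -> bool:
    """The signature seen in this thread: tagged routes remain installed, all of them are
    externals (type-1/type-2, learned from Type-5 LSAs), and the filter-list counters are
    still zero, so an area filter-list (which acts on Type-3 LSAs) was never consulted."""
    tagged = [r for r in parse_routes(routes_text) if r["tag"] == tag]
    return (bool(tagged)
            and all(r["type"].startswith("type-") for r in tagged)
            and policy_never_evaluated(stats_text))


if __name__ == "__main__":
    print("still installed with tag 875:", routes_with_tag(SAMPLE_ROUTES, 875))
    print("filter never evaluated:", policy_never_evaluated(SAMPLE_STATS))
    print("filter not taking effect:", filter_not_taking_effect(SAMPLE_ROUTES, SAMPLE_STATS, 875))
```

Paste the real `show ip route ospf-1` and policy-statistics output in place of the two constructed samples; if `filter_not_taking_effect` returns True after a config change, the routes are still arriving as externals and the filter you applied is not on the path they take.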
06-17-2015 06:27 AM
With the MPLS network in the middle, your Branch and HQ are effectively in two separate OSPF domains even though they are both configured to be in area 0. You can see this because the routes from the branch are being received as E2 External routes (ospf-1, type-2), which are learned from Type-5 LSA messages from an ASBR (The HQ CPE where BGP/OSPF interact).
The area x filter-list command only filters Type-3 LSA's at ABR's, which is why it doesn't seem to be doing anything for you. If you want to prevent these routes from being entered into the routing table, I believe you should be using a distribute-list on the HQ router.
06-17-2015 08:14 AM
Hi,
Thank you for the reply - I thought that may have been the case, so thank you for confirming for me the ABR reasoning.
I've been looking into this a bit more and it seems the distribute-list isn't supported in NX-OS:
Additionally, I've found some information in the below link about using table-maps, but again the command fails to apply to the OSPF process (in fact table-map is not in the list of commands):
https://supportforums.cisco.com/discussion/11985186/distribute-list-nexus-7000-ospf
NXSW01(config)# router ospf 1
NXSW01(config-router)# table-map ospf-inbound-tag
ERROR: Unable to get table-map name
I think I will have to raise a TAC case, as it may be a version issue or that it's not supported on the 5Ks.
06-17-2015 08:35 AM
Yeah, you're right -- distribute lists are not supported in NX-OS. I didn't realize that. This page also has a helpful feature comparison -- NX-OS/IOS OSPF Comparison.
Sounds like they added table-maps in later versions though, so TAC should be able to tell you which version will support it.
06-18-2015 01:45 AM
Thanks branfarm1.
Raising a support case now.
I'll update this discussion with the response from TAC for sanity reasons.
06-29-2015 03:48 AM
From Cisco TAC -
"Table-maps were introduced indeed but for the Nexus 7K platform. I understand you have a Nexus 5K. This feature is not supported there as of now. The “distribute-list” command is on the road map though, but we have no information yet as to what code will include that feature."