08-05-2022 08:38 AM
Hello all,
I am doing OSPF config.
The Fortinate is connected to the Core Switch, using a default route.
The Core Switch has many static routes. I want to redistribute the static routes into OSPF and filter them using an access list and route-map.
But `default-information originate` in OSPF causes all routes to pass via the Core Switch.
Please help me filter the redistributed static routes.
******Core Switch
router ospf 10
log-adjacency-changes detail
redistribute static metric 20 metric-type 1 subnets tag 13 route-map BlockStatic
network 172.17.254.1 0.0.0.0 area 0
network 172.17.254.5 0.0.0.0 area 0
network 172.17.254.255 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.17.254.150 #### (Fortinate default route)
ip route 10.1.1.1 255.255.255.255 172.17.254.130
ip route 192.168.13.13 255.255.255.255 172.17.254.130
ip route 192.168.14.10 255.255.255.255 172.17.254.130
!
ip access-list standard Route
permit 10.1.1.1
deny any
!
!
!
route-map BlockStatic permit 10
match ip address Route
set metric 200
08-05-2022 08:58 AM - edited 08-05-2022 09:24 AM
redistribute static metric 20 metric-type 1 subnets tag 13 route-map BlockStatic
route-map BlockStatic permit 10
match ip address prefix-list Route
set metric 200
route-map BlockStatic permit 20
!
ip prefix-list Route seq 10 permit 10.1.1.1/32
Use a prefix-list instead, as shown above, AND ALSO ADD A SECOND ROUTE-MAP LINE.
And why are there two metrics??? Do you want the metric for this prefix to be 200 and the others to be 20?
08-05-2022 12:56 PM
Metric is not a concern for me; I just want to block some static routes from being redistributed into the OSPF domain.
08-05-2022 01:02 PM
If you want only 10.1.1.1/32, then the same, only:
route-map BlockStatic permit 10
match ip address prefix-list Route
route-map BlockStatic permit 20 <<- REMOVE THIS
!
ip prefix-list Route seq 10 permit 10.1.1.1/32
08-05-2022 01:22 PM
I changed the config to this, but same issue... I am sharing the route table of the Distribution switch.
router ospf 10
log-adjacency-changes detail
redistribute static metric-type 1 subnets tag 13 route-map BlockStatic
network 172.17.254.1 0.0.0.0 area 0
network 172.17.254.5 0.0.0.0 area 0
network 172.17.254.255 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.17.254.150
ip route 10.1.1.1 255.255.255.255 172.17.254.130
ip route 192.168.13.13 255.255.255.255 172.17.254.130
ip route 192.168.14.10 255.255.255.255 172.17.254.130
!
!
!
ip prefix-list Route seq 10 permit 10.1.1.1/32
!
route-map BlockStatic permit 10
match ip address prefix-list Route
set metric 200
############
D1(config)#exit
D1#sh ip route
*Aug 5 20:06:00.053: %SYS-5-CONFIG_I: Configured from console by console
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.17.254.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 172.17.254.1, 00:08:09, GigabitEthernet0/0
10.0.0.0/32 is subnetted, 1 subnets
O E1 10.1.1.1 [110/201] via 172.17.254.1, 00:08:09, GigabitEthernet0/0
172.17.0.0/16 is variably subnetted, 13 subnets, 5 masks
C 172.17.200.0/27 is directly connected, Vlan200
L 172.17.200.1/32 is directly connected, Vlan200
C 172.17.210.0/28 is directly connected, Vlan210
L 172.17.210.1/32 is directly connected, Vlan210
C 172.17.230.0/24 is directly connected, Vlan230
L 172.17.230.1/32 is directly connected, Vlan230
C 172.17.254.0/30 is directly connected, GigabitEthernet0/0
L 172.17.254.2/32 is directly connected, GigabitEthernet0/0
O 172.17.254.4/30
[110/2] via 172.17.254.25, 00:08:09, GigabitEthernet0/1
[110/2] via 172.17.254.1, 00:08:09, GigabitEthernet0/0
C 172.17.254.24/30 is directly connected, GigabitEthernet0/1
L 172.17.254.26/32 is directly connected, GigabitEthernet0/1
C 172.17.254.253/32 is directly connected, Loopback1
O 172.17.254.255/32
[110/2] via 172.17.254.1, 00:08:09, GigabitEthernet0/0
08-05-2022 01:29 PM
08-05-2022 01:42 PM
ip route 0.0.0.0 0.0.0.0 172.17.254.150 <<- this is advertised as E2, please see the note below
ip route 10.1.1.1 255.255.255.255 172.17.254.130 <<- this is advertised as E1, so the route-map is OK
ip route 192.168.13.13 255.255.255.255 172.17.254.130 <<- this is not advertised as E1, so the route-map is OK
ip route 192.168.14.10 255.255.255.255 172.17.254.130 <<- this is not advertised as E1, so the route-map is OK
!
router ospf 10
log-adjacency-changes detail
redistribute static metric-type 1 subnets tag 13 route-map BlockStatic
network 172.17.254.1 0.0.0.0 area 0
network 172.17.254.5 0.0.0.0 area 0
network 172.17.254.255 0.0.0.0 area 0
default-information originate <<<- you advertise 0.0.0.0/0 here
08-05-2022 03:00 PM
The route-map with the prefix-list works perfectly and does not advertise the 50.0.0.0/24,
but R1 still advertises the default route because of default-information originate, not because of redistribute static.
NOTE: OSPF does not handle the default route like a static route; that is why the default-information command is added to OSPF.
08-05-2022 01:32 PM - edited 08-05-2022 01:32 PM
I think that the blocked static routes are going through the default static route, which is originated by OSPF (default-information originate).
08-05-2022 02:11 PM - edited 08-05-2022 11:10 PM
Hello
As that router is redistributing statics it is in theory an ASBR, as such you should be able to negate prefixes egress:
ip prefix-list no-default seq 5 deny 0.0.0.0/0
ip prefix-list no-default seq 10 permit 0.0.0.0/0 le 32
router ospf 10
distribute-list prefix no-default out
Or apply the filter on the router you do not want to receive the default:
ip prefix-list no-default seq 5 deny 0.0.0.0/0
ip prefix-list no-default seq 10 permit 0.0.0.0/0 le 32
router ospf 10
distribute-list prefix no-default in
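As an added illustration (not code from any post in this thread, and not IOS itself), the following Python model reproduces the evaluation rules the replies above rely on: a prefix-list entry without `ge`/`le` matches only the exact prefix length and the list ends in an implicit deny; a route-map sequence with no `match` clause matches every route; `redistribute static` never carries 0.0.0.0/0 into OSPF, so the default in the distribution switch's table can only come from `default-information originate` (E2, metric 1), which the redistribution route-map never sees; and an outbound `distribute-list prefix ... out` on the ASBR filters the externals it originates. The route names, prefix-list names and metrics are taken from the thread; the "as posted" prefix-list shows what happens when the permit entry lives in a different list than the deny. Metrics are the advertised values, not the path cost the receiving router adds.

```python
import ipaddress

# Constructed sample input: the static routes from the Core Switch config
# posted earlier in the thread.
STATIC_ROUTES = ["0.0.0.0/0", "10.1.1.1/32", "192.168.13.13/32", "192.168.14.10/32"]

# Prefix-list entries as (action, prefix, ge, le), already in sequence order.
PREFIX_LISTS = {
    "Route": [("permit", "10.1.1.1/32", None, None)],
    # Filter as posted above: the permit line sits in a different list ("tst"),
    # so "no-default" holds a single deny followed by the implicit deny-all.
    "no-default-as-posted": [("deny", "0.0.0.0/0", None, None)],
    # Corrected filter: deny only the default, permit every other prefix.
    "no-default": [("deny", "0.0.0.0/0", None, None),
                   ("permit", "0.0.0.0/0", None, 32)],
}

# Route-map sequences as (seq, action, prefix-list name or None, set clauses).
ROUTE_MAPS = {
    # The OP's final route-map: one permit sequence, implicit deny after it.
    "BlockStatic": [(10, "permit", "Route", {"metric": 200})],
    # The first suggestion: "permit 20" with no match clause matches everything.
    "BlockStatic-permit20": [(10, "permit", "Route", {"metric": 200}),
                             (20, "permit", None, {})],
}


def prefix_list_match(entries, prefix):
    """First matching entry wins; falling off the end is an implicit deny."""
    p = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        n = ipaddress.ip_network(net)
        # Without ge/le the entry matches only the exact prefix length.
        low = ge if ge is not None else n.prefixlen
        high = le if le is not None else (32 if ge is not None else n.prefixlen)
        if low <= p.prefixlen <= high and p.subnet_of(n):
            return action == "permit"
    return False


def route_map_eval(sequences, prefix):
    """Return (permitted, set_clauses). A sequence with no match clause
    matches every route; no matching sequence at all means deny."""
    for _seq, action, pl_name, sets in sequences:
        if pl_name is None or prefix_list_match(PREFIX_LISTS[pl_name], prefix):
            return action == "permit", sets
    return False, {}


def ospf_external_routes(statics, route_map_name, default_information_originate,
                         redistribute_metric=20, metric_type="E1"):
    """Model the externals an IOS ASBR originates. `redistribute static` never
    carries 0.0.0.0/0 into OSPF; the default is produced only by
    default-information originate (E2, metric 1 unless changed), which the
    redistribution route-map never sees. Returns (prefix, type, metric) tuples."""
    externals = []
    for r in statics:
        if r == "0.0.0.0/0":
            continue
        permitted, sets = route_map_eval(ROUTE_MAPS[route_map_name], r)
        if permitted:
            externals.append((r, metric_type, sets.get("metric", redistribute_metric)))
    # Without the "always" keyword the default is originated only while a
    # default route exists in the routing table (here: the static to the firewall).
    if default_information_originate and "0.0.0.0/0" in statics:
        externals.append(("0.0.0.0/0", "E2", 1))
    return externals


def apply_distribute_list_out(externals, prefix_list_name):
    """Outbound distribute-list on the ASBR: keep only the externals the
    prefix-list permits."""
    return [e for e in externals
            if prefix_list_match(PREFIX_LISTS[prefix_list_name], e[0])]


if __name__ == "__main__":
    for rm in ("BlockStatic-permit20", "BlockStatic"):
        print(rm, "->", ospf_external_routes(STATIC_ROUTES, rm, True))
    final = ospf_external_routes(STATIC_ROUTES, "BlockStatic", True)
    print("no-default as posted ->", apply_distribute_list_out(final, "no-default-as-posted"))
    print("no-default corrected ->", apply_distribute_list_out(final, "no-default"))
```

Running it shows the thread's outcome in miniature: with the `permit 20` catch-all every static is redistributed; with the single sequence only 10.1.1.1/32 is, yet the E2 default is still originated; and the outbound filter removes that default only when the deny and the permit are in the same prefix-list, otherwise the implicit deny-all suppresses every external.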
08-05-2022 10:39 PM
Hi Paul,
Please check the diagram
08-05-2022 11:11 PM
Hi MHM,
Why do you use a null0 static route??
I am sharing my new config.
08-05-2022 11:12 PM
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2022.08.06 11:29:34 =~=~=~=~=~=~=~=~=~=~=~=
sh run
^
% Invalid input detected at '^' marker.
D1>en
D1#sh run'
Building configuration...
Current configuration : 4280 bytes
!
! Last configuration change at 03:51:02 UTC Sat Aug 6 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname D1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
ip address 172.17.254.253 255.255.255.255
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
media-type rj45
negotiation auto
!
interface GigabitEthernet0/3
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0
no switchport
ip address 172.17.254.2 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/1
no switchport
ip address 172.17.254.26 255.255.255.252
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
media-type rj45
negotiation auto
!
interface Vlan200
ip address 172.17.200.1 255.255.255.224
!
interface Vlan210
ip address 172.17.210.1 255.255.255.240
!
interface Vlan230
ip address 172.17.230.1 255.255.255.0
!
router ospf 30
log-adjacency-changes detail
passive-interface default
no passive-interface GigabitEthernet0/0
no passive-interface GigabitEthernet0/1
network 172.17.200.1 0.0.0.0 area 30
network 172.17.210.1 0.0.0.0 area 30
network 172.17.230.1 0.0.0.0 area 30
network 172.17.254.2 0.0.0.0 area 0
network 172.17.254.26 0.0.0.0 area 0
network 172.17.254.253 0.0.0.0 area 0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
D1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.17.254.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 172.17.254.1, 01:37:39, GigabitEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
O E1 10.10.1.0 [110/21] via 172.17.254.1, 00:02:52, GigabitEthernet0/0
20.0.0.0/24 is subnetted, 1 subnets
O E1 20.10.1.0 [110/21] via 172.17.254.1, 00:02:52, GigabitEthernet0/0
172.17.0.0/16 is variably subnetted, 13 subnets, 5 masks
C 172.17.200.0/27 is directly connected, Vlan200
L 172.17.200.1/32 is directly connected, Vlan200
C 172.17.210.0/28 is directly connected, Vlan210
L 172.17.210.1/32 is directly connected, Vlan210
C 172.17.230.0/24 is directly connected, Vlan230
L 172.17.230.1/32 is directly connected, Vlan230
C 172.17.254.0/30 is directly connected, GigabitEthernet0/0
L 172.17.254.2/32 is directly connected, GigabitEthernet0/0
O 172.17.254.4/30
[110/2] via 172.17.254.25, 00:19:42, GigabitEthernet0/1
[110/2] via 172.17.254.1, 01:37:39, GigabitEthernet0/0
C 172.17.254.24/30 is directly connected, GigabitEthernet0/1
L 172.17.254.26/32 is directly connected, GigabitEthernet0/1
C 172.17.254.253/32 is directly connected, Loopback1
O 172.17.254.255/32
[110/2] via 172.17.254.1, 01:37:39, GigabitEthernet0/0
D1#ping 30.10.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.10.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 25/38/54 ms
D1#sh ip route 30.10.1.1
% Network not in table
D1#
08-06-2022 03:48 AM
network 172.17.254.2 0.0.0.0 area 0 <<- what about this prefix? I don't get what you want here?
08-05-2022 11:13 PM
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2022.08.06 11:32:33 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 4482 bytes
!
! Last configuration change at 05:31:38 UTC Sat Aug 6 2022
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname CIT
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback1
ip address 172.17.254.255 255.255.255.255
!
interface GigabitEthernet0/0
no switchport
ip address 172.17.254.1 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/1
no switchport
ip address 172.17.254.5 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/2
no switchport
ip address 172.17.254.149 255.255.255.252
negotiation auto
!
interface GigabitEthernet0/3
no switchport
ip address 172.17.254.129 255.255.255.252
negotiation auto
!
interface GigabitEthernet1/0
media-type rj45
negotiation auto
!
interface GigabitEthernet1/1
media-type rj45
negotiation auto
!
interface GigabitEthernet1/2
media-type rj45
negotiation auto
!
interface GigabitEthernet1/3
media-type rj45
negotiation auto
!
interface GigabitEthernet2/0
media-type rj45
negotiation auto
!
interface GigabitEthernet2/1
media-type rj45
negotiation auto
!
interface GigabitEthernet2/2
media-type rj45
negotiation auto
!
interface GigabitEthernet2/3
media-type rj45
negotiation auto
!
interface GigabitEthernet3/0
media-type rj45
negotiation auto
!
interface GigabitEthernet3/1
media-type rj45
negotiation auto
!
interface GigabitEthernet3/2
media-type rj45
negotiation auto
!
interface GigabitEthernet3/3
media-type rj45
negotiation auto
!
router ospf 10
log-adjacency-changes detail
redistribute static metric-type 1 subnets tag 13 route-map static-ospf
network 172.17.254.1 0.0.0.0 area 0
network 172.17.254.5 0.0.0.0 area 0
network 172.17.254.255 0.0.0.0 area 0
default-information originate
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.17.254.150
ip route 10.10.1.0 255.255.255.0 172.17.254.130
ip route 10.10.1.1 255.255.255.255 172.17.254.130
ip route 20.10.1.0 255.255.255.0 172.17.254.130
ip route 30.10.1.0 255.255.255.0 172.17.254.130
!
!
!
ip prefix-list External-Route seq 5 permit 10.10.1.0/24
ip prefix-list External-Route seq 10 permit 20.10.1.0/24
ip prefix-list External-Route seq 15 deny 30.10.1.0/24
!
route-map static-ospf permit 10
match ip address prefix-list External-Route
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
CIT#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 172.17.254.150 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.17.254.150
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S 10.10.1.0/24 [1/0] via 172.17.254.130
S 10.10.1.1/32 [1/0] via 172.17.254.130
20.0.0.0/24 is subnetted, 1 subnets
S 20.10.1.0 [1/0] via 172.17.254.130
30.0.0.0/24 is subnetted, 1 subnets
S 30.10.1.0 [1/0] via 172.17.254.130
172.17.0.0/16 is variably subnetted, 14 subnets, 5 masks
O IA 172.17.200.0/27
[110/2] via 172.17.254.2, 01:44:46, GigabitEthernet0/0
O IA 172.17.210.0/28
[110/2] via 172.17.254.2, 01:44:46, GigabitEthernet0/0
O IA 172.17.230.0/24
[110/2] via 172.17.254.2, 01:44:46, GigabitEthernet0/0
C 172.17.254.0/30 is directly connected, GigabitEthernet0/0
L 172.17.254.1/32 is directly connected, GigabitEthernet0/0
C 172.17.254.4/30 is directly connected, GigabitEthernet0/1
L 172.17.254.5/32 is directly connected, GigabitEthernet0/1
O 172.17.254.24/30
[110/2] via 172.17.254.6, 00:23:35, GigabitEthernet0/1
[110/2] via 172.17.254.2, 01:44:46, GigabitEthernet0/0
C 172.17.254.128/30 is directly connected, GigabitEthernet0/3
L 172.17.254.129/32 is directly connected, GigabitEthernet0/3
C 172.17.254.148/30 is directly connected, GigabitEthernet0/2
L 172.17.254.149/32 is directly connected, GigabitEthernet0/2
O 172.17.254.253/32
[110/2] via 172.17.254.2, 01:44:46, GigabitEthernet0/0
C 172.17.254.255/32 is directly connected, Loopback1
CIT# sh ip route 30.10.1.1
Routing entry for 30.10.1.0/24
Known via "static", distance 1, metric 0
Redistributing via ospf 10
Routing Descriptor Blocks:
* 172.17.254.130
Route metric is 0, traffic share count is 1
CIT#