08-24-2021 07:06 AM
Hello all,
I use Catalyst 2960XR switches with IOS 15.2(7)E3 and I want to redistribute all connected interfaces (and static routes) into my OSPF process with the beautiful No. 9, except the out-of-band interface fa0!
(By the way: this is a misbehavior of IOS in my eyes... The OoB interface network should never be redistributed to OSPF by default! Why is this happening? Senseless... But anyway:)
My config is like this:
# OoB Interface:
interface FastEthernet0
description OoB-Mgmt
ip address 10.254.99.61 255.255.255.0
no ip route-cache
spanning-tree portfast edge
!
# some (many) VLAN interfaces:
interface Vlan1xx
ip address 10.x.y.z 255.255.255.0
interface Vlan2xx
ip address 192.168.y.z 255.255.255.0
! and so on...
!
# and for the OSPF process:
router ospf 9
router-id 192.168.10.29
area 0.0.0.0 authentication
redistribute connected subnets
redistribute static subnets
network 192.168.10.0 0.0.0.255 area 0.0.0.0
What is the best way to deny the redistribution of the OoB interface network to OSPF? (My first idea was to use a VRF on the fa0 interface, but this is not supported by this IOS.)
Any hints? (Do I have to use route maps? Really??? Can anyone suggest a simpler method?)
Or is this a bug and fixed in a newer IOS release?
Many Thanks in advance!
Christian
08-24-2021 08:47 AM
redistribute connected subnets route-map,
Modifying the redistribute command with a route-map may solve this issue.
08-24-2021 09:49 PM
OK... then I have to use route maps.
08-24-2021 09:04 AM
Do you really need to redistribute connected interfaces rather than use OSPF network statements (you do realize OSPF network statements work much like ACLs for matching?) and/or OSPF interface statements to get those interfaces into OSPF? (I ask for two reasons. First, if you use network statements and/or OSPF interfaces you could select, and exclude, interfaces of your choice. Second, redistribution of connected interfaces makes all those routes externals, which means they are advertised differently, within OSPF's LSAs. I recall [?] as externals, by default, they flood all OSPF areas.)
08-24-2021 10:09 PM
To redistribute connected interfaces is the easiest way for me to tell some firewalls in the 192.168.10.0/24 subnet all the used interfaces. (These interfaces change quickly; we set up new and delete old VLAN interfaces every day... call it a developer environment.) And: I do not want to talk OSPF in these (other) subnets. As far as I know, if I use the network statement, the Cat2960 will try to form OSPF adjacencies with neighbor devices in these networks. This is not what I want. The only thing I want is to tell all the "known subnets" to some firewalls in the (transfer) subnet 192.168.10.0. That's all... I know OSPF is completely overkill for this use case, but the firewalls we have to use do not support other routing protocols.
08-25-2021 07:58 AM
Well, you can actually match all interface IPs with a single OSPF network statement, much like a default route matches all. I.e., just as easy to keep up with rapidly changing interface IPs, yet it avoids flooding them into OSPF as externals.
Regarding not wanting to form OSPF adjacencies, by default, Paul mentions setting passive as a default. Further, it takes two to tango, i.e. an adjacent router would have to be properly configured to form an adjacency too.
08-24-2021 09:18 AM
Hello @itiss-cisco-team ,
as noted by other colleagues you should use a route-map that invokes a prefix-list to deny the unwanted prefix.
There is nothing that tells the device that fa0 is an out-of-band link (ok, there is a description). You can consider this a defect.
However, using redistribute connected creates LSA type 5 external type that you cannot control or filter in a granular way.
Using redistribute connected can be seen as a lazy way to advertise connected routes.
Using network ... area command is recommended as in this way instead of creating one LSA type 5 for each prefix, you are simply adding a link to the router LSA and internal routes can be controlled in a granular way in OSPF.
To be noted the network area command does not need to match a single interface with a single network ... area command you can include multiple interfaces depending on your addressing plan.
Hope to help
Giuseppe
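A concrete version of the route-map plus prefix-list approach described above, added here as an example; it is not taken from the thread or from Cisco documentation, and it assumes the OoB prefix 10.254.99.0/24 and OSPF process 9 from Christian's config, with the names NO-OOB and CONNECTED-TO-OSPF chosen for this example:

```cisco
! Prefix-list: deny only the OoB management network, permit everything else.
! "le 32" on the permit entry matches any prefix length, so all other
! connected subnets (any mask) are still allowed through.
ip prefix-list NO-OOB seq 10 deny 10.254.99.0/24
ip prefix-list NO-OOB seq 20 permit 0.0.0.0/0 le 32
!
! Route-map: a single permit sequence referencing the prefix-list.
! A prefix denied by the list does not match this sequence and falls
! through to the implicit deny at the end of the route-map.
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list NO-OOB
!
! Attach the route-map to the connected redistribution only; static
! redistribution is left unchanged.
router ospf 9
 router-id 192.168.10.29
 area 0.0.0.0 authentication
 redistribute connected subnets route-map CONNECTED-TO-OSPF
 redistribute static subnets
 network 192.168.10.0 0.0.0.255 area 0.0.0.0
!
! Verification (standard IOS show commands):
!  show route-map CONNECTED-TO-OSPF    -> per-sequence match counters
!  show ip ospf database external      -> 10.254.99.0 must no longer be listed
!  show ip route ospf (on a neighbor)  -> OoB prefix absent as an O E2 route
```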
08-24-2021 10:25 PM
Hello Giuseppe,
ok, I see, I have to use route maps...
But: Cisco "sold" the interface FastEthernet0 explicitly as an "Out-of-Band" network management interface. Routing to this interface is not possible! I do not understand why this interface is being redistributed internally... In my point of view, this is not meaningful and a misbehavior.
And yes, you can call me lazy
Anyway... Thank you (and all others) for the answers!
Best Regards,
Christian
08-24-2021 11:19 PM
Hello Christian,
>> But: Cisco "sold" the interface FastEthernet0 explicitly as an "Out-of-Band" network management interface. Routing to this interface is not possible! I do not understand why this interface is being redistributed internally... In my point of view, this is not meaningful and a misbehavior.
I do agree on this on other platforms a management VRF is implemented for the OOB interface.
I apologize for the impolite definition of "lazy way" for redistribute connected.
If you have a configuration template for your SVIs you should consider using the other way to make an interface participate in OSPF:
interface mode:
ip ospf <process-id> area <area-id>
as part of the configuration of each SVI.
Hope to help
Giuseppe
08-25-2021 12:00 AM
Hello Giuseppe,
This is a good idea! I will try this...
Thank you!
Christian
08-25-2021 12:43 AM - edited 08-25-2021 12:47 AM
Hello
@itiss-cisco-team wrote:
The OoB interface network should never be redistributed to OSPF by
What is the best way, to deny the redistribution of the OoB interface network to OSPF? (my first idea was to use a VRF at the fa0 interface, but this is not supported by this IOS)
Any hints? (Does I have to use route maps? Really??? Can anyone suggest a simpler method?)
And: I do not want to talk OSPF in these (other) subnets. As far as I know, if I use the network statement, the Cat2960 will try to form OSPF adjacencies with neighbor devices in these networks.
FYI - OOB interfaces have no routing function; they are explicitly used for OOB and cannot be included in any routing process.
Also, to negate unwarranted OSPF peering you should make all interfaces passive by default and then allow just the interfaces you would like to OSPF peer on, and tbh I would suggest not redistributing your connected subnets and instead using the network command to include all your locally connected interfaces, or applying OSPF at the interface level (most preferred):
router ospf xx
 passive-interface default
 no passive-interface xxx
 network 0.0.0.0 0.0.0.0 area x
or
router ospf xx
 passive-interface default
 no passive-interface xxx
int x/x
 ip ospf x area 0
08-25-2021 01:28 AM
Hello Paul,
Thank you for your answer!
> FYI - OOB interfaces have no routing function, they are explicitly used for OOB they cannot be included in any routing process
Oh yes, I fully agree with you! But the Cisco Catalyst 2960XR does it anyhow! The interface fa0 is an explicit OOB management interface (see datasheet/manual). But the switch redistributes the fa0 network to OSPF! I am looking for a method to prevent this (mis-)behavior...
Your idea to apply OSPF at the interface level is an interesting option. Thank you for this! I will try it in the next days...
Best Regards,
Christian