Redistributing the Out-of-band Interface to OSPF? (and how not?)

Hello together,

I use Catalyst 2960XR switches with IOS 15.2(7)E3 and I want to redistribute all connected interfaces (and static routes) into my OSPF process with the beautiful number 9, except the Out-of-Band interface fa0!

(By the way: This is a misbehavior of IOS in my eyes... The OoB interface network should never be redistributed to OSPF by default! Why is this happening? Senseless... But anyway:)

 

My config is like this: 

# OoB Interface:

interface FastEthernet0
description OoB-Mgmt
ip address 10.254.99.61 255.255.255.0
no ip route-cache
spanning-tree portfast edge
!

# some (many) VLAN interfaces:

interface Vlan1xx
ip address 10.x.y.z 255.255.255.0

interface Vlan2xx
ip address 192.168.y.z 255.255.255.0

! and so on...

!

# and for the OSPF process:

router ospf 9
 router-id 192.168.10.29
 area 0.0.0.0 authentication
 redistribute connected subnets
 redistribute static subnets 
 network 192.168.10.0 0.0.0.255 area 0.0.0.0

 

What is the best way to deny the redistribution of the OoB interface network to OSPF? (My first idea was to use a VRF on the fa0 interface, but this is not supported by this IOS.)

Any hints? (Do I have to use route maps? Really??? Can anyone suggest a simpler method?)

Or is this a bug and fixed in a newer IOS release?

 

Many Thanks in advance!

Christian


redistribute connected subnets route-map ...

Modifying the redistribute command with a route-map may solve this issue.

OK... then I have to use route maps.

Joseph W. Doherty
Hall of Fame

Do you really need to redistribute connected interfaces rather than use OSPF network statements (you do realize OSPF network statements work much like ACLs for matching?) and/or OSPF interface statements to get those interfaces into OSPF?  (I ask for two reasons.  First, if you use network statements and/or OSPF interfaces you could select, and exclude, interfaces of your choice.  Second, redistribution of connected interfaces makes all those routes externals, which means they are advertised differently, within OSPF's LSAs.  I recall [?] as externals, by default, they flood all OSPF areas.)

To redistribute connected interfaces is the easiest way for me to tell some firewalls in the 192.168.10.0/24 subnet all the used interfaces. (These interfaces change quickly; we set up new and delete old VLAN interfaces every day... call it a developer environment.) And: I do not want to talk OSPF in these (other) subnets. As far as I know, if I use the network statement, the Cat2960 will try to form OSPF adjacencies with neighbor devices in these networks. This is not what I want. The only thing I want is to tell all the "known subnets" to some firewalls in the (transfer) subnet 192.168.10.0. That's all... I know OSPF is completely overkill for this use case, but the firewalls we have to use do not support other routing protocols.

Well, you can actually match all interface IPs with a single OSPF network statement, much like a default route matches all.  I.e. Just as easy to keep up with rapidly changing interface IPs yet avoids flooding them into OSPF as externals.

Regarding not wanting to form OSPF adjacencies, by default, Paul mentions setting passive as a default.  Further, it takes two to tango, i.e. an adjacent router would have to be properly configured to form an adjacency too.

Giuseppe Larosa
Hall of Fame

Hello @itiss-cisco-team ,

as noted by other colleagues you should use a route-map that invokes a prefix-list to deny the unwanted prefix.

There is nothing that tells the device that fa0 is an out-of-band link (ok, there is a description). You can consider this a defect.

 

However, using redistribute connected creates type 5 external LSAs that you cannot control or filter in a granular way.

Using redistribute connected can be seen as a lazy way to advertise connected routes.

Using network ... area command is recommended as in this way instead of creating one LSA type 5 for each prefix, you are simply adding a link to the router LSA and internal routes can be controlled in a granular way in OSPF.

To be noted: the network ... area command does not need to match a single interface; with a single network ... area command you can include multiple interfaces, depending on your addressing plan.

 

Hope to help

Giuseppe
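The route-map plus prefix-list filter that the first reply and Giuseppe both recommend, written out against Christian's posted configuration. This is an added example, not configuration posted in the thread. It assumes the OoB prefix 10.254.99.0/24 and OSPF process 9 from the original post; the names OOB-FILTER and CONNECTED-TO-OSPF are arbitrary choices.

```cisco
! Added example: keep "redistribute connected" but filter the OoB management
! prefix out of it. Names OOB-FILTER / CONNECTED-TO-OSPF are assumed, not from the thread.
!
! Deny the OoB management subnet (taken from the fa0 config in the post),
! permit every other connected prefix of any length.
ip prefix-list OOB-FILTER seq 5 deny 10.254.99.0/24
ip prefix-list OOB-FILTER seq 10 permit 0.0.0.0/0 le 32
!
! A single permit entry: prefixes the prefix-list permits are redistributed;
! a prefix the prefix-list denies matches no entry and falls into the
! route-map's implicit deny, so it is never turned into a type 5 LSA.
route-map CONNECTED-TO-OSPF permit 10
 match ip address prefix-list OOB-FILTER
!
router ospf 9
 redistribute connected subnets route-map CONNECTED-TO-OSPF
 redistribute static subnets
!
! Verification on the switch after the change:
!   show ip ospf database external 10.254.99.0   -> no LSA listed any more
!   show ip prefix-list detail OOB-FILTER        -> hit count on seq 5 increments
!   show ip ospf database external               -> only the VLAN prefixes remain
```

Because the switch is the ASBR that originated the external LSA for 10.254.99.0/24, removing the prefix from redistribution makes it flush that LSA (MaxAge) rather than leaving a stale copy in the neighbours' databases; checking the firewalls' routing tables afterwards confirms the management subnet is no longer reachable from the developer environment. If static routes ever point into the management network, the same route-map can be attached to redistribute static subnets as well.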

 

 

Hello Giuseppe, 

ok, I see, I have to use route maps... 

But: Cisco "sold" the interface FastEthernet0 explicitly as an "Out-of-Band" network management interface. Routing to this interface is not possible! I do not understand why this interface is being redistributed internally... In my point of view, this is not meaningful and a misbehavior.

And yes, you can call me lazy. We change VLANs in this environment very quickly (developer and test environment), so "redistribute connected" would be the easiest way to tell the firewalls in the transfer network (192.168.10.0/24) all the new subnets every day. But the OoB network is a "productive" subnet and should not be visible in this environment at all...

Anyway... Thank you (and all others) for the answers! 

Best Regards,

Christian

Hello Christian,

>> But: Cisco "sold" the interface FastEthernet0 explicitly as an "Out-of-Band" network management interface. Routing to this interface is not possible! I do not understand why this interface is being redistributed internally... In my point of view, this is not meaningful and a misbehavior.

 

I do agree on this; on other platforms a management VRF is implemented for the OOB interface.

 

I apologize for the impolite definition of "lazy way" for redistribute connected.

 

If you have a configuration template for your SVIs you should consider using the other way to make an interface participate in OSPF:

interface mode:

ip ospf <process-id> area <area-id>

as part of the configuration of each SVI.

 

Hope to help

Giuseppe
Hello Giuseppe,

This is a good idea! I will try this...

Thank you!

Christian

Hello


@itiss-cisco-team wrote:

The OoB interface network should never be redistributed to OSPF by

 

What is the best way to deny the redistribution of the OoB interface network to OSPF? (My first idea was to use a VRF on the fa0 interface, but this is not supported by this IOS.)

Any hints? (Do I have to use route maps? Really??? Can anyone suggest a simpler method?)


And: I do not want to talk OSPF in these (other) subnets. As far as I know, if I use the network statement, the Cat2960 will try to form OSPF adjacencies with neighbor devices in these networks.


FYI - OOB interfaces have no routing function; they are explicitly used for OOB and cannot be included in any routing process.
Also, to negate unwarranted OSPF peering you should passive all interfaces by default and then allow just the interfaces you would like to OSPF peer on, and tbh I would suggest not to redistribute your connected subnets and instead use the network command to include all your locally connected interfaces, or apply OSPF at the interface level (most preferred):

router ospf xx
 passive-interface default
 no passive-interface xxx
 network 0.0.0.0 0.0.0.0 area x

 

or
router ospf xx
 passive-interface default
 no passive-interface xxx

int x/x
ip ospf x area 0


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
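Paul's second variant (passive-interface default plus OSPF enabled per interface), combined with Giuseppe's suggestion to put the command into the SVI template, applied to Christian's posted process 9. This is an added example, not configuration from any post in the thread. It assumes the transfer subnet 192.168.10.0/24 lives on an SVI called Vlan10 and that Vlan101 and Vlan201 stand for the frequently changing developer VLANs; those interface names are invented for the example.

```cisco
! Added example: advertise the SVI prefixes as intra-area routes (stub links in
! the router LSA) instead of type 5 externals, and never reference fa0 at all.
! Assumed names: Vlan10 = transfer subnet toward the firewalls,
! Vlan101 / Vlan201 = placeholder developer VLANs.
!
router ospf 9
 router-id 192.168.10.29
 area 0.0.0.0 authentication
 ! No hellos anywhere by default; only the transfer SVI may form adjacencies.
 passive-interface default
 no passive-interface Vlan10
 ! Drop the external redistribution from the original config; the per-interface
 ! command below replaces the network statement as well.
 no redistribute connected subnets
 no redistribute static subnets
 no network 192.168.10.0 0.0.0.255 area 0.0.0.0
!
interface Vlan10
 ip ospf 9 area 0.0.0.0
 ! The existing authentication key for the firewall adjacency stays as configured.
!
! SVI template: every new developer VLAN gets this one line, so its prefix is
! advertised automatically while the interface stays passive (no hellos).
interface Vlan101
 ip ospf 9 area 0.0.0.0
!
interface Vlan201
 ip ospf 9 area 0.0.0.0
!
! FastEthernet0 carries no "ip ospf" command and is covered by passive-interface
! default, so its prefix is neither advertised nor used for OSPF hellos.
!
! Verification on the switch:
!   show ip ospf interface brief                  -> only Vlan SVIs listed, fa0 absent
!   show ip ospf neighbor                         -> only the firewall(s) on Vlan10
!   show ip ospf database router self-originate   -> SVI prefixes appear as stub links
```

A passive interface still has its prefix advertised; passive only suppresses hellos, so the firewalls learn every VLAN as an intra-area route while the switch never tries to peer on those VLANs. Whether the 2960XR's IP Lite image accepts ip ospf <process-id> area on every SVI is an assumption here (Paul and Giuseppe both propose it); show ip ospf interface brief after configuration confirms which interfaces the process actually picked up.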

Hello Paul,

Thank you for your answer!

FYI - OOB interfaces have no routing function, they are explicitly used for OOB they cannot be included in any routing process

Oh, yes, I fully agree with you! But the Cisco Catalyst 2960XR does it anyhow! The interface fa0 is an explicit OOB management interface (see datasheet/manual). But the switch redistributes the fa0 network to OSPF! I am looking for a method to prevent this (mis-)behavior...

 

Your idea to apply OSPF at the interface level is an interesting option. Thank you for this! I will try it in the next days...

Best Regards,

Christian
