Solved: route-map permit {match tag}

NAGISWAREN2 · ‎12-29-2013

Hi all,

I have some problem on route filtering.

I have two sites have OSPF neighbor relationship. I would like to filter OSPF route by route tag. I want to only permit only specifi route tag, and deny the rest.

SITE A <--OSPF--> SITE B

SITE B router have redistributed static route into OSPF process with route tag 200. Below is the command i applied in SITE A router.

-----------------------------------------------------

route-map filter permit 10

match tag 200

route-map filter deny 20

router ospf 100

distribute-list route-map filter in

-----------------------------------------------------

But, once i applied the distribute-list command, i lost all routing learned from SITE B router. Before apply the command, i did "sho ip route x.x.x.x" in SITE A(for the matching prefix) , i could see the route tag as "200" . But why it block all the subnets from SITE B router?

I did reverse testing, as below, and it works as suppose. Why its not working the other way ?

-----------------------------------------------------

route-map filter deny 10

match tag 200

route-map filter permit 20

-----------------------------------------------------

Regards,

Nagis

Regards, Nagis

Rolf Fischer · ‎12-29-2013

Nagis,

if my understanding is correct, the router at site B is an ASBR and you want to filter out certain external OSPF routes on the router at site A based on tags.

All the external routes will be in the LSBD, the distribute-list in command just defines which routes will be installed in the local routing table.

In order to install external routes, the ASBR has to be reachable; I suppose that your route-map filters out ASBR connectivity too.

Could you check that (show ip ospf border-routers) and make sure that router A knows how to reach the ASBR (router B)?

HTH

Rolf

View solution in original post

Rolf Fischer · ‎12-29-2013

Ok, I think this is causing the problem:

Forward Address: 192.168.35.254

OSPF is enabled on the corresponding interface on router B and the forwarding address is set to non-zero for path-optimization.

So you could either make sure that this network is reachable from router A (changing the route-map) or, if suitable, you could disable OSPF on this network on router B.

Link: Common Routing Problem with OSPF Forwarding Address

Regards

Rolf

View solution in original post

Rolf Fischer · ‎12-29-2013

Nagis,

if my understanding is correct, the router at site B is an ASBR and you want to filter out certain external OSPF routes on the router at site A based on tags.

All the external routes will be in the LSBD, the distribute-list in command just defines which routes will be installed in the local routing table.

In order to install external routes, the ASBR has to be reachable; I suppose that your route-map filters out ASBR connectivity too.

Could you check that (show ip ospf border-routers) and make sure that router A knows how to reach the ASBR (router B)?

HTH

Rolf

NAGISWAREN2 · ‎12-29-2013

Hi Rolf,

Yes, SITE B router is ASBR. Fyi, both router is connected via GRE tunnel. After applied the command, i still can see route to reach SITE B router, as its directly connected subnet. But still cant see any route from SITE B router. Any other mistakes?

Regards,

Nagis

Regards, Nagis

Rolf Fischer · ‎12-29-2013

Can you see Site B's LSAs in the LSDB of router A (show ip ospf database adv-router )?

NAGISWAREN2 · ‎12-29-2013

Hi Rolf,

Yes. As shown below

----------------------------------------------------------------------------------------------------------

Type-5 AS External Link States

Link ID ADV Router Age Seq# Checksum Tag

192.168.38.0 3.3.3.3 1663 0x8000000A 0x003761 2000

192.168.39.0 3.3.3.3 1663 0x8000000E 0x00246F 2000

Regards,

Nagis

Regards, Nagis

Rolf Fischer · ‎12-29-2013

Nagis,

Link ID ADV Router Age Seq# Checksum Tag

192.168.38.0 3.3.3.3 1663 0x8000000A 0x003761 2000

192.168.39.0 3.3.3.3 1663 0x8000000E 0x00246F 2000

-----------------------------------------------------

route-map filter permit 10

match tag 200

route-map filter deny 20

router ospf 100

distribute-list route-map filter in

-----------------------------------------------------

Looks like the routes are tagged with 2000 but you filter on tag 200?

HTH

Rolf

[EDIT]:

If this was just a typo, could you please post the output of "show ip ospf database external 192.168.38.0"? Perhaps we have a connectivity issue with a non-zero forwarding address.

NAGISWAREN2 · ‎12-29-2013

HI Rolf,

Yes , it was type. Actual Tag is 2000.

---------------------------------------------------------------------

Show command before apply distribute-list

RTR#sho ip ospf database external 192.168.38.0

OSPF Router with ID (10.166.100.2) (Process ID 100)

Type-5 AS External Link States

Routing Bit Set on this LSA in topology Base with MTID 0

LS age: 194

Options: (No TOS-capability, DC, Upward)

LS Type: AS External Link

Link State ID: 192.168.38.0 (External Network Number )

Advertising Router: 3.3.3.3

LS Seq Number: 8000000C

Checksum: 0x56EF

Length: 36

Network Mask: /24

Metric Type: 2 (Larger than any link state path)

MTID: 0

Metric: 100

Forward Address: 192.168.35.254

External Route Tag: 2000

-----------------------------------------------------------------------------------------------

Show command after apply distribute-list

RTR#sho ip ospf database external 192.168.38.0

OSPF Router with ID (10.166.100.2) (Process ID 100)

Type-5 AS External Link States

LS age: 315

Options: (No TOS-capability, DC, Upward)

LS Type: AS External Link

Link State ID: 192.168.38.0 (External Network Number )

Advertising Router: 3.3.3.3

LS Seq Number: 8000000C

Checksum: 0x56EF

Length: 36

Network Mask: /24

Metric Type: 2 (Larger than any link state path)

MTID: 0

Metric: 100

Forward Address: 192.168.35.254

External Route Tag: 2000

--------------------------------------------------------------------------------------------------

Regards,

Nagis

Regards, Nagis

Rolf Fischer · ‎12-29-2013

Ok, I think this is causing the problem:

Forward Address: 192.168.35.254

OSPF is enabled on the corresponding interface on router B and the forwarding address is set to non-zero for path-optimization.

So you could either make sure that this network is reachable from router A (changing the route-map) or, if suitable, you could disable OSPF on this network on router B.

Link: Common Routing Problem with OSPF Forwarding Address

Regards

Rolf

NAGISWAREN2 · ‎12-30-2013

Hi Rolf,

Thank you so much. That works!! Now i understand the reason behind the issue. Thanks again for your time.

Regards,

Nagis

Regards, Nagis

Rolf Fischer · ‎12-30-2013

Nagis,

you're welcome. Thanks for the ratings and marking as answered!

Regards,

Rolf

[EDIT/CORRECTION]:

OSPF is enabled on the corresponding interface on router B and the forwarding address is set to non-zero for path-optimization.

So you could either make sure that this network is reachable from router A (changing the route-map) or, if suitable, you could disable OSPF on this network on router B.

"Disable" could be a misleading term; actually it's sufficient to make the interface OSPF passive or change the network-type (point-to-[multi]point), you can find the details in the linked document:

These conditions set the forwarding address field to a non-zero address:

OSPF is enabled on the ASBR's next hop interface AND
ASBR's next hop interface is non-passive under OSPF AND
ASBR's next hop interface is not point-to-point AND
ASBR's next hop interface is not point-to-multipoint AND
ASBR's next hop interface address falls under the network range specified in the router ospf command.

Any other conditions besides these set the forwarding address to 0.0.0.0.