Distribute-list with route-map: How to filter routes per interface source.

bernard.reed
Level 1

I have the following problem I'm trying to solve using a route-map and distribute-list. Reference the attached drawing. On the R2 router of the attached diagram I wish to remove the OSPF route to R1's 172.16.22.0/24 subnet, but only when the route is coming via the GRE Tunnel 105. Reaching R1's 172.16.22.0/24 via R2's Gi0/0 interface is OK. Here's my config on R2, summarized:

Hostname: R2

interface gi0/0
 ip address 172.16.55.1 255.255.255.252


interface tunnel 105
 ip address 10.105.11.2 255.255.0.0
 tunnel source gi0/1
 tunnel destination 5.5.5.5 !public address on R3's WAN facing interface

router ospf 1
 router-id 2.2.2.2
 network 10.105.11.2 0.0.0.0 area 0
 network 172.16.55.1 0.0.0.0 area 0
 distribute-list route-map WAN_DENY in


route-map WAN_DENY deny 1
 match interface tunnel 105
 match ?  ! Here I want to match the R1 subnet 172.16.22.0 subnet

route-map WAN_DENY permit 2

 

How can I create a route-map and distribute-list to accomplish this? Or is there a better way without the route-map/distribute-list?

 

 


Jon Marshall
Hall of Fame

You should be able to just use an ACL or a prefix list to match the IP subnet.

Are you saying you have tried that and it doesn't work?

Jon

Yes, I tried the access-list as follows:

access-list 2 deny 172.16.22.0 0.0.0.255
access-list 2 permit any

route-map WAN_DENY deny 1
 match interface tunnel 105
 match ip address 2

What happens as a result of this config is that ALL OSPF routes are removed from the route table.

It's to do with route map logic, i.e. a deny route map statement and a deny in your ACL means it just moves on to the next route map statement, which is a permit any.

A deny statement in your route map with a permit in your ACL means it should not be allowed and it won't move on to the next statement.

So can you modify your ACL to have just the one entry, which should be a permit for the 172.16.22.0/24 subnet.

Jon

That did it! Thanks for your help. I kept getting the access-list logic wrong.

Just seen your last edit about all routes being removed.

It will, because all routes except 172.16.22.0/24 are matched by the permit line in your ACL and you are denying them in your route map, so they are not allowed, i.e. they never get to the second entry.

The 172.16.22.0/24 should get to the second route map statement, assuming you have one, which your original configuration suggests you do, so it should be the only one accepted.

As I said, your ACL should only have one line permitting the 172.16.22.0/24 subnet, and then you need a second route map statement as you have in the original configuration.

Jon
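The route-map and ACL interaction discussed in this thread, as an added example that is not part of the original posts: a simplified Python model of first-match evaluation, run against both the original two-line ACL and the single-permit ACL. It assumes that an ACL deny means "this clause does not match", that different match types in one clause are ANDed, and that `match interface` compares the route's outgoing interface; the 10.x routes and the interface spellings are constructed sample data.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
R1_LAN = ip_network("172.16.22.0/24")

# ACLs as ordered (action, network) entries.
ACL_ORIGINAL = [("deny", R1_LAN), ("permit", ANY)]   # access-list 2 as first tried
ACL_FIXED = [("permit", R1_LAN)]                     # single permit, as advised

def acl_permits(acl, prefix):
    """Standard ACL: test the route's network address; first hit wins."""
    addr = ip_network(prefix).network_address
    for action, net in acl:
        if ip_address(addr) in net:
            return action == "permit"
    return False  # implicit deny: the match fails, it does not drop the route

def wan_deny(acl):
    """route-map WAN_DENY: deny 1 (interface AND ACL), then permit 2 (match all)."""
    return [("deny", "Tunnel105", acl), ("permit", None, None)]

def route_map_accepts(route_map, prefix, interface):
    """The first clause whose match conditions all succeed decides the route."""
    for action, match_if, acl in route_map:
        if_ok = match_if is None or match_if == interface
        acl_ok = acl is None or acl_permits(acl, prefix)
        if if_ok and acl_ok:
            return action == "permit"
    return False  # implicit deny at the end of the route-map

# Constructed sample routes: (prefix, outgoing interface).
ROUTES = [
    ("172.16.22.0/24", "Tunnel105"),
    ("172.16.22.0/24", "GigabitEthernet0/0"),
    ("10.20.0.0/16", "Tunnel105"),
    ("10.30.0.0/16", "Tunnel105"),
]

def installed(acl):
    """Routes that survive 'distribute-list route-map WAN_DENY in' in this model."""
    rm = wan_deny(acl)
    return [(p, i) for p, i in ROUTES if route_map_accepts(rm, p, i)]

if __name__ == "__main__":
    for name, acl in (("original ACL", ACL_ORIGINAL), ("fixed ACL", ACL_FIXED)):
        print(name)
        for prefix, interface in installed(acl):
            print(f"  {prefix} via {interface}")
```

With the original ACL the model keeps only the 172.16.22.0/24 entries, the inverse of the intent; with the single-permit ACL only the Tunnel105 path to 172.16.22.0/24 is filtered.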
