OSPF/EIGRP Redistribution with filtering routes distribute-list

Ahmed Abdi
Level 1

Hello,

I would like to know if I am missing some configuration for OSPF/EIGRP route filtering using distribute-list.

Left router - Center router: running OSPF 1

Right router - Center router: running EIGRP 1

Problem:

I am able to ping from the Left router to the Right router loopback interface unless I use "ping 20.20.10.1 source loopback 1", and the same issue from the Right router.

Attached is the snapshot.

Here are the configurations:

Center Router

interface FastEthernet0/0
 ip address 192.168.1.5 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 1
 redistribute ospf 1 metric 100 100 255 1 1500
 network 192.168.1.2 0.0.0.0
 distribute-list 1 out
 no auto-summary
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 redistribute eigrp 1 metric 20 subnets
 network 192.168.1.5 0.0.0.0 area 0
 distribute-list 2 out
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 2 permit 20.20.20.0 0.0.0.255
access-list 2 permit 20.20.10.0 0.0.0.255

Left Router

interface Loopback0
 no ip address
 ip ospf network point-to-point
!
interface Loopback1
 ip address 10.10.10.1 255.255.255.255
 ip ospf network point-to-point
!
interface Loopback2
 ip address 10.10.20.1 255.255.255.255
 ip ospf network point-to-point
!
interface Loopback3
 ip address 10.10.30.1 255.255.255.255
 ip ospf network point-to-point
!
interface FastEthernet0/0
 ip address 192.168.1.6 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.0.0 0.0.255.255 area 0
 network 192.168.1.6 0.0.0.0 area 0
!

Right Router

interface Loopback0
 ip address 3.3.3.3 255.255.255.255
 ip ospf network point-to-point
!
interface Loopback1
 ip address 20.20.20.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback2
 ip address 20.20.10.1 255.255.255.0
 ip ospf network point-to-point
!
interface Loopback3
 ip address 20.20.30.1 255.255.255.0
 ip ospf network point-to-point
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 1
 network 20.20.0.0 0.0.255.255
 network 192.168.1.1 0.0.0.0
 no auto-summary

Accepted Solutions

s.lachica
Level 1

Hi Ahmed,

"I am able to ping from Left-Router to Right router loopback interface unless use the ping 20.20.10.1 source loopback 1" - if what you mean here is that you cannot ping from left to right and vice versa unless you use a loopback as the source interface, then the distribute lists caused this.

In the distribute-list you have to include the 192.168.x.x networks, otherwise they will be filtered. Also, please note that for OSPF, using distribute-list out violates OSPF's rule that all routers in the area must be synced on all the networks in that area. So issues may arise when using this on OSPF.

CCIE (R&S) #27666 CCSI HP MASE

Peter Paluch
Cisco Employee

Hi Ahmed,

The distribute lists on R2 do not allow it to advertise 192.168.1.4/30 to R3 and 192.168.1.0/30 to R1. Notice that these networks originally belong to their respective routing protocols: 192.168.1.4/30 belongs to OSPF, 192.168.1.0/30 belongs to EIGRP. If you did not use distribute lists, these directly connected networks would be automatically advertised after redistribution together with the other routes from the respective routing protocol, so 192.168.1.4/30 would be advertised into EIGRP, and 192.168.1.0/30 would be advertised into OSPF. However, because your distribute lists (or more precisely, the ACLs these distribute lists refer to) do not permit these networks to be advertised, they will not be known to the other router.

This is why you cannot ping R3 from R1 unless you force the ping to use a source address from one of the loopbacks permitted in the distribute list. Without forcing a source IP address, the pings are sourced from the interface through which they are sent out. In your case, when R1 pings R3, the pings are sourced from 192.168.1.6. Because R3 does not know about 192.168.1.4/30, to which this IP address belongs, it is unable to respond.

To s.lachica: You write: "when using distribute-list out, this violates ospf's rule of all routers in the area must be synced on all the networks in that area". This is actually not true of distribute-list out in OSPF. The distribute-list out in OSPF applies only to redistributed networks and only on routers performing the redistribution (ASBRs). Routes permitted by the distribute-list out will be advertised as LSA-5/7 (depending on the area type); routes denied by the distribute-list out will not be advertised at all - in fact, no LSA-5/7 will even be created for them in newer IOSes. Thus, there will be no inconsistency in OSPF link-state databases and the resulting routing tables across the OSPF domain. Using distribute-list out in OSPF is safe.

What is unsafe is the distribute-list in, which in OSPF is merely a filter between the SPF computation and the routing table; it does not filter the link-state database contents. As opposed to distance-vector protocols, distribute-list in in OSPF affects only the local router's routing table. As a result, other routers in the area will still know and see the networks filtered out, and if they forward traffic through the local router toward these networks, bad things can happen - traffic can get blackholed, misrouted, or trapped in a routing loop.

Best regards,
Peter

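The correction both accepted solutions point to, written out as an added example for the Center router (this is not configuration from the original thread; Left and Right keep the configuration posted above). The explicit permit lists with their implicit deny are the right default for a redistribution boundary; the only thing missing was the two transit /30s, which are sourced by the protocol being redistributed and are therefore subject to the outbound filter like any other redistributed route. The minimal fix is to add "access-list 1 permit 192.168.1.4 0.0.0.3" and "access-list 2 permit 192.168.1.0 0.0.0.3" to the existing lists. The version below does the same job with prefix-lists, which match on prefix length as well as address and can be scoped to the redistribution source with "out ospf 1" / "out eigrp 1". The prefix-list names OSPF-TO-EIGRP and EIGRP-TO-OSPF are my own choice, and 10.10.30.0 and 20.20.30.0 are left out, as in the original lists.

```cisco
! Added example (not from the original thread): Center router with the
! transit links permitted, so each side learns the /30 the other sits on.
! Prefix-list names are assumed; everything else follows the posted config.
!
! 192.168.1.4/30 is the OSPF side of the Center router, so it is carried
! into EIGRP by "redistribute ospf 1" and must pass this filter.
! Left router loopbacks are /32 host routes (10.10.10.1/32, ...), hence "le 32".
ip prefix-list OSPF-TO-EIGRP seq 5 permit 192.168.1.4/30
ip prefix-list OSPF-TO-EIGRP seq 10 permit 10.10.10.0/24 le 32
ip prefix-list OSPF-TO-EIGRP seq 15 permit 10.10.20.0/24 le 32
!
! 192.168.1.0/30 is the EIGRP side, carried into OSPF by "redistribute eigrp 1".
! Right router loopbacks are /24s.
ip prefix-list EIGRP-TO-OSPF seq 5 permit 192.168.1.0/30
ip prefix-list EIGRP-TO-OSPF seq 10 permit 20.20.20.0/24
ip prefix-list EIGRP-TO-OSPF seq 15 permit 20.20.10.0/24
!
router eigrp 1
 redistribute ospf 1 metric 100 100 255 1 1500
 network 192.168.1.2 0.0.0.0
 ! "out ospf 1" applies the filter only to routes redistributed from OSPF,
 ! not to EIGRP's own updates
 distribute-list prefix OSPF-TO-EIGRP out ospf 1
 no auto-summary
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 redistribute eigrp 1 metric 20 subnets
 network 192.168.1.5 0.0.0.0 area 0
 ! "out eigrp 1" applies the filter only to routes redistributed from EIGRP;
 ! as Peter notes, distribute-list out on an ASBR only decides which
 ! LSA-5 are originated and does not desynchronise the area
 distribute-list prefix EIGRP-TO-OSPF out eigrp 1
```

To confirm the change, "show ip protocols" on the Center router lists the outgoing filter under each process, "show ip route" on the Left router should now show 192.168.1.0/30 as an O E2 route and on the Right router 192.168.1.4/30 as a D EX route, and a plain "ping 20.20.10.1" from the Left router (sourced from 192.168.1.6) should succeed without the "source loopback 1" workaround. Routes that are deliberately not on the permit lists (the .30 loopbacks) stay filtered.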
3 Replies

Reza Sharifi
Hall of Fame

Hi,

Can you post the output of "sh ip route" from both r1 and r2?
