Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2110
Views
5
Helpful
5
Replies

Redistribution with ACL confusion

steven.crutchley
Level 3
Level 3

‎02-20-2013 11:34 AM - edited ‎03-07-2019 11:50 AM

I have the following network. This question is only about redistribution from OSPF into EIGRP on R1.

redist question.png

The redistribution is being done as follows (on R1 only):

router eigrp 2

redistribute ospf 1 route-map OSPFtoEIGRP

network 172.30.14.0 0.0.0.255

network 172.30.15.0 0.0.0.255

default-metric 1500 100 255 1 1500

no auto-summary

The route-map looks like this:

route-map OSPFtoEIGRP permit 10

match ip address 12

set tag 60

ACL 12 looks like this:

access-list 12 permit 192.168.6.0

Currently Router 4 (or 5) can see the 192.168.6.0/24 subnet (as an external EIGRP route). Note that I am not specifying a wildcard mask in the ACL.

However if I add:

access-list 12 permit 10.0.0.0

R4 and R5 cannot see the network between R2 and R7 (10.1.1.4/30)

It is not until I add:

access-list 12 permit 10.0.0.0 0.255.255.255

That R4 and R5 begin to see a route for this network in their routing table (as an external EIGRP route)

Why can I leave out the wildcard mask for the 192.168.6.0/24 network but not for the 10.1.1.4/30 network?

--
Network Engineer
CCIE SP #69245
Labels:
0 Helpful
5 Replies 5

stephen.stack
Level 4
Level 4

‎02-20-2013 01:00 PM

Check out this DOC re standard ACLs

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#standacl

A source/source-wildcard setting of       0.0.0.0/255.255.255.255 can be specified as any. The wildcard       can be omitted if it is all zeros. Therefore, host 10.1.1.2 0.0.0.0 is the same       as host 10.1.1.2.

access-list 10 permit tcp 192.168.1.0 ( will permit traffic just for 192.168.1.0/)

access-list 10 permit tcp 192.168.5.0 0.0.0.255 ( will permit traffic for that subnet)

Not sure that answers the quesiton, but adding in a 10.0.0.0/24 ACL for a .30 subnet maybe not a good idea. Can you reduce the wildacrd mask to 0.0.0.3 and see what happens. It qould be good practice. Unless you know there are many more 10.0.0.0/30's behind this redistirbution point.

Regards

==========================
http://www.rConfig.com 

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to stephen.stack

‎02-20-2013 01:11 PM

Steven

I believe that the difference is that the access list for 192.168.6.0 with no mask matches exactly the class C (/24) network. Since that is what you wanted to redistribute then no mask was required for the redistribution to be successful. When you did the access list for 10.0.0.0 with no mask it would match exactly the class A network 10.0.0.0. But that is not what you wanted to redistribute. You want to redistribute subnets of the network and to match the subnets you need the mask in the access list.

HTH

Rick

HTH

Rick
0 Helpful

steven.crutchley
Level 3
Level 3
In response to Richard Burts

‎02-21-2013 03:39 AM

Hi Richard,

I was thinking that as well, after I made the initial post. But I have just reopenned GNS3 and changed the loopback1 on R6 to be both 192.168.6.1/29 (longer than the /24 classful range) and then to 192.168.6.1/23 (shorter than the classful range).

In both instances R4 and R5's routing tables showed the updated route, without me having to make any changes to the ACL.

To me, this seems to indicate that the access-list 12 permit 192.168.6.0 entry is assuming a 0.0.0.255 wildcard mask.

But why is access-list 12 permit 10.0.0.0 not doing the same?

...WAIT!... I have it....

It's trick that Jeremy taught us in the CBT nuggets. If you go under a loopback interface and set it to ip ospf network point-to-point ospf will advertise the network as 192.168.6.0/24 (or 23 or 29 - whatever the mask is) rather than 192.168.6.1/32.

This means that the network is being advertised as 192.168.6.0. This is an exact host match to access-list 12 permit 192.168.6.0. If I negate the command (no ip ospf network point-to-point) the route will disappear from R4 and R5 and I need to add a willcard mask to get it redistribute. It now appears that 192.168.6.1/32 in their routing tables.

So based on this, I would say that there is no "default to the classful wildcard if the wildcard is left out" behaviour at all. I just looks like there is based on how OSPF is advertising the network.

Does that make sense?

--
Network Engineer
CCIE SP #69245
0 Helpful

Abzal
Level 7
Level 7
In response to steven.crutchley

‎02-21-2013 04:30 AM

Hi Steven,

As Richard said

access-list 1 permit 192.168.6.0

will match to subnet 192.168.6.0 whatever subnet mask it has(/24,/28 etc). It just need to match with subnet ID if it is without wilcard mask as in example above.

Also it's true for 10.1.1.4/30 subnet will not match with 10.0.0.0 without wildcard mask because subnet ID is not 10.0.0.0.

About OSPF loopback

http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#qone

Hope it will help.

Best regards,
Abzal

Best regards,
Abzal

Richard Burts
Hall of Fame
Hall of Fame
In response to steven.crutchley

‎02-21-2013 05:15 AM

Steven

This is an interesting observation. I believe that Abzal has a good explanation of the point. So +5 to hin. When no mask is specified the default is to assume  a mask of 0.0.0.0 which is satisfied if the advertisement is for 192.168.6.0 and not for other values.

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents