
I have an Ubuntu 12.10 workstation with the following interfaces:

eth0 : 10.11.1.15/24
lo:1 : 10.90.50.50/32
lo:2 : 10.1.100.100/32
tap0 : 10.5.200.200/24

As you can see, all IPs fit in the 10.0.0.0/8 subnet.

I also have Quagga on it, which announces my link states to the other routers via OSPF. Here is my /etc/quagga/ospfd.conf:

router ospf
   passive-interface eth0

   router-id 10.90.50.50

   redistribute kernel route-map MYMAP
   redistribute connected route-map MYMAP
   redistribute static route-map MYMAP

   network 10.0.0.0/8 area 0.0.0.0

   ip prefix-list MYLIST seq 5 deny 10.11.0.0/16 le 32
   ip prefix-list MYLIST seq 10 permit 10.0.0.0/8 le 32
   ip prefix-list MYLIST seq 20 deny any

   route-map MYMAP permit 10
   match ip address prefix-list MYLIST

I'm failing in my attempts to prevent Quagga from advertising the route 10.11.1.0/24, which is my local subnet.

Neither ip prefix-list MYLIST seq 5 deny 10.11.0.0/16 le 32 nor ip prefix-list MYLIST seq 5 deny 10.11.1.0/24 has any influence on the route advertising. The strangest thing is that Quagga keeps advertising the routes even if I change all prefix-list actions from permit to deny. Do you have any ideas what I am doing wrong?

Fmy Oen

2 Answers


It looks like you should be using something like

distribute-list noeth0 out kernel
!
access-list noeth0 deny 10.11.1.0/24
access-list noeth0 permit any

The Quagga OSPF daemon documentation is a bit vague there, though - you probably would have to tweak this a bit.

the-wabbit
  • Is that a good idea to allow everything in the end? – Fmy Oen Jan 16 '13 at 09:19
  • @FmyOen this is not an "access list" in terms of security, it is just a list specifying a rule set to match against - in this case for a distribute-list directive which is doing route filtering based on the rule set. So what it should do is allow distribution of all kernel routes but the ones to 10.11.1.0/24. – the-wabbit Jan 16 '13 at 10:50

First of all, why are you redistributing and then blocking subnets that are picked up in the advertisement/routing statement? I see this time and time again when folks redistribute the kitchen sink and then try to block it later. This is fundamentally unsound. Finally, the link you want to exclude is covered in the routing statement and will be advertised as a stub network despite the passive interface command. Do not redistribute connected routes that are already included.

Those who advertise, redistribute everything, and then try to filter need to learn basic OSPF routing setup.

Get rid of the redistribute connected for starters. Keep the passive interface command and make your network statements specific or, even better, place them on the specific interfaces you want to include.

router ospf
 network 10.90.50.50/32 area 0.0.0.0
 network 10.1.100.100/32 area 0.0.0.0
 network 10.5.200.0/24 area 0.0.0.0

or on a specific interface, for example (with no associated network statement above):

! assumes a Quagga release that supports the interface-level 'ip ospf area' command
interface lo:1
 ip ospf area 0.0.0.0

and do this for the other links that you want to include

Finally, DO NOT REDISTRIBUTE anything unless you absolutely have to.

sebix
Tuzo
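To see why the route-map in the question never removes 10.11.1.0/24 while the specific network statements in this answer do, here is an added Python model (example code, not from the page, from Quagga, or from either answerer) of the two ways a connected prefix gets into OSPF: as a link of an interface covered by a network statement, or as an external route that passes the redistribute filter. It implements Quagga-style prefix-list (seq/ge/le) and access-list matching, uses constructed copies of the question's interfaces and of both answers' filters, and its advertisement logic is a deliberately simplified model rather than ospfd's code.

```python
import ipaddress

# Constructed copy of the interfaces from the question (example data,
# not output captured from the workstation).
INTERFACES = {
    "eth0": "10.11.1.15/24",
    "lo:1": "10.90.50.50/32",
    "lo:2": "10.1.100.100/32",
    "tap0": "10.5.200.200/24",
}


def prefix_list_permits(entries, route):
    """Quagga-style prefix-list: entries are (seq, action, prefix-or-None, ge, le).

    Lowest seq first, first match wins, implicit deny at the end.  Without
    ge/le the route's length must equal the entry's length; 'le N' raises
    the accepted upper length to N and 'ge N' sets the lower length.
    """
    route = ipaddress.ip_network(route)
    for _seq, action, net, ge, le in sorted(entries, key=lambda e: e[0]):
        if net is None:                                   # 'any'
            return action == "permit"
        net = ipaddress.ip_network(net)
        low = ge if ge is not None else net.prefixlen
        high = le if le is not None else (32 if ge is not None else net.prefixlen)
        if route.subnet_of(net) and low <= route.prefixlen <= high:
            return action == "permit"
    return False                                          # implicit deny


def access_list_permits(entries, route):
    """Quagga-style access-list as used by distribute-list: (action, prefix-or-None).

    Modelled as matching any route inside the listed prefix (no exact-match
    keyword); first match wins, implicit deny at the end.
    """
    route = ipaddress.ip_network(route)
    for action, net in entries:
        if net is None or route.subnet_of(ipaddress.ip_network(net)):
            return action == "permit"
    return False


def advertised_prefixes(network_statements, redistribute_connected=False,
                        redistribute_filter=None):
    """Simplified model of what ospfd would announce for INTERFACES.

    'stub': the connected prefix of every interface whose address falls in a
    'network ... area' statement.  Passive or not, such an interface is still
    announced as a link in the router LSA; passive only suppresses hellos.
    'external': connected prefixes that pass the redistribute filter, when
    'redistribute connected' is configured.  Filters never touch 'stub'.
    """
    statements = [ipaddress.ip_network(s) for s in network_statements]
    stub, external = set(), set()
    for addr in INTERFACES.values():
        iface = ipaddress.ip_interface(addr)
        if any(iface.ip in s for s in statements):
            stub.add(iface.network)
        if redistribute_connected and (
                redistribute_filter is None or redistribute_filter(str(iface.network))):
            external.add(iface.network)
    return {"stub": stub, "external": external}


def is_advertised(result, prefix):
    """True if the prefix reaches the OSPF domain by either path."""
    p = ipaddress.ip_network(prefix)
    return p in result["stub"] or p in result["external"]


# Question: one /8 network statement plus redistribute connected through MYLIST.
MYLIST = [
    (5, "deny", "10.11.0.0/16", None, 32),
    (10, "permit", "10.0.0.0/8", None, 32),
    (20, "deny", None, None, None),
]
QUESTION = advertised_prefixes(
    ["10.0.0.0/8"], redistribute_connected=True,
    redistribute_filter=lambda r: prefix_list_permits(MYLIST, r))

# First answer: access-list noeth0 on a distribute-list (filters redistribution only).
NOETH0 = [("deny", "10.11.1.0/24"), ("permit", None)]
FIRST_ANSWER = advertised_prefixes(
    ["10.0.0.0/8"], redistribute_connected=True,
    redistribute_filter=lambda r: access_list_permits(NOETH0, r))

# Second answer: per-link network statements, no redistribution at all.
SECOND_ANSWER = advertised_prefixes(
    ["10.90.50.50/32", "10.1.100.100/32", "10.5.200.0/24"])

if __name__ == "__main__":
    for label, result in (("question", QUESTION), ("first answer", FIRST_ANSWER),
                          ("second answer", SECOND_ANSWER)):
        print(f"{label:14} stub={sorted(map(str, result['stub']))} "
              f"external={sorted(map(str, result['external']))}")
```

Running it shows that both filters do their job on the redistributed copy of 10.11.1.0/24, yet the prefix stays in the "stub" set as long as `network 10.0.0.0/8` covers eth0; only the per-link network statements of this answer keep it out entirely.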