I did a few follow-up tests with the distribute-list in OSPF configuration command and stumbled across a few interesting facts (IOS release 12.4(15)T1 on a 3725 platform):
- Although the router allows you to configure distribute-list acl in interface, it does not work. Routes received through that interface (or having the interface as the next-hop) are not filtered.
- When you apply the distribute-list in command, the routing table is not changed. Clearing the IP routing table does not help, you have to clear ALL OSPF processes (including bringing down all OSPF adjacencies) with the clear ip ospf process command for the route filter to take effect.
- The same limitations don't apply in the other direction: when you remove the distribute-list in, SPF is triggered and the routes appear in the IP routing table automatically.
- The somewhat undocumented gateway option of the distribute-list in command works, but not quite as I would expect: the IP next hop, not the router-ID of the router advertising the IP prefix is matched by the prefix-list.
And, last but not least, I've lab-verified my previous claim: applying the distribute-list in on a transit router can result in a black hole, as the LSAs themselves are not filtered.
Posts
6 comments:
As a side note, Cisco introduced an OSPF ABR Type 3 LSA filter between area routers. I have not tested this feature but from the documentation it seems to be workable.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch15/habrt3f.htm
[quote]
Although the router allows you to configure distribute-list acl in interface, it does not work. Routes received through that interface (or having the interface as the next-hop) are not filtered.
[/quote]
The distribute list doesn't work with OSPF because the router is not receiving information about networks, but about link states.
As you have mentioned, if there would be a way to change this behavior (filter the link states) then it could cause routing problems (route hole, etc.). With OSPF every router in the area has to have the same knowledge about links and they have to compute with the SPF algorithm the same path (or tree).
@William: how did you know that the inter-area filters were close to the top of my OSPF to-do list :)
@Jozef: Conceptually we're saying the same thing, I'm just annoyed that the distribute-list interface command is there but does not work at all, while the distribute-list gateway command works (although not the way I would expect it to work, but then you can't be picky with undocumented commands, can you?)
Ivan: I knew you would test the inter-area filters next because you liked to read up on Cisco stuff :-)
@Ivan: I am not so annoyed with the distribute-list command under the OSPF configuration. But yeah, it's pretty useless. More I am annoyed of the lack of an interface level command to add an IP address in this format:
ip address 10.1.1.1 /24
I hope that some future IOS versions will finally implement it :-)
My understanding is that the distribute list in command does work, but not the way you think...Instead, it allows LSA's to be accepted, but it treats the interface that it is applied to as the criteria to filter incoming LSA's against in the next-hop field.
It works this way, if I apply it to my fa0/0 interface, and I have an LSA sent in that specifies fa0/0 as the interface thru which that prefix is reachable, it will prevent that route from being installed into the routing table.
This blog is using JS-Kit comments. You have to enable JavaScript if you want to post a comment.