We have the following requirement:
To keep specific OSPF routes out of the routing table, the filter needs to match not only the prefix but also the neighbor that is sending the LSA. The question is whether an extended ACL can be attached for this.
184.108.40.206/24 OSPF 10 1 D 10.2.2.2 Serial1/0/0
OSPF 10 1 D 10.1.1.1 GigabitEthernet0/0/1
There are two routes in the routing table, and only one of them needs to be filtered.
1) Check the documentation to see whether there is a filter policy for OSPF filtering.
2) Check firmware version compatibility.
3) Test the solution found in our lab.
We found that the if-match acl command can be run to set an ACL-based matching rule for IPv4 prefixes. The if-match acl command can be used only after the route-policy command has been run.
For a named ACL, when the rule command is used to configure a filtering rule, the rule takes effect only for the source address range specified by the source parameter and the time period specified by the time-range parameter.
ACLs used with a filter-policy can only be of the basic type, not advanced.
To filter on the next hop, use the if-match ip next-hop command in the route-policy view.
A routing policy is used to filter routes and to set route attributes for the routes that match it. A routing policy consists of multiple nodes. One node can be configured with multiple if-match clauses.
So, we have
#route-policy policy1 deny node 10
#route-policy policy1 permit node 20
The first node denies a route once both its next hop and its network address have passed the ACL check, and the second node permits all other routes. Besides if-match ip next-hop, you can also filter on the network.
You should create two ACLs:
acl number 2000
 rule 5 permit source 220.127.116.11 0.0.0.255
acl number 2001
 rule 5 permit source 10.3.3.3 0
The wildcard mask must be 0 to match the exact address.
Create a route-policy with a deny node and enter if-match clauses for both ACLs. When both ACLs match, node 10 of the route-policy denies the route.
[HW] route-policy policy1 deny node 10
[HW-route-policy] if-match acl 2000
[HW-route-policy] if-match ip next-hop acl 2001
Create permit node 20 in the route-policy without any if-match clause. The route-policy then permits every other route, that is, everything not denied by node 10.
[HW] route-policy policy1 permit node 20
You should also apply the filter-policy in OSPF.
[HW] ospf 1
[HW-ospf1] filter-policy route-policy policy1 import
After all of this is done, the route via 10.1.1.1 should be the only one left in the routing table.
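
The node logic described above, as an added example that is not part of the original case or Huawei's own code: a simplified Python model of how policy1 is evaluated, showing that the if-match clauses of one node must all match, that an empty permit node matches everything, and that leaving out node 20 rejects both routes. The prefix 192.0.2.0, the matching of ACL 2001 against next hop 10.2.2.2 and all function names are assumptions constructed for the illustration.

```python
import ipaddress

def acl_permits(rules, addr):
    """Basic ACL model: the first rule whose cared-for bits equal addr decides; no hit = no match."""
    a = int(ipaddress.IPv4Address(addr))
    for action, source, wildcard in rules:
        # Wildcard bits set to 1 are "don't care"; 0 bits must be equal.
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if a & care == int(ipaddress.IPv4Address(source)) & care:
            return action == "permit"
    return False

def evaluate(policy, acls, route):
    """Walk nodes in ascending order; the first node whose clauses ALL match decides."""
    for node in sorted(policy, key=lambda n: n["node"]):
        if all(acl_permits(acls[acl], route[field]) for field, acl in node["if_match"]):
            return node["mode"]
    return "deny"  # no node matched: the route is rejected

# Constructed sample data (assumed addresses, not taken from the case).
ACLS = {
    2000: [("permit", "192.0.2.0", "0.0.0.255")],  # network to filter
    2001: [("permit", "10.2.2.2", "0.0.0.0")],     # exact next hop, wildcard 0
}
POLICY1 = [
    {"node": 10, "mode": "deny", "if_match": [("prefix", 2000), ("next_hop", 2001)]},
    {"node": 20, "mode": "permit", "if_match": []},  # no if-match: matches everything
]
ROUTES = [
    {"prefix": "192.0.2.0", "next_hop": "10.2.2.2", "interface": "Serial1/0/0"},
    {"prefix": "192.0.2.0", "next_hop": "10.1.1.1", "interface": "GigabitEthernet0/0/1"},
]

def installed(policy, acls, routes):
    """Next hops of the routes that the import filter lets into the routing table."""
    return [r["next_hop"] for r in routes if evaluate(policy, acls, r) == "permit"]

if __name__ == "__main__":
    print(installed(POLICY1, ACLS, ROUTES))      # full policy
    print(installed(POLICY1[:1], ACLS, ROUTES))  # node 20 left out
```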