Knowledge Base

OSPF filter-policy route

Publication Date:  2017-01-25  |   Views:  944  |   Downloads:  0  |   Author:  f84038637  |   Document ID:  EKB1000478608


Issue Description



We have the following requirement:

To keep certain OSPF routes from being placed into the routing table, the filter must specify not only the prefix but also the neighbor that is sending the LSA. The question is whether an extended ACL can be attached for this.

  1.1.1.0/24  OSPF  10  1  D  10.2.2.2  Serial1/0/0

              OSPF  10  1  D  10.1.1.1  GigabitEthernet0/0/1


There are two routes in the routing table, and only one of them needs to be filtered.



Handling Process



1) Check the documentation to see if there is any filter policy for OSPF filtering.

2) Check firmware version compatibility.

3) Test the solution found in our lab.


We found that the if-match acl command can be run to set a matching rule based on an ACL to match IPv4 prefixes. The if-match acl command can be used only after the route-policy command is used.

For a named ACL, when the rule command is used to configure a filtering rule, the filtering rule is effective only with the source address range that is specified by the source parameter and with the time period that is specified by the time-range parameter.

ACLs used with filter-policy can only be of the basic type, not advanced.

To filter on the next hop, use the if-match ip next-hop command in the route-policy view.

A routing policy is used to filter routes and set route attributes for the routes that match the routing policy. A routing policy consists of multiple nodes. One node can be configured with multiple if-match clauses.



Root Cause



So, we have    

#route-policy policy1 deny node 10

and 
 
#route-policy policy1 permit node 20


The first node denies a route once both its network address and its next hop have passed the ACL checks, and the second node permits all other routes. Besides if-match ip next-hop, you can also filter on the network address.



 



Solution

Create two ACLs:

acl number 2000

rule 5 permit source 2.2.2.0 0.0.0.255

acl number 2001

rule 5 permit source 10.3.3.3 0

(The wildcard mask should be 0 to match the exact address.)


Create a route-policy with a deny node and add if-match clauses for both ACLs. When a route matches both ACLs, node 10 denies it.


[HW] route-policy policy1 deny node 10

[HW-route-policy] if-match acl 2000

[HW-route-policy] if-match ip next-hop acl 2001


Create permit node 20 in the same route-policy without any if-match clause. This node permits every route except those denied by node 10.

[HW] route-policy policy1 permit node 20

Finally, apply the filter-policy in the OSPF process.

[HW] ospf 1

[HW-ospf1] filter-policy route-policy policy1 import

     

After all of this is configured, the 10.1.1.1 route should be the only one left in the routing table.
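
The matching logic of policy1, modeled in Python as an added example (not Huawei code and not part of the original article): the if-match clauses of one node must all match, nodes are tried in ascending order, and a route that matches no node is denied. The ACL values are assumptions adapted to the two routes in the Issue Description (1.1.1.0/24 via 10.2.2.2 and via 10.1.1.1) rather than the sample addresses used in the Solution, and the third route is constructed.

```python
import ipaddress

def acl_match(rules, addr):
    """Basic ACL made of permit rules (source, wildcard); wildcard bits set to 1 are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    for source, wildcard in rules:
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if a & care == int(ipaddress.IPv4Address(source)) & care:
            return True
    return False  # no rule matched, so the if-match clause fails

# Assumed ACL contents, adapted to the addresses in the Issue Description.
ACLS = {
    2000: [("1.1.1.0", "0.0.0.255")],  # prefix to filter
    2001: [("10.2.2.2", "0.0.0.0")],   # next hop to filter; wildcard 0 = exact address
}

# policy1 from the Solution: (node number, mode, if-match clauses as (route field, ACL)).
POLICY1 = [
    (10, "deny", [("prefix", 2000), ("next_hop", 2001)]),
    (20, "permit", []),  # no if-match clause: matches every route
]

def evaluate(policy, route):
    """Return (mode, node) of the first node whose if-match clauses ALL match the route."""
    for node, mode, clauses in sorted(policy, key=lambda n: n[0]):
        if all(acl_match(ACLS[acl], route[field]) for field, acl in clauses):
            return mode, node
    return "deny", None  # a route that matches no node is denied

# First two routes are from the Issue Description; the third is constructed.
ROUTES = [
    {"prefix": "1.1.1.0", "next_hop": "10.2.2.2", "interface": "Serial1/0/0"},
    {"prefix": "1.1.1.0", "next_hop": "10.1.1.1", "interface": "GigabitEthernet0/0/1"},
    {"prefix": "3.3.3.0", "next_hop": "10.2.2.2", "interface": "Serial1/0/0"},
]

def installed(policy, routes):
    """Routes that the import filter lets into the routing table."""
    return [r for r in routes if evaluate(policy, r)[0] == "permit"]

if __name__ == "__main__":
    for r in ROUTES:
        print(r["prefix"], "via", r["next_hop"], "->", evaluate(POLICY1, r))
```

Evaluating POLICY1[:1] (node 10 alone) denies every route, which is why the empty permit node 20 is required.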