OSPF Route filtering

Hi,

I have added a distribute list to my OSPF process running on my ASA 5525x to stop learning routes from the same network as my management network, as the management routes are not in the normal routing table, and the OSPF routes were taking precedence. This appears to be working fine for filtering out the full subnet, but we are still getting specific host routes on the management network. I have listed my OSPF setup and output showing the host routes. Can you advise how I can achieve this without adding a deny line for every host entry?

router ospf **
router-id 10.0.90.250
network 10.0.90.248 255.255.255.248 area 0
area 0
log-adj-changes
distribute-list OSPF in interface inside

access-list OSPF standard deny host 10.10.0.0
access-list OSPF standard deny host 10.110.0.0
access-list OSPF standard permit any4

sh route 10.10.0.0

% Subnet not in table

sh route 10.10.10.14

Routing entry for 10.10.10.14 255.255.255.254
Known via "ospf **", distance 110, metric 30, type extern 1
Redistributing via ospf 200
Last update from 10.0.90.253 on inside, 46:06:43 ago
Routing Descriptor Blocks:
* 10.0.90.253, from 1.1.1.6, 46:06:43 ago, via inside
Route metric is 30, traffic share count is 1

sh route | i 10.10
O E1 10.10.2.3 255.255.255.255 [110/40] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.14 255.255.255.254 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.15 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.38 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.44 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.45 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.46 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.51 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.71 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.72 255.255.255.254 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.74 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.75 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.76 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.94 255.255.255.254 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.96 255.255.255.254 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.101 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.102 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.103 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.106 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.107 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.112 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.114 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.131 255.255.255.255 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.132 255.255.255.252 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.136 255.255.255.254 [110/30] via 10.0.90.253, 1d22h, inside
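
The behaviour in the question follows from how a standard ACL is evaluated by a distribute-list: the ACL sees only the route's network address, and a `host` entry is a single /32, so `deny host 10.10.0.0` never matches a host route such as 10.10.10.15/32. The Python below is an added model of that matching rule (not code from the thread or from Cisco); it assumes standard-ACL distribute-list semantics and uses constructed route lines in the same format as the `sh route | i 10.10` output above to compare the posted ACL with the same entries written with a /16 mask.

```python
import ipaddress

# Constructed sample lines in the format of the "sh route | i 10.10" output above
SAMPLE_ROUTES = """\
O E1 10.10.2.3 255.255.255.255 [110/40] via 10.0.90.253, 1d22h, inside
O E1 10.10.10.132 255.255.255.252 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.110.0.0 255.255.0.0 [110/30] via 10.0.90.253, 1d22h, inside
O E1 10.20.5.0 255.255.255.0 [110/30] via 10.0.90.254, 1d22h, inside
"""
# The ACL as posted ('host' means one /32) and the same entries with a /16 mask
ORIGINAL_ACL = ["access-list OSPF standard deny host 10.10.0.0",
                "access-list OSPF standard deny host 10.110.0.0",
                "access-list OSPF standard permit any4"]
MASKED_ACL = ["access-list OSPF standard deny 10.10.0.0 255.255.0.0",
              "access-list OSPF standard deny 10.110.0.0 255.255.0.0",
              "access-list OSPF standard permit any4"]

def parse_routes(text):
    """Return the prefixes from 'O E1 <addr> <mask> ...' route lines."""
    routes = []
    for p in (line.split() for line in text.splitlines()):
        if len(p) >= 4 and p[0] == "O":
            routes.append(ipaddress.ip_network(f"{p[2]}/{p[3]}", strict=False))
    return routes

def parse_acl(lines):
    """Parse 'access-list <name> standard <action> {any4|host A|A MASK}'."""
    acl = []
    for p in (line.split() for line in lines):
        spec = ("0.0.0.0/0" if p[4] == "any4" else
                p[5] + "/32" if p[4] == "host" else p[4] + "/" + p[5])
        acl.append((p[3], ipaddress.ip_network(spec, strict=False)))
    return acl

def acl_permits(acl, address):
    """Standard-ACL lookup: first matching entry wins, implicit deny."""
    for action, net in acl:
        if address in net:
            return action == "permit"
    return False

def filter_routes(acl_lines, route_text):
    """'distribute-list <acl> in': only each route's network address is
    tested against the ACL; the route's own prefix length is ignored."""
    acl = parse_acl(acl_lines)
    return [str(r) for r in parse_routes(route_text)
            if acl_permits(acl, r.network_address)]
```

With the posted ACL only the route whose network address is exactly 10.110.0.0 is dropped; with the masked entries every prefix inside the two /16s is dropped, which is the single-line filter the question asks for.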

Hi Gavin,

How about filtering based on the next hop?

access-list 1 permit 192.168.12.2

route-map FILTER_NEXT_HOP deny 10
match ip next-hop 1

route-map FILTER_NEXT_HOP permit 20

router ospf 1
distribute-list route-map FILTER_NEXT_HOP in

Or perhaps use "ip ospf database-filter all out" on the router that advertises these routes to your ASA?

Rene

Thanks for this