Route-Map ACL behavior

I’ve been reviewing a customer network that uses OSPF as their IGP. I found an interesting typo, and I ended up building a demo lab using a different IP scheme in the interest of protecting their AS. I’ve been trying to find documentation on this, but I realized one of their ACL entries that is part of a Route Map has an incorrect wildcard mask. However, it appears that even though there is an incorrect wildcard mask, IOS still matches all the IPs in the subnet range.

The goal of the Route Map is to redistribute static routes into OSPF and, if they match the ACL, to set the external metric as Type-1 instead of the default Type-2. My thought on this incorrect wildcard mask was that the IPs which do not match the ACL wildcard would be set to the default Type-2, but they ended up being matched in the ACL/Route Map as Type-1.

My question, then, is about the logic of how an ACL matches IP addresses for Route Maps. My assumption here is that they are trying to match the entire prefix rather than individual addresses. So maybe IOS auto-corrects mistakes in the ACL entry and matches the IP address in the static route? When testing this in the lab I even set the ACL wildcard mask to 0.0.0.0 and it would still match all the IPs in the static route subnet range. Any thoughts on this would be greatly appreciated!

Thanks,

R1

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/2
 ip address 192.168.20.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/3
 ip address 192.168.30.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
router ospf 1
 router-id 1.1.1.1
 redistribute connected subnets
 redistribute static subnets route-map STATIC->OSPF
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 172.16.1.0 255.255.255.0 192.168.30.2
!
ip access-list standard ACL.STATIC.SUB
 permit 172.16.1.0 0.0.0.15 **(wrong wildcard mask)**
!
route-map STATIC->OSPF permit 10
 match ip address ACL.STATIC.SUB **(any IP within the static route range still matches???)**
 set metric-type type-1


R2

#sh ip route 172.16.1.100
Routing entry for 172.16.1.0/24
  Known via "ospf 1", distance 110, metric 21, type extern 1 **(Should be type extern 2???)**
  Last update from 192.168.10.1 on GigabitEthernet0/1, 15:37:10 ago
  Routing Descriptor Blocks:
  * 192.168.10.1, from 1.1.1.1, 15:37:10 ago, via GigabitEthernet0/1
      Route metric is 21, traffic share count is 1

Hello Stephen

The behavior you are seeing is completely normal. By definition, all OSPF routers within an area must have the exact same LSDB, therefore you cannot redistribute/filter routes between OSPF routers in the same area. The ACL and wildcard masks in your configs are correct, but the redistribute command you are issuing is essentially doing nothing. However, you can redistribute between different OSPF areas.

Now having said that, how can you affect OSPF routing tables within an area? Well, instead of filtering routes between routers, you can filter routes from entering the routing tables of particular routers. You can do this using distribute-list filtering, as described in the following lesson:

I hope this has been helpful!

Laz

1 Like

Thank you! Yes, that makes perfect sense now. Thanks for the post and help on that!

1 Like
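An added example, not code from the thread, from Cisco, or from NetworkLessons: a short Python simulation of the matching Stephen is asking about. When a standard ACL is referenced by `match ip address` in a route-map, IOS compares each ACL entry against the route's network address (172.16.1.0 for the static 172.16.1.0/24), not against every host inside the range and not against the prefix length. That is why `permit 172.16.1.0 0.0.0.15` and `permit 172.16.1.0 0.0.0.0` both match the /24 and it gets tagged E1, while the same ACL used as a packet filter would not match 172.16.1.100. For contrast the block also models an ip prefix-list, which does check the length and is what a practitioner would use when a route filter must not accidentally admit more-specific or less-specific prefixes. All ACL entries, prefix-list entries, function names and sample routes are constructed for this example.

```python
"""Simulate Cisco IOS standard-ACL and prefix-list matching as applied to routes
in a route-map (added example; names and sample data are constructed)."""
import ipaddress


def ipv4_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def acl_entry_matches(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Standard ACL test: every bit that is 0 in the wildcard must match exactly.
    A wildcard of 0.0.0.0 is therefore an exact host match."""
    care = (~ipv4_to_int(wildcard)) & 0xFFFFFFFF
    return (ipv4_to_int(addr) & care) == (ipv4_to_int(acl_addr) & care)


def standard_acl(addr: str, entries) -> bool:
    """Walk ACL entries top-down; implicit deny at the end.
    entries: [(action, address, wildcard), ...]"""
    for action, acl_addr, wildcard in entries:
        if acl_entry_matches(addr, acl_addr, wildcard):
            return action == "permit"
    return False


def route_map_matches_route(prefix: str, entries) -> bool:
    """`match ip address <standard ACL>` in a route-map: the object tested is the
    route, and a standard ACL is compared against its network address only.
    Hosts inside the prefix are never evaluated, and the prefix length is ignored."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return standard_acl(str(net.network_address), entries)


def prefix_list_matches_route(prefix: str, entries) -> bool:
    """ip prefix-list: the route must fall under the listed prefix AND its length
    must be in range. entries: [(action, "net/len", ge|None, le|None), ...]
    No ge/le  -> exact length; ge only -> ge..32; le only -> len..le; both -> ge..le."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    for action, pfx, ge, le in entries:
        base = ipaddress.IPv4Network(pfx, strict=False)
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else (32 if ge is not None else base.prefixlen)
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


# Constructed entries mirroring the thread's lab, plus two variants for contrast.
ACL_WRONG_MASK = [("permit", "172.16.1.0", "0.0.0.15")]   # the "wrong" 0.0.0.15 mask
ACL_HOST_MASK = [("permit", "172.16.1.0", "0.0.0.0")]     # Stephen's 0.0.0.0 test
ACL_SECOND_BLOCK = [("permit", "172.16.1.16", "0.0.0.15")]  # does not cover the network address
PL_EXACT_24 = [("permit", "172.16.1.0/24", None, None)]    # exact /24 only


def demo() -> dict:
    """Return the comparisons a practitioner would check before trusting the filter."""
    return {
        # Both ACLs match the static /24 because its network address is 172.16.1.0.
        "acl_0.0.0.15_vs_route_/24": route_map_matches_route("172.16.1.0/24", ACL_WRONG_MASK),
        "acl_0.0.0.0_vs_route_/24": route_map_matches_route("172.16.1.0/24", ACL_HOST_MASK),
        # The same ACL as a packet filter does not match a host in the upper part of the /24.
        "acl_0.0.0.15_vs_host_.100": standard_acl("172.16.1.100", ACL_WRONG_MASK),
        # An entry that does not cover the network address never matches the route.
        "acl_.16_block_vs_route_/24": route_map_matches_route("172.16.1.0/24", ACL_SECOND_BLOCK),
        # Length is ignored: a /28 with the same network address also matches.
        "acl_0.0.0.15_vs_route_/28": route_map_matches_route("172.16.1.0/28", ACL_WRONG_MASK),
        # A prefix-list distinguishes the two.
        "prefix_list_vs_route_/24": prefix_list_matches_route("172.16.1.0/24", PL_EXACT_24),
        "prefix_list_vs_route_/28": prefix_list_matches_route("172.16.1.0/28", PL_EXACT_24),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30s} {'match' if result else 'no match'}")
```

The practical caveat this shows is the one the thread stumbled on from the other direction: because a standard ACL in a route-map ignores prefix length, a filter meant to admit only 172.16.1.0/24 would also admit a leaked 172.16.1.0/28, so route filters that matter should use a prefix-list (with `ge`/`le` where a range is intended) rather than a standard ACL.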