Multivitamin86
Technical User
Hi, I'm a bit of a nomad in IT.
I've been trying in GNS to come up with a configuration to filter out my external links in OSPF to some routers but not others. It's part of the way there, but the more I think into how this is going to be completed, I'm beginning to see it will be more complicated. So here's what I'm trying to do; any help is appreciated.
R1 has two OSPF WAN networks and 1 internet break out. Internet breakout is via the trusted interface, 192.168.100.2.
R1
int gi 1/0/1
 description [OSFP-to-R2-R3]
 no sw
 ip address 172.16.120.1 255.255.255.224
 ip ospf priority 200
 no shut
int gi 1/0/2
 description [OSPF-to-R4-R5]
 no sw
 ip address 172.16.120.33 255.255.255.224
 ip ospf priority 200
 no shut
int vlan 2
 description [LAN-PCs]
 ip address 192.168.100.1 255.255.255.0
 no shut
ip route 0.0.0.0 0.0.0.0 192.168.100.2
router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface gi 1/0/1
 no passive-interface gi 1/0/2
 network 172.16.120.0 0.0.0.31 area 0
 network 172.16.120.32 0.0.0.31 area 0
 network 192.168.100.0 0.0.0.255 area 0
 default-information originate
R2 has two OSPF WAN networks and 1 internet break out. Internet breakout is via the trusted interface, 192.168.101.2. It needs to use its own internet breakout. Hence the internet breakout.
int gi 1/0/1
 description [OSFP-to-R1-R3]
 no sw
 ip address 172.16.120.2 255.255.255.224
 ip ospf priority 200
 no shut
int gi 1/0/2
 description [OSPF-to-R4-R5]
 no sw
 ip address 172.16.120.34 255.255.255.224
 ip ospf priority 200
 no shut
int vlan 3
 description [Aber-LAN-PCs]
 ip address 192.168.101.1 255.255.255.0
 no shut
access-list 1 deny 0.0.0.0
access-list 1 permit any
ip route 0.0.0.0 0.0.0.0 192.168.101.2
router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface gi 1/0/1
 no passive-interface gi 1/0/2
 network 172.16.120.0 0.0.0.31 area 0
 network 172.16.120.32 0.0.0.31 area 0
 network 192.168.101.0 0.0.0.255 area 0
 default-information originate
 distribute-list 1 in
R3: Single OSPF WAN link to R1 & R2. R3 needs to use R1's internet breakout. I've configured the firewall trusted interface on the LAN network at R1 to accept traffic from R3 and that's fine, but since adding R2 I need to filter the default route from R2 out to R3 and R1.
int gi 1/0/1
 description [OSFP-to-R1-R2]
 no sw
 ip address 172.16.120.3 255.255.255.224
 ip ospf priority 200
 no shut
int vlan 4
 description [Inver-LAN-PCs]
 ip address 192.168.102.1 255.255.255.0
 no shut
router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface gi 1/0/1
 network 172.16.120.0 0.0.0.31 area 0
 network 192.168.102.0 0.0.0.255 area 0
 default-information originate
R4
int gi 1/0/1
 description [OSFP-to-R1-R2-R5]
 no sw
 ip address 172.16.120.35 255.255.255.224
 ip ospf priority 200
 no shut
int vlan 40
 description [LAB-LAN-PCs]
 ip address 192.168.200.1 255.255.255.0
 no shut
router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface gi 1/0/1
 network 172.16.120.32 0.0.0.31 area 0
 network 192.168.200.0 0.0.0.255 area 0
 default-information originate
R5
int gi 1/0/1
 description [OSFP-to-R1-R2-R5]
 no sw
 ip address 172.16.120.36 255.255.255.224
 ip ospf priority 200
 no shut
int vlan 40
 description [LAB2-LAN-PCs]
 ip address 192.168.201.1 255.255.255.0
 no shut
router ospf 10
 log-adjacency-changes
 passive-interface default
 no passive-interface gi 1/0/1
 network 172.16.120.32 0.0.0.31 area 0
 network 192.168.200.0 0.0.0.255 area 0
 default-information originate
I suppose at this point I stopped wanting to filter incoming OSPF external routes and want to stop them being sent out over specific interfaces.
I want R2, R4 and R5 to use R2's internet breakout and R1 and R3 to use R1's internet BO. So on R2 I've stopped the default route coming in with the distribute-list in command using a fairly basic access-list when connected over gi 1/0/1. In my GNS labs I can see the default route changing in the show ip route command on R3. I need this to only be received from R1. I was thinking I would need to use a route map on R2 for the networks at R3 and only allow the 2 networks and block the advertising of my default route from R2. Something like the below.
////To stop the advertising out////
....
access-list 2 permit 172.16.120.0 0.0.0.31
access-list 2 permit 192.168.101.0 0.0.0.255
access-list 2 deny 0.0.0.0
router ospf 10
.....
distribute-list 2 out gi 1/0/1
////To allow it out////
access-list 3 permit 172.16.120.0 0.0.0.31
access-list 3 permit 192.168.101.0 0.0.0.255
access-list 3 permit 0.0.0.0
.....
router ospf 10
distribute-list 3 out gi 1/0/2
Is this possible or am I coming at it from the wrong angle?
Thanks MV
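Added example (not part of the original post): a small Python model of how the standard ACLs 1 and 2 above classify the lab's prefixes when used as a route filter. It models only ACL matching (first match wins, implicit deny at the end), not OSPF LSA flooding; the helper names and the `LAB_ROUTES` list are assumptions built from the posted interface addresses.

```python
import ipaddress

def parse_acl(text):
    """Parse 'access-list N permit|deny ADDR [WILDCARD]' lines into rules."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, addr = parts[2], parts[3]
        if addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:
            # No wildcard given means a host match (wildcard 0.0.0.0)
            wild = parts[4] if len(parts) > 4 else "0.0.0.0"
        rules.append((action, int(ipaddress.IPv4Address(addr)),
                      int(ipaddress.IPv4Address(wild))))
    return rules

def acl_allows(rules, prefix):
    """A standard ACL sees only the route's network address, not its mask."""
    net = int(ipaddress.ip_network(prefix).network_address)
    for action, addr, wild in rules:
        care = ~wild & 0xFFFFFFFF          # bits that must match
        if net & care == addr & care:
            return action == "permit"      # first match wins
    return False                           # implicit deny ends every ACL

ACL1 = parse_acl("""
access-list 1 deny 0.0.0.0
access-list 1 permit any
""")
ACL2 = parse_acl("""
access-list 2 permit 172.16.120.0 0.0.0.31
access-list 2 permit 192.168.101.0 0.0.0.255
access-list 2 deny 0.0.0.0
""")

# Constructed list: default route plus the subnets on the posted interfaces
LAB_ROUTES = ["0.0.0.0/0", "172.16.120.0/27", "172.16.120.32/27",
              "192.168.100.0/24", "192.168.101.0/24", "192.168.102.0/24",
              "192.168.200.0/24", "192.168.201.0/24"]

def filtered(rules):
    """Return the lab prefixes the ACL would filter out."""
    return [r for r in LAB_ROUTES if not acl_allows(rules, r)]

if __name__ == "__main__":
    print("ACL 1 filters:", filtered(ACL1))
    print("ACL 2 filters:", filtered(ACL2))
```

ACL 1 removes only the default route, while ACL 2 also removes every LAN and WAN prefix it does not explicitly permit, because of the implicit deny.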