Prevent Quagga from a certain subnet advertising
It looks like you should be using something like
distribute-list noeth0 out kernel
!
access-list noeth0 deny 10.11.1.0/24
access-list noeth0 permit any
The Quagga OSPF daemon documentation is a bit vague there, though - you probably would have to tweak this a bit.
Fmy Oen
Updated on September 18, 2022
Comments
-
Fmy Oen almost 2 years
I have an Ubuntu 12.10 workstation with the following interfaces:
eth0 : 10.11.1.15/24
lo:1 : 10.90.50.50/32
lo:2 : 10.1.100.100/32
tap0 : 10.5.200.200/24
As you can see, all IPs fit in the 10.0.0.0/8 subnet. Also I have Quagga on it that announces my link states to the other routers via OSPF. Here is my /etc/quagga/ospfd.conf:
router ospf
 passive-interface eth0
 router-id 10.90.50.50
 redistribute kernel route-map MYMAP
 redistribute connected route-map MYMAP
 redistribute static route-map MYMAP
 network 10.0.0.0/8 area 0.0.0.0
ip prefix-list MYLIST seq 5 deny 10.11.0.0/16 le 32
ip prefix-list MYLIST seq 10 permit 10.0.0.0/8 le 32
ip prefix-list MYLIST seq 20 deny any
route-map MYMAP permit 10
 match ip address prefix-list MYLIST
I'm failing in attempts to prevent Quagga from advertising the route 10.11.1.0/24, which is my local subnet. Neither
ip prefix-list MYLIST seq 5 deny 10.11.0.0/16 le 32
nor
ip prefix-list MYLIST seq 5 deny 10.11.1.0/24
has any influence on the route advertising. The strangest thing is that Quagga keeps advertising routes even in case I change all prefix-list actions from permit to deny. Do you have any ideas what I am doing wrong?
-
Fmy Oen over 11 years
Is that a good idea to allow everything in the end?
-
the-wabbit over 11 years
@FmyOen this is not an "access list" in terms of security, it is just a list specifying a rule set to match against - in this case for a distribute-list directive which is doing route filtering based on the rule set. So what it should do is allow distribution of all kernel routes but the ones to 10.11.1.0/24.
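An added example, not part of the thread or of Quagga: a small Python evaluator for the first-match prefix-list rules, run over the MYLIST from the question, to show which of the workstation's networks the list itself would permit or deny. It models only the matching rules (sequence order, `le`/`ge`, exact length when neither is given, implicit deny), not which routes ospfd actually passes through the filter; the function names and the `ROUTES` list, derived from the interface list in the question, are assumptions of this example.

```python
import ipaddress

# MYLIST exactly as posted in the question's ospfd.conf.
MYLIST = """\
ip prefix-list MYLIST seq 5 deny 10.11.0.0/16 le 32
ip prefix-list MYLIST seq 10 permit 10.0.0.0/8 le 32
ip prefix-list MYLIST seq 20 deny any
"""

# Connected networks derived from the interface list in the question (constructed input).
ROUTES = ["10.11.1.0/24", "10.90.50.50/32", "10.1.100.100/32", "10.5.200.0/24"]

def parse_prefix_list(text):
    """Parse 'ip prefix-list NAME seq N ACTION PREFIX [ge N] [le N]' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"]:
            continue
        seq, action, prefix = int(tok[4]), tok[5], tok[6]
        opts = dict(zip(tok[7::2], map(int, tok[8::2])))
        if prefix == "any":                      # 'any' matches every route
            net, ge, le = ipaddress.ip_network("0.0.0.0/0"), 0, 32
        else:
            net = ipaddress.ip_network(prefix)
            # With neither ge nor le, only the exact prefix length matches.
            ge = opts.get("ge", net.prefixlen)
            le = opts.get("le", 32 if "ge" in opts else net.prefixlen)
        entries.append((seq, action, net, ge, le))
    return sorted(entries, key=lambda e: e[0])

def evaluate(entries, route):
    """Return (action, seq) of the first matching entry; no match is an implicit deny."""
    r = ipaddress.ip_network(route)
    for seq, action, net, ge, le in entries:
        if r.subnet_of(net) and ge <= r.prefixlen <= le:
            return action, seq
    return "deny", None

def filter_report(list_text, routes=ROUTES):
    """Map each route to the (action, seq) the prefix-list yields for it."""
    entries = parse_prefix_list(list_text)
    return {r: evaluate(entries, r) for r in routes}

if __name__ == "__main__":
    for route, (action, seq) in filter_report(MYLIST).items():
        print(f"{route:18} {action:6} (seq {seq})")
```
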