Hello,
> I’d check the databases on both sides.
> And flush/reload the config and fibs.
I reloaded and restarted OSPFd on both sides - nothing changes. Then, I
rebooted routers on both sides - nothing changes.
I still can see/ping the whole 10.1.111.0/24 subnet from the far end.

[10.109.3.15]$ ospfctl show database router
Router Link States (Area 0.0.0.0)

LS age: 238
Options: -|-|-|-|-|-|E|-
LS Type: Router
Link State ID: 10.109.3.15
Advertising Router: 10.109.3.15
LS Seq Number: 0x80000016
Checksum: 0x6d0a
Length: 48
Flags: *|*|*|*|*|-|E|-
Number of Links: 2

    Link connected to: Stub Network
    Link ID (Network ID): 10.1.111.0
    Link Data (Network Mask): 255.255.255.0
    Metric: 10

    Link connected to: Transit Network
    Link ID (Designated Router address): 10.109.3.16
    Link Data (Router Interface address): 10.109.3.15
    Metric: 10

LS age: 239
Options: -|-|-|-|-|-|E|-
LS Type: Router
Link State ID: 10.109.3.16
Advertising Router: 10.109.3.16
LS Seq Number: 0x80000016
Checksum: 0xb058
Length: 36
Flags: *|*|*|*|*|-|E|-
Number of Links: 1

    Link connected to: Transit Network
    Link ID (Designated Router address): 10.109.3.16
    Link Data (Router Interface address): 10.109.3.16
    Metric: 10

[10.109.3.16]$ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*S        8 0.0.0.0/0            10.109.3.254
*O       32 10.1.111.0/24        10.109.3.15

On Sun, 5 Feb 2023 22:20:07 +0100
Diederik Schouten <[email protected]> wrote:
> Hello,
>
> I’d check the databases on both sides.
> And flush/reload the config and fibs.
> Then check again which link state advertisements are in the database.
> To make sure you now get the /32 advertised.
>
> > On 5 Feb 2023, at 21:15, Radek <[email protected]> wrote:
> >
> > Hello Diederik, hello Tom,
> > this is a simple lab/testing configuration, that's why there is no
> > "passive" and other...
> > The purpose of this configuration is to allow access to certain IP address
> > and restrict access to the rest of the subnet.
> > I can use PF to block/pass what I need... but I'm trying to make sure if I can
> > do it by announcing "not more than needed" over OSPF.
> >
> > "redistribute 10.1.111.11/32" seems to be what I need, but probably I
> > missed something, because this option doesn't work for me as expected.
> >
> > $ cat /etc/ospfd.conf
> > router-id 10.109.3.15
> > redistribute 10.1.111.11/32
> >
> > area 0.0.0.0 {
> > interface vr0
> > interface vr3
> > }
> >
> > Then, I can still see/ping other IPs in 10.1.111.0/24 from the far end
> > network.
> >
> > On the far router I can see the whole subnet instead of something like " *O
> > 32 10.1.111.11/24 10.109.3.15".
> >
> > $ ospfctl show fib
> > flags: * = valid, O = OSPF, C = Connected, S = Static
> > Flags Prio Destination Nexthop
> > *S 8 0.0.0.0/0 10.109.3.254
> > *O 32 10.1.111.0/24 10.109.3.15
> >
> > Any clues?
> >
> >> On Sat, 4 Feb 2023 23:16:57 +0000
> >> Tom Smyth <[email protected]> wrote:
> >>
> >> Hi Radek,
> >>
> >> it is better practice to add ospf network statements to ospfd.conf
> >> (if you don't want to send / receive ospf messages on an interface set the
> >> interface to passive in ospfd.conf)
> >> avoid redistribute connected
> >> (add the network you want to be added to your ospf network) and leave the
> >> other network omitted from your ospfd.conf
> >>
> >>
> >> I hope this helps,
> >>
> >>
> >>> On Sat, 4 Feb 2023 at 20:02, Radek <[email protected]> wrote:
> >>>
> >>> Hello,
> >>> is it possible to announce over OSPF only one (or a few specific) IP
> >>> address instead of the whole subnet?
> >>> If yes.. an ospfd.conf example would be appreciated.
> >>>
> >>> $ cat /etc/hostname.vr3
> >>> inet 10.1.111.1 255.255.255.0
> >>>
> >>> $ cat /etc/ospfd.conf
> >>> router-id 10.109.3.15
> >>> redistribute connected
> >>>
> >>> area 0.0.0.0 {
> >>> interface vr0
> >>> interface vr3
> >>> }
> >>>
> >>> Thanks,
> >>> Radek
> >>>
> >>>
> >>
> >> --
> >> Kindest regards,
> >> Tom Smyth.
> >
> >
> > Radek
> >
>
Radek
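
Added example (not part of the original thread): a check that reads "ospfctl show database router" output, in the layout quoted above, and lists every stub network a router advertises that is not covered by the prefixes meant to be announced. The function names and the embedded sample are constructed for illustration.

```python
import ipaddress

# Constructed sample: the Router LSA from 10.109.3.15 as quoted in the thread.
SAMPLE = """\
LS Type: Router
Link State ID: 10.109.3.15
Advertising Router: 10.109.3.15
Number of Links: 2
    Link connected to: Stub Network
    Link ID (Network ID): 10.1.111.0
    Link Data (Network Mask): 255.255.255.0
    Metric: 10
    Link connected to: Transit Network
    Link ID (Designated Router address): 10.109.3.16
    Link Data (Router Interface address): 10.109.3.15
    Metric: 10
"""

def stub_networks(text):
    """Return (advertising_router, network) for each stub link in the router LSAs."""
    found, router, in_stub, net_id = [], None, False, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Advertising Router":
            router = value
        elif key == "Link connected to":
            # A new link entry starts; only stub links carry a network/mask pair.
            in_stub, net_id = (value == "Stub Network"), None
        elif in_stub and key == "Link ID (Network ID)":
            net_id = value
        elif in_stub and key == "Link Data (Network Mask)" and net_id:
            net = ipaddress.ip_network(f"{net_id}/{value}", strict=False)
            found.append((router, net))
            in_stub, net_id = False, None
    return found

def unintended(text, allowed):
    """Stub networks that are not covered by any prefix in `allowed`."""
    allowed = [ipaddress.ip_network(a) for a in allowed]
    return [(r, n) for r, n in stub_networks(text)
            if not any(n.subnet_of(a) for a in allowed)]

if __name__ == "__main__":
    # Intended announcement from the thread: only 10.1.111.11/32.
    for router, net in unintended(SAMPLE, ["10.1.111.11/32"]):
        print(f"{router} advertises stub network {net}, wider than intended")
```

Run against the live output of both routers, an empty result means no router LSA carries a stub network wider than the allowed prefixes.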