Hello,
> I’d check the databases on both sides.
> And flush/reload the config and fibs.
I reloaded and restarted OSPFd on both sides - nothing changes. Then, I 
rebooted routers on both sides - nothing changes.
I still can see/ping the whole 10.1.111.0/24 subnet from the far end.

[10.109.3.15]$ ospfctl show database router

                Router Link States (Area 0.0.0.0)

LS age: 238
Options: -|-|-|-|-|-|E|-
LS Type: Router
Link State ID: 10.109.3.15
Advertising Router: 10.109.3.15
LS Seq Number: 0x80000016
Checksum: 0x6d0a
Length: 48
Flags: *|*|*|*|*|-|E|-
Number of Links: 2

    Link connected to: Stub Network
    Link ID (Network ID): 10.1.111.0
    Link Data (Network Mask): 255.255.255.0
    Metric: 10

    Link connected to: Transit Network
    Link ID (Designated Router address): 10.109.3.16
    Link Data (Router Interface address): 10.109.3.15
    Metric: 10

LS age: 239
Options: -|-|-|-|-|-|E|-
LS Type: Router
Link State ID: 10.109.3.16
Advertising Router: 10.109.3.16
LS Seq Number: 0x80000016
Checksum: 0xb058
Length: 36
Flags: *|*|*|*|*|-|E|-
Number of Links: 1

    Link connected to: Transit Network
    Link ID (Designated Router address): 10.109.3.16
    Link Data (Router Interface address): 10.109.3.16
    Metric: 10


[10.109.3.16]$ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*S        8 0.0.0.0/0            10.109.3.254
*O       32 10.1.111.0/24        10.109.3.15


On Sun, 5 Feb 2023 22:20:07 +0100
Diederik Schouten <[email protected]> wrote:

> Hello,
> 
> I’d check the databases on both sides.
> And flush/reload the config and fibs.
> Then check again which link state advertisements are in the database.
> To make sure you now get the /32 advertised.
> 
> Sent from my iPhone
> 
> > On 5 Feb 2023, at 21:15, Radek <[email protected]> wrote:
> > 
> > Hello Diederik, hello Tom,
> > this is a simple lab/testing configuration, that's why there is no 
> > "passive" and other...
> > The purpose of this configuration is to allow access to certain IP address 
> > and restrict access to the rest of the subnet.
> > I can use PF to block/pass what I need... but I'm trying to make sure if I can 
> > do it by announcing "not more than needed" over OSPF.
> > 
> > "redistribute 10.1.111.11/32" seems to be what I need, but probably I 
> > missed something, because this option doesn't work for me as expected.
> > 
> > $ cat /etc/ospfd.conf
> > router-id 10.109.3.15
> > redistribute 10.1.111.11/32
> > 
> > area 0.0.0.0 {
> >        interface vr0
> >        interface vr3
> > }
> > 
> > Then, I can still see/ping other IPs in 10.1.111.0/24 from the far end 
> > network.
> > 
> > On the far router I can see the whole subnet instead of something like " *O  
> >      32 10.1.111.11/24        10.109.3.15".
> > 
> > $ ospfctl show fib
> > flags: * = valid, O = OSPF, C = Connected, S = Static
> > Flags  Prio Destination          Nexthop
> > *S        8 0.0.0.0/0            10.109.3.254
> > *O       32 10.1.111.0/24        10.109.3.15
> > 
> > Any clues?
> > 
> >> On Sat, 4 Feb 2023 23:16:57 +0000
> >> Tom Smyth <[email protected]> wrote:
> >> 
> >> Hi Radek,
> >> 
> >> it is better practice to add ospf network statements to ospfd.conf
> >> (if you don't want to send / receive ospf messages on an interface set the
> >> interface to passive in ospfd.conf)
> >> avoid redistribute connected
> >> (add the network you want to be added to your ospf network) and leave the
> >> other network omitted from your ospfd.conf
> >> 
> >> 
> >> I hope this helps,
> >> 
> >> 
> >>> On Sat, 4 Feb 2023 at 20:02, Radek <[email protected]> wrote:
> >>> 
> >>> Hello,
> >>> is it possible to announce over OSPF only one (or a few specific) IP
> >>> address instead of the whole subnet?
> >>> If yes.. an ospfd.conf example would be appreciated.
> >>> 
> >>> $ cat /etc/hostname.vr3
> >>> inet 10.1.111.1 255.255.255.0
> >>> 
> >>> $ cat /etc/ospfd.conf
> >>> router-id 10.109.3.15
> >>> redistribute connected
> >>> 
> >>> area 0.0.0.0 {
> >>>        interface vr0
> >>>        interface vr3
> >>> }
> >>> 
> >>> Thanks,
> >>> Radek
> >>> 
> >>> 
> >> 
> >> -- 
> >> Kindest regards,
> >> Tom Smyth.
> > 
> > 
> > Radek
> > 
> 


Radek
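
An added example, not part of the thread and not OpenBSD's own tooling: a check that reads `ospfctl show database router` output like the one pasted above and lists every stub network a router advertises that is wider than the prefixes meant to be announced. The function names and the allowlist are assumptions, and the sample text is constructed from the output in the post.

```python
import ipaddress
import re

# Constructed sample: the 10.109.3.15 router LSA from the post, trimmed.
SAMPLE_LSA = """\
Link State ID: 10.109.3.15
Advertising Router: 10.109.3.15
Number of Links: 2

    Link connected to: Stub Network
    Link ID (Network ID): 10.1.111.0
    Link Data (Network Mask): 255.255.255.0
    Metric: 10

    Link connected to: Transit Network
    Link ID (Designated Router address): 10.109.3.16
    Link Data (Router Interface address): 10.109.3.15
    Metric: 10
"""

def stub_networks(text):
    """Yield (advertising_router, network) for each Stub Network link."""
    router = kind = net_id = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Advertising Router: (\S+)", line):
            router = m.group(1)
        elif m := re.match(r"Link connected to: (.+)", line):
            kind = m.group(1)
        elif m := re.match(r"Link ID \(Network ID\): (\S+)", line):
            net_id = m.group(1)
        elif (m := re.match(r"Link Data \(Network Mask\): (\S+)", line)) \
                and kind == "Stub Network":
            # ip_network accepts the dotted netmask form directly.
            yield router, ipaddress.ip_network(f"{net_id}/{m.group(1)}")

def over_advertised(text, intended):
    """Return stub networks not contained in any intended (allowlisted) prefix."""
    allowed = [ipaddress.ip_network(p) for p in intended]
    return [(r, n) for r, n in stub_networks(text)
            if not any(n.subnet_of(a) for a in allowed)]

if __name__ == "__main__":
    # Hypothetical allowlist: only the single host is meant to be reachable.
    for router, net in over_advertised(SAMPLE_LSA, ["10.1.111.11/32"]):
        print(f"{router} advertises {net}, wider than intended")
```
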
