On Jan 3, 2011, at 8:02 PM, Jeff Aitken <[email protected]> wrote:
On Sat, Dec 25, 2010 at 08:52:42AM -0500, ML wrote:
If you're only redistributing 10 prefixes into OSPF? Problem?
I know I'm a little late to this thread, but figured I'd point out one reason why this can be very dangerous:
In IOS, you use a route-map to control redistribution between protocols.
For example, if you want to redist just those BGP prefixes tagged with a specific community into OSPF, you will probably configure something that looks like this:
route-map bgp-to-ospf permit 10
match community $COMMUNITY
!
route-map bgp-to-ospf deny 20
!
router ospf $PID
redistribute bgp $ASN subnets route-map bgp-to-ospf
Now, consider the following failure scenarios:
1. Someone typos a BGP config elsewhere in your network and attaches $COMMUNITY to a whole bunch more routes... say, all 350k being sent by your upstream provider. *oops*
2. An engineer thinks that there's something wrong with the redistribution and decides to temporarily disable it as part of the troubleshooting process. He types the following:
conf t
router ospf $PID
no redistribute bgp $ASN subnets route-map bgp-to-ospf
*boom*
He just dumped all BGP routes into OSPF, due to the way IOS parses the command: it removes the route-map but leaves the redistribution intact.
To be fair, Cisco does provide you with tools to mitigate this risk (see the "redistribute maximum-prefix" command) but the point is that this is a fairly easy mistake to make.
At the end of the day, the reason that many folks advise against the redistribution of BGP into an IGP is that it sets the stage for a seemingly insignificant mistake to cause a not-so-insignificant outage.
--Jeff
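A small Python model of the failure Jeff describes, added here as an example and not part of the thread or of any Cisco code: the community-matching route-map, the "no ... route-map" command that strips only the filter, and a maximum-prefix guard (modelled as "stop injecting once the limit is hit", which assumes the form without warning-only). The prefixes, community value and limit are constructed sample data.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass
class BgpRoute:
    prefix: str
    communities: FrozenSet[str]

@dataclass
class OspfRedistribution:
    """Models 'redistribute bgp $ASN subnets [route-map ...] [maximum-prefix N]'."""
    route_map_community: Optional[str] = None  # community the route-map permits; None = no route-map
    maximum_prefix: Optional[int] = None       # None = unlimited, the IOS default

    def permitted(self, route: BgpRoute) -> bool:
        # route-map bgp-to-ospf: permit 10 'match community X', deny 20 for everything else
        if self.route_map_community is None:
            return True  # no route-map at all: every BGP route is permitted
        return self.route_map_community in route.communities

    def redistribute(self, bgp_table: List[BgpRoute]) -> List[str]:
        """Return the prefixes that would be injected into OSPF."""
        injected: List[str] = []
        for route in bgp_table:
            if not self.permitted(route):
                continue
            if self.maximum_prefix is not None and len(injected) >= self.maximum_prefix:
                break  # guard tripped: modelled as "stop injecting further prefixes"
            injected.append(route.prefix)
        return injected

    def no_redistribute_with_route_map(self) -> None:
        # 'no redistribute bgp $ASN subnets route-map bgp-to-ospf' as IOS parses it:
        # the route-map is removed, the redistribute statement itself stays.
        self.route_map_community = None

def build_table(n_untagged: int = 5000) -> List[BgpRoute]:
    """Constructed sample BGP table: 3 tagged prefixes plus many untagged ones."""
    tagged = [BgpRoute(f"10.{i}.0.0/16", frozenset({"65000:100"})) for i in range(3)]
    untagged = [BgpRoute(f"10.{100 + i // 256}.{i % 256}.0/24", frozenset()) for i in range(n_untagged)]
    return tagged + untagged

def demo():
    table = build_table()
    policy = OspfRedistribution(route_map_community="65000:100")
    with_map = len(policy.redistribute(table))        # only the 3 tagged prefixes
    policy.no_redistribute_with_route_map()           # the "temporarily disable it" mistake
    without_map = len(policy.redistribute(table))     # the whole table: *boom*
    guarded = OspfRedistribution(maximum_prefix=100)  # same mistake, but with the guard configured
    return with_map, without_map, len(guarded.redistribute(table))
```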
This is an interesting point.
But why does the Cisco *no* command not remove the redistribute? I think it should.
Thanks