On Sat, Dec 25, 2010 at 08:52:42AM -0500, ML wrote:
> If you're only redistributing 10 prefixes into OSPF? Problem?

I know I'm a little late to this thread, but figured I'd point out one
reason why this can be very dangerous:

In IOS, you use a route-map to control redistribution between protocols.
For example, if you want to redist just those BGP prefixes tagged with a
specific community into OSPF, you will probably configure something that
looks like this:

    route-map bgp-to-ospf permit 10
     match community $COMMUNITY
    !
    route-map bgp-to-ospf deny 20
    !
    router ospf $PID
     redistribute bgp $ASN subnets route-map bgp-to-ospf

Now, consider the following failure scenarios:

1. Someone typos a BGP config elsewhere in your network and attaches
   $COMMUNITY to a whole bunch more routes... say, all 350k being sent by
   your upstream provider. *oops*

2. An engineer thinks that there's something wrong with the
   redistribution and decides to temporarily disable it as part of the
   troubleshooting process. He types the following:

    conf t
    router ospf $PID
    no redistribute bgp $ASN subnets route-map bgp-to-ospf

   *boom* He just dumped all BGP routes into OSPF, due to the way IOS
   parses the command: it removes the route-map but leaves the
   redistribution intact.

To be fair, Cisco does provide you with tools to mitigate this risk (see
the "redistribute maximum-prefix" command) but the point is that this is
a fairly easy mistake to make.

At the end of the day, the reason that many folks advise against the
redistribution of BGP into an IGP is that it sets the stage for a
seemingly insignificant mistake to cause a not-so-insignificant outage.

--Jeff
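
A configuration audit for the two risks described in the message above, as an added example that is not part of the original post: it flags `redistribute bgp` statements under `router ospf` that carry no route-map, and OSPF processes that redistribute BGP with no `redistribute maximum-prefix` limit. The function name, the sample configurations, ASN 64500 and the limit of 100 are constructed for illustration.

```python
import re

def audit_ospf_redistribution(config: str) -> list[str]:
    """Return findings for BGP-into-OSPF redistribution in an IOS-style config."""
    procs, pid = {}, None   # pid = OSPF process whose section is being read
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():
            # An unindented line (including "!") starts a new top-level section.
            m = re.match(r"router ospf (\S+)", line)
            pid = m.group(1) if m else None
            if pid is not None:
                procs.setdefault(pid, {"redist": [], "maxpfx": False})
        elif pid is not None and line.startswith("redistribute maximum-prefix"):
            procs[pid]["maxpfx"] = True
        elif pid is not None and line.startswith("redistribute bgp"):
            procs[pid]["redist"].append(line)
    findings = []
    for pid, p in procs.items():
        for stmt in p["redist"]:
            if "route-map" not in stmt.split():
                findings.append(f"ospf {pid}: unfiltered '{stmt}'")
        if p["redist"] and not p["maxpfx"]:
            findings.append(f"ospf {pid}: no redistribute maximum-prefix limit")
    return findings

# Constructed samples: the intended config, the state the message says is
# left behind after the "no redistribute ... route-map" command, and a
# config with a prefix limit in place.
INTENDED = """\
router ospf 1
 redistribute bgp 64500 subnets route-map bgp-to-ospf
!
"""
AFTER_NO_COMMAND = """\
router ospf 1
 redistribute bgp 64500 subnets
!
"""
GUARDED = """\
router ospf 1
 redistribute maximum-prefix 100
 redistribute bgp 64500 subnets route-map bgp-to-ospf
!
"""

if __name__ == "__main__":
    for name in ("INTENDED", "AFTER_NO_COMMAND", "GUARDED"):
        print(name, audit_ospf_redistribution(globals()[name]))
```

Run against saved running-configs before and after a change window, a new "unfiltered" finding shows the route-map was dropped while redistribution stayed active.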