@Frank Kardel, thanks very much for the hint that "distribute-list" and "redistribute" are sub-commands of "router $protocol". I would never have figured that out on my own; I completely missed traces of that relation when trying to understand the code for the Quagga parser. Now rip[ng]d are emitting packets. However, those packets advertise all routes on the host, including the default route, the next-hop's link local address, and the prefix route for the uplink, whereas I'm trying to advertise just the route to a VM on this host, which others need to connect to. Here's output from tcpdump -v with lines refolded; * indicates the wanted route: ``` 21:28:46.097311 IP (tos 0xc0, ttl 1, id 12993, offset 0, flags [DF], proto UDP (17), length 112) xenaeth.cft.ca.us.router > rip2-routers.mcast.net.router: RIPv2, Response, length: 84, routes: 4 or less Auth header: Packet Len 64, Key-ID 1, Auth Data Len 20, SeqNo 1614490126, MBZ 0, MBZ 0 AFI IPv4, 0.0.0.0/0, tag 0x0, metric: 1, next-hop: 192.9.200.193 AFI IPv4, 192.9.200.176/29, tag 0x0000, metric: 1, next-hop: self * Auth trailer: 0x0000: f848 b3d5 929a 8a0f ccfa cd6f 4e8b fe4b 21:28:46.296453 IP6 (class 0xc0, flowlabel 0x58655, hlim 255, next-header UDP (17) payload length: 92) fe80::d237:45ff:febe:5a05.ripng > ff02::9.ripng: ripng-resp 4: 2600:3c01:e000:306::/112 (1) [uplink prefix] 2600:3c01:e000:306::7:0/112 (1) [hosted VM] * fe80::5054:ff:fe09:c8c1/0 (255) [link local addr of default nexthop] ::/0 (1) [default route] ``` Here's the current conf file. This time I've removed most comments, and I split it with separate sections for ripd and ripngd. ``` password redacted#1 enable password redacted#2 log file /var/log/frr/frr.log ip prefix-list xenanet4 permit 192.9.200.176/29 ge 29 ip prefix-list xenanet4 deny any route-map cnmap4 permit 1 # route-map cnmap4 deny 2 -- Making this explicit didn't help. match ip address prefix-list xenanet4 router rip version 2 network 192.9.200.192/26 distribute-list xenanet4 in distribute-list xenanet4 out redistribute kernel redistribute static redistribute connected ip protocol rip route-map cnmap4 ipv6 prefix-list xenanet6 permit 2600:3c01:e000:306::7:0/112 ge 112 ipv6 prefix-list xenanet6 deny any route-map cnmap6 permit 1 match ipv6 address prefix-list xenanet6 route-map cnmap deny 6 # Duplicating the distribute-list and redistribute subcommands for ripng router ripng network 2600:3c01:e000:306::/112 distribute-list xenanet6 in distribute-list xenanet6 out redistribute kernel redistribute static redistribute connected ip protocol ripng route-map cnmap6 # Turn on authentication (RIP v2 only and not for RIPng). key chain CouchNet key 1 key-string 4mGwyf$NWla interface en0 ip rip authentication mode md5 ip rip authentication key-chain CouchNet interface br0 ip rip authentication mode md5 ip rip authentication key-chain CouchNet interface rad0 ip rip authentication mode md5 ip rip authentication key-chain CouchNet interface tun0 ip rip authentication mode md5 ip rip authentication key-chain CouchNet interface tun1 ip rip authentication mode md5 ip rip authentication key-chain CouchNet interface tun9 ip rip authentication mode md5 ip rip authentication key-chain CouchNet ``` Does anyone have any idea why the various filtering lists are not restricting the routes being sent out? -- James F. Carter Email: jimc@jfcarter.net Web: http://www.math.ucla.edu/~jimc (q.v. for PGP key)