OSPF routes not filtered

Alexander Zubkov green at qrator.net
Tue Oct 10 11:58:51 CEST 2017


Hi.

If I understand correctly, import/export filters are not applied to OSPF
internals - LSDB announcements, etc. They are applied to prefixes imported into
the OSPF protocol from the router and exported from it to its table.

On Tue, Oct 10, 2017 at 10:36 AM, Войнович Андрей Александрович <
andreyv at skbkontur.ru> wrote:

>
> Hi all!
>
> I am facing a strange problem with OSPF – my router has 2 Phy links and 4
> VLAN links to two different routers:
> Phy 1 Vlan 1400 internal link to R1
> Phy 1 Vlan 1401 external link to R1
> Phy 2 Vlan 1402 internal link to R2
> Phy 2 Vlan 1403 external link to R2
> R1 and R2 have a direct connection and are OSPF neighbors in Area 0.
>
> So I am trying to achieve ECMP load balancing and fault tolerance.
>
> Linux box addresses:
>
> lo
>     inet 99.99.99.99
> enp1s0f0.1402
>     inet 10.16.0.10/30 brd 10.16.0.11
> enp1s0f0.1403
>     inet 10.16.0.14/30 brd 10.16.0.15
> enp1s0f1.1400
>     inet 10.16.0.2/30 brd 10.16.0.3
> enp1s0f1.1401
>     inet 10.16.0.6/30 brd 10.16.0.7
>
> Linux box BIRD cfg:
>
>
> router id 99.99.99.99;
>
> filter deny_default {
>         if net = 0.0.0.0/0 then reject;
>         else accept;
> }
>
> filter permit_white {
>         if net ~ [
>                 99.99.99.99/32
>         ]
>         then accept;
>         else reject;
> }
>
> filter change_src {
>         if net = 0.0.0.0/0
>         then {
>                 krt_prefsrc = 99.99.99.99;
>                 accept;
>         }
>         else accept;
> }
>
> filter deny_all {
>         reject;
> }
>
> protocol kernel {
>         scan time 20;
>         import all;
>         export filter change_src;
> }
>
> protocol device {
>         scan time 10; # Scan interfaces every 10 seconds
> }
>
> protocol direct {
>         interface "enp1s0f1.1400, enp1s0f0.1402, enp1s0f1.1401, enp1s0f0.1403", "lo";
> }
>
> protocol ospf Internal {
>         rfc1583compat yes;
>         import filter deny_default;
>         export filter deny_all;
>         area 0.0.0.20 {
>                 interface "enp1s0f1.1400" {
>                         type pointopoint;
>                 };
>                 interface "enp1s0f0.1402" {
>                         type pointopoint;
>                 };
>         };
> }
>
> protocol ospf External {
>         rfc1583compat yes;
>         import all;
>         export filter permit_white;
>         area 100.0.0.0 {
>                 interface "enp1s0f1.1401" {
>                         type pointopoint;
>                 };
>                 interface "enp1s0f0.1403" {
>                         type pointopoint;
>                 };
>         };
> }
>
> When I enable only one Phy link, everything works fine and as expected:
>
> R1# sh ip ro next-hop 10.16.0.2
> 10.16.0.2/32, ubest/mbest: 1/0, attached
>     *via 10.16.0.2, Vlan1400, [250/0], 01:09:29, am
> 10.16.0.8/30, ubest/mbest: 1/0
>     *via 10.16.0.2, Vlan1400, [110/1010], 00:10:43, ospf-10, intra
>
> R2# sh ip ro next-hop 10.16.0.10
> <nothing, as expected, link disabled>
>
> But when I enable second Phy link, I see following:
>
> R1# sh ip ro next-hop 10.16.0.2
> 0.0.0.0/0, ubest/mbest: 1/0
>      via 10.16.0.2, Vlan1400, [110/1], 0.000000, ospf-10, type-2
> 10.1.1.44/30, ubest/mbest: 1/0
>     *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
> 10.1.1.224/30, ubest/mbest: 1/0
>     *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
> 10.16.0.2/32, ubest/mbest: 1/0, attached
>     *via 10.16.0.2, Vlan1400, [250/0], 01:09:31, am
> 10.16.0.8/30, ubest/mbest: 1/0
>     *via 10.16.0.2, Vlan1400, [110/1010], 00:10:45, ospf-10, intra
>
> R2# sh ip ro next-hop 10.16.0.10
>
> 0.0.0.0/0, ubest/mbest: 1/0
>      via 10.16.0.10, Vlan1402, [110/1], 00:00:05, ospf-10, type-2
> 10.1.1.60/30, ubest/mbest: 1/0
>     *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
> 10.1.1.216/30, ubest/mbest: 1/0
>     *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
> 10.16.0.0/30, ubest/mbest: 1/0
>     *via 10.16.0.10, Vlan1402, [110/1010], 00:00:05, ospf-10, intra
> 10.16.0.10/32, ubest/mbest: 1/0, attached
>     *via 10.16.0.10, Vlan1402, [250/0], 00:00:13, am
>
>
> So on the Linux box, interfaces vlan1400 and vlan1402 are in the same area and
> it is expected that they will have identical LSDBs and will send all the
> LSAs they receive via all interfaces in the same area, so, simply put,
> they will interchange routes. But in the BIRD cfg I apply filters to avoid
> doing it, however routes are not filtered, and even the default route is received.
> Am I missing something?
> Thanks.
>
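
The distinction made in the reply, as an added toy model in Python (not part of the original thread and not BIRD code): the import/export filters gate what moves between the OSPF protocol and the box's own table, while LSAs are flooded to every router in the area regardless. Router names and filters follow the thread; that R2 originates 0.0.0.0/0 and 10.1.1.44/30 is an assumption, and a simple set insert stands in for the SPF calculation.

```python
# Toy model (constructed): OSPF flooding vs. BIRD-style import/export filters.
from collections import deque

def deny_default(prefix):      # mirrors "filter deny_default" from the thread
    return prefix != "0.0.0.0/0"

def deny_all(prefix):          # mirrors "filter deny_all" from the thread
    return False

def accept_all(prefix):
    return True

class Router:
    def __init__(self, name, import_filter=accept_all, export_filter=accept_all):
        self.name = name
        self.import_filter = import_filter   # LSDB-derived routes -> own table
        self.export_filter = export_filter   # own table -> LSAs this router originates
        self.neighbors = []                  # adjacencies inside one area
        self.lsdb = set()                    # (origin, prefix); filters never touch it
        self.table = set()                   # prefixes accepted into the own table

    def originate(self, prefix):
        """Announce a table route into OSPF, subject to the export filter."""
        if self.export_filter(prefix):
            flood(self, (self.name, prefix))

def flood(start, lsa):
    """Each router stores the LSA and passes it on; import only gates its own table."""
    queue = deque([start])
    while queue:
        router = queue.popleft()
        if lsa in router.lsdb:
            continue                         # already seen, stop re-flooding
        router.lsdb.add(lsa)
        origin, prefix = lsa
        if origin != router.name and router.import_filter(prefix):
            router.table.add(prefix)         # stand-in for SPF + import filter
        queue.extend(router.neighbors)

def build_area():
    r1, r2 = Router("R1"), Router("R2")
    box = Router("box", import_filter=deny_default, export_filter=deny_all)
    for a, b in ((r1, box), (box, r2)):      # R1 - box - R2, as with both links up
        a.neighbors.append(b)
        b.neighbors.append(a)
    r2.originate("0.0.0.0/0")                # assumption: R2 side originates these
    r2.originate("10.1.1.44/30")
    box.originate("99.99.99.99/32")          # blocked by deny_all
    return r1, box, r2
```

In this model the box keeps the default route out of its own table and announces nothing of its own, yet R1 still learns R2's LSAs through it, which matches the behaviour reported in the thread.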