OSPF routes not filtered

Войнович Андрей Александрович andreyv at skbkontur.ru
Tue Oct 10 12:17:03 CEST 2017


Hi,

I thought about it too, so one option is to split two internal legs into two different “protocols” inside BIRD cfg and filters will work as expected?

------------------------------------------
Server support service
Network administration group
ДПП.УТП.СПС
АО «ПФ «СКБ-Контур»,
dc-noc at skbkontur.ru
Tel. +7 (343) 344-11-50 ext. 75352

From: green at highloadlab.com [mailto:green at highloadlab.com] On Behalf Of Alexander Zubkov
Sent: Tuesday, October 10, 2017 2:59 PM
To: Войнович Андрей Александрович <andreyv at skbkontur.ru>
Cc: bird-users at network.cz
Subject: Re: OSPF routes not filtered

Hi.
If I understand correctly, import/export filters are not applied to OSPF internals - LSDB announcements, etc. They are applied to prefixes imported into the OSPF protocol from the router and exported from it to its table.

On Tue, Oct 10, 2017 at 10:36 AM, Войнович Андрей Александрович <andreyv at skbkontur.ru> wrote:

Hi all!

I am facing a strange problem with OSPF – my router has 2 Phy links and 4 VLAN links to two different routers:
Phy 1 Vlan 1400 internal link to R1
Phy 1 Vlan 1401 external link to R1
Phy 2 Vlan 1402 internal link to R2
Phy 2 Vlan 1403 external link to R2
R1 and R2 have a direct connection and are OSPF neighbors in Area 0.

So I am trying to achieve ECMP load balancing and fault tolerance.

Linux box addresses:

lo
    inet 99.99.99.99
enp1s0f0.1402
    inet 10.16.0.10/30 brd 10.16.0.11
enp1s0f0.1403
    inet 10.16.0.14/30 brd 10.16.0.15
enp1s0f1.1400
    inet 10.16.0.2/30 brd 10.16.0.3
enp1s0f1.1401
    inet 10.16.0.6/30 brd 10.16.0.7

Linux box BIRD cfg:


router id 99.99.99.99;

filter deny_default {
if net = 0.0.0.0/0 then reject;
else accept;
}

filter permit_white {
if net ~ [
99.99.99.99/32
]
then accept;
else reject;
}

filter change_src {
if net = 0.0.0.0/0
then {
krt_prefsrc = 99.99.99.99;
accept;
}
else accept;
}

filter deny_all {
reject;
}

protocol kernel {
scan time 20;
import all;
export filter change_src;
}

protocol device {
scan time 10; # Scan interfaces every 10 seconds
}

protocol direct {
        # one quoted pattern per interface; a single string holding a comma-separated list matches nothing
        interface "enp1s0f1.1400", "enp1s0f0.1402", "enp1s0f1.1401", "enp1s0f0.1403", "lo";
}

protocol ospf Internal {
rfc1583compat yes;
import filter deny_default;
export filter deny_all;
area 0.0.0.20 {
interface "enp1s0f1.1400" {
type pointopoint;
};
interface "enp1s0f0.1402" {
type pointopoint;
};
};
}

protocol ospf External {
rfc1583compat yes;
import all;
export filter permit_white;
area 100.0.0.0 {
interface "enp1s0f1.1401" {
type pointopoint;
};
interface "enp1s0f0.1403" {
type pointopoint;
};
};
}

When I enable only one Phy link, everything works fine and as expected:

R1# sh ip ro next-hop 10.16.0.2
10.16.0.2/32, ubest/mbest: 1/0, attached
    *via 10.16.0.2, Vlan1400, [250/0], 01:09:29, am
10.16.0.8/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/1010], 00:10:43, ospf-10, intra

R2# sh ip ro next-hop 10.16.0.10
<nothing, as expected, link disabled>

But when I enable the second Phy link, I see the following:

R1# sh ip ro next-hop 10.16.0.2
0.0.0.0/0, ubest/mbest: 1/0
     via 10.16.0.2, Vlan1400, [110/1], 0.000000, ospf-10, type-2
10.1.1.44/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
10.1.1.224/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
10.16.0.2/32, ubest/mbest: 1/0, attached
    *via 10.16.0.2, Vlan1400, [250/0], 01:09:31, am
10.16.0.8/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/1010], 00:10:45, ospf-10, intra

R2# sh ip ro next-hop 10.16.0.10
0.0.0.0/0, ubest/mbest: 1/0
     via 10.16.0.10, Vlan1402, [110/1], 00:00:05, ospf-10, type-2
10.1.1.60/30, ubest/mbest: 1/0
    *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
10.1.1.216/30, ubest/mbest: 1/0
    *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
10.16.0.0/30, ubest/mbest: 1/0
    *via 10.16.0.10, Vlan1402, [110/1010], 00:00:05, ospf-10, intra
10.16.0.10/32, ubest/mbest: 1/0, attached
    *via 10.16.0.10, Vlan1402, [250/0], 00:00:13, am


So on the Linux box interfaces vlan1400 and vlan1402 are in the same area and it is expected that they will have identical LSDBs and will send all the LSAs they receive via all interfaces in the same area, so, simply put, they will interchange routes. But in the BIRD cfg I apply filters to avoid doing it; however, routes are not filtered, and even the default route is received.
Am I missing something?
Thanks.
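As an added check (example code, not part of the thread or of BIRD), the following parses the "sh ip ro next-hop" output quoted above and reports every prefix R1 reaches through the Linux box that is not one of the box's own link or loopback networks; a non-empty result is exactly the transit symptom described in the post. The box networks and the sample table are taken from the post; the function and regex names are the example's own.

```python
# Added example (not from the thread): parse the "sh ip ro" output quoted in the
# post and flag prefixes reached through the Linux box that are not its own networks.
import ipaddress
import re
from typing import List, NamedTuple

HEADER = re.compile(r"^(\S+/\d+), ubest/mbest: \d+/\d+(?:, (\w+))?$")
VIA = re.compile(r"^\s*\*?via (\S+), (\S+), \[(\d+)/(\d+)\], \S+, ([\w-]+)(?:, (\S+))?$")

class Route(NamedTuple):
    prefix: str
    nexthop: str
    iface: str
    ad: int        # administrative distance
    metric: int
    proto: str     # "ospf-10", "am", ...
    kind: str      # "intra", "type-2", "attached" or ""

def parse_nxos_routes(text: str) -> List[Route]:
    """One Route per 'via' line, tagged with the prefix header above it."""
    routes, prefix, flag = [], None, ""
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            prefix, flag = m.group(1), m.group(2) or ""
            continue
        m = VIA.match(line)
        if m and prefix:
            routes.append(Route(prefix, m.group(1), m.group(2), int(m.group(3)),
                                int(m.group(4)), m.group(5), m.group(6) or flag))
    return routes

def find_transit_routes(routes, box_nexthops, box_networks) -> List[str]:
    """Prefixes learned via the box that lie outside its connected networks."""
    own = [ipaddress.ip_network(n) for n in box_networks]
    return [r.prefix for r in routes if r.nexthop in box_nexthops
            and not any(ipaddress.ip_network(r.prefix).subnet_of(o) for o in own)]

# Box link/loopback networks from the post, and R1's table with both links up.
BOX_NETS = ["10.16.0.0/30", "10.16.0.4/30", "10.16.0.8/30", "10.16.0.12/30", "99.99.99.99/32"]
R1_BOTH_LINKS = """\
0.0.0.0/0, ubest/mbest: 1/0
     via 10.16.0.2, Vlan1400, [110/1], 0.000000, ospf-10, type-2
10.1.1.44/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
10.16.0.2/32, ubest/mbest: 1/0, attached
    *via 10.16.0.2, Vlan1400, [250/0], 01:09:31, am
10.16.0.8/30, ubest/mbest: 1/0
    *via 10.16.0.2, Vlan1400, [110/1010], 00:10:45, ospf-10, intra
"""
```

`find_transit_routes(parse_nxos_routes(R1_BOTH_LINKS), {"10.16.0.2"}, BOX_NETS)` returns the default route and 10.1.1.44/30, while the box's own /32 and link /30 are correctly left out.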


