OSPF routes not filtered

Alexander Zubkov green at qrator.net
Tue Oct 10 13:38:20 CEST 2017


I think you could use areas for this purpose or mark the router as stub -
as far as I understand it should do exactly what you want.

On Tue, Oct 10, 2017 at 12:41 PM, Войнович Андрей Александрович <
andreyv at skbkontur.ru> wrote:

> Yes, absolutely right, I want linux box to be available when any but one
> of its two Phy interfaces would fail, but not route any traffic over
> itself.
>
>
>
> ------------------------------------------
>
> Server Support Service
> Network Administration Group
> ДПП.УТП.СПС
> АО «ПФ «СКБ-Контур»,
> dc-noc at skbkontur.ru
> Tel. +7 (343) 344-11-50 ext. 75352
>
>
>
> *From:* green at highloadlab.com [mailto:green at highloadlab.com] *On Behalf
> Of *Alexander Zubkov
> *Sent:* Tuesday, October 10, 2017 3:36 PM
>
> *To:* Войнович Андрей Александрович <andreyv at skbkontur.ru>
> *Cc:* bird-users at network.cz
> *Subject:* Re: OSPF routes not filtered
>
>
>
> And what is your big idea? You do not want your bird router to route traffic
> between external R1 and external R2 for example?
>
>
>
> On Tue, Oct 10, 2017 at 12:30 PM, Alexander Zubkov <green at qrator.net>
> wrote:
>
> Hi,
>
> Yes, that should work. But it will be separate OSPF clouds if this matters.
>
>
>
> On Tue, Oct 10, 2017 at 12:17 PM, Войнович Андрей Александрович <
> andreyv at skbkontur.ru> wrote:
>
> Hi,
>
>
>
> I thought about it too, so one option is to split two internal legs into
> two different “protocols” inside BIRD cfg and filters will work as expected?
>
>
>
>
>
>
> *From:* green at highloadlab.com [mailto:green at highloadlab.com] *On Behalf
> Of *Alexander Zubkov
> *Sent:* Tuesday, October 10, 2017 2:59 PM
> *To:* Войнович Андрей Александрович <andreyv at skbkontur.ru>
> *Cc:* bird-users at network.cz
> *Subject:* Re: OSPF routes not filtered
>
>
>
> Hi.
>
> If I understand correctly, import/export filters are not applied to OSPF
> internals - LSDB announces, etc. They are applied to prefixes imported into
> OSPF protocol from router and exported from it to its table.
>
>
>
> On Tue, Oct 10, 2017 at 10:36 AM, Войнович Андрей Александрович <
> andreyv at skbkontur.ru> wrote:
>
>
>
> Hi all!
>
>
>
> I am facing a strange problem with OSPF – my router has 2 Phy links and 4
> VLAN links to two different routers:
>
> Phy 1 Vlan 1400 internal link to R1
> Phy 1 Vlan 1401 external link to R1
> Phy 2 Vlan 1402 internal link to R2
> Phy 2 Vlan 1403 external link to R2
>
> R1 and R2 have a direct connection and are OSPF neighbors in Area 0.
>
>
>
> So I am trying to achieve ECMP load balancing and fault tolerance.
>
>
>
> Linux box addresses:
>
>
>
> lo
>     inet 99.99.99.99
> enp1s0f0.1402
>     inet 10.16.0.10/30 brd 10.16.0.11
> enp1s0f0.1403
>     inet 10.16.0.14/30 brd 10.16.0.15
> enp1s0f1.1400
>     inet 10.16.0.2/30 brd 10.16.0.3
> enp1s0f1.1401
>     inet 10.16.0.6/30 brd 10.16.0.7
>
>
>
> Linux box BIRD cfg:
>
>
>
>
>
> router id 99.99.99.99;
>
> filter deny_default {
>     if net = 0.0.0.0/0 then reject;
>     else accept;
> }
>
> filter permit_white {
>     if net ~ [
>         99.99.99.99/32
>     ]
>     then accept;
>     else reject;
> }
>
> filter change_src {
>     if net = 0.0.0.0/0
>     then {
>         krt_prefsrc = 99.99.99.99;
>         accept;
>     }
>     else accept;
> }
>
> filter deny_all {
>     reject;
> }
>
> protocol kernel {
>     scan time 20;
>     import all;
>     export filter change_src;
> }
>
> protocol device {
>     scan time 10; # Scan interfaces every 10 seconds
> }
>
> protocol direct {
>     interface "enp1s0f1.1400, enp1s0f0.1402, enp1s0f1.1401, enp1s0f0.1403", "lo";
> }
>
> protocol ospf Internal {
>     rfc1583compat yes;
>     import filter deny_default;
>     export filter deny_all;
>     area 0.0.0.20 {
>         interface "enp1s0f1.1400" {
>             type pointopoint;
>         };
>         interface "enp1s0f0.1402" {
>             type pointopoint;
>         };
>     };
> }
>
> protocol ospf External {
>     rfc1583compat yes;
>     import all;
>     export filter permit_white;
>     area 100.0.0.0 {
>         interface "enp1s0f1.1401" {
>             type pointopoint;
>         };
>         interface "enp1s0f0.1403" {
>             type pointopoint;
>         };
>     };
> }
>
>
>
> When I enable only one Phy link, everything works fine and as expected:
>
>
>
> R1# sh ip ro next-hop 10.16.0.2
> 10.16.0.2/32, ubest/mbest: 1/0, attached
>     *via 10.16.0.2, Vlan1400, [250/0], 01:09:29, am
> 10.16.0.8/30, ubest/mbest: 1/0
>     *via 10.16.0.2, Vlan1400, [110/1010], 00:10:43, ospf-10, intra
>
> R2# sh ip ro next-hop 10.16.0.10
> <nothing, as expected, link disabled>
>
>
>
> But when I enable second Phy link, I see following:
>
>
>
> R1# sh ip ro next-hop 10.16.0.2
> 0.0.0.0/0, ubest/mbest: 1/0
>      via 10.16.0.2, Vlan1400, [110/1], 0.000000, ospf-10, type-2
> 10.1.1.44/30, ubest/mbest: 1/0
>     *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
> 10.1.1.224/30, ubest/mbest: 1/0
>     *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
> 10.16.0.2/32, ubest/mbest: 1/0, attached
>     *via 10.16.0.2, Vlan1400, [250/0], 01:09:31, am
> 10.16.0.8/30, ubest/mbest: 1/0
>     *via 10.16.0.2, Vlan1400, [110/1010], 00:10:45, ospf-10, intra
>
> R2# sh ip ro next-hop 10.16.0.10
> 0.0.0.0/0, ubest/mbest: 1/0
>      via 10.16.0.10, Vlan1402, [110/1], 00:00:05, ospf-10, type-2
> 10.1.1.60/30, ubest/mbest: 1/0
>     *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
> 10.1.1.216/30, ubest/mbest: 1/0
>     *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
> 10.16.0.0/30, ubest/mbest: 1/0
>     *via 10.16.0.10, Vlan1402, [110/1010], 00:00:05, ospf-10, intra
> 10.16.0.10/32, ubest/mbest: 1/0, attached
>     *via 10.16.0.10, Vlan1402, [250/0], 00:00:13, am
>
>
>
>
>
> So on linux box interfaces vlan1400 and vlan 1402 are in the same area and
> it is expected that they will have identical LSDBs and will send all the
> LSA they receive via all interfaces in the same area, so saying simply -
> they will interchange routes. But in BIRD cfg I apply filters to avoid
> doing it, however routes are not filtered, and even default route received
>
> Am I missing something?
>
> Thanks.
>
>
>
>
>
>
>
>
>
>
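Added example, not part of the original thread: a small model of the two points made above, that an import filter only affects what the filtering router installs while neighbours run SPF on the same flooded LSDB, and that a stub router avoids transit by advertising maximum metric on its links. The topology is a constructed single-area simplification (in the thread the R1-R2 adjacency is in Area 0), and all link costs and the prefix placement are assumptions.

```python
import heapq

MAX_METRIC = 0xFFFF  # metric a stub router advertises on its transit links

def build_lsdb(stub_router=False):
    """Constructed single-area LSDB: one router-LSA per router."""
    box = MAX_METRIC if stub_router else 10  # assumed box interface cost
    return {
        "box": {"links": {"R1": box, "R2": box}, "stubs": {"99.99.99.99/32": 0}},
        "R1": {"links": {"box": 1000, "R2": 3000}, "stubs": {"10.1.1.60/30": 10}},
        "R2": {"links": {"box": 1000, "R1": 3000}, "stubs": {"10.1.1.44/30": 10}},
    }

def spf(lsdb, root):
    """Dijkstra over router-LSAs; returns {prefix: (cost, first_hop)}."""
    dist, hop, heap = {root: 0}, {root: None}, [(0, root, None)]
    while heap:
        cost, node, first = heapq.heappop(heap)
        if cost > dist[node]:
            continue  # stale heap entry
        for nbr, metric in lsdb[node]["links"].items():
            new = cost + metric
            if new < dist.get(nbr, float("inf")):
                dist[nbr], hop[nbr] = new, first or nbr
                heapq.heappush(heap, (new, nbr, hop[nbr]))
    routes = {}
    for node, d in dist.items():
        if node == root:
            continue  # skip the root's own directly attached prefixes
        for prefix, metric in lsdb[node]["stubs"].items():
            routes[prefix] = (d + metric, hop[node])
    return routes

def box_table(lsdb, import_filter):
    """Routes the box installs: its own SPF result passed through its filter."""
    return {p: r for p, r in spf(lsdb, "box").items() if import_filter(p)}

if __name__ == "__main__":
    lsdb = build_lsdb()
    # The box rejects everything on import, so its own table is empty...
    print("box table:", box_table(lsdb, lambda prefix: False))
    # ...but R1 still computes a transit path through the box from the LSDB.
    print("R1, normal box:", spf(lsdb, "R1")["10.1.1.44/30"])
    # With max-metric links the box stays reachable but is no longer transit.
    stub = spf(build_lsdb(stub_router=True), "R1")
    print("R1, stub box:", stub["10.1.1.44/30"], stub["99.99.99.99/32"])
```
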
>