OSPF routes not filtered

Alexander Zubkov green at qrator.net
Tue Oct 10 12:35:52 CEST 2017


And what is your big idea? You do not want your bird router to route traffic
between external R1 and external R2, for example?

On Tue, Oct 10, 2017 at 12:30 PM, Alexander Zubkov <green at qrator.net> wrote:

> Hi,
>
> Yes, that should work. But it will be separate OSPF clouds, if this matters.
>
> On Tue, Oct 10, 2017 at 12:17 PM, Войнович Андрей Александрович <
> andreyv at skbkontur.ru> wrote:
>
>> Hi,
>>
>> I thought about it too, so one option is to split two internal legs into
>> two different “protocols” inside BIRD cfg and filters will work as expected?
>>
>> ------------------------------------------
>> Server Support Service
>> Network Administration Group
>> ДПП.УТП.СПС
>> АО «ПФ «СКБ-Контур»,
>> dc-noc at skbkontur.ru
>> Tel. +7 (343) 344-11-50 ext. 75352
>>
>> *From:* green at highloadlab.com [mailto:green at highloadlab.com] *On Behalf
>> Of *Alexander Zubkov
>> *Sent:* Tuesday, October 10, 2017 2:59 PM
>> *To:* Войнович Андрей Александрович <andreyv at skbkontur.ru>
>> *Cc:* bird-users at network.cz
>> *Subject:* Re: OSPF routes not filtered
>>
>> Hi.
>>
>> If I understand correctly, import/export filters are not applied to OSPF
>> internals - LSDB announces, etc. They are applied to prefixes imported into
>> OSPF protocol from router and exported from it to its table.
>>
>>
>>
>> On Tue, Oct 10, 2017 at 10:36 AM, Войнович Андрей Александрович <
>> andreyv at skbkontur.ru> wrote:
>>
>>
>>
>> Hi all!
>>
>> I am facing a strange problem with OSPF – my router has 2 Phy links and 4
>> VLAN links to two different routers:
>>
>> Phy 1 Vlan 1400 internal link to R1
>> Phy 1 Vlan 1401 external link to R1
>> Phy 2 Vlan 1402 internal link to R2
>> Phy 2 Vlan 1403 external link to R2
>>
>> R1 and R2 have a direct connection and are OSPF neighbors in Area 0.
>>
>> So I am trying to achieve ECMP load balancing and fault tolerance.
>>
>> Linux box addresses:
>>
>> lo
>>     inet 99.99.99.99
>> enp1s0f0.1402
>>     inet 10.16.0.10/30 brd 10.16.0.11
>> enp1s0f0.1403
>>     inet 10.16.0.14/30 brd 10.16.0.15
>> enp1s0f1.1400
>>     inet 10.16.0.2/30 brd 10.16.0.3
>> enp1s0f1.1401
>>     inet 10.16.0.6/30 brd 10.16.0.7
>>
>>
>> Linux box BIRD cfg:
>>
>> router id 99.99.99.99;
>>
>> filter deny_default {
>>         if net = 0.0.0.0/0 then reject;
>>         else accept;
>> }
>>
>> filter permit_white {
>>         if net ~ [
>>                 99.99.99.99/32
>>         ]
>>         then accept;
>>         else reject;
>> }
>>
>> filter change_src {
>>         if net = 0.0.0.0/0
>>         then {
>>                 krt_prefsrc = 99.99.99.99;
>>                 accept;
>>         }
>>         else accept;
>> }
>>
>> filter deny_all {
>>         reject;
>> }
>>
>> protocol kernel {
>>         scan time 20;
>>         import all;
>>         export filter change_src;
>> }
>>
>> protocol device {
>>         scan time 10; # Scan interfaces every 10 seconds
>> }
>>
>> protocol direct {
>>         interface "enp1s0f1.1400, enp1s0f0.1402, enp1s0f1.1401, enp1s0f0.1403", "lo";
>> }
>>
>> protocol ospf Internal {
>>         rfc1583compat yes;
>>         import filter deny_default;
>>         export filter deny_all;
>>         area 0.0.0.20 {
>>                 interface "enp1s0f1.1400" {
>>                         type pointopoint;
>>                 };
>>                 interface "enp1s0f0.1402" {
>>                         type pointopoint;
>>                 };
>>         };
>> }
>>
>> protocol ospf External {
>>         rfc1583compat yes;
>>         import all;
>>         export filter permit_white;
>>         area 100.0.0.0 {
>>                 interface "enp1s0f1.1401" {
>>                         type pointopoint;
>>                 };
>>                 interface "enp1s0f0.1403" {
>>                         type pointopoint;
>>                 };
>>         };
>> }
>>
>>
>>
>> When I enable only one Phy link, everything works fine and as expected:
>>
>> R1# sh ip ro next-hop 10.16.0.2
>> 10.16.0.2/32, ubest/mbest: 1/0, attached
>>     *via 10.16.0.2, Vlan1400, [250/0], 01:09:29, am
>> 10.16.0.8/30, ubest/mbest: 1/0
>>     *via 10.16.0.2, Vlan1400, [110/1010], 00:10:43, ospf-10, intra
>>
>> R2# sh ip ro next-hop 10.16.0.10
>> <nothing, as expected, link disabled>
>>
>> But when I enable the second Phy link, I see the following:
>>
>> R1# sh ip ro next-hop 10.16.0.2
>> 0.0.0.0/0, ubest/mbest: 1/0
>>      via 10.16.0.2, Vlan1400, [110/1], 0.000000, ospf-10, type-2
>> 10.1.1.44/30, ubest/mbest: 1/0
>>     *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
>> 10.1.1.224/30, ubest/mbest: 1/0
>>     *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra
>> 10.16.0.2/32, ubest/mbest: 1/0, attached
>>     *via 10.16.0.2, Vlan1400, [250/0], 01:09:31, am
>> 10.16.0.8/30, ubest/mbest: 1/0
>>     *via 10.16.0.2, Vlan1400, [110/1010], 00:10:45, ospf-10, intra
>>
>> R2# sh ip ro next-hop 10.16.0.10
>>
>> 0.0.0.0/0, ubest/mbest: 1/0
>>      via 10.16.0.10, Vlan1402, [110/1], 00:00:05, ospf-10, type-2
>> 10.1.1.60/30, ubest/mbest: 1/0
>>     *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
>> 10.1.1.216/30, ubest/mbest: 1/0
>>     *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra
>> 10.16.0.0/30, ubest/mbest: 1/0
>>     *via 10.16.0.10, Vlan1402, [110/1010], 00:00:05, ospf-10, intra
>> 10.16.0.10/32, ubest/mbest: 1/0, attached
>>     *via 10.16.0.10, Vlan1402, [250/0], 00:00:13, am
>>
>>
>>
>>
>> So on the Linux box, interfaces vlan1400 and vlan 1402 are in the same area
>> and it is expected that they will have identical LSDBs and will send all the
>> LSAs they receive via all interfaces in the same area, so simply put,
>> they will interchange routes. But in the BIRD cfg I apply filters to avoid
>> doing it; however, routes are not filtered, and even default route received
>>
>> Am I missing something?
>>
>> Thanks.
>>
>
>
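
The "two protocols" split discussed in this thread, written out as an added example; it is not part of the original messages or of the poster's configuration. The instance names `Internal_R1` and `Internal_R2` are assumptions, while the filters `deny_default` and `deny_all` are the ones defined in the quoted config.

```conf
# Added example, BIRD 1.x syntax. Replaces the single "protocol ospf Internal"
# block; the rest of the quoted configuration is assumed unchanged.
#
# Why this changes the behaviour: import/export filters act only between an
# OSPF instance and BIRD's routing table. Inside one instance, every LSA
# received on one interface of an area is flooded out of the other interfaces
# of that area, untouched by any filter. Two instances keep two separate
# LSDBs, so nothing learned from R1 is flooded towards R2 or back.

protocol ospf Internal_R1 {              # hypothetical name
        rfc1583compat yes;
        import filter deny_default;      # OSPF -> table: drop 0.0.0.0/0
        export filter deny_all;          # table -> OSPF: originate nothing
        area 0.0.0.20 {
                interface "enp1s0f1.1400" {
                        type pointopoint;
                };
        };
}

protocol ospf Internal_R2 {              # hypothetical name
        rfc1583compat yes;
        import filter deny_default;
        # Keep deny_all here as well: routes imported by Internal_R1 sit in
        # the shared table, and a permissive export would re-announce them
        # to R2 as external routes, recreating the leak via redistribution.
        export filter deny_all;
        area 0.0.0.20 {
                interface "enp1s0f0.1402" {
                        type pointopoint;
                };
        };
}
```

After reloading, repeating the `sh ip ro next-hop` checks from the original report on R1 and R2 shows whether the default route and the other side's prefixes still arrive through the Linux box.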