<div dir="ltr"><div>Hi.<br><br></div>If I understand correctly, import/export filters are not applied to OSPF internals - LSDB announcements, etc. They are applied to prefixes imported into the OSPF protocol from the router and exported from it to its table.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 10, 2017 at 10:36 AM, Войнович Андрей Александрович <span dir="ltr">&lt;<a href="mailto:andreyv@skbkontur.ru" target="_blank">andreyv@skbkontur.ru</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" style="font-size:12pt;color:#000000;background-color:#ffffff;font-family:Calibri,Arial,Helvetica,sans-serif">
<div class="m_-4234417711702196457WordSection1">
<div>Hi all!</div>
<div> </div>
<div>I am facing a strange problem with OSPF – my router has 2 Phy links and 4 VLAN links to two different routers:</div>
<div><span style="font-family:"Courier New",monospace">Phy 1 Vlan 1400 internal link to R1</span></div>
<div><span style="font-family:"Courier New",monospace">Phy 1 Vlan 1401 external link to R1</span></div>
<div><span style="font-family:"Courier New",monospace">Phy 2 Vlan 1402 internal link to R2</span></div>
<div><span style="font-family:"Courier New",monospace">Phy 2 Vlan 1403 external link to R2</span></div>
<div>R1 and R2 have a direct connection and are OSPF neighbors in Area 0.</div>
<div> </div>
<div>So I am trying to achieve ECMP load balancing and fault tolerance.</div>
<div> </div>
<div>Linux box addresses:</div>
<div> </div>
<div><span style="font-family:"Courier New",monospace">lo</span></div>
<div><span style="font-family:"Courier New",monospace"> inet 99.99.99.99</span></div>
<div><span style="font-family:"Courier New",monospace">enp1s0f0.1402</span></div>
<div><span style="font-family:"Courier New",monospace"> inet 10.16.0.10/30 brd 10.16.0.11</span></div>
<div><span style="font-family:"Courier New",monospace">enp1s0f0.1403</span></div>
<div><span style="font-family:"Courier New",monospace"> inet 10.16.0.14/30 brd 10.16.0.15</span></div>
<div><span style="font-family:"Courier New",monospace">enp1s0f1.1400</span></div>
<div><span style="font-family:"Courier New",monospace"> inet 10.16.0.2/30 brd 10.16.0.3</span></div>
<div><span style="font-family:"Courier New",monospace">enp1s0f1.1401</span></div>
<div><span style="font-family:"Courier New",monospace"> inet 10.16.0.6/30 brd 10.16.0.7</span></div>
<div><br>
</div>
<div>Linux box BIRD cfg:</div>
<div><br>
</div>
<div><br>
</div>
<div><span style="font-family:"Courier New",monospace">router id 99.99.99.99;</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">filter deny_default {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">if net = 0.0.0.0/0 then reject;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">else accept;</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">filter permit_white {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">if net ~
</span><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">[</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace"></span><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">99.99.99.99/32</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">] </span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">then accept;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">else reject;</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">filter change_src {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">if net = 0.0.0.0/0</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">then {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">krt_prefsrc = 99.99.99.99;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">accept;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">}</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">else accept;</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">filter deny_all {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">reject;</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">protocol kernel {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">scan time 20;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">import all;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">export filter change_src;</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">protocol device {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">scan time 10;</span><span style="white-space:pre-wrap;font-family:"Courier New",monospace">
</span><span style="font-family:"Courier New",monospace"># Scan interfaces every 10 seconds</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">protocol direct {</span></div>
<div><span style="font-family:"Courier New",monospace"> interface "enp1s0f1.1400, enp1s0f0.1402, enp1s0f1.1401, enp1s0f0.1403", "lo";</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">protocol ospf Internal {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">rfc1583compat yes;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">import filter deny_default;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">export filter deny_all;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">area 0.0.0.20 {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">interface "enp1s0f1.1400" {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">type pointopoint;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">};</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">interface "enp1s0f0.1402" {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">type pointopoint;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">};</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">};</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">protocol ospf External {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">rfc1583compat yes;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">import all;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">export filter permit_white;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">area 100.0.0.0 {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">interface "enp1s0f1.1401" {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">type pointopoint;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">};</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">interface "enp1s0f0.1403" {</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">type pointopoint;</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">};</span></div>
<div><span style="white-space:pre-wrap;font-family:"Courier New",monospace"></span><span style="font-family:"Courier New",monospace">};</span></div>
<div><span style="font-family:"Courier New",monospace">}</span></div>
<div><br>
</div>
<div>When I enable only one Phy link, everything works fine and as expected:</div>
<div><br>
</div>
<div><span style="font-family:"Courier New",monospace">R1# sh ip ro next-hop 10.16.0.2</span></div>
<div><span style="font-family:"Courier New",monospace">10.16.0.2/32, ubest/mbest: 1/0, attached</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.2, Vlan1400, [250/0], 01:09:29, am</span></div>
<div><span style="font-family:"Courier New",monospace">10.16.0.8/30, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.2, Vlan1400, [110/1010], 00:10:43, ospf-10, intra</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">R2# sh ip ro next-hop 10.16.0.10</span></div>
<div><span style="font-family:"Courier New",monospace"><nothing, as expected, link disabled></span></div>
<div><br>
</div>
<div>But when I enable the second Phy link, I see the following:</div>
<div><br>
</div>
<div><span style="font-family:"Courier New",monospace">R1# sh ip ro next-hop 10.16.0.2</span></div>
<div><span style="font-family:"Courier New",monospace">0.0.0.0/0, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> via 10.16.0.2, Vlan1400, [110/1], 0.000000, ospf-10, type-2</span></div>
<div><span style="font-family:"Courier New",monospace">10.1.1.44/30, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra</span></div>
<div><span style="font-family:"Courier New",monospace">10.1.1.224/30, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.2, Vlan1400, [110/2010], 0.000000, ospf-10, intra</span></div>
<div><span style="font-family:"Courier New",monospace">10.16.0.2/32, ubest/mbest: 1/0, attached</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.2, Vlan1400, [250/0], 01:09:31, am</span></div>
<div><span style="font-family:"Courier New",monospace">10.16.0.8/30, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.2, Vlan1400, [110/1010], 00:10:45, ospf-10, intra</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">R2# sh ip ro next-hop 10.16.0.10</span></div>
<div><br style="font-family:"Courier New",monospace">
</div>
<div><span style="font-family:"Courier New",monospace">0.0.0.0/0, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> via 10.16.0.10, Vlan1402, [110/1], 00:00:05, ospf-10, type-2</span></div>
<div><span style="font-family:"Courier New",monospace">10.1.1.60/30, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra</span></div>
<div><span style="font-family:"Courier New",monospace">10.1.1.216/30, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.10, Vlan1402, [110/2010], 00:00:05, ospf-10, intra</span></div>
<div><span style="font-family:"Courier New",monospace">10.16.0.0/30, ubest/mbest: 1/0</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.10, Vlan1402, [110/1010], 00:00:05, ospf-10, intra</span></div>
<div><span style="font-family:"Courier New",monospace">10.16.0.10/32, ubest/mbest: 1/0, attached</span></div>
<div><span style="font-family:"Courier New",monospace"> *via 10.16.0.10, Vlan1402, [250/0], 00:00:13, am</span></div>
<div><br>
</div>
<div><br>
</div>
<div>So on the Linux box, interfaces vlan1400 and vlan 1402 are in the same area and it is expected that they will have identical LSDBs and will send all the LSAs they receive via all interfaces in the same area, so, simply speaking, they will interchange routes. But
in the BIRD cfg I apply filters to avoid doing it, however routes are not filtered, and even default route received <br>
</div>
<div>Am I missing something?</div>
<div>Thanks.<br>
</div>
</div>
</div>
</blockquote></div><br></div>
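<div>The reply's point, sketched as a small simulation (an added example, not code from BIRD or from either poster): flooding copies LSAs to every router in the area without consulting any filter, while the import and export filters only act between the protocol and each router's own table. The topology, prefixes and function names are constructed for illustration; areas, LSA types and SPF are left out.</div>

```python
from collections import deque

# Constructed adjacency: the Linux box links R1 and R2 inside one area.
LINKS = {"R1": ["linux"], "linux": ["R1", "R2"], "R2": ["linux"]}
# Constructed routes sitting in each router's table before OSPF export.
TABLES = {"R1": ["198.51.100.0/24"], "R2": ["0.0.0.0/0", "192.0.2.0/24"],
          "linux": ["203.0.113.0/24"]}

def deny_default(prefix):   # same logic as the thread's deny_default filter
    return prefix != "0.0.0.0/0"

def deny_all(prefix):       # same logic as the thread's deny_all filter
    return False

def accept_all(prefix):     # assumption: R1 and R2 apply no filtering
    return True

EXPORT = {"R1": accept_all, "R2": accept_all, "linux": deny_all}
IMPORT = {"R1": accept_all, "R2": accept_all, "linux": deny_default}

def originate():
    """Export filter: which table routes a router turns into its own LSAs."""
    return {r: [p for p in TABLES[r] if EXPORT[r](p)] for r in LINKS}

def flood(originated):
    """Flooding copies each LSA to every neighbour; no filter is consulted."""
    lsdb = {r: set() for r in LINKS}
    queue = deque((r, (r, p)) for r, prefixes in originated.items()
                  for p in prefixes)
    while queue:
        router, lsa = queue.popleft()
        if lsa not in lsdb[router]:
            lsdb[router].add(lsa)
            queue.extend((nbr, lsa) for nbr in LINKS[router])
    return lsdb

def table_from_ospf(router, lsdb):
    """Import filter: which LSDB-derived routes enter this router's table."""
    return sorted(p for origin, p in lsdb[router]
                  if origin != router and IMPORT[router](p))

if __name__ == "__main__":
    lsdb = flood(originate())
    for r in LINKS:
        print(r, "LSDB:", sorted(lsdb[r]), "table:", table_from_ospf(r, lsdb))
```

<div>In this model the Linux box originates nothing and keeps the default route out of its own table, yet R1 still ends up with R2's default-route LSA because it was relayed by flooding.</div>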