
ospf route-map
Hi Guys

quagga 1.1.1-3+deb9u1

kernel 4.9.0-3-amd64


OK, I have a working OSPF setup between multiple routers including some
MikroTiks. OSPF works fine, but now I have been trying to create an
access list to block a Quagga router from advertising an OSPF-learned
subnet and for some reason I can't seem to get this right....

So I have router A with a local subnet of 192.168.60.0/24 that is
connected to router B, which in turn is connected to router C. I am
trying to get router B to stop advertising 192.168.60.0/24 to router C.

Router B quagga config

router ospf
redistribute connected route-map RIP_INTF
redistribute rip route-map RIP_INTF
!
ip prefix-list DROPADDR seq 5 deny 192.168.60.0/24
ip prefix-list DROPADDR seq 10 permit any
!
route-map RIP_INTF permit 5
match ip address prefix-list DROPADDR
!


With this in place I still see 192.168.60.0/24 distributed to router C.

I have tried a few different variations of different access-lists and
they don't seem to work... any ideas?

--
Thank you,

Mark Adrian Coetser
_______________________________________________
Quagga-users mailing list
Quagga-users@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-users
Re: ospf route-map
On Nov 1, 2017, at 7:59 AM, Mark Coetser <mark@tux-edo.co.za> wrote:
> OK, I have a working OSPF setup between multiple routers including some MikroTiks. OSPF works fine, but now I have been trying to create an access list to block a Quagga router from advertising an OSPF-learned subnet and for some reason I can't seem to get this right....
>
> So I have router A with a local subnet of 192.168.60.0/24 that is connected to router B, which in turn is connected to router C. I am trying to get router B to stop advertising 192.168.60.0/24 to router C.
>
> Router B quagga config
>
> router ospf
> redistribute connected route-map RIP_INTF
> redistribute rip route-map RIP_INTF
> !
> ip prefix-list DROPADDR seq 5 deny 192.168.60.0/24
> ip prefix-list DROPADDR seq 10 permit any
> !
> route-map RIP_INTF permit 5
> match ip address prefix-list DROPADDR
> !
>
> with this in place I still see 192.168.60.0/24 distributed to router C

What makes you think that that route is in OSPF due to redistribution? If it's the subnet that routers A and B are using to speak OSPF to each other, it's going to be in OSPF even if you don't redistribute it from anywhere.

/a
Re: ospf route-map
On 01/11/2017 14:18, Alexis Rosen wrote:
> On Nov 1, 2017, at 7:59 AM, Mark Coetser <mark@tux-edo.co.za> wrote:
>> OK, I have a working OSPF setup between multiple routers including some MikroTiks. OSPF works fine, but now I have been trying to create an access list to block a Quagga router from advertising an OSPF-learned subnet and for some reason I can't seem to get this right....
>>
>> So I have router A with a local subnet of 192.168.60.0/24 that is connected to router B, which in turn is connected to router C. I am trying to get router B to stop advertising 192.168.60.0/24 to router C.
>>
>> Router B quagga config
>>
>> router ospf
>> redistribute connected route-map RIP_INTF
>> redistribute rip route-map RIP_INTF
>> !
>> ip prefix-list DROPADDR seq 5 deny 192.168.60.0/24
>> ip prefix-list DROPADDR seq 10 permit any
>> !
>> route-map RIP_INTF permit 5
>> match ip address prefix-list DROPADDR
>> !
>>
>> with this in place I still see 192.168.60.0/24 distributed to router C
>
> What makes you think that that route is in OSPF due to redistribution? If it's the subnet that routers A and B are using to speak OSPF to each other, it's going to be in OSPF even if you don't redistribute it from anywhere.
>
> /a
>
Hi Alexis

The 192.168.60.0/24 subnet is the LAN-side network of router A; there is
a GRE tunnel between router A and router B on a 192.168.170.8/30 subnet.

router B

sh ip ospf route

N IA 192.168.60.0/24 [30] area: 0.0.0.0
via 192.168.170.10, las-gal-fib


router C

sh ip ospf route

N IA 192.168.60.0/24 [40] area: 0.0.0.0
via 172.31.33.252, vlan2



Thank you,

Mark Adrian Coetser
Re: ospf route-map
On Wed, Nov 1, 2017 at 7:59 AM, Mark Coetser <mark@tux-edo.co.za> wrote:

> OK, I have a working OSPF setup between multiple routers including some
> MikroTiks. OSPF works fine, but now I have been trying to create an access
> list to block a Quagga router from advertising an OSPF-learned subnet and
> for some reason I can't seem to get this right....
>
> So I have router A with a local subnet of 192.168.60.0/24 that is
> connected to router B, which in turn is connected to router C. I am trying
> to get router B to stop advertising 192.168.60.0/24 to router C.
>

Hi Mark,

If I understand what you're asking (I might not) then OSPF doesn't work
that way. Filtering routes only works on the router first introducing
("redistributing") the route into OSPF. That's router A in your example.
Once in OSPF the route can't be conditionally removed somewhere else with
any configuration.

You can filter the route if you redistribute it from OSPF to some other
protocol such as BGP. But you can't filter it within OSPF.

Regards,
Bill Herrin



> Router B quagga config
>
> router ospf
> redistribute connected route-map RIP_INTF
> redistribute rip route-map RIP_INTF
> !
> ip prefix-list DROPADDR seq 5 deny 192.168.60.0/24
> ip prefix-list DROPADDR seq 10 permit any
> !
> route-map RIP_INTF permit 5
> match ip address prefix-list DROPADDR
> !
>
>
> with this in place I still see 192.168.60.0/24 distributed to router C
>



--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
Re: ospf route-map
On 01/11/2017 15:16, William Herrin wrote:
> On Wed, Nov 1, 2017 at 7:59 AM, Mark Coetser <mark@tux-edo.co.za
> <mailto:mark@tux-edo.co.za>> wrote:
>
> OK, I have a working OSPF setup between multiple routers including
> some MikroTiks. OSPF works fine, but now I have been trying to create
> an access list to block a Quagga router from advertising an
> OSPF-learned subnet and for some reason I can't seem to get this right....
>
> So I have router A with a local subnet of 192.168.60.0/24 that is
> connected to router B, which in turn is connected to router C. I am
> trying to get router B to stop advertising 192.168.60.0/24 to router C.
>
>
> Hi Mark,
>
> If I understand what you're asking (I might not) then OSPF doesn't work
> that way. Filtering routes only works on the router first introducing
> ("redistributing") the route into OSPF. That's router A in your
> example. Once in OSPF the route can't be conditionally removed somewhere
> else with any configuration.
>
> You can filter the route if you redistribute it from OSPF to some other
> protocol such as BGP. But you can't filter it within OSPF.

Hi Bill

OK, that sort of makes sense; now I just need to figure out how to
accomplish what I am trying to achieve......

The thing is router B still needs to access the 192.168.60.0/24 network
but router C shouldn't have that route, and I need OSPF because there are
multiple connections between each of the routers via different ISPs and
I am running GRE tunnels across each of the different links.

Thank you,

Mark Adrian Coetser
Re: ospf route-map
On Nov 1, 2017, at 8:34 AM, Mark Coetser <mark@tux-edo.co.za> wrote:
> On 01/11/2017 14:18, Alexis Rosen wrote:
>> On Nov 1, 2017, at 7:59 AM, Mark Coetser <mark@tux-edo.co.za> wrote:
>>> OK, I have a working OSPF setup between multiple routers including some MikroTiks. OSPF works fine, but now I have been trying to create an access list to block a Quagga router from advertising an OSPF-learned subnet and for some reason I can't seem to get this right....
>>>
>>> So I have router A with a local subnet of 192.168.60.0/24 that is connected to router B, which in turn is connected to router C. I am trying to get router B to stop advertising 192.168.60.0/24 to router C.
>>>
>>> Router B quagga config
>>>
>>> router ospf
>>> redistribute connected route-map RIP_INTF
>>> redistribute rip route-map RIP_INTF
>>> !
>>> ip prefix-list DROPADDR seq 5 deny 192.168.60.0/24
>>> ip prefix-list DROPADDR seq 10 permit any
>>> !
>>> route-map RIP_INTF permit 5
>>> match ip address prefix-list DROPADDR
>>> !
>>>
>>> with this in place I still see 192.168.60.0/24 distributed to router C
>> What makes you think that that route is in OSPF due to redistribution? If it's the subnet that routers A and B are using to speak OSPF to each other, it's going to be in OSPF even if you don't redistribute it from anywhere.
>> /a
> Hi Alexis
>
> The 192.168.60.0/24 subnet is the LAN-side network of router A; there is a GRE tunnel between router A and router B on a 192.168.170.8/30 subnet.
>
> router B
>
> sh ip ospf route
>
> N IA 192.168.60.0/24 [30] area: 0.0.0.0
> via 192.168.170.10, las-gal-fib
>
>
> router C
>
> sh ip ospf route
>
> N IA 192.168.60.0/24 [40] area: 0.0.0.0
> via 172.31.33.252, vlan2

OK, but are you using that interface for OSPF or not? If you are, then the redistribution isn't responsible.

Put another way, if the route goes away when you remove the redistribute statements (and restart ospf), then that looks like a bug. Otherwise not. Dumping the OSPF database entry for that route should also tell you.

/a
Re: ospf route-map
On Nov 1, 2017, at 9:26 AM, Mark Coetser <mark@tux-edo.co.za> wrote:
> On 01/11/2017 15:16, William Herrin wrote:
>> On Wed, Nov 1, 2017 at 7:59 AM, Mark Coetser <mark@tux-edo.co.za <mailto:mark@tux-edo.co.za>> wrote:
>> OK, I have a working OSPF setup between multiple routers including
>> some MikroTiks. OSPF works fine, but now I have been trying to create
>> an access list to block a Quagga router from advertising an
>> OSPF-learned subnet and for some reason I can't seem to get this right....
>> So I have router A with a local subnet of 192.168.60.0/24 that is
>> connected to router B, which in turn is connected to router C. I am
>> trying to get router B to stop advertising 192.168.60.0/24 to router C.
>> Hi Mark,
>> If I understand what you're asking (I might not) then OSPF doesn't work that way. Filtering routes only works on the router first introducing ("redistributing") the route into OSPF. That's router A in your example. Once in OSPF the route can't be conditionally removed somewhere else with any configuration.
>> You can filter the route if you redistribute it from OSPF to some other protocol such as BGP. But you can't filter it within OSPF.
>
> OK, that sort of makes sense; now I just need to figure out how to accomplish what I am trying to achieve......
>
> The thing is router B still needs to access the 192.168.60.0/24 network but router C shouldn't have that route, and I need OSPF because there are multiple connections between each of the routers via different ISPs and I am running GRE tunnels across each of the different links.

Huh. I read your question very differently, but OK.

As Bill says, you can't remove it from OSPF (that would break SPF calculations), but you can prevent the route from getting from OSPF into your local FIB. (At least, you can on Ciscos. I think Quagga can too.)

If you're just dealing with this one route, that's probably the way to go, assuming it works. But if there are more routes or routers, it pays to architect things properly. Use OSPF areas, use BGP with fast timers (possibly a different BGP instance than the one you're using for external connectivity), use multiple OSPFs (on Ciscos, not on Quagga), use OSPF + IS-IS or OSPF + BGP, etc. The best solution will depend on details of your deployment.

/a
Re: ospf route-map
On 01/11/2017 15:40, Alexis Rosen wrote:
> On Nov 1, 2017, at 9:26 AM, Mark Coetser <mark@tux-edo.co.za> wrote:
>> On 01/11/2017 15:16, William Herrin wrote:
>>> On Wed, Nov 1, 2017 at 7:59 AM, Mark Coetser <mark@tux-edo.co.za <mailto:mark@tux-edo.co.za>> wrote:
>>> OK, I have a working OSPF setup between multiple routers including
>>> some MikroTiks. OSPF works fine, but now I have been trying to create
>>> an access list to block a Quagga router from advertising an
>>> OSPF-learned subnet and for some reason I can't seem to get this right....
>>> So I have router A with a local subnet of 192.168.60.0/24 that is
>>> connected to router B, which in turn is connected to router C. I am
>>> trying to get router B to stop advertising 192.168.60.0/24 to router C.
>>> Hi Mark,
>>> If I understand what you're asking (I might not) then OSPF doesn't work that way. Filtering routes only works on the router first introducing ("redistributing") the route into OSPF. That's router A in your example. Once in OSPF the route can't be conditionally removed somewhere else with any configuration.
>>> You can filter the route if you redistribute it from OSPF to some other protocol such as BGP. But you can't filter it within OSPF.
>>
>> OK, that sort of makes sense; now I just need to figure out how to accomplish what I am trying to achieve......
>>
>> The thing is router B still needs to access the 192.168.60.0/24 network but router C shouldn't have that route, and I need OSPF because there are multiple connections between each of the routers via different ISPs and I am running GRE tunnels across each of the different links.
>
> Huh. I read your question very differently, but OK.
>
> As Bill says, you can't remove it from OSPF (that would break SPF calculations), but you can prevent the route from getting from OSPF into your local FIB. (At least, you can on Ciscos. I think Quagga can too.)
>
> If you're just dealing with this one route, that's probably the way to go, assuming it works. But if there are more routes or routers, it pays to architect things properly. Use OSPF areas, use BGP with fast timers (possibly a different BGP instance than the one you're using for external connectivity), use multiple OSPFs (on Ciscos, not on Quagga), use OSPF + IS-IS or OSPF + BGP, etc. The best solution will depend on details of your deployment.
>
> /a
>

Thanks for the help...


Thank you,

Mark Adrian Coetser
Re: ospf route-map
On 01/11/2017 15:40, Alexis Rosen wrote:
> but you can prevent the route from getting from OSPF into your local FIB. (At least, you can on Ciscos. I think Quagga can too.)

How would I go about doing this?


Thank you,

Mark Adrian Coetser
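An added example of the approach Alexis describes, written as Quagga configuration and not taken from the thread: rather than filtering the route inside OSPF on router B, zebra on router C keeps the OSPF-learned route out of the kernel table with `ip protocol ospf route-map`. The prefix-list and route-map names are assumptions; this is zebra configuration (zebra.conf or vtysh), not ospfd.

```text
! Added example, not from the thread. Applied on router C (the router that
! must not forward to client A's LAN), in zebra rather than in ospfd.
! NO_CLIENT_A and OSPF_TO_FIB are assumed names.
!
! Same deny/permit pattern as the DROPADDR list in the original post; the
! logic there was fine, it was just attached to redistribution, which an
! OSPF-learned (N IA) route never passes through.
ip prefix-list NO_CLIENT_A seq 5 deny 192.168.60.0/24
ip prefix-list NO_CLIENT_A seq 10 permit any
!
! A route that the prefix-list denies fails the match, falls off the end of
! the route-map and hits the implicit deny, so zebra never selects it.
route-map OSPF_TO_FIB permit 10
 match ip address prefix-list NO_CLIENT_A
!
! zebra runs this route-map over every route ospfd hands it, before the
! route is chosen for installation into the kernel (FIB).
ip protocol ospf route-map OSPF_TO_FIB
!
! Checks on router C afterwards:
!   show ip ospf route   - still lists 192.168.60.0/24 (it stays in the LSDB)
!   show ip route        - the OSPF entry is no longer the selected route
!   ip route show        - (Linux shell) no kernel route for 192.168.60.0/24
```

This is a local forwarding filter on C, not a boundary: ospfd on C, router B and every other OSPF speaker still learn the prefix, so keeping the two clients' traffic apart still rests on the firewall rules Mark mentions or on the OSPF/BGP border Bill recommends.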
Re: ospf route-map
On Wed, Nov 1, 2017 at 9:26 AM, Mark Coetser <mark@tux-edo.co.za> wrote:

> OK, that sort of makes sense; now I just need to figure out how to
> accomplish what I am trying to achieve......
>
> The thing is router B still needs to access the 192.168.60.0/24 network
> but router C shouldn't have that route, and I need OSPF because there are
> multiple connections between each of the routers via different ISPs and I
> am running GRE tunnels across each of the different links.


Hi Mark,

If you would, back up for me for a moment. Why don't you want router C to
know about router A's connected subnet? What's the use case?

Regards,
Bill Herrin



--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
Re: ospf route-map
On 01/11/2017 17:07, William Herrin wrote:
>
>
> On Wed, Nov 1, 2017 at 9:26 AM, Mark Coetser <mark@tux-edo.co.za
> <mailto:mark@tux-edo.co.za>> wrote:
>
> OK, that sort of makes sense; now I just need to figure out how to
> accomplish what I am trying to achieve......
>
> The thing is router B still needs to access the 192.168.60.0/24
> network but router C shouldn't have that route, and I need OSPF
> because there are multiple connections between each of the routers
> via different ISPs and I am running GRE tunnels across each of the
> different links.
>
>
> Hi Mark,
>
> If you would, back up for me for a moment. Why don't you want router C
> to know about router A's connected subnet? What's the use case?
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin ................ herrin@dirtside.com
> <mailto:herrin@dirtside.com> bill@herrin.us <mailto:bill@herrin.us>
> Dirtside Systems ......... Web: <http://www.dirtside.com/>


It's complicated to explain: it was a site that was shared by 2 clients
who shared a physical network but have since split networks (still on
the same premises). They share certain services but now have separate
routers and breakout links, which they don't want each other's traffic
to flow across, but they still want to provide access to other
services/networks NOT connected to router A.

I know I could achieve this with firewall rules etc.; it just seemed a
better solution just to not advertise the routes not needed on each
respective router...

There are more devices than just routers A, B, C; wish I was good at
ASCII art, I could create a small diagram.



Thank you,

Mark Adrian Coetser



Re: ospf route-map
On Wed, Nov 1, 2017 at 11:17 AM, Mark Coetser <mark@tux-edo.co.za> wrote:

> It's complicated to explain: it was a site that was shared by 2 clients who
> shared a physical network but have since split networks (still on the same
> premises). They share certain services but now have separate routers and
> breakout links, which they don't want each other's traffic to flow across,
> but they still want to provide access to other services/networks NOT
> connected to router A.
>
> I know I could achieve this with firewall rules etc.; it just seemed a
> better solution just to not advertise the routes not needed on each
> respective router...
>
> There are more devices than just routers A, B, C; wish I was good at ASCII
> art, I could create a small diagram.


Hi Mark,

I figured something like this was the case. Here's the key thing to
understand about OSPF: it's strictly an interior gateway protocol. It does
not have the functionality you need to cross administrative or security
domain boundaries. To cross domain boundaries you should use an exterior
gateway protocol, such as BGP.

So, don't extend OSPF to the routers which have the customer-only routes.
Use BGP there with the 65000-series private AS numbers. Control your
filtering at the OSPF/BGP border and pick borders such that the filtering
you need can happen.

Regards,
Bill Herrin


--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Dirtside Systems ......... Web: <http://www.dirtside.com/>
Re: ospf route-map
On 01/11/2017 17:41, William Herrin wrote:
>
> Hi Mark,
>
> I figured something like this was the case. Here's the key thing to
> understand about OSPF: it's strictly an interior gateway protocol. It
> does not have the functionality you need to cross administrative or
> security domain boundaries. To cross domain boundaries you should use an
> exterior gateway protocol, such as BGP.
>
> So, don't extend OSPF to the routers which have the customer-only
> routes. Use BGP there with the 65000-series private AS numbers. Control
> your filtering at the OSPF/BGP border and pick borders such that the
> filtering you need can happen.

Hi Bill

Logically that makes sense; the only real need for OSPF is due to
the multiple links between the routers, using OSPF to create a type
of auto-failover solution. If I use BGP between routers B and C then I
lose the failover/shortest-path feature.

Thank you,

Mark Adrian Coetser
Re: ospf route-map
On 01/11/2017 15:46, Mark Coetser wrote:
> Logically that makes sense; the only real need for OSPF is due to
> the multiple links between the routers, using OSPF to create a type
> of auto-failover solution. If I use BGP between routers B and C then I
> lose the failover/shortest-path feature.

BGP might be easier than you think.

I've done more BGP internally recently and I've been wondering whether I
should get rid of OSPF completely.

I don't have many routers, and my case has been to work around interop
issues and bugs in OSPF for IPv6.

There's also a way to do unnumbered BGP links in FRR. It takes some
getting your head around but might be worth looking at.



Tim