Filtering OSPF originated links

pwuk · November 10, 2017, 12:29pm

I have a typical router with multiple networks on
192.168.1.0/25
192.168.1.128/26
192.168.1.192/28
192.168.1.255/32
etc.

This leads to a dozen or so routes advertised by OSPF, and this makes a messy routing table when there are 5 or 6 of these routers connected together.

If I add a static route for the whole /24 to the loopback interface, using “ip route add dst-address=192.168.1.0/24 gateway=bridge-loopback”, and use redistribute-static in OSPF to distribute, this allows me to filter at the OSPF/BGP boundry using routing filter to only distribute prefix length of /24 and nothing smaller.

However I would ideally like just the /24 to be advertised on OSPF too. In theory using an ospf-out routing filter would work, but doesn’t seem to apply to directly connected networks, which I suspect is related to “and internal (intra-area) OSPF filtering is not supported yet” in the manual.

I can filter these out on the ospf-in, but is there another way to effectively apply ospf-out to the directly connected routes - or another way to do what I want (only advertise the /24 by OSPF)

Anumrak · November 10, 2017, 2:01pm

It is btter advertise connected networks as it is and summarise them on abr.

bbs2web · November 10, 2017, 2:34pm

As Anumrak suggests, OSPF ABR (area boundary routers) were designed to do precisely this.

Configure the upstream router as follows:

/routing ospf area
  add area-id=0.0.0.1 default-cost=1 inject-summary-lsas=no name=SiteA type=stub
/routing ospf area range
  add area=SiteA range=192.168.1.0/24
/routing ospf network
  add area=SiteA network=10.0.0.0/30

Configure the router at SiteA to have an Area ID of ‘1’ (aka 0.0.0.1). This will result in SiteA receiving a default gateway from the ABR and anything within 192.168.1.0/24 being summarised.

pwuk · November 10, 2017, 5:01pm

The entire network looks like

With Box 1 / 2 / 3 being able to plug into either Edge 1 or Edge 2 depending on the day (but not into both locations at the same time). Edge 1 or Edge 2 then advertises the box into the core.

Edge1 advertises via BGP:

192.168.1.0/24
192.168.11.0/24
192.168.12.0/24

A route filter stops 192.168.0.0/24 from being advertises by BGP (otherwise the network would be advertised from both Edge1 and Edge2, and that’s wrong)

If Box2 is removed, Edge1 no longer advertises 192.168.12.0/24. If Box2 is plugged into Edge2, then Edge2 advertises 192.168.12.0/24 instead. (Box2 can’t be plugged into both as they are miles away from each other)

As OSPF is p2mp, Edge1 also advertises 192.168.0.11/32 and 192.168.0.12/32, which is good for traceroute and pingability. However Edge1’s address (192.168.0.1/32) isn’t advertised itself (and I block the 192.168.0.0/24 network from being advertised)

Each of the OSPF areas is independent, so in any system there’s just one - area 0. I use BGP between the Core and the Edge, so multi areas and summarisation doesn’t really work.

Would I be right in thinking that would mean a private area for each box - that never leaves that box - containing the local network, and summarising into the area - making each box/edge an ABR in itself?

One more question: to have 192.168.0.1/32 advertised into BGP from Edge1, I’m unsure which is best

Add a second /ip address line to the OSPF interface
ip address add address=192.168.0.1/24 interface=ether_ospf
ip address add address=192.168.0.1/32 interface=ether_ospf
Add a blackhole route and redistrubute statics into bgp
ip route add dst-address=192.168.0.1/32 type=blackhole
Add a static route to the OSPF interface and redistrubute statics into bgp
ip route add dst-address=192.168.0.1/32 gateway=ether_ospf

bbs2web · November 14, 2017, 6:06pm

I prefer originating BGP prefixes via static routes as it provides a single control point to:

Apply BGP communities
Blackhole traffic to suppress ping pongs
Avoid having to manage BGP ‘networks’

Sample:

/ip route add bgp-communities=\
    64512:500,64512:900,64512:4000 \
    dst-address=50.50.20.0/20 bgp-origin=igp \
    type=blackhole comment="originate via BGP:"

You can then write routing filter rules to:

Accept and blackhole on iBGP sessions (when community contains 64512:900)
Set outgoing MED, prepend or apply upstream BGP community to manipulate local preference (64512:4000 could designate Router 1, 64512:4010 Router 2, etc)
Accept outgoing advertisements on eBGP sessions (filtering on 64512:500 for your own subnets, you could mark down steam customers with another and peers individually or again by location (preferably both))

I do not redistribute anything in to OSPF, purely defining networks covering loopbacks and point-to-point links. MPLS LDP and OSPF timers are reduced to 1s hellos and 10s hold time. iBGP peering sessions have ‘nexthop-choice=force-self update-source=lo’ set.
We accept primarily a default route from our upstream BGP provider and set OSPF to ‘distribute-default=if-installed-as-type-1’.
We peer each provider edge router with redundant route reflectors, but you don’t need to concern yourself with that if you have 2 routers, as they will be meshed. BGP instances have ‘redistribute-connected=yes redistribute-static=yes’ set.

PS: The following route filter can be used to selectively avoid redistribution to BGP (simply add ‘origin=egp’ to selective static routes):

/routing filter
  add action=discard bgp-origin=egp chain=\        
    iBGP-out comment="Do not distribute where \ 
    static and BGP origin=egp:" protocol=\       
    static