metron6
newbie
Topic Author
Posts: 36
Joined: Sat Nov 16, 2013 3:41 pm

filtering ospf routes..

Thu Oct 12, 2017 8:58 pm

hello all,

I'm trying to implement OSPF in a network with one MT VPN server and several MT routers connected to it..

I run OSPF on all routers with these settings:
/routing ospf instance
set [ find default=yes ] metric-bgp=20 metric-other-ospf=10 redistribute-connected=as-type-1 router-id=10.122.2.1
/routing ospf area range
add area=backbone range=10.0.0.0/8
/routing ospf interface
add authentication=simple authentication-key=password network-type=broadcast
/routing ospf network
add area=backbone network=10.0.0.0/8
I want to create a filter and distribute only 10.0.0.0/8 routes. Right now it's working, but it also distributes 192.168.0.0/16, etc..

Can anyone help me?
Mikro-tickling since 2003...
http://twmn.net
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: filtering ospf routes..

Thu Oct 12, 2017 9:06 pm

Turn off redistribute connected.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
metron6
newbie
Topic Author
Posts: 36
Joined: Sat Nov 16, 2013 3:41 pm

Re: filtering ospf routes..

Thu Oct 12, 2017 9:45 pm

Only this?
And what if a router has another router "behind" it?
Mikro-tickling since 2003...
http://twmn.net
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: filtering ospf routes..

Fri Oct 13, 2017 1:26 am

Then the router behind this one will be responsible for originating its own prefixes.

There are only a few real ways to filter OSPF routes:

1) Don't allow them into the database to begin with
2) aggregating routes at area borders (only works for interior routes - not external (redistributed) routes)
3) using stub / NSSA area types to limit the amount of routing information that can get into an area from the rest of your network

1) can be accomplished in two general ways:
- only originate specific networks: use network=x.x.x.x/m with very specific prefixes so that only certain interfaces get added to OSPF
- if redistributing routes into OSPF, then filters will work. The typical use case is to redistribute an aggregated prefix, e.g. 172.16.0.0/16, and then discard all sub-prefixes, e.g. 172.16.17.0/24... note that this will NOT filter out the sub-prefixes which are learned in OSPF from some other router - it can ONLY filter what the router will itself inject into OSPF via redistribution.

The reason you want to avoid redistributing connected routes is that redistributed routes (External-1 and External-2 type routes) don't get filtered at area borders or anywhere else except for stub/nssa areas, and they are chosen by different means than internal OSPF routes are chosen.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: filtering ospf routes..

Fri Oct 13, 2017 2:18 am

Upon some reflection, I think I see what your problem might be, so let's see if I have this right:

There is a set of "on-site" routers which connect to a central router at a central site.
You want each on-site router to advertise whatever 10.x.x.x subnet(s) are attached to the on-site router, and nothing else.
The on-site routers may be attached to other internal routers at the site, which have other prefixes in their tables, and it's these other internal prefixes which you do not want propagating up into the core site's table.

Is this essentially the issue?

If so, then what you need to do is use two OSPF instances on your on-site VPN routers. Instance1 is configured to form adjacencies with the site's other routers and learn everything about the site's routing topology. Instance1 will make the VPN router able to reach everything there properly. Instance2 will be the VPN instance. You should redistribute Instance1 into Instance2 and use a filter on Instance2 which allows 10.0.0.0/8 prefix-length=8-32 and discards everything else. You could also originate 10.0.0.0/8 into Instance1 via a static black-hole route on each on-site VPN router, where Instance1 should have redistribute static as type 2 (but not other OSPF).

The reason this is necessary is that OSPF is an interior gateway protocol - meaning that it considers every router to be a part of the same team - so every prefix is passed along to all neighbors. OSPF doesn't do granular policy routing with per-prefix filtering as BGP does. BGP is designed to consider its neighbors as "outside" the local network, and as such, it is designed to give very intricate policy functionality as to which routes are sent / received and what metrics to apply to those prefixes.

Other options:
- use BGP instead of OSPF
- inject each site's prefix into the central VPN router using information on their PPP profiles instead of learning it via OSPF with the on-site routers.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
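The two-instance design in the reply above, together with the "redistribute an aggregate, discard the sub-prefixes" filter from the earlier reply, written out as RouterOS v6 configuration for one on-site VPN router. This is an added example and not configuration from the thread; the interface names (ether2, ovpn-out1), the addresses, the instance names site and vpn, the area names and the filter chain name ospf-vpn-out are all constructed for illustration.

```routeros
# Added example (not the poster's or ZeroByte's config). Constructed layout:
#   ether2     10.50.1.1/24    site LAN; other site routers (192.168.x.x etc.) are reachable here
#   ovpn-out1  10.122.2.11/24  tunnel to the central VPN server

# --- Instance 1: the site-internal instance (learns everything at the site) ---
/routing ospf instance
add name=site router-id=10.50.1.1 redistribute-connected=no \
    redistribute-static=as-type-2 redistribute-other-ospf=no
/routing ospf area
add name=site-backbone area-id=0.0.0.0 instance=site
/routing ospf network
add network=10.50.1.0/24 area=site-backbone

# Optional: originate 10.0.0.0/8 toward the site as an external type-2 route
# via a blackhole static, so site routers send all 10/8 traffic this way.
# More-specific routes the site already knows still win by longest match.
/ip route
add dst-address=10.0.0.0/8 type=blackhole comment="originate 10/8 into site OSPF"

# --- Outbound filter for the VPN instance: 10/8 and anything inside it passes,
#     everything else is discarded. Rules are evaluated top to bottom. ---
/routing filter
add chain=ospf-vpn-out prefix=10.122.2.0/24 action=discard \
    comment="tunnel subnet is already an intra-area route, do not re-inject as external"
add chain=ospf-vpn-out prefix=10.0.0.0/8 prefix-length=8-32 action=accept
add chain=ospf-vpn-out action=discard

# --- Instance 2: the VPN instance. It redistributes the site instance's routes
#     plus this router's connected subnets, but only what the out-filter allows. ---
/routing ospf instance
add name=vpn router-id=10.122.2.11 redistribute-connected=as-type-1 \
    redistribute-other-ospf=as-type-1 redistribute-static=no out-filter=ospf-vpn-out
/routing ospf area
add name=vpn-backbone area-id=0.0.0.0 instance=vpn
/routing ospf network
add network=10.122.2.0/24 area=vpn-backbone

# Interface settings are matched per interface, not per instance.
# md5 is used instead of the thread's authentication=simple, which sends the key in clear text.
/routing ospf interface
add interface=ether2 network-type=broadcast authentication=md5 \
    authentication-key-id=1 authentication-key=CHANGE-ME-SITE-KEY
add interface=ovpn-out1 network-type=point-to-point authentication=md5 \
    authentication-key-id=1 authentication-key=CHANGE-ME-VPN-KEY
```

The point of the split is that the vpn instance never sees the site's 192.168.0.0/16 prefixes as OSPF routes of its own; they only reach it through redistribution, and redistribution is the one place RouterOS lets you apply a prefix filter. To confirm the central router receives only 10/8 externals, run `/routing ospf lsa print` there and check the type-1 external LSAs, or `/ip route print where ospf` to see what actually made it into its table. Note that this is v6 syntax; RouterOS v7 replaced `/routing filter` with `/routing filter rule` and a different rule language, so the filter part does not carry over verbatim.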
