OSPF multi-area filtering scenario
Date: August 28, 2014
Scenario
In this scenario we try to filter the updates coming from one area so that only certain routes propagate into the other.
The final idea of the scenario is to filter certain routes so that they do not take part in the routing table; this goal, at the moment, we still have not been able to reach.
I did this scenario with real equipment and in collaboration with Pablito Marinozzi (future CCNA R&S).
Normal convergence check:
Mendoza#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
O IA 10.0.0.0 [110/2] via 10.0.0.5, 00:01:18, Serial0 (area 5)
C 10.0.0.4 is directly connected, Serial0 (area 0)
O IA 192.168.2.0/24 [110/12] via 10.0.0.5, 00:01:18, Serial0 (area 5)
C 192.168.3.0/24 is directly connected, Ethernet0 (area 0)
Mendoza#
Rosario#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.0.0/30 is directly connected, Serial0/0/0 (area 5)
L 10.0.0.1/32 is directly connected, Serial0/0/0
C 10.0.0.4/30 is directly connected, Serial0/0/1 (area 0)
L 10.0.0.5/32 is directly connected, Serial0/0/1
O 192.168.2.0/24 [110/11] via 10.0.0.2, 00:07:53, Serial0/0/0 (area 5)
O 192.168.3.0/24 [110/11] via 10.0.0.6, 00:09:02, Serial0/0/1 (area 0)
Rosario#
Cordoba#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
C 10.0.0.0 is directly connected, Serial0/0 (area 5)
O IA 10.0.0.4 [110/782] via 10.0.0.1, 00:04:21, Serial0/0 (area 0)
C 192.168.2.0/24 is directly connected, Ethernet0/0 (area 5)
O IA 192.168.3.0/24 [110/792] via 10.0.0.1, 00:04:21, Serial0/0 (area 0)
Cordoba#
Implementing the filter:
Rosario(config)#ip prefix-list Area5toArea0 deny 192.168.2.0/24 (filters this network as an example)
Rosario(config)#ip prefix-list Area5toArea0 permit 10.0.0.0/30 (permits the rest; as with an ACL, there is an implicit deny any at the end of the list)
Rosario(config)#ip prefix-list Area0toArea5 permit 10.0.0.4/30 (the same in the opposite direction)
Rosario(config)#ip prefix-list Area0toArea5 deny 192.168.3.0/24
Rosario(config)#router ospf 1
Rosario(config-router)#area 5 filter-list prefix Area5toArea0 ? (we check the options)
in Filter networks sent to this area
out Filter networks sent from this area
Rosario(config-router)#area 5 filter-list prefix Area5toArea0 out (applied in a similar way to an ACL)
Rosario(config-router)#area 5 filter-list prefix Area0toArea5 in (filters network 192.168.3.0 toward area 5)
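To make the prefix-list semantics explicit, here is an added Python model (not part of the lab, and not Cisco code) of what the ABR does with these two lists: first matching sequence wins, no match means the implicit deny, `out` filters the summaries the ABR originates from area 5, `in` filters the summaries it sends into area 5, and the ABR's own routing table is left alone. The topology model (which prefixes Rosario learns from each area), the `ge`/`le` handling and the helper names are assumptions of this example; `ge`/`le` are not used in the lab and are included only to show the general matching rule.

```python
"""Model of OSPF ABR inter-area filtering with ip prefix-lists (added example, not from the lab)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PrefixListEntry:
    """One 'ip prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]' line."""
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "192.168.2.0/24"
    ge: Optional[int] = None    # minimum prefix length (assumed general form; not used in the lab)
    le: Optional[int] = None    # maximum prefix length

    def matches(self, route: str) -> bool:
        base = ipaddress.ip_network(self.prefix, strict=False)
        r = ipaddress.ip_network(route, strict=False)
        if r.version != base.version:
            return False
        # Without ge/le the route must be exactly this prefix. With ge/le it must lie inside the
        # base prefix and have a length within [ge, le] (defaults: ge = base length, le = 32).
        if self.ge is None and self.le is None:
            return r == base
        lo = self.ge if self.ge is not None else base.prefixlen
        hi = self.le if self.le is not None else base.max_prefixlen
        return r.subnet_of(base) and lo <= r.prefixlen <= hi


def evaluate(plist, route):
    """First matching sequence wins; no match hits the implicit deny at the end, as with an ACL."""
    for entry in sorted(plist, key=lambda e: e.seq):
        if entry.matches(route):
            return entry.action == "permit"
    return False


# The two prefix-lists configured on Rosario in the lab.
AREA5_TO_AREA0 = [PrefixListEntry(5, "deny", "192.168.2.0/24"),
                  PrefixListEntry(10, "permit", "10.0.0.0/30")]
AREA0_TO_AREA5 = [PrefixListEntry(5, "permit", "10.0.0.4/30"),
                  PrefixListEntry(10, "deny", "192.168.3.0/24")]

# Constructed model of the topology: the prefixes the ABR (Rosario) learns from each area.
AREA_PREFIXES = {
    0: ["10.0.0.4/30", "192.168.3.0/24"],   # link to Mendoza and Mendoza's LAN
    5: ["10.0.0.0/30", "192.168.2.0/24"],   # link to Cordoba and Cordoba's LAN
}


def abr_filtering(out_list, in_list, filtered_area=5, backbone=0):
    """Model 'area N filter-list prefix OUT out' and 'area N filter-list prefix IN in' on the ABR.

    'out' filters the Type-3 summary LSAs the ABR originates FROM the area into the others;
    'in' filters the summaries the ABR sends INTO the area. Neither touches the ABR's own
    routing table, which still holds the intra-area routes of both areas.
    """
    into_backbone = [p for p in AREA_PREFIXES[filtered_area] if evaluate(out_list, p)]
    into_area = [p for p in AREA_PREFIXES[backbone] if evaluate(in_list, p)]
    abr_table = sorted(AREA_PREFIXES[backbone] + AREA_PREFIXES[filtered_area])
    return {"into_backbone": into_backbone, "into_area": into_area, "abr_table": abr_table}


if __name__ == "__main__":
    for name, prefixes in abr_filtering(AREA5_TO_AREA0, AREA0_TO_AREA5).items():
        print(f"{name}: {prefixes}")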
Check after filtering:
Mendoza#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
U - per-user static route, o - ODR
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
O IA 10.0.0.0 [110/2] via 10.0.0.5, 00:00:17, Serial0 (network 192.168.2.0/24 is filtered)
C 10.0.0.4 is directly connected, Serial0
C 192.168.3.0/24 is directly connected, Ethernet0
Mendoza#
Cordoba#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
C 10.0.0.0 is directly connected, Serial0/0
O IA 10.0.0.4 [110/782] via 10.0.0.1, 00:10:12, Serial0/0 (network 192.168.3.0/24 is filtered)
C 192.168.2.0/24 is directly connected, Ethernet0/0
Cordoba#
Rosario#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Null0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.0.0/30 is directly connected, Serial0/0/0
L 10.0.0.1/32 is directly connected, Serial0/0/0
C 10.0.0.4/30 is directly connected, Serial0/0/1
L 10.0.0.5/32 is directly connected, Serial0/0/1
O 192.168.2.0/24 [110/11] via 10.0.0.2, 00:09:12, Serial0/0/0
O 192.168.3.0/24 [110/11] via 10.0.0.6, 00:09:12, Serial0/0/1
(no change; the next goal is to get these routes not to take part in the table)
Rosario#
Rosario#sh ip prefix-list (similar to an ACL)
ip prefix-list Area0toArea5: 2 entries
seq 5 permit 10.0.0.4/30
seq 10 deny 192.168.3.0/24
ip prefix-list Area5toArea0: 2 entries
seq 5 deny 192.168.2.0/24
seq 10 permit 10.0.0.0/30
Rosario#sh ip prefix-list detail
Prefix-list with the last deletion/insertion: Area5toArea0
ip prefix-list Area0toArea5:
count: 2, range entries: 0, sequences: 5 - 10, refcount: 2
seq 5 permit 10.0.0.4/30 (hit count: 2, refcount: 1)
seq 10 deny 192.168.3.0/24 (hit count: 2, refcount: 1)
ip prefix-list Area5toArea0:
count: 2, range entries: 0, sequences: 5 - 10, refcount: 3
seq 5 deny 192.168.2.0/24 (hit count: 1, refcount: 1)
seq 10 permit 10.0.0.0/30 (hit count: 1, refcount: 1)
Rosario#
A curiosity while configuring:
Rosario(config-router)#? (I was looking for options within OSPF and the router reboots)
Router configuration commands:
address-family Enter Address Family command mode
area OSPF area parameters
auto-cost Calculate OSPF interface cost according to bandwidth
bfd BFD configuration commands
capability Enable specific OSPF feature
compatible OSPF compatibility list
default Set a command to its defaults
default-information Control distribution of default information
default-metric Set metric of redistributed routes
Aug 28 22:00:02.219: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command. ( …? )
System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2010 by cisco Systems, Inc.
Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO1941/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64/-1(On-board/DIMM0) bit mode with ECC disabled
Readonly ROMMON initialized
program load complete, entry point: 0x80803000, size: 0x1b340
program load complete, entry point: 0x80803000, size: 0x1b340
IOS Image Load Test
Digitally Signed Release Software
program load complete, entry point: 0x81000000, size: 0x2bb3990
Self decompressing the image : ####################################################
############################################################################
############################################################################
######################################################################### [OK]
Device configurations
Mendoza#sh runn (most relevant parts in bold)
Building configuration...
Current configuration:
!
version 11.3 (Jurassic Park)
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Mendoza
!
interface Ethernet0
ip address 192.168.3.1 255.255.255.0
!
interface Serial0
ip address 10.0.0.6 255.255.255.252
ip ospf cost 1
clockrate 125000
!
router ospf 1
passive-interface Ethernet0
network 10.0.0.4 0.0.0.3 area 0
network 192.168.3.0 0.0.0.255 area 0
!
ip classless
!
!
line con 0
line vty 0 4
login
!
end
Mendoza#
Rosario#sh runn (most relevant parts in bold)
Building configuration...
Current configuration : 2119 bytes
!
! Last configuration change at 01:36:05 UTC Fri Aug 29 2014
! NVRAM config last updated at 01:36:07 UTC Fri Aug 29 2014
!
version 15.0 (getting better)
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rosario
!
interface GigabitEthernet0/0
no ip address
shutdown
!
interface GigabitEthernet0/1
no ip address
shutdown
!
interface Serial0/0/0
ip address 10.0.0.1 255.255.255.252
ip ospf cost 1
!
interface Serial0/0/1
ip address 10.0.0.5 255.255.255.252
ip ospf cost 1
!
router ospf 1
log-adjacency-changes
area 5 filter-list prefix Area0toArea5 in (OSPF inter-area filtering ACL)
area 5 filter-list prefix Area5toArea0 out
network 10.0.0.0 0.0.0.3 area 5
network 10.0.0.4 0.0.0.3 area 0
!
ip forward-protocol nd
!
ip prefix-list Area0toArea5 seq 5 permit 10.0.0.4/30 (the ACLs in question)
ip prefix-list Area0toArea5 seq 10 deny 192.168.3.0/24
!
ip prefix-list Area5toArea0 seq 5 deny 192.168.2.0/24
ip prefix-list Area5toArea0 seq 10 permit 10.0.0.0/30
!
kron occurrence RELOAD at 22:00 recurring (the cause of the reboot; left over from a previous lab, see www.vilarrasa.com.ar/cisco_kron.htm)
policy-list RELOAD
!
kron policy-list RELOAD
cli
reload
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
end
Rosario#
Cordoba#sh runn (most relevant parts in bold)
Building configuration...
Current configuration : 652 bytes
!
version 12.2 (we got old again)
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cordoba
!
interface Ethernet0/0
ip address 192.168.2.1 255.255.255.0
!
interface Serial0/0
ip address 10.0.0.2 255.255.255.252
no fair-queue
clockrate 128000
!
router ospf 1
log-adjacency-changes
passive-interface Ethernet0/0
network 10.0.0.0 0.0.0.3 area 5
network 192.168.2.0 0.0.0.255 area 5
!
ip classless
!
line con 0
line aux 0
line vty 0 4
login
!
end
Cordoba#
(2014) In the eye of the packet storm
Rosario, Argentina