OSPF multi-area filtering scenario

Date: August 28, 2014

 

Scenario

 

 

In this scenario we try to filter the updates coming from one area so that only certain routes are propagated into the other.

The final idea of the scenario is to filter certain routes so that they do not take part in the routing table; this goal, for the moment, we have yet to reach.

 

I did this scenario with real equipment, in collaboration with Pablito Marinozzi (future CCNA R&S).

 

Verification of normal convergence:

 

Mendoza#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

       U - per-user static route, o - ODR

 

Gateway of last resort is not set

 

     10.0.0.0/30 is subnetted, 2 subnets

O IA    10.0.0.0 [110/2] via 10.0.0.5, 00:01:18, Serial0 (area 5)

C       10.0.0.4 is directly connected, Serial0 (area 0)

O IA 192.168.2.0/24 [110/12] via 10.0.0.5, 00:01:18, Serial0 (area 5)

C    192.168.3.0/24 is directly connected, Ethernet0 (area 0)

Mendoza#

 

Rosario#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

 

Gateway of last resort is not set

 

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C        10.0.0.0/30 is directly connected, Serial0/0/0 (area 5)

L        10.0.0.1/32 is directly connected, Serial0/0/0

C        10.0.0.4/30 is directly connected, Serial0/0/1 (area 0)

L        10.0.0.5/32 is directly connected, Serial0/0/1

O     192.168.2.0/24 [110/11] via 10.0.0.2, 00:07:53, Serial0/0/0 (area 5)

O     192.168.3.0/24 [110/11] via 10.0.0.6, 00:09:02, Serial0/0/1 (area 0)

Rosario#

 

Cordoba#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is not set

 

     10.0.0.0/30 is subnetted, 2 subnets

C       10.0.0.0 is directly connected, Serial0/0 (area 5)

O IA    10.0.0.4 [110/782] via 10.0.0.1, 00:04:21, Serial0/0 (area 0)

C    192.168.2.0/24 is directly connected, Ethernet0/0 (area 5)

O IA 192.168.3.0/24 [110/792] via 10.0.0.1, 00:04:21, Serial0/0 (area 0)

Cordoba#

 

Implementing the filtering:

 

Rosario(config)#ip prefix-list Area5toArea0 deny 192.168.2.0/24 (filters this network as an example)

Rosario(config)#ip prefix-list Area5toArea0 permit 10.0.0.0/30 (permits the rest; as with an ACL, there is an implicit deny any at the end of the list)

Rosario(config)#ip prefix-list Area0toArea5 permit 10.0.0.4/30 (similarly, in the opposite direction)

Rosario(config)#ip prefix-list Area0toArea5 deny 192.168.3.0/24

Rosario(config)#router ospf 1

Rosario(config-router)#area 5 filter-list prefix Area5toArea0 ? (checking the options)

  in   Filter networks sent to this area

  out  Filter networks sent from this area

 

Rosario(config-router)#area 5 filter-list prefix Area5toArea0 out (applied in a similar way to an ACL)

Rosario(config-router)#area 5 filter-list prefix Area0toArea5 in (filters network 192.168.3.0 toward area 5)
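
Added example (not part of the original lab): a Python model of how the two prefix-lists above are evaluated when Rosario, as ABR, decides which networks to advertise between areas as Type 3 summaries. The tuple layout, the function names, the DENY_ONE_PERMIT_REST list and the 192.168.4.0/24 network are assumptions of this example.

```python
import ipaddress

# Prefix-lists as configured on Rosario, in sequence order.
# The (action, prefix, ge, le) tuple layout is this example's own model.
AREA5_TO_AREA0 = [("deny", "192.168.2.0/24", None, None),
                  ("permit", "10.0.0.0/30", None, None)]
AREA0_TO_AREA5 = [("permit", "10.0.0.4/30", None, None),
                  ("deny", "192.168.3.0/24", None, None)]
# Hypothetical variant (not on the page): deny one network, permit all others.
DENY_ONE_PERMIT_REST = [("deny", "192.168.2.0/24", None, None),
                        ("permit", "0.0.0.0/0", None, 32)]

# Intra-area networks of each area, taken from the routing tables on the page.
AREA5_ROUTES = ["10.0.0.0/30", "192.168.2.0/24"]
AREA0_ROUTES = ["10.0.0.4/30", "192.168.3.0/24"]


def prefix_list_action(entries, route):
    """Return 'permit' or 'deny' for one route, first matching entry wins."""
    net = ipaddress.ip_network(route)
    for action, prefix, ge, le in entries:
        base = ipaddress.ip_network(prefix)
        if not net.subnet_of(base):
            continue  # the entry's leading bits do not cover this route
        if ge is None and le is None:
            lo = hi = base.prefixlen  # no ge/le: mask length must be identical
        else:
            lo = base.prefixlen if ge is None else ge
            hi = 32 if le is None else le
        if lo <= net.prefixlen <= hi:
            return action
    return "deny"  # implicit deny that closes every prefix-list


def summaries_advertised(entries, intra_area_routes):
    """Networks the ABR still advertises as Type 3 summaries after the filter."""
    return [r for r in intra_area_routes
            if prefix_list_action(entries, r) == "permit"]


if __name__ == "__main__":
    print("Area 5 -> area 0:", summaries_advertised(AREA5_TO_AREA0, AREA5_ROUTES))
    print("Area 0 -> area 5:", summaries_advertised(AREA0_TO_AREA5, AREA0_ROUTES))
    # 192.168.4.0/24 is a constructed network, not part of the lab.
    print("New LAN, page list:", prefix_list_action(AREA5_TO_AREA0, "192.168.4.0/24"))
    print("New LAN, variant:", prefix_list_action(DENY_ONE_PERMIT_REST, "192.168.4.0/24"))
```

The filter only governs which Type 3 summary LSAs Rosario originates; Rosario's own O routes are computed from the intra-area LSAs of each attached area, which is why its routing table is unchanged after the filter is applied.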

                       

Post-filtering verification:

 

Mendoza#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default

       U - per-user static route, o - ODR

 

Gateway of last resort is not set

 

     10.0.0.0/30 is subnetted, 2 subnets

O IA    10.0.0.0 [110/2] via 10.0.0.5, 00:00:17, Serial0  (network 192.168.2.0/24 is filtered)

C       10.0.0.4 is directly connected, Serial0

C    192.168.3.0/24 is directly connected, Ethernet0

Mendoza#

 

Cordoba#sh ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

 

Gateway of last resort is not set

 

     10.0.0.0/30 is subnetted, 2 subnets

C       10.0.0.0 is directly connected, Serial0/0

O IA    10.0.0.4 [110/782] via 10.0.0.1, 00:10:12, Serial0/0 (network 192.168.3.0/24 is filtered)

C    192.168.2.0/24 is directly connected, Ethernet0/0

Cordoba#

 

Rosario#sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, + - replicated route

 

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

 

S*    0.0.0.0/0 is directly connected, Null0

      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks

C        10.0.0.0/30 is directly connected, Serial0/0/0

L        10.0.0.1/32 is directly connected, Serial0/0/0

C        10.0.0.4/30 is directly connected, Serial0/0/1

L        10.0.0.5/32 is directly connected, Serial0/0/1

O     192.168.2.0/24 [110/11] via 10.0.0.2, 00:09:12, Serial0/0/0

O     192.168.3.0/24 [110/11] via 10.0.0.6, 00:09:12, Serial0/0/1 (neither route changes; the next goal is to keep them out of the table)

Rosario#

 

Rosario#sh ip prefix-list (similar to an ACL)

ip prefix-list Area0toArea5: 2 entries

   seq 5 permit 10.0.0.4/30

   seq 10 deny 192.168.3.0/24

ip prefix-list Area5toArea0: 2 entries

   seq 5 deny 192.168.2.0/24

   seq 10 permit 10.0.0.0/30

Rosario#sh ip prefix-list detail

Prefix-list with the last deletion/insertion: Area5toArea0

ip prefix-list Area0toArea5:

   count: 2, range entries: 0, sequences: 5 - 10, refcount: 2

   seq 5 permit 10.0.0.4/30 (hit count: 2, refcount: 1)

   seq 10 deny 192.168.3.0/24 (hit count: 2, refcount: 1)

ip prefix-list Area5toArea0:

   count: 2, range entries: 0, sequences: 5 - 10, refcount: 3

   seq 5 deny 192.168.2.0/24 (hit count: 1, refcount: 1)

   seq 10 permit 10.0.0.0/30 (hit count: 1, refcount: 1)

Rosario#

 

A curiosity while I was configuring:

 

Rosario(config-router)#? (I was looking for options under OSPF and the router reloaded)

Router configuration commands:

  address-family         Enter Address Family command mode

  area                   OSPF area parameters

  auto-cost              Calculate OSPF interface cost according to bandwidth

  bfd                    BFD configuration commands

  capability             Enable specific OSPF feature

  compatible             OSPF compatibility list

  default                Set a command to its defaults

  default-information    Control distribution of default information

  default-metric         Set metric of redistributed routes

Aug 28 22:00:02.219: %SYS-5-RELOAD: Reload requested  by console. Reload Reason: Reload Command. ( …? )

 

System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 2010 by cisco Systems, Inc.

 

Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB

CISCO1941/K9 platform with 524288 Kbytes of main memory

Main memory is configured to 64/-1(On-board/DIMM0) bit mode with ECC disabled

 

Readonly ROMMON initialized

program load complete, entry point: 0x80803000, size: 0x1b340

program load complete, entry point: 0x80803000, size: 0x1b340

 

IOS Image Load Test

 

Digitally Signed Release Software

program load complete, entry point: 0x81000000, size: 0x2bb3990

Self decompressing the image : ####################################################

############################################################################

############################################################################

######################################################################### [OK]

 

Device configuration

 

Mendoza#sh runn  (most relevant parts in bold)

Building configuration...

 

Current configuration:

!

version 11.3 (Jurassic Park)

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Mendoza

!

interface Ethernet0

 ip address 192.168.3.1 255.255.255.0

!

interface Serial0

 ip address 10.0.0.6 255.255.255.252

 ip ospf cost 1

 clockrate 125000

!

router ospf 1

 passive-interface Ethernet0

 network 10.0.0.4 0.0.0.3 area 0

 network 192.168.3.0 0.0.0.255 area 0

!

ip classless

!

!

line con 0

line vty 0 4

 login

!

end

 

Mendoza#

 

Rosario#sh runn (most relevant parts in bold)

Building configuration...

 

Current configuration : 2119 bytes

!

! Last configuration change at 01:36:05 UTC Fri Aug 29 2014

! NVRAM config last updated at 01:36:07 UTC Fri Aug 29 2014

!

version 15.0 (getting better)

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Rosario

!

interface GigabitEthernet0/0

 no ip address

 shutdown

!

interface GigabitEthernet0/1

 no ip address

 shutdown

!

interface Serial0/0/0

 ip address 10.0.0.1 255.255.255.252

 ip ospf cost 1

!

interface Serial0/0/1

 ip address 10.0.0.5 255.255.255.252

 ip ospf cost 1

!

router ospf 1

 log-adjacency-changes

 area 5 filter-list prefix Area0toArea5 in (OSPF inter-area filtering ACL)

 area 5 filter-list prefix Area5toArea0 out

 network 10.0.0.0 0.0.0.3 area 5

 network 10.0.0.4 0.0.0.3 area 0

!

ip forward-protocol nd

!

ip prefix-list Area0toArea5 seq 5 permit 10.0.0.4/30 (the ACLs in question)

ip prefix-list Area0toArea5 seq 10 deny 192.168.3.0/24

!

ip prefix-list Area5toArea0 seq 5 deny 192.168.2.0/24

ip prefix-list Area5toArea0 seq 10 permit 10.0.0.0/30

!

kron occurrence RELOAD at 22:00 recurring (the cause of the reload; it was left over from a previous lab, see www.vilarrasa.com.ar/cisco_kron.htm)

 policy-list RELOAD

!

kron policy-list RELOAD

 cli reload

!

line con 0

line aux 0

line vty 0 4

 password cisco

 login

!

end

 

Rosario#

 

Cordoba#sh runn (most relevant parts in bold)

Building configuration...

 

Current configuration : 652 bytes

!

version 12.2 (we got old again)

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname Cordoba

!

interface Ethernet0/0

 ip address 192.168.2.1 255.255.255.0

!

interface Serial0/0

 ip address 10.0.0.2 255.255.255.252

 no fair-queue

 clockrate 128000

!

router ospf 1

 log-adjacency-changes

 passive-interface Ethernet0/0

 network 10.0.0.0 0.0.0.3 area 5

 network 192.168.2.0 0.0.0.255 area 5

!

ip classless

!

line con 0

line aux 0

line vty 0 4

 login

!

end

 

Cordoba#

 

(2014) In the eye of the packet storm

Rosario, Argentina