OSPF scenario with loss of connectivity inside the local network itself

Date: October 16, 2013

 

This scenario sets out to demonstrate the loss of connectivity in a LAN caused by adding a backup static route at headquarters, and the causes that trigger it.

This lab is based on real events; certain details were replaced for confidentiality. It is simulated in Packet Tracer with the same results.

 

Scenario

 

Rosario and Córdoba have as their local networks the addresses 172.16.0.0/22 and 172.16.124.0/22 respectively. Historically, the infrastructure administrators took the Córdoba network to be a /24, as can be seen in the ipconfig output of the end hosts.

 

At the networking level, the Córdoba network still operates as a /22 for standardization reasons.

A static route will be added as a backup via ISP_2 (which does not support OSPF), with an administrative distance higher than OSPF's, so that it works as a floating route if OSPF collapses (or at least that was the idea).

 

Initial connectivity test to verify normal connectivity

 

Cordoba#sh ip route (verification)

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is not set

 

     10.0.0.0/24 is subnetted, 1 subnets

O E2    10.10.10.0 [110/20] via 192.168.1.5, 00:02:43, FastEthernet0/0

     172.16.0.0/22 is subnetted, 2 subnets

O       172.16.0.0 [110/3] via 192.168.1.5, 00:02:09, FastEthernet0/0

C       172.16.124.0 is directly connected, FastEthernet0/1

     192.168.1.0/30 is subnetted, 3 subnets

O       192.168.1.0 [110/2] via 192.168.1.5, 00:02:09, FastEthernet0/0

C       192.168.1.4 is directly connected, FastEthernet0/0

C       192.168.1.12 is directly connected, Ethernet0/0/0

Cordoba#

Cordoba#ping 172.16.124.2 (verification)

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.124.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/15 ms

Cordoba#

 

Cordoba#sh arp (verification)

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  172.16.124.1            -   0004.9A58.0377  ARPA   FastEthernet0/1

Internet  172.16.124.2            1   00D0.BAA3.60A3  ARPA   FastEthernet0/1

Internet  192.168.1.5             8   00E0.F704.2C38  ARPA   FastEthernet0/0

Internet  192.168.1.6             -   00E0.F991.43A6  ARPA   FastEthernet0/0

Internet  192.168.1.14            -   0001.C95B.CB6A  ARPA   Ethernet0/0/0

Cordoba#

 

Test of the local network before the changes

 

PC>ping -t 172.16.124.3 (verification from the PC with IP 172.16.124.2)

 

Pinging 172.16.124.3 with 32 bytes of data:

 

Reply from 172.16.124.3: bytes=32 time=0ms TTL=128

Reply from 172.16.124.3: bytes=32 time=0ms TTL=128

Reply from 172.16.124.3: bytes=32 time=15ms TTL=128

Reply from 172.16.124.3: bytes=32 time=0ms TTL=128

 

Ping statistics for 172.16.124.3:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 15ms, Average = 3ms

Control-C

^C

PC>

 

Rosario#sh ip route (verification from Rosario)

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is not set

 

     172.16.0.0/22 is subnetted, 2 subnets

C       172.16.0.0 is directly connected, FastEthernet0/0

O       172.16.124.0 [110/3] via 192.168.1.1, 00:11:51, FastEthernet0/1

     192.168.1.0/30 is subnetted, 3 subnets

C       192.168.1.0 is directly connected, FastEthernet0/1

O       192.168.1.4 [110/2] via 192.168.1.1, 00:11:51, FastEthernet0/1

C       192.168.1.8 is directly connected, Ethernet0/0/0

Rosario#

 

Changes applied on 16/10

 

Rosario#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Rosario(config)#ip route 172.16.124.0 255.255.255.0 192.168.1.10 200 (the backup route is added)

Rosario(config)#

 

Report of the loss of local connectivity in Córdoba

 

Verification from the network's gateway

 

Rosario#telnet 192.168.1.6 (we log in to the router; WAN connectivity works)

Trying 192.168.1.6 ...Open

 

User Access Verification

 

Password: ******

Cordoba>ping 172.16.124.2 (verification of the local network to a host)

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.124.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

 

Cordoba>sh arp (verification of the local network)

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  172.16.124.1            -    0004.9A58.0377  ARPA   FastEthernet0/1 (Fa0/1)

Internet  172.16.124.2            7   00D0.BAA3.60A3  ARPA   FastEthernet0/1 (local traffic)

Internet  192.168.1.5             14  00E0.F704.2C38  ARPA   FastEthernet0/0 (ISP_1)

Internet  192.168.1.6             -     00E0.F991.43A6  ARPA   FastEthernet0/0 (WAN to ISP_1)

Internet  192.168.1.14            -   0001.C95B.CB6A  ARPA   Ethernet0/0/0 (WAN to ISP_2)

Cordoba>

 

Verification from a PC on the network

 

PC>ipconfig (routine verification)

 

FastEthernet0 Connection:(default port)

Link-local IPv6 Address.........: FE80::2D0:BAFF:FEA3:60A3

IP Address......................: 172.16.124.2

Subnet Mask.....................: 255.255.255.0 (note that it is /24)

Default Gateway.................: 172.16.124.1

 

PC>ping 172.16.124.3 (verification of the local network from one PC to another)

 

Pinging 172.16.124.3 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 172.16.124.3:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

PC>

 

Verification from the network's gateway

 

Cordoba>sh ip int bri  (verification of layers 2 and 3)

Interface              IP-Address      OK? Method Status                Protocol

 

FastEthernet0/0    192.168.1.6     YES manual up                    up

FastEthernet0/1    172.16.124.1   YES manual up                   up

Ethernet0/0/0        192.168.1.14   YES manual up                    up

Vlan1                        unassigned       YES unset  administratively down down

 

Cordoba#conf t (we create ACLs to monitor traffic to and from the router)

Enter configuration commands, one per line.  End with CNTL/Z.

Cordoba(config)#access-list 100 permit ip any any (inbound traffic)

Cordoba(config)#access-list 101 permit ip any any (outbound traffic)

Cordoba(config)#interface FastEthernet0/1

Cordoba(config-if)#ip access-group 100 in

Cordoba(config-if)#ip access-group 101 out

Cordoba(config-if)#^Z

Cordoba#

 

PC>ipconfig (test to verify the ACL)

 

FastEthernet0 Connection:(default port)

Link-local IPv6 Address.........: FE80::2D0:BAFF:FEA3:60A3

IP Address...........................: 172.16.124.2

Subnet Mask.......................: 255.255.255.0

Default Gateway.................: 172.16.124.1

 

PC>ping 172.16.124.1 (we generate traffic to the router to verify the ACL)

 

Pinging 172.16.124.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 172.16.124.1:

    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

 

PC>arp -a (verification of layer 2 communication: the ARP reaches the router and the router replies)

  Internet Address      Physical Address      Type

  172.16.124.1          0004.9a58.0377        dynamic

PC>

 

Cordoba#sh access-list (we verify traffic)

Extended IP access list 100

    permit ip any any (29 match(es)) (we verify that the traffic comes in)

Extended IP access list 101

    permit ip any any  (no matches; we verify that the traffic does not go out)

Cordoba#

 

Cordoba#sh ip route 172.16.124.0 (we check the local network address and detect the problem)

Routing entry for 172.16.124.0/24

Known via "ospf 1", distance 110, metric 20, type intra area (where it should be "connected")

  Last update from 192.168.1.5 on FastEthernet0/0, 00:01:57 ago

  Routing Descriptor Blocks:

  * 192.168.1.5, from 192.168.1.9, 00:01:57 ago, via FastEthernet0/0

      Route metric is 20, traffic share count is 1

Cordoba#

 

Cordoba#sh ip route (we verify the problem)

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is not set

 

     10.0.0.0/24 is subnetted, 1 subnets

O E2    10.10.10.0 [110/20] via 192.168.1.5, 00:02:43, FastEthernet0/0

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks

O       172.16.0.0/22 [110/3] via 192.168.1.5, 00:06:03, FastEthernet0/0

C       172.16.124.0/22 is directly connected, FastEthernet0/1

O E2    172.16.124.0/24 [110/20] via 192.168.1.5, 00:00:58, FastEthernet0/0 (more specific route, same AD, therefore it is valid)

     192.168.1.0/30 is subnetted, 3 subnets

O       192.168.1.0 [110/2] via 192.168.1.5, 00:06:03, FastEthernet0/0

C       192.168.1.4 is directly connected, FastEthernet0/0

C       192.168.1.12 is directly connected, Ethernet0/0/0

Cordoba#

 

Rosario#conf t (we fix the problem)

Rosario(config)#no ip route 172.16.124.0 255.255.255.0 192.168.1.10 200

Rosario(config)#ip route 172.16.124.0 255.255.252.0 192.168.1.10 200 (correct mask)

Rosario(config)#^Z

Cordoba#

 

Rosario# sh ip route (verification)

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is not set

 

     10.0.0.0/24 is subnetted, 1 subnets

S       10.10.10.0 [1/0] via 192.168.1.10

     172.16.0.0/22 is subnetted, 2 subnets

C       172.16.0.0 is directly connected, FastEthernet0/0

O       172.16.124.0 [110/3] via 192.168.1.1, 00:00:41, FastEthernet0/1 (the original route again)

     192.168.1.0/30 is subnetted, 3 subnets

C       192.168.1.0 is directly connected, FastEthernet0/1

O       192.168.1.4 [110/2] via 192.168.1.1, 00:00:41, FastEthernet0/1

C       192.168.1.8 is directly connected, Ethernet0/0/0

Rosario#

 

PC>ping -t 172.16.124.3 (verification)

 

Pinging 172.16.124.3 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Reply from 172.16.124.3: bytes=32 time=15ms TTL=128 (the static route in Rosario is modified)

Reply from 172.16.124.3: bytes=32 time=0ms TTL=128

Reply from 172.16.124.3: bytes=32 time=0ms TTL=128

Reply from 172.16.124.3: bytes=32 time=15ms TTL=128

 

Changes applied before 16/10 (and root of the problem)

 

Rosario(config)#ip route 10.10.10.0 255.255.255.0 192.168.1.10 (specific route for an application)

Rosario(config)#router ospf 1

Rosario(config-router)#redistribute static subnets  (so that it is visible via OSPF)

Rosario(config-router)#

 

Another test with the /24 route (knowing the problem)

 

PC>ping -t 172.16.124.3 (failed local verification)

 

Pinging 172.16.124.3 with 32 bytes of data:

 

Request timed out.

Request timed out.

Request timed out.

Request timed out.

 

Ping statistics for 172.16.124.3:

    Packets: Sent = 4, Received = 0, Lost = 3 (100% loss),

 

Control-C

^C

 

PC>ping -t 172.16.124.1 (failed local verification)

 

Pinging 172.16.124.1 with 32 bytes of data:

 

Request timed out.

Request timed out.

---abridged---

Ping statistics for 172.16.124.1:

    Packets: Sent =21, Received = 0, Lost = 1 (100% loss),

Control-C

^C

PC>arp -a (layer 2 verification)

  Internet Address      Physical Address      Type

  172.16.124.1          0004.9a58.0377        dynamic

  172.16.124.3          0004.9a58.0377        dynamic (same MACs, therefore it is working as proxy-arp)

 

PC>

 

Cordoba#configure terminal (we disable proxy-arp)

Enter configuration commands, one per line.  End with CNTL/Z.

Cordoba(config)#interface FastEthernet0/1

Cordoba(config-if)#no ip proxy-arp

Cordoba(config-if)#^Z

Cordoba#

 

Cordoba#sh ip route (we verify)

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is not set

 

     10.0.0.0/24 is subnetted, 1 subnets

O E2    10.10.10.0 [110/20] via 192.168.1.5, 00:06:16, FastEthernet0/0

     172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks

O       172.16.0.0/22 [110/3] via 192.168.1.5, 00:06:16, FastEthernet0/0

C       172.16.124.0/22 is directly connected, FastEthernet0/1

O E2    172.16.124.0/24 [110/20] via 192.168.1.5, 00:04:45, FastEthernet0/0 (we verify)

     192.168.1.0/30 is subnetted, 3 subnets

O       192.168.1.0 [110/2] via 192.168.1.5, 00:06:16, FastEthernet0/0

C       192.168.1.4 is directly connected, FastEthernet0/0

C       192.168.1.12 is directly connected, Ethernet0/0/0

Cordoba#

 

PC>arp -d (we clear the ARP table on the PC)

PC>ping -t 172.16.124.3 (we verify again)

 

Pinging 172.16.124.3 with 32 bytes of data:

 

Reply from 172.16.124.3: bytes=32 time=0ms TTL=128

Reply from 172.16.124.3: bytes=32 time=0ms TTL=128

Reply from 172.16.124.3: bytes=32 time=0ms TTL=128

 

Ping statistics for 172.16.124.3:

    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

 

Control-C

^C

PC>arp -a  (we verify layer 2)

  Internet Address      Physical Address      Type

  172.16.124.3          00e0.b008.4982        dynamic (correct MAC)

 

PC>
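The two mechanisms behind this outage, modelled as an added example (it is not part of the original write-up): administrative distance only arbitrates between routes to the same prefix, while forwarding and proxy ARP follow the longest match. The Córdoba table is taken from the output above; the Rosario candidate list, the function names and the simplified proxy ARP rule are assumptions.

```python
import ipaddress

def best_per_prefix(candidates):
    """Administrative distance only decides between routes to the SAME prefix."""
    rib = {}
    for prefix, source, ad, next_hop, iface in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in rib or ad < rib[net][1]:
            rib[net] = (source, ad, next_hop, iface)
    return rib

def lookup(rib, destination):
    """Forwarding uses the longest matching prefix; AD plays no part here."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    net = max(matches, key=lambda n: n.prefixlen)
    return (str(net),) + rib[net]

def proxy_arp_answers(rib, target, arp_iface):
    """Simplified proxy ARP rule: reply when the target is routed out another interface."""
    route = lookup(rib, target)
    return route is not None and route[4] != arp_iface

def shadowing_statics(statics, site_lans):
    """Pre-change check: statics that are strict subnets of a site's connected LAN."""
    findings = []
    for prefix in statics:
        net = ipaddress.ip_network(prefix)
        for site, lan in site_lans.items():
            lan_net = ipaddress.ip_network(lan)
            if net != lan_net and net.subnet_of(lan_net):
                findings.append((prefix, site, lan))
    return findings

# Rosario candidates (constructed): different prefixes, so the AD 200 static
# does not float behind the OSPF /22; it is installed and redistributed at once.
ROSARIO = best_per_prefix([
    ("172.16.124.0/22", "O", 110, "192.168.1.1", "FastEthernet0/1"),
    ("172.16.124.0/24", "S", 200, "192.168.1.10", "Ethernet0/0/0"),
])
# Cordoba during the outage, taken from the routing table shown on the page.
CORDOBA = best_per_prefix([
    ("172.16.0.0/22", "O", 110, "192.168.1.5", "FastEthernet0/0"),
    ("172.16.124.0/22", "C", 0, None, "FastEthernet0/1"),
    ("172.16.124.0/24", "O E2", 110, "192.168.1.5", "FastEthernet0/0"),
])

if __name__ == "__main__":
    print(lookup(ROSARIO, "172.16.124.3"))
    print(lookup(CORDOBA, "172.16.124.2"))
    print(proxy_arp_answers(CORDOBA, "172.16.124.3", "FastEthernet0/1"))
    print(shadowing_statics(["172.16.124.0/24", "172.16.124.0/22", "10.10.10.0/24"],
                            {"Rosario": "172.16.0.0/22", "Cordoba": "172.16.124.0/22"}))
```

Running `shadowing_statics` over the planned static routes before a change window flags the /24 and accepts the corrected /22.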

 

Test of the (famous) floating route

 

So that OSPF behaves naturally, with an LS update from ISP_1 and with interface Fa0/1 kept in the UP state, the ISP_1 - Córdoba segment is removed.

 

Rosario#sh ip route (verification before the change)

 

Gateway of last resort is not set

 

     10.0.0.0/24 is subnetted, 1 subnets

S       10.10.10.0 [1/0] via 192.168.1.10

     172.16.0.0/22 is subnetted, 2 subnets

C       172.16.0.0 is directly connected, FastEthernet0/0

O       172.16.124.0 [110/3] via 192.168.1.1, 00:00:41, FastEthernet0/1 (original route)

     192.168.1.0/30 is subnetted, 3 subnets

C       192.168.1.0 is directly connected, FastEthernet0/1

O       192.168.1.4 [110/2] via 192.168.1.1, 00:00:41, FastEthernet0/1

C       192.168.1.8 is directly connected, Ethernet0/0/0

Rosario#

 

 

Rosario#debug ip routing (we monitor routing events)

IP routing debugging is on

Rosario#

 

RT: del 192.168.1.4 via 192.168.1.1, ospf metric [110/2] (ISP_1 - Córdoba segment)

RT: delete network route to 192.168.1.4

RT: NET-RED 192.168.1.4/30

RT: del 172.16.124.0 via 192.168.1.1, ospf metric [110/3] (Córdoba local network)

RT: delete network route to 172.16.124.0

RT: NET-RED 172.16.124.0/22

RT: SET_LAST_RDB for 172.16.124.0/22

    NEW rdb: via 192.168.1.10

 

RT: add 172.16.124.0/22 via 192.168.1.10, static metric [200/0] (alternate route)

RT: NET-RED 172.16.124.0/22

 

Rosario#sh ip route (verification after the change)

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

 

Gateway of last resort is not set

 

     10.0.0.0/24 is subnetted, 1 subnets

S       10.10.10.0 [1/0] via 192.168.1.10

     172.16.0.0/22 is subnetted, 2 subnets

C       172.16.0.0 is directly connected, FastEthernet0/0

S       172.16.124.0 [200/0] via 192.168.1.10 (at last…)

     192.168.1.0/30 is subnetted, 2 subnets

C       192.168.1.0 is directly connected, FastEthernet0/1

C       192.168.1.8 is directly connected, Ethernet0/0/0

Rosario#

 

Another way to mitigate this problem, though not supported by Packet Tracer, is to create a route-map to select which routes are redistributed into OSPF.

 

With this we select which routes to redistribute and which not, by means of an ACL:

 

router ospf 1

  redistribute static subnets route-map REDISTRIBUYE (redistributes via OSPF only the desired route)

  exit

ip access-list standard REDISTRIBUYE (specifies the networks to redistribute)

  permit 10.10.10.0 0.0.0.255

  exit

route-map REDISTRIBUYE permit 10

 match ip address REDISTRIBUYE (matches the routes by means of the ACL)

 set metric-type type-1 (sets the redistribution as type 1 instead of type 2 (which keeps the metric), so the OSPF costs to each site are added; otherwise, by default, type 2 routes keep the metric at 1, as seen in the example)

 

Rosario#sh ip route (verification before the change)

---abridged---

     10.0.0.0/24 is subnetted, 1 subnets

O E1    10.10.10.0 [110/23] via 192.168.1.5, 00:06:16, FastEthernet0/0 (23 instead of 20)

     172.16.0.0/16 is variably subnetted, 2 subnets, 1 masks

O       172.16.0.0/22 [110/3] via 192.168.1.5, 00:06:16, FastEthernet0/0

C       172.16.124.0/22 is directly connected, FastEthernet0/1

     192.168.1.0/30 is subnetted, 3 subnets

O       192.168.1.0 [110/2] via 192.168.1.5, 00:06:16, FastEthernet0/0

C       192.168.1.4 is directly connected, FastEthernet0/0

C       192.168.1.12 is directly connected, Ethernet0/0/0

Cordoba#

 

Once we know the cause, it is easy to reach the result and find several solutions.

Real network downtime is not a happy moment.

Let's be prepared to weather the storm.

 

 

(2013) Networking cause premature aging

Rosario, Argentina