OSPF scenario with loss of connectivity inside the local network itself
Date: October 16, 2013
This scenario demonstrates how adding a backup static route at the head office caused a loss of connectivity within a LAN, and the causes that triggered it.
This lab is based on real events; certain details were replaced for confidentiality. It is simulated in Packet Tracer with the same results.
Scenario
Rosario and Córdoba use 172.16.0.0/22 and 172.16.124.0/22 respectively as their local networks. Historically, the infrastructure administrators treated the Córdoba network as a /24, as can be seen in the ipconfig output of the end hosts.
At the networking level, the Córdoba network still operates as a /22 for standardization reasons.
A static route will be added as a backup via ISP_2 (which does not support OSPF), with an administrative distance higher than OSPF's, so that it works as a floating route should OSPF collapse (or at least that was the idea).
Initial connectivity test to verify normal connectivity
Cordoba#sh ip route (verification)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.10.10.0 [110/20] via 192.168.1.5, 00:02:43, FastEthernet0/0
172.16.0.0/22 is subnetted, 2 subnets
O 172.16.0.0 [110/3] via 192.168.1.5, 00:02:09, FastEthernet0/0
C 172.16.124.0 is directly connected, FastEthernet0/1
192.168.1.0/30 is subnetted, 3 subnets
O 192.168.1.0 [110/2] via 192.168.1.5, 00:02:09, FastEthernet0/0
C 192.168.1.4 is directly connected, FastEthernet0/0
C 192.168.1.12 is directly connected, Ethernet0/0/0
Cordoba#
Cordoba#ping 172.16.124.2 (verification)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.124.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/3/15 ms
Cordoba#
Cordoba#sh arp (verification)
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.124.1 - 0004.9A58.0377 ARPA FastEthernet0/1
Internet 172.16.124.2 1 00D0.BAA3.60A3 ARPA FastEthernet0/1
Internet 192.168.1.5 8 00E0.F704.2C38 ARPA FastEthernet0/0
Internet 192.168.1.6 - 00E0.F991.43A6 ARPA FastEthernet0/0
Internet 192.168.1.14 - 0001.C95B.CB6A ARPA Ethernet0/0/0
Cordoba#
Local network test before the changes
PC>ping -t 172.16.124.3 (verification from the PC with IP 172.16.124.2)
Pinging 172.16.124.3 with 32 bytes of data:
Reply from 172.16.124.3: bytes=32 time=0ms TTL=128
Reply from 172.16.124.3: bytes=32 time=0ms TTL=128
Reply from 172.16.124.3: bytes=32 time=15ms TTL=128
Reply from 172.16.124.3: bytes=32 time=0ms TTL=128
Ping statistics for 172.16.124.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 15ms, Average = 3ms
Control-C
^C
PC>
Rosario#sh ip route (verification from Rosario)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/22 is subnetted, 2 subnets
C 172.16.0.0 is directly connected, FastEthernet0/0
O 172.16.124.0 [110/3] via 192.168.1.1, 00:11:51, FastEthernet0/1
192.168.1.0/30 is subnetted, 3 subnets
C 192.168.1.0 is directly connected, FastEthernet0/1
O 192.168.1.4 [110/2] via 192.168.1.1, 00:11:51, FastEthernet0/1
C 192.168.1.8 is directly connected, Ethernet0/0/0
Rosario#
Changes applied on 16/10
Rosario#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Rosario(config)#ip route 172.16.124.0 255.255.255.0 192.168.1.10 200 (the backup route is added)
Rosario(config)#
Report of the loss of local connectivity in Córdoba
Verification from the network gateway
Rosario#telnet 192.168.1.6 (we log in to the router; WAN connectivity works)
Trying 192.168.1.6 ...Open
User Access Verification
Password: ******
Cordoba>ping 172.16.124.2 (verification of the local network to a host)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.124.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Cordoba>sh arp (verification of the local network)
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.124.1 - 0004.9A58.0377 ARPA FastEthernet0/1 (Fa0/1)
Internet 172.16.124.2 7 00D0.BAA3.60A3 ARPA FastEthernet0/1 (local traffic)
Internet 192.168.1.5 14 00E0.F704.2C38 ARPA FastEthernet0/0 (ISP_1)
Internet 192.168.1.6 - 00E0.F991.43A6 ARPA FastEthernet0/0 (WAN to ISP_1)
Internet 192.168.1.14 - 0001.C95B.CB6A ARPA Ethernet0/0/0 (WAN to ISP_2)
Cordoba>
Verification from a PC on the network
PC>ipconfig (routine check)
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2D0:BAFF:FEA3:60A3
IP Address......................: 172.16.124.2
Subnet Mask.....................: 255.255.255.0 (note that it is /24)
Default Gateway.................: 172.16.124.1
PC>ping 172.16.124.3 (verification of the local network from one PC to another)
Pinging 172.16.124.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.124.3:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>
Verification from the network gateway
Cordoba>sh ip int bri (layer 2 and layer 3 verification)
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 192.168.1.6 YES manual up up
FastEthernet0/1 172.16.124.1 YES manual up up
Ethernet0/0/0 192.168.1.14 YES manual up up
Vlan1 unassigned YES unset administratively down down
Cordoba#conf t (we create ACLs to monitor traffic to and from the router)
Enter configuration commands, one per line. End with CNTL/Z.
Cordoba(config)#access-list 100 permit ip any any (inbound traffic)
Cordoba(config)#access-list 101 permit ip any any (outbound traffic)
Cordoba(config)#interface FastEthernet0/1
Cordoba(config-if)#ip access-group 100 in
Cordoba(config-if)#ip access-group 101 out
Cordoba(config-if)#^Z
Cordoba#
PC>ipconfig (test to verify the ACL)
FastEthernet0 Connection:(default port)
Link-local IPv6 Address.........: FE80::2D0:BAFF:FEA3:60A3
IP Address...........................: 172.16.124.2
Subnet Mask.......................: 255.255.255.0
Default Gateway.................: 172.16.124.1
PC>ping 172.16.124.1 (we generate traffic to the router to verify the ACL)
Pinging 172.16.124.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.124.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
PC>arp -a (verification of layer 2 communication; the ARP reaches the router and the router replies)
Internet Address Physical Address Type
172.16.124.1 0004.9a58.0377 dynamic
PC>
Cordoba#sh access-list (we check the traffic)
Extended IP access list 100
permit ip any any (29 match(es)) (we verify that traffic comes in)
Extended IP access list 101
permit ip any any (no matches; we verify that traffic does not go out)
Cordoba#
Cordoba#sh ip route 172.16.124.0 (we check the local network address and detect the problem)
Routing entry for 172.16.124.0/24
Known via "ospf 1", distance 110, metric 20, type intra area (where it should be "connected")
Last update from 192.168.1.5 on FastEthernet0/0, 00:01:57 ago
Routing Descriptor Blocks:
* 192.168.1.5, from 192.168.1.9, 00:01:57 ago, via FastEthernet0/0
Route metric is 20, traffic share count is 1
Cordoba#
Cordoba#sh ip route (we verify the problem)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.10.10.0 [110/20] via 192.168.1.5, 00:02:43, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O 172.16.0.0/22 [110/3] via 192.168.1.5, 00:06:03, FastEthernet0/0
C 172.16.124.0/22 is directly connected, FastEthernet0/1
O E2 172.16.124.0/24 [110/20] via 192.168.1.5, 00:00:58, FastEthernet0/0 (more specific route, same AD, therefore it is valid)
192.168.1.0/30 is subnetted, 3 subnets
O 192.168.1.0 [110/2] via 192.168.1.5, 00:06:03, FastEthernet0/0
C 192.168.1.4 is directly connected, FastEthernet0/0
C 192.168.1.12 is directly connected, Ethernet0/0/0
Cordoba#
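The forwarding decision behind this outage, as an added example that is not part of the original write-up: a longest-prefix-match lookup over Cordoba's table as shown above, plus an audit check that flags any learned route that is a more specific subset of a directly connected network. The function names are hypothetical and the table is transcribed from the output above.

```python
import ipaddress

# Cordoba's routing table after the change, transcribed from the output above
# as (prefix, route code, outgoing interface).
CORDOBA_RIB = [
    ("10.10.10.0/24", "O E2", "FastEthernet0/0"),
    ("172.16.0.0/22", "O", "FastEthernet0/0"),
    ("172.16.124.0/22", "C", "FastEthernet0/1"),
    ("172.16.124.0/24", "O E2", "FastEthernet0/0"),
    ("192.168.1.0/30", "O", "FastEthernet0/0"),
    ("192.168.1.4/30", "C", "FastEthernet0/0"),
    ("192.168.1.12/30", "C", "Ethernet0/0/0"),
]

def parse(rib):
    return [(ipaddress.ip_network(p), code, ifc) for p, code, ifc in rib]

def lookup(rib, dest):
    """Longest-prefix match: the most specific covering route wins,
    whatever its administrative distance."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in parse(rib) if addr in r[0]]
    if not hits:
        return None
    net, code, ifc = max(hits, key=lambda r: r[0].prefixlen)
    return (str(net), code, ifc)

def shadowed_connected(rib):
    """Flag learned routes that are strict subsets of a connected network.
    Hosts inside such a prefix are forwarded away from their own LAN."""
    routes = parse(rib)
    connected = [r for r in routes if r[1] == "C"]
    findings = []
    for net, code, ifc in routes:
        if code == "C":
            continue
        for cnet, _, cifc in connected:
            if net != cnet and net.subnet_of(cnet):
                findings.append((str(net), code, ifc, str(cnet), cifc))
    return findings

if __name__ == "__main__":
    print(lookup(CORDOBA_RIB, "172.16.124.2"))   # LAN host, sent out the WAN side
    print(lookup(CORDOBA_RIB, "172.16.125.10"))  # outside the /24, still connected
    for finding in shadowed_connected(CORDOBA_RIB):
        print("shadowed:", finding)
```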
Rosario#conf t (we fix the problem)
Rosario(config)#no ip route 172.16.124.0 255.255.255.0 192.168.1.10 200
Rosario(config)#ip route 172.16.124.0 255.255.252.0 192.168.1.10 200 (correct mask)
Rosario(config)#^Z
Cordoba#
Rosario# sh ip route (verification)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
S 10.10.10.0 [1/0] via 192.168.1.10
172.16.0.0/22 is subnetted, 2 subnets
C 172.16.0.0 is directly connected, FastEthernet0/0
O 172.16.124.0 [110/3] via 192.168.1.1, 00:00:41, FastEthernet0/1 (the original route again)
192.168.1.0/30 is subnetted, 3 subnets
C 192.168.1.0 is directly connected, FastEthernet0/1
O 192.168.1.4 [110/2] via 192.168.1.1, 00:00:41, FastEthernet0/1
C 192.168.1.8 is directly connected, Ethernet0/0/0
Rosario#
PC>ping -t 172.16.124.3 (verification)
Pinging 172.16.124.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 172.16.124.3: bytes=32 time=15ms TTL=128 (the static route in Rosario is modified)
Reply from 172.16.124.3: bytes=32 time=0ms TTL=128
Reply from 172.16.124.3: bytes=32 time=0ms TTL=128
Reply from 172.16.124.3: bytes=32 time=15ms TTL=128
Changes applied before 16/10 (and root of the problem)
Rosario(config)#ip route 10.10.10.0 255.255.255.0 192.168.1.10 (application-specific route)
Rosario(config)#router ospf 1
Rosario(config-router)#redistribute static subnets (so that it is visible via OSPF)
Rosario(config-router)#
Another test with the /24 route (knowing the problem)
PC>ping -t 172.16.124.3 (failed local verification)
Pinging 172.16.124.3 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 172.16.124.3:
Packets: Sent = 4, Received = 0, Lost = 3 (100% loss),
Control-C
^C
PC>ping -t 172.16.124.1 (failed local verification)
Pinging 172.16.124.1 with 32 bytes of data:
Request timed out.
Request timed out.
---abridged---
Ping statistics for 172.16.124.1:
Packets: Sent =21, Received = 0, Lost = 1 (100% loss),
Control-C
^C
PC>arp -a (layer 2 verification)
Internet Address Physical Address Type
172.16.124.1 0004.9a58.0377 dynamic
172.16.124.3 0004.9a58.0377 dynamic (same MACs, so the router is acting as proxy-arp)
PC>
Cordoba#configure terminal (we disable proxy-arp)
Enter configuration commands, one per line. End with CNTL/Z.
Cordoba(config)#interface FastEthernet0/1
Cordoba(config-if)#no ip proxy-arp
Cordoba(config-if)#^Z
Cordoba#
Cordoba#sh ip route (we verify)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
O E2 10.10.10.0 [110/20] via 192.168.1.5, 00:06:16, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
O 172.16.0.0/22 [110/3] via 192.168.1.5, 00:06:16, FastEthernet0/0
C 172.16.124.0/22 is directly connected, FastEthernet0/1
O E2 172.16.124.0/24 [110/20] via 192.168.1.5, 00:04:45, FastEthernet0/0 (we verify)
192.168.1.0/30 is subnetted, 3 subnets
O 192.168.1.0 [110/2] via 192.168.1.5, 00:06:16, FastEthernet0/0
C 192.168.1.4 is directly connected, FastEthernet0/0
C 192.168.1.12 is directly connected, Ethernet0/0/0
Cordoba#
PC>arp -d (we clear the ARP table on the PC)
PC>ping -t 172.16.124.3 (we verify again)
Pinging 172.16.124.3 with 32 bytes of data:
Reply from 172.16.124.3: bytes=32 time=0ms TTL=128
Reply from 172.16.124.3: bytes=32 time=0ms TTL=128
Reply from 172.16.124.3: bytes=32 time=0ms TTL=128
Ping statistics for 172.16.124.3:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
PC>arp -a (we verify layer 2)
Internet Address Physical Address Type
172.16.124.3 00e0.b008.4982 dynamic (correct MAC)
PC>
Test of the (famous) floating route
So that OSPF reacts naturally, with LS updates from ISP_1 and with interface Fa0/1 kept in the UP state, the ISP_1 - Córdoba segment is removed.
Rosario#sh ip route (verification before the change)
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
S 10.10.10.0 [1/0] via 192.168.1.10
172.16.0.0/22 is subnetted, 2 subnets
C 172.16.0.0 is directly connected, FastEthernet0/0
O 172.16.124.0 [110/3] via 192.168.1.1, 00:00:41, FastEthernet0/1 (original route)
192.168.1.0/30 is subnetted, 3 subnets
C 192.168.1.0 is directly connected, FastEthernet0/1
O 192.168.1.4 [110/2] via 192.168.1.1, 00:00:41, FastEthernet0/1
C 192.168.1.8 is directly connected, Ethernet0/0/0
Rosario#
Rosario#debug ip routing (we monitor routing events)
IP routing debugging is on
Rosario#
RT: del 192.168.1.4 via 192.168.1.1, ospf metric [110/2] (ISP_1 - Córdoba segment)
RT: delete network route to 192.168.1.4
RT: NET-RED 192.168.1.4/30
RT: del 172.16.124.0 via 192.168.1.1, ospf metric [110/3] (Córdoba local network)
RT: delete network route to 172.16.124.0
RT: NET-RED 172.16.124.0/22
RT: SET_LAST_RDB for 172.16.124.0/22
NEW rdb: via 192.168.1.10
RT: add 172.16.124.0/22 via 192.168.1.10, static metric [200/0] (alternate route)
RT: NET-RED 172.16.124.0/22
Rosario#sh ip route (verification after the change)
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
S 10.10.10.0 [1/0] via 192.168.1.10
172.16.0.0/22 is subnetted, 2 subnets
C 172.16.0.0 is directly connected, FastEthernet0/0
S 172.16.124.0 [200/0] via 192.168.1.10 (at last…)
192.168.1.0/30 is subnetted, 2 subnets
C 192.168.1.0 is directly connected, FastEthernet0/1
C 192.168.1.8 is directly connected, Ethernet0/0/0
Rosario#
Another way to mitigate this problem, though not supported by Packet Tracer, is to create a route-map that selects which routes are redistributed into OSPF.
With it we choose which routes to redistribute and which not, by means of an ACL:
router ospf 1
redistribute static subnets route-map REDISTRIBUYE (redistributes via OSPF only the desired route)
exit
ip access-list standard REDISTRIBUYE (specifies the networks to redistribute)
permit 10.10.10.0 0.0.0.255
exit
route-map REDISTRIBUYE permit 10
match ip address REDISTRIBUYE (matches the routes by means of the ACL)
set metric-type type-1
(sets redistribution to type 1 rather than type 2 (which keeps the metric), so that the OSPF costs to each site are added; otherwise, by default, type 2 routes keep the metric at 1 as seen in the example)
Rosario#sh ip route (verification before the change)
---abridged---
10.0.0.0/24 is subnetted, 1 subnets
O E1 10.10.10.0 [110/23] via 192.168.1.5, 00:06:16, FastEthernet0/0 (23 instead of 20)
172.16.0.0/16 is variably subnetted, 2 subnets, 1 masks
O 172.16.0.0/22 [110/3] via 192.168.1.5, 00:06:16, FastEthernet0/0
C 172.16.124.0/22 is directly connected, FastEthernet0/1
192.168.1.0/30 is subnetted, 3 subnets
O 192.168.1.0 [110/2] via 192.168.1.5, 00:06:16, FastEthernet0/0
C 192.168.1.4 is directly connected, FastEthernet0/0
C 192.168.1.12 is directly connected, Ethernet0/0/0
Cordoba#
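Why the /24 backup never floated and how the route-map contains it, as an added example that is not part of the original write-up: a simplified model of Rosario's route installation (lowest administrative distance per exact prefix), of "redistribute static subnets", and of the standard ACL match used by the route-map. Function names are hypothetical; prefixes and distances are taken from the outputs above.

```python
import ipaddress

OSPF_AD = 110  # administrative distance shown as [110/3] in Rosario's table

def install(candidates):
    """Per exact prefix, install the candidate with the lowest AD.
    Routes with different masks never compete with each other."""
    best = {}
    for prefix, source, ad in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in best or ad < best[net][1]:
            best[net] = (source, ad)
    return best

def acl_permits(net, acl):
    """Standard ACL match on the route's network address under a wildcard mask."""
    for base, wildcard in acl:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if int(net.network_address) & care == int(ipaddress.ip_address(base)) & care:
            return True
    return False  # implicit deny at the end of the ACL

def redistributed_statics(candidates, acl=None):
    """Only static routes that are actually installed can be redistributed;
    an optional ACL plays the role of the route-map filter."""
    rib = install(candidates)
    return sorted(str(net) for net, (source, _) in rib.items()
                  if source == "static" and (acl is None or acl_permits(net, acl)))

def rosario(backup_prefix):
    """Rosario's candidate routes for a given backup static prefix."""
    return [
        ("172.16.124.0/22", "ospf", OSPF_AD),   # learned from Cordoba
        ("10.10.10.0/24", "static", 1),         # application-specific route
        (backup_prefix, "static", 200),         # intended floating route
    ]

ACL_REDISTRIBUYE = [("10.10.10.0", "0.0.0.255")]  # from the route-map config above

if __name__ == "__main__":
    print(redistributed_statics(rosario("172.16.124.0/24")))  # /24 leaks into OSPF
    print(redistributed_statics(rosario("172.16.124.0/22")))  # /22 stays dormant
    print(redistributed_statics(rosario("172.16.124.0/24"), ACL_REDISTRIBUYE))
```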
Once we know the cause, it is easy to reach the result and to find several solutions.
The real downtime of a network is not a happy moment.
Let us be prepared to weather the storm.
(2013) Networking cause premature aging
Rosario, Argentina