No RIP packets, rejecting distribute-list and redistribute
Version: frr-7.5-3.3.x86_64 from OpenSuSE Tumbleweed. This is probably a near duplicate of bug 1279 (2017-10-02) https://github.com/FRRouting/frr/issues/1279 except the OP omidit was trying to use BGP while I have RIP[ng]. I'm pointing the finger of blame at a documentation issue; in other words, almost certainly my frr.conf file (appended with comments) lacks some prerequisite which would resurrect the redistribute and distribute-list commands.

Presenting symptoms: ripd and ripngd never emit any RIP[ng] packets, even though the sub-router has a route to the subnet that I want the local LAN to be able to reach. Plus: when I specify "redistribute" and "distribute-list", frr -C complains:

```
line 56: % Unknown command[4]: distribute-list xenanet in
line 57: % Unknown command[4]: distribute-list xenanet out
line 61: % Unknown command[4]: redistribute kernel
line 63: % Unknown command[4]: redistribute static
line 65: % Unknown command[4]: redistribute connected
```

Back in 1987 I could just start rpc.ripd on SunOS-3 (no authentication in RIPv1), but 34 years later, Quagga looked like it gave a lot of people a lot of trouble to configure it, so I thought to reinvent the wheel. But for political and national security reasons I think it would be a real good idea to have open source routing used more widely, and so I decided to give Quagga my best try. It succumbed to the same issue complained about here, attributed to an unfixed bug by many OPs, and I dug through the source code but was not able to find the "bug". But I also hit references to FRR and tried it in the hope of a fix. No such luck. Currently I'm guessing that the problem is not in the code but in the documentation, so I've missed some important setup aspect. I'm planning to write up my experiences and of course it will include the conf file. In the appended instance I've retained comments, and if you spot any misconceptions among them I would appreciate corrections, so errors don't propagate.
```
# /etc/frr/frr.conf
# This file contains plaintext passwords and needs permission 640 frr:frr
# Revision history:
# 2021-02-17 jimc Becomes FRR (Free Range Routing) unified config file.
# 2021-02-04 jimc Initial setup for Quagga / rip[ng]d, abandoned.

# hostname itsname # Default is the system's 1-component name per uname -n.

# Without a password, vtysh will not connect; the enable password enables
# interactive reconfiguration. But it uses PAM; password not needed for root.
# Warning, security is not robust; turn this off in production.
password redacted#1
enable password redacted#2

# Log file for all daemons
log file /var/log/frr/frr.log

# /etc/frr/daemons controls which protocol daemons to start, but you also have
# to enable them. Not needed for staticd or zebra.
router rip
#rejected: version 2 # Do not receive v1 (which can't do authentication)
router ripng

# "vtysh -C [-f other_file.conf]" will check the configuration file; default
# is /etc/frr/frr.conf. It would appear that if no protocol is enabled (e.g.
# by "router rip") for which a particular command (e.g. "network") is relevant,
# the command is reported as "Unknown command[4]: network 192.9.200.0/24", not
# considering the parameters (e.g. with "router ripng", the IPv4 version is
# not unknown).

# Interfaces with an IP address in this range may send and receive protocol
# packets. You can also enable named interfaces e.g. en0.
network 192.9.200.0/24
network 2600:3c01:e000:306::/64

# We're only going to include these subnet(s) in incoming + outgoing packets.
# In Quagga you could also use an access-list.
ip prefix-list xenanet permit 192.9.200.176/29
ip prefix-list xenanet deny any

# Syntax: 'route-map' its_name permit|deny line_number; matches etc. follow.
# A number is a valid identifier and you confusingly see this in tutorials.
route-map cnmap permit 1
match ip address prefix-list xenanet
route-map cnmap deny 2

# Zebra can filter incoming routes per protocol or for any protocol. It just
# ignores non-permitted routes. Looks like the default is to deny everything.
ip protocol any route-map cnmap

# In incoming and outgoing packets, only the specified subnets are included.
distribute-list xenanet in
distribute-list xenanet out

# Daemons send routes that they learned from these sources.
# kernel = set in system routing table by non-FRR, e.g. "ip route add..."
redistribute kernel
# static = configured in a FRR conf file. (CouchNet has none.)
redistribute static
# connected = seen in protocol packets from neighboring routers.
redistribute connected

# Turn on authentication (RIP v2 only). Mode md5 (hiss, boo!) makes a HMAC
# over the packet with a pre-shared key prepended; the sender and receiver must
# use the same key. It's OK to turn on auth for interfaces that don't exist.
key chain CouchNet
key 1
key-string redacted#3
interface en0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface br0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface rad0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun0
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun1
ip rip authentication mode md5
ip rip authentication key-chain CouchNet
interface tun9
ip rip authentication mode md5
ip rip authentication key-chain CouchNet

# Default timer values are used.
# update 30sec, send a gratuitous RIP packet this often.
# timeout 180sec, a route absent from "learn from" sources (e.g.
# neighbors) for this long is redistributed as expired.
# garbage 120sec, after this long, expired routes are no longer announced.
```

-- 
James F. Carter          Email: jimc@jfcarter.net
Web: http://www.math.ucla.edu/~jimc (q.v. for PGP key)
"distribute-list" and "redistribute" are sub-commands of "router rip" and "router ripng". Thus they must appear after a "router ..." line and before any non-"router ..." sub-command. vtysh command completion will help you with the legal syntax. Usually I configure frr/quagga via vtysh and persist the configuration with the "write" command.

Frank

On 02/26/21 01:53, jimc wrote:
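The placement rule Frank describes can be checked mechanically before a file is handed to `vtysh -C`. The script below is an added example, not code from this thread or from the FRR project. It walks an frr.conf-style file and tracks which block each line lands in: a block is opened by `router ...`, `interface ...`, `route-map ...`, `key chain ...` or `line ...`, closed by `exit`/`end`, and implicitly left as soon as a top-level command such as `ip prefix-list` appears, which is exactly what happens in the posted file when the filters are defined after `router ripng`. Every `distribute-list`, `redistribute` or `network` line found outside a `router rip`/`router ripng` block is reported with its line number and the block actually in effect. The keyword tables are my heuristics for this check, not FRR's grammar, and the check is about placement only, not argument validity. The two embedded configs are constructed in miniature from the thread: `BROKEN` mirrors the posted ordering, `FIXED` nests the same commands under the router blocks as the reply recommends.

```python
"""Placement check for frr.conf-style files (constructed example).

Tracks which configuration block each line lands in and flags router-rip
sub-commands that vtysh would evaluate at the top level, the situation that
produces "% Unknown command[4]: distribute-list ..." in the thread.
"""

# Sub-commands that only exist under "router rip"/"router ripng" (assumption:
# the two commands named in the reply, plus "network").
ROUTER_ONLY = ("distribute-list", "redistribute", "network")

# Commands that open a block; the whole line becomes the context name.
BLOCK_OPENERS = ("router", "interface", "route-map", "key chain", "line")

# Commands always evaluated at the top level. Meeting one while a block is
# open means the block has been left, so later lines are top-level too.
# Both tables are heuristics for this check, not FRR's full grammar.
TOP_LEVEL = ("hostname", "password", "enable password", "log", "service",
             "debug", "access-list", "ip prefix-list", "ip protocol",
             "ip route", "ipv6 prefix-list", "ipv6 route")


def _command(line):
    """Command text of a line, or '' for blank and comment ('#', '!') lines."""
    text = line.strip()
    return "" if not text or text[0] in "#!" else text


def _matches(cmd, prefixes):
    """True if cmd equals one of prefixes or starts with it as whole words."""
    return any(cmd == p or cmd.startswith(p + " ") for p in prefixes)


def check_placement(config_text):
    """Return [(line_number, command, context)] for every ROUTER_ONLY command
    outside a router rip/ripng block; context is the block's opening line or
    'top-level'."""
    context, problems = "top-level", []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        cmd = _command(raw)
        if not cmd:
            continue
        if cmd in ("exit", "end") or _matches(cmd, TOP_LEVEL):
            context = "top-level"
        elif _matches(cmd, BLOCK_OPENERS):
            context = cmd  # e.g. "router rip", "interface en0"
        elif _matches(cmd, ROUTER_ONLY) and not context.startswith("router rip"):
            problems.append((lineno, cmd, context))
    return problems


# Constructed miniature of the posted ordering: "ip prefix-list" drops back to
# the top level, so the distribute-list/redistribute lines land there too.
BROKEN = """\
router rip
router ripng
network 192.9.200.0/24
ip prefix-list xenanet permit 192.9.200.176/29
ip prefix-list xenanet deny any
route-map cnmap permit 1
match ip address prefix-list xenanet
route-map cnmap deny 2
ip protocol any route-map cnmap
distribute-list xenanet in
distribute-list xenanet out
redistribute kernel
redistribute static
redistribute connected
"""

# Same commands nested under the router blocks, as the reply recommends.
FIXED = """\
ip prefix-list xenanet permit 192.9.200.176/29
ip prefix-list xenanet deny any
route-map cnmap permit 1
 match ip address prefix-list xenanet
route-map cnmap deny 2
ip protocol any route-map cnmap
!
router rip
 network 192.9.200.0/24
 distribute-list xenanet in
 distribute-list xenanet out
 redistribute kernel
 redistribute static
 redistribute connected
exit
router ripng
 network 2600:3c01:e000:306::/64
exit
interface en0
 ip rip authentication mode md5
 ip rip authentication key-chain CouchNet
exit
"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        found = check_placement(text)
        print("%s: %s" % (name, "ok" if not found else "%d misplaced" % len(found)))
        for lineno, cmd, context in found:
            print("  line %d: %r (context: %s)" % (lineno, cmd, context))
```

Run on `BROKEN` it reports lines 10 to 14 (the five commands vtysh rejected in the thread) with context `top-level`; on `FIXED` it reports nothing. The same function can be pointed at a real file with `check_placement(open("/etc/frr/frr.conf").read())` as a pre-commit or CI check, so that a misplaced filter is caught before a daemon silently runs without it.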