Re: [FROG] Configuring OSPF routing with not propagating docker routes
Hi Taavi,

I’m not sure what you are asking. If you want to form OSPF adjacencies on a network, the connecting interface cannot be passive as this solely advertises the interface prefix in the Router-LSA - OSPF isn’t active on the interface. You can override the “default passive-interface” on an individual interface with the “no ip ospf passive” command on that interface.

For example:

interface r3-eth0
 ip address 10.1.5.3/24
 ip ospf dead-interval 30
 ip ospf hello-interval 1
 no ip ospf passive
exit
!
interface r3-eth1
 ip address 10.1.6.3/24
 ip ospf dead-interval 30
 ip ospf hello-interval 1
 no ip ospf passive
exit
!
interface r1-eth0
 no ip ospf passive
exit
!
router ospf
 ospf router-id 3.3.3.3
 passive-interface default
 network 10.1.5.0/24 area 0
 network 10.1.6.0/24 area 1
 distance 20
exit

r3# show ip ospf neighbor

Neighbor ID     Pri State           Up Time   Dead Time Address         Interface         RXmtL RqstL DBsmL
2.2.2.2           1 Full/Backup     3m34s       29.414s 10.1.5.2        r3-eth0:10.1.5.3      0     0     0
2.2.2.2           1 Full/Backup     3m26s       29.414s 10.1.6.2        r3-eth1:10.1.6.3      0     0     0

Hope this helps,
Acee
On May 22, 2024, at 04:18, Taavi Ansper via frog <frog@lists.frrouting.org> wrote:
From: Taavi Ansper <taavi.ansper@cyber.ee>
Subject: Configuring OSPF routing with not propagating docker routes
Date: May 22, 2024 at 04:18:15 EDT
To: frog@lists.frrouting.org
Hi
(I also posted in the slack channel, sorry for cross-posting, don't know which one would be more active...)
I am having a problem, where I have a core network, where I have a bunch of servers, but this network has two gateways, one for outbound connections on the same site and the second for an ipsec tunnel to another site, so if the local connection fails, it will route through the ipsec tunnel via the remote site. I have a problem with docker networks in this routing. As some of the hosts propagate these routes to other hosts, and so if there is communication between a docker container and the host networking it tries to route through the network. This is the frr.conf file that is injected to the hosts. The RIP is legacy conf, as we moved from RIP to OSPF. As you can see we only have a single area, as we have a router on a stick topology, so we don't really need many areas. Currently the gitlab-test host cannot connect to the ospf network because of the passive-interface default option; if I remove it, then it connects to the ospf area and now the docker routing also comes from other hosts.
# Ansible managed
# default to using syslog. /etc/rsyslog.d/45-frr.conf places the log in
# /var/log/frr/frr.log
#
# Note:
# FRR's configuration shell, vtysh, dynamically edits the live, in-memory
# configuration while FRR is running. When instructed, vtysh will persist the
# live configuration to this file, overwriting its contents. If you want to
# avoid this, you can edit this file manually before starting FRR, or instruct
# vtysh to write configuration to a different file.
log syslog informational
hostname gitlab-test
password REDACTED
enable password REDACTED
# Router RIP configuration
router rip
 distance 66
 network 0.0.0.0/0
 passive-interface default
!
# Router OSPF configuration
router ospf
 network 0.0.0.0/0 area 0.0.0.0
 passive-interface default
 ospf router-id 10.0.8.43
!
# Network where this configuration is used.
network enX0
!
# Interface options for interface found by ansible.
interface enX0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REDACTED
 ip ospf priority 0
!
Can the host actually join the OSPF area if the passive-interface default is enabled?
For example these routings are present that I do not want if I remove the passive-interface default and restart the frr.service:
O   172.17.0.0/16 [110/10] is directly connected, docker0, weight 1, 00:01:06
O   172.18.0.0/16 [110/10] is directly connected, br-236817c46761, weight 1, 00:01:06
O>* 172.18.0.0/24 [110/20] via 192.168.2.25, enX0, weight 1, 00:00:46
O>* 172.19.0.0/16 [110/20] via 192.168.2.17, enX0, weight 1, 00:00:46
  *                        via 192.168.2.44, enX0, weight 1, 00:00:46

Best regards

--
----
Taavi Ansper
taavi.ansper@cyber.ee
_______________________________________________ frog mailing list frog@lists.frrouting.org https://lists.frrouting.org/listinfo/frog
Hi

Thanks for the answer.

# Router OSPF configuration
router ospf
 network 0.0.0.0/0 area 0.0.0.0
 area 0.0.0.0 range 172.16.0.0/12 not-advertise
 distribute-list docker-filter out
 passive-interface default
 ospf router-id A.B.C.D
!
# Network where this configuration is used.
network enX0
!
# Interface options for interface found by ansible.
interface enX0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REDACTED
 ip ospf priority 0
 no ip ospf passive
!
# Access List options.
access-list docker-filter deny 172.16.0.0/12

I have the following options set, but it still seems to propagate the docker routings... I will try it again later on all the faulty hosts.

----
Taavi Ansper
taavi.ansper@cyber.ee

On 22.05.24 14:25, Acee Lindem wrote:
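As an added example (not code from the thread or from FRR), a small Python check that parses the kind of `show ip route` output Taavi pasted and lists every OSPF route inside Docker's 172.16.0.0/12 pool, separating the local bridges this host is itself advertising from prefixes learned from a neighbour; it also flags the `network 0.0.0.0/0 area` wildcard that puts OSPF on the docker bridges in the first place. The sample route table and config excerpt are constructed from the thread's examples, not captured output.

```python
import ipaddress
import re

# Docker allocates docker0 and user-defined bridges (br-*) from 172.16.0.0/12 by default.
DOCKER_POOL = ipaddress.ip_network("172.16.0.0/12")

# One 'show ip route' line, e.g. "O>* 172.18.0.0/24 [110/20] via 192.168.2.25, enX0, ..."
# or "O   172.17.0.0/16 [110/10] is directly connected, docker0, ..."
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])[>* ]*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?:\[\d+/\d+\]\s+)?"
    r"(?:via (?P<via>\d+\.\d+\.\d+\.\d+), (?P<iface>[^,]+),"
    r"|is directly connected, (?P<conn>[^,]+),)"
)

def find_leaked_docker_routes(show_ip_route):
    """Return (prefix, origin) for every OSPF route that lies inside DOCKER_POOL."""
    leaks = []
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m or m.group("code") != "O":
            continue  # header, ECMP continuation ('*  via ...') or non-OSPF route
        prefix = ipaddress.ip_network(m.group("prefix"))
        if not prefix.subnet_of(DOCKER_POOL):
            continue
        if m.group("conn"):
            # OSPF is running on a local docker bridge: this host is the one leaking.
            leaks.append((str(prefix), "local bridge " + m.group("conn")))
        else:
            # Learned from a neighbour: some other host is leaking it into the area.
            leaks.append((str(prefix), "neighbour %s via %s" % (m.group("via"), m.group("iface"))))
    return leaks

def wildcard_network_statements(frr_conf):
    """'network 0.0.0.0/0 area X' enables OSPF on every interface, docker bridges included,
    so their prefixes become intra-area routes; 'passive-interface default' still advertises
    them in the Router-LSA and 'distribute-list ... out' only filters redistributed routes."""
    return [s for s in (l.strip() for l in frr_conf.splitlines())
            if re.match(r"network 0\.0\.0\.0/0 area ", s)]

# Constructed samples modelled on the thread's route table and frr.conf, not captured output.
SAMPLE_ROUTES = """\
O   172.17.0.0/16 [110/10] is directly connected, docker0, weight 1, 00:01:06
O   172.18.0.0/16 [110/10] is directly connected, br-236817c46761, weight 1, 00:01:06
O>* 172.18.0.0/24 [110/20] via 192.168.2.25, enX0, weight 1, 00:00:46
O>* 172.19.0.0/16 [110/20] via 192.168.2.17, enX0, weight 1, 00:00:46
  *                        via 192.168.2.44, enX0, weight 1, 00:00:46
O>* 10.0.8.0/24 [110/20] via 192.168.2.17, enX0, weight 1, 00:00:46
"""
SAMPLE_CONF = "router ospf\n network 0.0.0.0/0 area 0.0.0.0\n passive-interface default\n!\n"
```

Running `find_leaked_docker_routes` on the output of each host shows which hosts are advertising their bridges and which are merely receiving the leak; replacing the wildcard with the uplink prefix (or `ip ospf area` on enX0 only) stops the bridges from entering the area at all.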