[FROG] No RIP packets, rejecting distribute-list and redistribute

Frank Kardel kardel+froglist at kardel.name
Fri Feb 26 09:45:15 UTC 2021


"distribute-list" and "redistribute" are sub commands of "router rip" and "router ripng". Thus they must appear after a "router ..." line and before any non-"router ..." sub command.

vtysh command completion will help you with the legal syntax. Usually I configure frr/quagga via vtysh and persist the configuration with the "write" command.

Frank
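The context rule in the reply, as an added example that is not part of the original thread: a small Python lint (not FRR code; the keyword sets are a hand-picked subset of FRR's grammar) that walks an frr.conf and reports RIP sub-commands that sit outside a "router ..." block, run over a constructed sample in the reported ordering and over a constructed corrected ordering.

```python
"""Lint an frr.conf for RIP sub-commands sitting outside a 'router ...' block.
Added illustration, not FRR code (keyword sets are a hand-picked subset of FRR's
grammar). It mimics the reply's rule: 'distribute-list' and 'redistribute' are
legal only after 'router rip'/'router ripng' and before the next top-level line.
"""
# Config-mode keywords that start a new context (and so end a router block).
TOP_LEVEL = {"hostname", "password", "enable", "log", "ip", "ipv6", "router",
             "interface", "key", "route-map", "access-list", "line", "service"}
# Sub-commands ripd/ripngd accept only inside 'router rip' / 'router ripng'.
ROUTER_ONLY = {"network", "redistribute", "distribute-list", "version", "timers"}


def lint_frr_conf(text):
    """Return [(line_number, line)] for every router-only command out of context."""
    context = None          # None, "router", or another TOP_LEVEL keyword
    problems = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue        # comments and blank lines never change context
        first = line.split()[0]
        if first in ("exit", "end"):
            context = None
        elif first in TOP_LEVEL:
            context = first  # 'router rip' opens the router context
        elif first in ROUTER_ONLY and context != "router":
            problems.append((lineno, line))
    return problems


# Constructed sample in the reported order: a top-level prefix-list ends the
# router context, so the sub-commands that follow are "unknown".
BROKEN = """\
router rip
router ripng
network 192.9.200.0/24
ip prefix-list xenanet permit 192.9.200.176/29
ip prefix-list xenanet deny any
distribute-list xenanet in
redistribute kernel
"""
# Constructed fix: filters first, RIP sub-commands under 'router rip' ('prefix'
# names a prefix-list rather than an access-list; indentation is cosmetic).
FIXED = """\
ip prefix-list xenanet permit 192.9.200.176/29
ip prefix-list xenanet deny any
router rip
 network 192.9.200.0/24
 distribute-list prefix xenanet in
 redistribute kernel
"""
```

`lint_frr_conf(BROKEN)` reports the two trailing sub-commands, matching the "Unknown command" lines vtysh -C printed for the real file, while `lint_frr_conf(FIXED)` is empty.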


On 02/26/21 01:53, jimc wrote:
> Version: frr-7.5-3.3.x86_64 from OpenSuSE Tumbleweed.
> This is probably a near duplicate of bug 1279 (2017-10-02)
> https://github.com/FRRouting/frr/issues/1279
> except the OP omidit was trying to use BGP while I have RIP[ng].
> I'm pointing the finger of blame at a documentation issue; in other
> words, almost certainly my frr.conf file (appended with comments)
> lacks some prerequisite which would resurrect the redistribute and
> distribute-list commands.
>
> Presenting symptoms: ripd and ripngd never emit any RIP[ng] packets,
> even though the sub-router has a route to the subnet that I want
> the local LAN to be able to reach.  Plus: when I specify
> "redistribute" and "distribute-list", frr -C complains:
>
> ```
> line 56: % Unknown command[4]: distribute-list xenanet in
> line 57: % Unknown command[4]: distribute-list xenanet out
> line 61: % Unknown command[4]: redistribute kernel
> line 63: % Unknown command[4]: redistribute static
> line 65: % Unknown command[4]: redistribute connected
> ```
>
> Back in 1987 I could just start rpc.ripd on SunOS-3 (no authentication
> in RIPv1), but 34 years later, Quagga looked like it gave a lot of
> people a lot of trouble to configure it, so I thought to reinvent the
> wheel.  But for political and national security reasons I think it would
> be a real good idea to have open source routing used more widely, and
> so I decided to give Quagga my best try.  It succumbed to the same issue
> complained about here, attributed to an unfixed bug by many OPs, and
> I dug through the source code but was not able to find the "bug". But
> I also hit references to FRR and tried it in the hope of a fix. No such
> luck.  Currently I'm guessing that the problem is not in the code but in
> the documentation, so I've missed some important setup aspect. I'm
> planning to write up my experiences and of course it will include the
> conf file.  In the appended instance I've retained comments, and if you
> spot any misconceptions among them I would appreciate corrections, so
> errors don't propagate.
>
> ```
> # /etc/frr/frr.conf
> # This file contains plaintext passwords and needs permission 640 frr:frr
> # Revision history:
> #   2021-02-17    jimc    Becomes FRR (Free Range Routing) unified config file.
> #   2021-02-04    jimc    Initial setup for Quagga / rip[ng]d, abandoned.
>
> # hostname itsname # Default is the system's 1-component name per uname -n.
>
> # Without a password, vtysh will not connect; the enable password enables
> # interactive reconfiguration.  But it uses PAM; password not needed for root.
> # Warning, security is not robust; turn this off in production.
> password redacted#1
> enable password redacted#2
>
> # Log file for all daemons
> log file /var/log/frr/frr.log
>
> # /etc/frr/daemons controls which protocol daemons to start, but you also have
> # to enable them.  Not needed for staticd or zebra.
> router rip
> #rejected: version 2    # Do not receive v1 (which can't do authentication)
> router ripng
>
> # "vtysh -C [-f other_file.conf]" will check the configuration file; default
> # is /etc/frr/frr.conf.  It would appear that if no protocol is enabled (e.g.
> # by "router rip") for which a particular command (e.g. "network") is relevant,
> # the command is reported as "Unknown command[4]: network 192.9.200.0/24", not
> # considering the parameters (e.g. with "router ripng", the IPv4 version is
> # not unknown).
>
> # Interfaces with an IP address in this range may send and receive protocol
> # packets.  You can also enable named interfaces e.g. en0.
> network 192.9.200.0/24
> network 2600:3c01:e000:306::/64
>
> # We're only going to include these subnet(s) in incoming + outgoing packets.
> # In Quagga you could also use an access-list.
> ip prefix-list xenanet permit 192.9.200.176/29
> ip prefix-list xenanet deny any
>
> # Syntax: 'route-map' its_name permit|deny line_number; matches etc. follow.
> # A number is a valid identifier and you confusingly see this in tutorials.
> route-map cnmap permit 1
> match ip address prefix-list xenanet
> route-map cnmap deny 2
>
> # Zebra can filter incoming routes per protocol or for any protocol.  It just
> # ignores non-permitted routes.  Looks like the default is to deny everything.
> ip protocol any route-map cnmap
>
> # In incoming and outgoing packets, only the specified subnets are included.
> distribute-list xenanet in
> distribute-list xenanet out
>
> # Daemons send routes that they learned from these sources.
> # kernel = set in system routing table by non-FRR, e.g. "ip route add..."
> redistribute kernel
> # static = configured in a FRR conf file.  (CouchNet has none.)
> redistribute static
> # connected = seen in protocol packets from neighboring routers.
> redistribute connected
>
> # Turn on authentication (RIP v2 only).  Mode md5 (hiss, boo!) makes a HMAC
> # over the packet with a pre-shared key prepended; the sender and receiver must
> # use the same key.  It's OK to turn on auth for interfaces that don't exist.
> key chain CouchNet
> key 1
> key-string redacted#3
> interface en0
> ip rip authentication mode md5
> ip rip authentication key-chain CouchNet
> interface br0
> ip rip authentication mode md5
> ip rip authentication key-chain CouchNet
> interface rad0
> ip rip authentication mode md5
> ip rip authentication key-chain CouchNet
> interface tun0
> ip rip authentication mode md5
> ip rip authentication key-chain CouchNet
> interface tun1
> ip rip authentication mode md5
> ip rip authentication key-chain CouchNet
> interface tun9
> ip rip authentication mode md5
> ip rip authentication key-chain CouchNet
>
> # Default timer values are used.
> #   update    30sec, send a gratuitous RIP packet this often.
> #   timeout    180sec, a route absent from "learn from" sources (e.g.
> #        neighbors) for this long is redistributed as expired.
> #   garbage    120sec, after this long, expired routes are no longer announced.
> ```
>
