Configuring OSPF routing with not propagating docker routes

Taavi Ansper taavi.ansper at cyber.ee
Wed May 22 08:18:15 UTC 2024 

Hi

(I also posted in the slack channel, sorry for cross-posting, don't know 
which one would be more active...)

I am having a problem, where I have a core network, where I have a bunch 
of servers, but this network has two gateways, one for outbound 
connections on the same site and the second for an ipsec tunnel to 
another site, so if the local connection fails, it will route through 
the ipsec tunnel via the remote site.I have a problem with docker 
networks in this routing. As some of the hosts propagate these routes to 
other hosts and so If there is communication between a docker container 
and the host networking it tries to route through the network. This is 
the |frr.conf| file that is injected to the hosts. The RIP is legacy 
conf, as we moved from RIP to OSPF. As you can see we only have a single 
area, as we have a router on a stick topology, so we don't really need 
many areas. Currently the gitlab-test host cannot connect to the ospf 
network, because of the |passive-interface default| option, if I remove 
it, then it connects to the ospf area and now the docker routing also 
comes from other hosts.

# Ansible managed # default to using syslog. /etc/rsyslog.d/45-frr.conf 
places the log in # /var/log/frr/frr.log # # Note: # FRR's configuration 
shell, vtysh, dynamically edits the live, in-memory # configuration 
while FRR is running. When instructed, vtysh will persist the # live 
configuration to this file, overwriting its contents. If you want to # 
avoid this, you can edit this file manually before starting FRR, or 
instruct # vtysh to write configuration to a different file. log syslog 
informational hostname gitlab-test password REDACTED enable password 
REDACTED # Router RIP configuration router rip distance 66 network 
0.0.0.0/0 passive-interface default ! # Router OSPF configuration router 
ospf network 0.0.0.0/0 area 0.0.0.0 passive-interface default ospf 
router-id 10.0.8.43 ! # Network where this configuration is used. 
network enX0 ! # Interface options for interface found by ansible. 
interface enX0 ip ospf authentication message-digest ip ospf 
message-digest-key 1 md5 REDACTED ip ospf priority 0 !


Can the host actually join the OSPF area if the passive-interface 
default is enabled?

For example these routings are present that I do not want if I remove 
the passive-interface default and restart the frr.service:

O 172.17.0.0/16 [110/10] is directly connected, docker0, weight 1, 
00:01:06 O 172.18.0.0/16 [110/10] is directly connected, 
br-236817c46761, weight 1, 00:01:06 O>* 172.18.0.0/24 [110/20] via 
192.168.2.25, enX0, weight 1, 00:00:46 O>* 172.19.0.0/16 [110/20] via 
192.168.2.17, enX0, weight 1, 00:00:46 * via 192.168.2.44, enX0, weight 
1, 00:00:46 Best regards

-- 
----
Taavi Ansper
taavi.ansper at cyber.ee

More information about the frog mailing list